I have a Linux server with an exposed SMB share Backup. It is physically connected to a LAN via a router. A MacBook Pro physically connected to the same LAN via the same router can connect, set up Time Machine and make a backup to this SMB share using the Linux server LAN IP (e.g. 192.168.X.X).
The router also has a WAN address. The ISP blocks 139 and 445 incoming connections on the WAN side so I NATed WAN:tcp:446 to Linux server:tcp:445.
Another MacBook Pro on the internet wants to back up to the same share. It is able to connect to the share as smb://user@WANIP:446 via Finder, then a system prompt appears with the user prepopulated, a field for the password and a checkbox to save the password to Keychain. After providing the password it successfully connects to the Linux server and exposes the Backup share and I can see, read, edit, delete, create, rename etc. the files and directories on it via Finder.
Then I go to Time Machine setup, Select Disk, it successfully sees the connected share and allows me to choose it, asks for user and password and both are prepopulated. Then it successfully schedules a backup in 120 seconds.
When 120 seconds pass or if I order a manual backup right now it says authorization failed and cannot back up.
After that, I can still do everything with the share in Finder, i.e. it is fully functioning.
tmutil shows everything is alright.
$ tmutil destinationinfo
====================================================
Name : Backup
Kind : Network
URL : smb://user@WANIP:446/Backup
Mount Point : /Volumes/Backup
ID : {***GUID***}
logs show these specific errors
$ log show --style syslog --predicate 'senderImagePath contains[cd] "TimeMachine"' --info
...
2020-05-14 14:46:10.150565+0100 localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Attempting to mount 'smb://user@WANIP:446/Backup'
2020-05-14 14:46:10.427385+0100 localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] NAConnectToServerSync failed with error: 80 (Authentication error) for url: smb://user@WANIP:446/Backup
2020-05-14 14:46:10.427395+0100 localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Authentication error (80) - the correct user or password info may not exist in the System.keychain or the server may no longer allow access for this user.
2020-05-14 14:46:10.427414+0100 localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Attempting to mount alternate URL 'smb://user@WANIP:446/Backup'
2020-05-14 14:46:10.706242+0100 localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] NAConnectToServerSync failed with error: 80 (Authentication error) for alternate url: smb://user@WANIP:446/Backup
2020-05-14 14:46:10.706249+0100 localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Authentication error (80) - the correct user or password info may not exist in the System.keychain or the server may no longer allow access for this user.
2020-05-14 14:46:10.706328+0100 localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Authentication error (80) - the correct user or password info may not exist in the System.keychain or the server may no longer allow access for this user.
2020-05-14 14:46:10.706771+0100 localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Backup failed with error 29: There was a problem authenticating with the destination.
2020-05-14 14:46:10.708332+0100 localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Pending cancel request cleared.
smb.conf is quite simple
[global]
use sendfile = yes
store dos attributes = no
server services = smb
mangled names = no
dos filetimes = no
workgroup = MYGROUP
server string = Samba Server
server role = standalone server
log file = /dev/stdout
max log size = 50
dns proxy = no
pam password change = yes
map to guest = bad user
usershare allow guests = yes
create mask = 0660
force create mode = 0000
directory mask = 0770
force directory mode = 0110
force user = smbuser
force group = smb
follow symlinks = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
strict locking = no
aio read size = 0
aio write size = 0
vfs objects = catia fruit streams_xattr
client ipc max protocol = SMB3
client ipc min protocol = SMB3_02
client max protocol = SMB3
client min protocol = SMB3_02
server max protocol = SMB3
server min protocol = SMB3_02
fruit:delete_empty_adfiles = yes
fruit:time machine = yes
fruit:veto_appledouble = no
fruit:wipe_intentionally_left_blank_rfork = yes
[Backup]
path = /home/backup
browsable = yes
read only = no
guest ok = no
veto files = /.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
delete veto files = yes
If I only change guest ok = no to yes with no other changes and connect to smb://guest@WANIP:446 instead – backup works (obviously guest rw access via the internet is a bad idea).
If I create a routable (L3, not L2, so SMB broadcasts are not seen) VPN between the MacBook Pro on the internet and the router, leave guest ok = no and connect to smb://user@LANIP:445 with password – backup works (it is much slower over the VPN, unfortunately, that is why I am trying to set it up without).
I am lost – it is not an auth issue as I can connect and do everything via Finder via WANIP with guest ok = no. It is not a privileges issue as I can make a backup via LANIP over VPN with guest ok = no. It seems not to be a NAT issue as I can make a backup via WANIP with guest ok = yes.
I have tried to lower SMB3 requirements to SMB2 – same behaviour. I have tried to remove all the passwords from Keychain and reconnect, change the name of the share, change WANIP (so that there could be no saved settings on the MacBook Pro related to this share) – same behaviour.
What do I miss? Does non-guest access require NATing another port? (I cannot NAT 137-139 as they are blocked by the ISP.)
I would greatly appreciate it if you could help me! Thanks in advance.
macOS Catalina 10.15.4 on MacBook Pro 13″ 2018.
Linux kernel 5.1.18.
Samba 4.11.5.
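
An added example, not part of the original post: since the post notes that guest read/write access over the internet is a bad idea, this Python check parses an smb.conf and lists the shares that accept guest sessions before port 445 is forwarded. The function names and the trimmed sample config are constructed for illustration, and only the parameter synonyms listed in the code are handled.

```python
import configparser

# Constructed sample: guest-related lines from the posted smb.conf, using the
# "guest ok = yes" variant the post tried on the WAN-facing share.
SAMPLE = """\
[global]
    map to guest = bad user
    fruit:time machine = yes
[Backup]
    path = /home/backup
    read only = no
    guest ok = yes
"""

TRUE = {"yes", "true", "on", "1"}
# Synonyms documented in smb.conf(5), folded to one canonical name.
SYNONYMS = {"public": "guest ok", "writeable": "writable", "write ok": "writable"}

def norm(key):
    # Samba ignores case and extra whitespace inside parameter names.
    key = " ".join(key.lower().split())
    return SYNONYMS.get(key, key)

def load(text):
    # '=' only: the default ':' delimiter would split "fruit:time machine".
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = norm
    # Strip indentation, which configparser would read as a continuation line.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}

def is_true(value):
    return value.strip().lower() in TRUE

def guest_exposed_shares(conf):
    """Return (share, writable, unknown_user_is_guest) for each guest share."""
    g = conf.get("global", {})
    # "bad user": a login with a username that does not exist becomes a guest session.
    bad_user = g.get("map to guest", "never").strip().lower() == "bad user"
    exposed = []
    for name, share in conf.items():
        merged = {**g, **share}  # share settings override [global] defaults
        if name == "global" or not is_true(merged.get("guest ok", "no")):
            continue
        if "writable" in merged:  # simplified: "writable" wins over "read only"
            writable = is_true(merged["writable"])
        else:
            writable = not is_true(merged.get("read only", "yes"))
        exposed.append((name, writable, bad_user))
    return exposed
```

With the posted `guest ok = no` the result is an empty list; the `guest ok = yes` variant reports the Backup share as writable by guests.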