Archive:NetApp-CIFS-Backup

From SEPsesam

Netapp CIFS Backup

About

This document describes how to configure your SEP sesam and NetApp environment in order to be able to backup not only files but also Windows ACL Informations. The backup can either be done via one complete backup task or split into two separate tasks:

* backup of actual file data (for example via NFS)
* backup of ACL information only (via CIFS share)

Requirements

SEP Sesam

Sesam Client Version >= 4.2.1.43

Netapp

The Netapp System must be part of your Windows Domain. The Netapp system must be able to resolve your domain user names into domain S-I-D's.

Environment configuration

In order to be able to backup ACL information, there must be a special user in your Windows Domain environment which has special rights in order to override all permissions. The Sesam client on the Windows system which acts as backup-client, must be started with this user. A special group "Backup operators" exists in your Windows and Netapp environment, this group is also often used to allow anti virus software to access files which it would not have access to.

Setting up the Domain user

The Domain user (for example DOMAIN\backupuser) must be added to the following groups in your windows environment:

Backup Operators
Administrators

Setting up the Netapp User

This Domain user must be added to the local NetApp system groups, in order to add the user, login to your NetApp system via SSH and execute the following commands:

netapp> useradmin domainuser add DOMAIN\backupuser -g "Administrators"
netapp> useradmin domainuser add DOMAIN\backupuser -g "Power Users"
netapp> useradmin domainuser add DOMAIN\backupuser -g "Backup Operators"

Setting up the Netapp volume

In the CIFS share options the user DOMAIN\backupuser must have full access rights. If the actual file backup is done by a Linux system, the volume also must be accessible via NFS. Change this in your Netapp Filer Admin frontend:

CIFS -> Shares -> Manage -> Change Access

Setting up the Sesam client

The Sesam client on the Windows system must be started with the user "DOMAIN\backupuser", in order to do so go to the services configuration, choose the "SEP Sesam Server" service an change the user the service is started with to the user "DOMAIN\backupuser". Restart the service afterwards.

Backup configuration

There are multiple options to backup the data, either via UNC path or via a mapped network drive on the Windows system.

Windows

In case the backup is done via UNC, specify the backup source like:

\\netapp_sytem.local\share$

In case the backup is done via an mapped network drive, make sure the network drive is mapped with the correct user name:

"net use Y: \\server\share {passwd} /user:domain\backupuser"

Windows (ACL only) and Linux (data)

It is also possible to backup the real data via an NFS Share mounted on the backup system, and use the Windows backup client to backup the ACL information only.

In order to make the windows client backup ACL information only, the following special options has to be added to the tasks additional save options:

-o skip_data

like shown in this screen shot:

Netapp cifs 01.jpg

The Linux backup task is configured like a regular file backup.

Restore

If only one task was used to restore both file data and ACL information, a regular file restore to a UNC path or mapped drive is sufficient.

When the backup task has been split into two separate tasks (ACL only and actual data) the data itself has to be restored to the NFS share via the Linux system. As a second step the restore of the ACL information is done via Windows file restore and the special option:

-o skip_data

follows.

like shown in this screen shot:

Netapp cifs 02.jpg

Troubleshooting

Backup of ACL fails with "Warning: Cannot get item security data for"

If the backup of ACL information fails with the following error:

2013-04-09 15:10:50: sbc-2046: Warning: Cannot get item security data for [\\?\UNC\netapsystem.local\share$\example.txt].

the configured user, which is used for the backup, does not have sufficient rights to access the files. This problem is related to the Domain<->Netapp/file permissions and has nothing to do with Sesam.

In this case please check:

* is the volume, which is backed up, mapped onto the Windows system multiple times, if so unmap it via "net use" and map it again
* is the sesam service running with the desired DOMAIN\backupuser
* was the information about the backup user distributed amongst all primary domain controllers / does the NetApp system know about it
* check the volume rights on the Netapp system

See Also

Further Links/Literature

For further reading on the topic we recommend the following links: