How to Change Credentials for a Shared Folder in a File to Tape Job

Challenge

Instructions to change credentials for UNC paths added to File to Tape jobs.
 

Cause

Shared folders added to File to Tape jobs become objects that cannot be managed via any user interface. They will remain part of the backup infrastructure even after being removed from all jobs.

When a UNC path is added to a File to Tape job, upon clicking Next a message box may appear asking for credentials. This interface is the only way to change credentials associated with a shared folder object. This message box will only appear if no credentials were previously assigned to the share, and then only if the Veeam Data Mover Service (VeeamTransportSvc.exe) is unable to access the share.
 

Solution

If a credentials record is already associated with a shared folder, the simplest way to change the credentials used for that share is to change the user name and password specified for the existing record. That is, from the main menu, click Manage Credentials, locate the record, click Edit, and enter the new user name and password. If it is unclear which record to change, see “Identifying the Credentials Record Associated with the Share”, below.
 

Changing the Credentials Record

To associate a different record with the shared folder, temporarily deny access to the file or folder added to the File to Tape job. A complete overview of SMB share permissions is beyond the scope of this article, but consider the following examples.

Example 1: Shared folder on a Windows file server

A folder E:\share on a Windows 2012R2 file server is shared as \\fs1\share with the special group Everyone. \\fs1\share is added to a File to Tape job.
On the file server:

1. In an Explorer window, right-click the shared folder (E:\share) and select Properties;
2. From the Sharing tab, click Advanced Sharing;
3. Click Permissions;
4. Select Everyone and note the current permissions;
5. Deny all permissions, click OK, then in the Advanced Sharing window click Apply.
6. In the Veeam console, in the Files and Folders page of the File to Tape job settings, click Next. A message box will appear;
7. Change the permissions for \\fs1\share to match what was noted in step 4;
8. In the Veeam console, choose a credentials record in the message box, or add a new record.

 

Example 2: Shared file on a domain-joined NAS

A file \\nas01\share\folder1\file1.txt is added to a File to Tape job. There is no credentials record associated with nas01. The Veeam Data Mover Service on backup server VEEAMBK01 is running as Local System.

1. Open an Explorer window to \\nas01\share\folder1;
2. Right-click file1.txt and select Properties;
3. From the Security tab, click Edit;
4. Click Add;
5. Click Object Types, and make sure Computers is checked. Click OK;
6. Type VEEAMBK01$ and click OK;
7. Deny all permissions to the VEEAMBK computer account, and click Apply;
8. In the Veeam console, in the Files and Folders page of the File to Tape job settings, click Next. A message box will appear;
9. Return the file permissions for file1.txt to their prior state by selecting the VEEAMBK computer account and clicking Remove, then Apply;
10. In the Veeam console, choose a credentials record in the message box, or add a new record.

Deleting the Shared Folder Object

These steps are not generally recommended, but may in some cases be simpler than denying access to the share.
For information on how to apply SQL scripts please review https://www.veeam.com/kb1443.

1. Backup the Veeam database. (http://www.veeam.com/kb1471);
2. Verify the record to be deleted by running the following query against the configuration database (VeeamBackup by default);
   
   SELECT * FROM [backup.model.mrulist]
3. Run the following query, changing <share path> to match the record to be deleted.
   
   DELETE FROM [backup.model.mrulist] WHERE url = ‘<share path>’

For example, if the folder \\nas01\share\folder1\ is added to the job, replace ‘<share path>’ with ‘\\nas01\share\folder1’ to produce the query:
(Example) DELETE FROM [backup.model.mrulist] WHERE url = ‘\\nas01\share\folder1’
 

Identifying the Credentials Record Associated with the Share

To get a list of credentials for file share objects, open the Veeam Backup & Replication main menu and start Powershell, then run the following script
$job = Get-VBRtapejob -name "NameOfYourTapeJoB"
$job.object | Foreach{
    New-Object -Typename PSObject -Property @{
        Path = $_.Path
        Credentials = $_.Credentials.Name
        CredsDescription = $_.Credentials.Description
    }
}

A UNC path may or may not be associated with a credentials record. If there is no associated record, the share is accessed using the account specified for the Veeam Data Mover Service (VeeamTransportSvc.exe). Local System is used by default. Use the Services MMC console (services.msc) to determine the account currently in use.
Note: It is possible to change this service account from this MMC console, but keep in mind that this service also determines the account used by data mover processes (VeeamAgent.exe), which can have an impact on other job types that access files on the Veeam Backup server. When changing the service account, make sure no jobs or restores are running before restarting the service.
 

Additional Considerations

The “Size” displayed in the File to Tape Job wizard is based on information collected by the Veeam Installer Service (VeeamDeploymentSvc.exe). If this service is running as an account that does not have read access to the share, and no credentials record is associated with the share, 0.0 KB will be displayed, and the job will fail with the message “unable to enumerate files in folder”.