Thanks for sharing, it’s frustrating that we have to use that registry key as that’s the equivalent of turning off fast clone from the NAS from what I see, you don’t leverage fast clone anymore and therefore don’t get any space savings 😞
Can you confirm that’s what you see with your synthetic fulls now?
Yes, but I just found that disabling feature on Synology NAS don’t solve the error. 🤔
With that reg (and switching to Active full) it goes smoothly.
marcofabbri wrote:
Yes, but I just found that disabling feature on Synology NAS don’t solve the error. 🤔
With that reg (and switching to Active full) it goes smoothly.
That’s interesting, I wonder if readding the repository after removing the feature would be required, I don’t know how frequently Veeam would check if Fast Clone is still supported on an existing repo, as generally these attributes wouldn’t change.
MicoolPaul wrote:
marcofabbri wrote:
Yes, but I just found that disabling feature on Synology NAS don’t solve the error. 🤔
With that reg (and switching to Active full) it goes smoothly.
That’s interesting, I wonder if readding the repository after removing the feature would be required, I don’t know how frequently Veeam would check if Fast Clone is still supported on an existing repo, as generally these attributes wouldn’t change.
Yes, it’s a possibility!
Thank you for the workaround.
Do you have to use the Synology with a NAS (SMB) share? Is the problem with iSCSi present, too?
I used a SMB share for a repository only once. There were problem the whole time
Since then I use iSCSI or FC connections everytime.
JMeixner wrote:
Thank you for the workaround.
Do you have to use the Synology with a NAS (SMB) share? Is the problem with iSCSi present, too?
I used a SMB share for a repository only once. There were problem the whole time
Since then I use iSCSI or FC connections everytime.
On reddit discussion they say that iSCSi configuration don’t present the issue.
But @JMeixner do you connect the iSCSI directly on VB&R machine? Because it’s a security weak if an attacker got access to that machine.
marcofabbri wrote:
JMeixner wrote:
Thank you for the workaround.
Do you have to use the Synology with a NAS (SMB) share? Is the problem with iSCSi present, too?
I used a SMB share for a repository only once. There were problem the whole time
Since then I use iSCSI or FC connections everytime.
On reddit discussion they say that iSCSi configuration don’t present the issue.
But @JMeixner do you connect the iSCSI directly on VB&R machine? Because it’s a security weak if an attacker got access to that machine.
Yes, with a private VLAN for the iSCSi and mutual chap authentication
JMeixner wrote:
marcofabbri wrote:
JMeixner wrote:
Thank you for the workaround.
Do you have to use the Synology with a NAS (SMB) share? Is the problem with iSCSi present, too?
I used a SMB share for a repository only once. There were problem the whole time
Since then I use iSCSI or FC connections everytime.
On reddit discussion they say that iSCSi configuration don’t present the issue.
But @JMeixner do you connect the iSCSI directly on VB&R machine? Because it’s a security weak if an attacker got access to that machine.
Yes, with a private VLAN for the iSCSi and mutual chap authentication
Ok, but with this method if an attacker gain a shell/access as administrator can browse iscsi folder as a local disk and operate directly from that machine. I prefer SMB share because there’s an other different password, that windows isn’t aware of, to protect backups.
I’m absolutely not criticizing your way (hope my english doesn’t sounds like that), I’m just write-thinking!
marcofabbri wrote:
JMeixner wrote:
marcofabbri wrote:
JMeixner wrote:
Thank you for the workaround.
Do you have to use the Synology with a NAS (SMB) share? Is the problem with iSCSi present, too?
I used a SMB share for a repository only once. There were problem the whole time
Since then I use iSCSI or FC connections everytime.
On reddit discussion they say that iSCSi configuration don’t present the issue.
But @JMeixner do you connect the iSCSI directly on VB&R machine? Because it’s a security weak if an attacker got access to that machine.
Yes, with a private VLAN for the iSCSi and mutual chap authentication
Ok, but with this method if an attacker gain a shell/access as administrator can browse iscsi folder as a local disk and operate directly from that machine. I prefer SMB share because there’s an other different password, that windows isn’t aware of, to protect backups.
I’m absolutely not criticizing your way (hope my english doesn’t sounds like that), I’m just write-thinking!
On this topic, the password would be stored within Veeam’s database wouldn’t it? So it would be extractable? Interested in your thoughts on this.
From a reliability & performance perspective I’d only use a NAS if it was presenting LUNs due to all of the protocol issues with SMB/NFS.
In all scenarios these are less secure than DAS and hardened repo, especially since to delete the data from the NAS we could just open Veeam and delete the backups from the NAS via the GUI, no need for credentials
MicoolPaul wrote:
In all scenarios these are less secure than DAS and hardened repo, especially since to delete the data from the NAS we could just open Veeam and delete the backups from the NAS via the GUI, no need for credentials
Oh. Never thought about that.
You’re right in the case of attacker got GUI on VB&R machine and then access to veeam console, but in the case of attacker gain system shell this can’t happen (or at least I think 🤔)
Fortunately with ver.12 we’ll get MFA on VB&R console!
MicoolPaul wrote:
On this topic, the password would be stored within Veeam’s database wouldn’t it? So it would be extractable? Interested in your thoughts on this.
Absolutely with a “classic SMB”, but not in case of hardened repository with single-use credentials!
But as Rick once said “anyone on a network with administrative access & unlimited time will eventually do something bad.”
Interesting discussion.
I am glad to hear your opinions about this.
Thanks for sharing this. I use Synology at home so will test this out for sure as that is my backup appliance along with VMs, etc.
All-in-one 😋😂
You’re right in the case of attacker got GUI on VB&R machine and then access to veeam console, but in the case of attacker gain system shell this can’t happen (or at least I think 🤔)
@marcofabbri
Credentials can exported in a decrypted format in VBR PowerShell (The command was posted some years ago in the forums). MFA in the console doesn’t protect you against that :)
Mildur wrote:
You’re right in the case of attacker got GUI on VB&R machine and then access to veeam console, but in the case of attacker gain system shell this can’t happen (or at least I think 🤔)
@marcofabbri
Credentials can exported in a decrypted format in VBR PowerShell (The command was posted some years ago in the forums)
MFA doesn’t protect you against that :)
Oh thanks @Mildur now I’m so curious about that script!!
From a security perspective it won't matter much how the NAS is accessed. If an attacker gets access to the VBR server or console, you'll lose everything anyway; except if you have air-gapped or immutable backups.
But thanks for posting this @marcofabbri. I didn't know that fast clone also works via SMB. Just wondering why Veeam tries to use it if it's BTRFS, which isn't supported.
Still working on version 12.
Now there’s even a KB about: https://www.veeam.com/kb4381
