Mac – Is it possible to backup via Time Machine to SMB behind NAT on non-standard ports

Tags: catalina, network, smb, time-machine, unix

I have a Linux server with an exposed SMB share, Backup. It's physically connected to a LAN via a router. A MacBook Pro physically connected to the same LAN via the same router can connect, set up Time Machine and make a backup to this SMB share using the Linux server's LAN IP (e.g. 192.168.X.X).

The router also has a WAN address. The ISP blocks incoming connections to 139 and 445 on the WAN side, so I NATed WAN:tcp:446 to Linux server:tcp:445.

Another MacBook Pro on the internet wants to back up to the same share. It's able to connect to the share as smb://user@WANIP:446 via Finder; then a system prompt appears with the user prepopulated, a field for the password and a checkbox to save the password to Keychain. After providing the password it successfully connects to the Linux server and exposes the Backup share, and I can see, read, edit, delete, create, rename, etc. the files and directories on it via Finder.

Then I go to Time Machine setup, Choose Disk; it successfully sees the connected share and allows me to choose it, asks for a user and password, and both are prepopulated. Then it successfully schedules a backup in 120 seconds.

When the 120 seconds pass, or if I start a manual backup right now, it says authorization failed and cannot back up.

After that, I can still do everything with the share in Finder, i.e. it's fully functioning.

tmutil shows everything is alright.

$ tmutil destinationinfo
====================================================
Name          : Backup
Kind          : Network
URL           : smb://user@WANIP:446/Backup
Mount Point   : /Volumes/Backup
ID            : {***GUID***}

The logs show these specific errors:

$ log show --style syslog  --predicate 'senderImagePath contains[cd] "TimeMachine"' --info
...
2020-05-14 14:46:10.150565+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Attempting to mount 'smb://user@WANIP:446/Backup'
2020-05-14 14:46:10.427385+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] NAConnectToServerSync failed with error: 80 (Authentication error) for url: smb://user@WANIP:446/Backup
2020-05-14 14:46:10.427395+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Authentication error (80) - the correct user or password info may not exist in the System.keychain or the server may no longer allow access for this user.
2020-05-14 14:46:10.427414+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Attempting to mount alternate URL 'smb://user@WANIP:446/Backup'
2020-05-14 14:46:10.706242+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] NAConnectToServerSync failed with error: 80 (Authentication error) for alternate url: smb://user@WANIP:446/Backup
2020-05-14 14:46:10.706249+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Authentication error (80) - the correct user or password info may not exist in the System.keychain or the server may no longer allow access for this user.
2020-05-14 14:46:10.706328+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Authentication error (80) - the correct user or password info may not exist in the System.keychain or the server may no longer allow access for this user.
2020-05-14 14:46:10.706771+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Backup failed with error 29: There was a problem authenticating with the destination.
2020-05-14 14:46:10.708332+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Pending cancel request cleared.

smb.conf is quite simple:

[global]
   use sendfile = yes
   store dos attributes = no
   server services = smb
   mangled names = no
   dos filetimes = no
   workgroup = MYGROUP
   server string = Samba Server
   server role = standalone server
   log file = /dev/stdout
   max log size = 50
   dns proxy = no
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
   create mask = 0660
   force create mode = 0000
   directory mask = 0770
   force directory mode = 0110
   force user = smbuser
   force group = smb
   follow symlinks = yes
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   strict locking = no
   aio read size = 0
   aio write size = 0
   vfs objects = catia fruit streams_xattr
   client ipc max protocol = SMB3
   client ipc min protocol = SMB3_02
   client max protocol = SMB3
   client min protocol = SMB3_02
   server max protocol = SMB3
   server min protocol = SMB3_02
   fruit:delete_empty_adfiles = yes
   fruit:time machine = yes
   fruit:veto_appledouble = no
   fruit:wipe_intentionally_left_blank_rfork = yes

[Backup]
   path = /home/backup
   browsable = yes
   read only = no
   guest ok = no
   veto files = /.apdisk/.DS_Store/.TemporaryItems/.Trashes/desktop.ini/ehthumbs.db/Network Trash Folder/Temporary Items/Thumbs.db/
   delete veto files = yes

If I only change guest ok = no to yes with no other changes and connect to smb://guest@WANIP:446 instead, the backup works (obviously guest rw access via the internet is a bad idea).

If I create a routable (L3, not L2, so SMB broadcasts are not seen) VPN between the MacBook Pro on the internet and the router, leave guest ok = no and connect to smb://user@LANIP:445 with a password, the backup works (it is much slower over the VPN, unfortunately, which is why I'm trying to set it up without it).

I'm lost. It's not an auth issue, as I can connect and do everything in Finder over WANIP with guest ok = no. It's not a privileges issue, as I can make a backup via LANIP over the VPN with guest ok = no. It seems not to be a NAT issue, as I can make a backup via WANIP with guest ok = yes.

I've tried lowering the SMB3 requirements to SMB2: same behaviour. I've tried removing all the passwords from Keychain and reconnecting, changing the name of the share, and changing the WANIP (so that there could be no saved settings on the MacBook Pro related to this share): same behaviour.

What am I missing? Does non-guest access require NATing another port? (I cannot NAT 137-139, as they're blocked by the ISP.)

I would greatly appreciate if you could help me! Thank you in advance.

macOS Catalina 10.15.4 on MacBook Pro 13" 2018.
Linux kernel 5.1.18.
Samba 4.11.5.
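A triage helper for the backupd output quoted in the question, as an added example that is not part of the original post. It reads an excerpt of `log show --predicate 'senderImagePath contains[cd] "TimeMachine"'` output and reduces it to one line: how many mount attempts backupd made, how many NAConnectToServerSync failures it hit and with which code (80 is the "Authentication error" seen above), the final "Backup failed with error N" code, and the last URL tried. The sample log embedded below is constructed from the question's own lines, with WANIP left as the placeholder it is on the page; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original question: a small triage helper for
# backupd output from `log show`, built around the lines quoted above.
set -eu

# tm_summarize_log FILE
# One-line summary of a backupd log excerpt:
#   attempts         lines containing "Attempting to mount" (primary + alternate URL)
#   conn_errors      "NAConnectToServerSync failed with error: N" lines
#   last_conn_error  the N of the last such line (80 = Authentication error)
#   backup_failed    code from "Backup failed with error N", or none
#   last_url         the smb:// URL of the last mount attempt, or none
tm_summarize_log() {
  awk -v q="'" '
    /backupd\[[0-9]+\]/ && /Attempting to mount/ {
      attempts++
      if (match($0, /smb:\/\/[^ ]+/)) {
        last_url = substr($0, RSTART, RLENGTH)
        n = index(last_url, q); if (n) last_url = substr(last_url, 1, n - 1)
      }
    }
    /NAConnectToServerSync failed with error: [0-9]+/ {
      conn++
      match($0, /error: [0-9]+/)
      last_conn = substr($0, RSTART + 7, RLENGTH - 7)
    }
    /Backup failed with error [0-9]+/ {
      match($0, /error [0-9]+/)
      failed = substr($0, RSTART + 6, RLENGTH - 6)
    }
    END {
      printf "attempts=%d conn_errors=%d last_conn_error=%s backup_failed=%s last_url=%s\n",
        attempts, conn, (last_conn == "" ? "none" : last_conn),
        (failed == "" ? "none" : failed), (last_url == "" ? "none" : last_url)
    }
  ' "$1"
}

# tm_write_sample_log FILE
# Constructed sample: the backupd lines from the question, WANIP kept as a placeholder.
tm_write_sample_log() {
  cat > "$1" <<'EOF'
2020-05-14 14:46:10.150565+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Attempting to mount 'smb://user@WANIP:446/Backup'
2020-05-14 14:46:10.427385+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] NAConnectToServerSync failed with error: 80 (Authentication error) for url: smb://user@WANIP:446/Backup
2020-05-14 14:46:10.427395+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Authentication error (80) - the correct user or password info may not exist in the System.keychain or the server may no longer allow access for this user.
2020-05-14 14:46:10.427414+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Attempting to mount alternate URL 'smb://user@WANIP:446/Backup'
2020-05-14 14:46:10.706242+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] NAConnectToServerSync failed with error: 80 (Authentication error) for alternate url: smb://user@WANIP:446/Backup
2020-05-14 14:46:10.706771+0100  localhost backupd[2435]: (TimeMachine) [com.apple.TimeMachine:General] Backup failed with error 29: There was a problem authenticating with the destination.
EOF
}

# Usage against a real capture:
#   log show --style syslog --predicate 'senderImagePath contains[cd] "TimeMachine"' --info > tm.log
#   tm_summarize_log tm.log
```

Two connection failures per backup run are expected here, not a sign of two separate problems: backupd retries the same destination as an "alternate URL" and fails identically, so a single authentication failure shows up twice before the final error 29.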

Best Answer

Setting this up on the client resolved the issue:

$ cat /etc/nsmb.conf
[default]
port445=no_netbios
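Why this works, and a helper to apply it, as an added example that is not part of the original answer. In nsmb.conf(5) the port445 key controls how the macOS SMB client reaches a server: normal (the default) tries TCP 445 and also uses NetBIOS over TCP 139 and NetBIOS name lookups, no_netbios uses TCP 445 only, and netbios_only uses only the NetBIOS path. Finder happened to succeed on the single forwarded port, but the Time Machine mount path fell over on the NetBIOS side, which the ISP block and the single NAT rule cannot serve; forcing no_netbios removes that dependency. The shell helper below writes the key idempotently into the [default] section (replacing an existing port445 line there and leaving any [server] or [server:share] sections alone), and takes the file path as an argument so it can be tried on a scratch file before touching /etc/nsmb.conf. The function names and the nsmb_fix.sh filename in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer: idempotently apply the
# client-side fix (port445=no_netbios under [default]) to an nsmb.conf file.
# The real macOS client file is /etc/nsmb.conf; the path is an argument so the
# helper can be exercised on a scratch file first.
set -eu

# nsmb_set_default_key FILE KEY VALUE
# Ensures FILE has a [default] section containing KEY=VALUE. An existing KEY line
# inside [default] is replaced; other sections are passed through untouched.
nsmb_set_default_key() {
  file=$1 key=$2 value=$3
  [ -f "$file" ] || : > "$file"
  awk -v key="$key" -v value="$value" '
    function emit() { if (!done) { print key "=" value; done = 1 } }
    /^[ \t]*\[/ {                       # any section header
      if (indefault) emit()             # leaving [default]: add KEY if it was absent
      indefault = (tolower($0) ~ /^[ \t]*\[default\][ \t]*$/)
      if (indefault) seen = 1
    }
    indefault && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      if (done) next                    # drop duplicate KEY lines in [default]
      $0 = key "=" value; done = 1      # replace the existing value
    }
    { print }
    END {
      if (!seen) print "[default]"      # no [default] at all: create one at the end
      emit()                            # still inside [default], or just created it
    }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# nsmb_get_default_key FILE KEY
# Prints the value of KEY from the [default] section, or nothing if unset.
nsmb_get_default_key() {
  awk -v key="$2" '
    /^[ \t]*\[/ { indefault = (tolower($0) ~ /^[ \t]*\[default\][ \t]*$/); next }
    indefault && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); print; exit
    }
  ' "$1"
}

# Usage on the client (root is needed to write /etc/nsmb.conf; nsmb_fix.sh is
# whatever you saved this file as):
#   sudo sh -c '. ./nsmb_fix.sh; nsmb_set_default_key /etc/nsmb.conf port445 no_netbios'
#   nsmb_get_default_key /etc/nsmb.conf port445
```

The setting applies to new mounts, so eject the share and let Time Machine remount it before re-testing. It only changes which ports the client tries; the server is still SMB exposed to the internet on a non-standard port, so keep guest ok = no, keep server min protocol at SMB3, and where the router allows it restrict the 446 forward to the roaming client's source addresses.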