When attempting to back up a system protected by the ShadowSnap backup agent, you receive the error message "The .datto file is not found or not accessible," or "Bad HTTP Error 500."
- ShadowSnap Agent
This issue may also present as follows:
When attempting to access a file restore on your Datto appliance via its UNC path, you receive the error message "[UNC path] is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The account is not authorized to log in from this station."
You may also be prompted for a username / password combination when attempting to access the Datto appliance this way.
Local network settings are making the Samba shares on the Datto appliance inaccessible, or a high level of traffic prevents persistent communication between the device and the agents. ShadowSnap backups require a non-interactive connection from the agent to a public Samba share on the Datto appliance in order to transfer the backup data.
- Network Latency / DNS mismatch (possibly due to adding the Protected Machine by hostname and not FQDN or IP).
- Different subnets are being protected and the device cannot access agents on a different subnet.
- Improper routing tables.
- Another service may have generated a conflict, such as those found in Commonly found VSS-Related Services.
- Samba communication is disabled on the production machine. This is sometimes done by IT administrators as a defense measure against ransomware such as WannaCry.
- SMB signing settings are mismatched. SMB signing must be disabled on the client or an SMB signing mismatch will occur.
- Low system resources.
- Shares from previous backups have not been cleaned up, causing conflicts.
- The Datto appliance is joined to the Domain.
- From Group Policy, the Protected Machine cannot access the Datto via UNC.
- Set Share Compatibility Mode for the specific agent.
- On protected Windows machines, for the active network connection, enable the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks.
- Unjoin the SIRIS from the Domain. You can do this by selecting Configure > Networking from the Web UI.
- Check the subnet masks and DNS settings for the protected machines to ensure that the Datto device has the correct network settings to allow the device to reach the agents.
- Create a DNS A record on the DNS server using the device's hostname, and reboot the affected server.
If these steps don't solve the problem, proceed to the next sections.
In the registry, check the value of the following two LanmanWorkstation keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Enablesecuritysignature = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanworkstation\Parameters\Requiresecuritysignature = 1
If they are both set to 1, changing the Requiresecuritysignature value to 0 may resolve 500-series errors. For more information about the LanmanWorkstation service, see this article.
Test UNC Functionality
- Create a Public NAS Share on the SIRIS and see if it can be accessed from the protected machine via UNC Path.
- If it cannot be accessed then check to see if the Protected Machine can reach another server via UNC Path.
- If it still cannot be accessed, change the necessary settings on the network so that the Protected Machine can connect to the SIRIS via UNC.
- If it still cannot be accessed, check Group Policy regarding the SIRIS and make sure it has all necessary permissions and records in place for resolution.
- If you continue to encounter this error, contact Tech Support because it could be Samba related.
- Re-enable SMB communication on the machine.
- In the system registry, set the following value to 0, then reboot the machine:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
- For Microsoft's official KB article for this issue please visit: http://support.microsoft.com/kb/916846
Sometimes, when trying to access a Datto share from a Windows 7, Vista, or Server 2008 machine, the authentication window will continuously appear. To remedy this, please try:
- Go to /Start/Run and type in secpol.msc and then hit enter
- Browse to /Local Policies/Security Options/
- Double click Network security: LAN Manager authentication level
- Select Send LM & NTLM - use NTLMv2 session security if negotiated
- Click Apply then OK.
If you get the message "[UNC path] is not accessible. You might not have permission to use this network resource.", make sure that the following registry value is 0 and that the corresponding group policy is set accordingly:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
In the case that you are prompted for credentials (username / password) when attempting to access the Datto via UNC path, you may need to change / add the "security" global configuration parameter.
For Advanced-Trained partners only
See the Additional Resources section of this article for more information about SMB signing.
For 12.04 or 10.04 Devices:
- Change the parameter "security = user" to "security = share" in the global section of /etc/samba/smb.conf
For 16.04 Devices:
- Add the following in the global section of /etc/samba/smb.conf
security = user
map to guest = Bad User
server signing = auto
client signing = auto
Mismatched SMB Protocol
If you see the following error in the Samba logs for the protected machine, the protected system may be trying to connect on a protocol that is not supported by the Samba package installed on Datto devices.
init_smb_request: invalid wct number 255
To correct this, support can try adding the following under the "Global" section in /etc/samba/smb.conf:
Max Protocol = SMB2
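To compare a device's smb.conf with the 16.04 settings and the Max Protocol line above, the following Python is an added example, not Datto's own tooling. It reads only the [global] section and follows Samba's rule that parameter names ignore case and whitespace; the function names and SAMPLE_CONF are constructed for illustration.

```python
# Added example; SAMPLE_CONF is constructed and not taken from a real device.
EXPECTED_1604 = {  # values this article lists for 16.04 devices
    "security": "user",
    "map to guest": "bad user",
    "server signing": "auto",
    "client signing": "auto",
}
SAMPLE_CONF = """\
[global]
   Security = user
   map to guest = Bad User
   ; server signing = auto
   client signing = mandatory
   Max Protocol = SMB2
[share]
   server signing = auto
"""

def norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return "".join(name.split()).lower()

def parse_global(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def check_conf(text, expected=EXPECTED_1604):
    """List (parameter, expected, found) for each setting that differs."""
    found = parse_global(text)
    return [(k, v, found.get(norm(k))) for k, v in expected.items()
            if (found.get(norm(k)) or "").lower() != v]

if __name__ == "__main__":
    for name, want, got in check_conf(SAMPLE_CONF):
        print(f"{name}: expected {want!r}, found {got!r}")
```

In the sample, "server signing" is reported as missing because it is commented out in [global] and the copy under [share] does not count, and "client signing" is reported because it is set to mandatory.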
- Disable SMB v1 in Managed Environments with Group Policy (external link)
- Require SMB Security Signatures (external link)
- The Basics of SMB Signing (external link)
- Windows Server 2012 R2: Which version of the SMB protocol (SMB 1.0, SMB 2.0, SMB 2.1, SMB 3.0 or SMB 3.02) are you using? (external link)