On Authentication Errors With Time Machine

Time Machine Server can be great. With enough storage, it’s easy to back up multiple Macs to a single location, leaving the worry about USB drives being stolen or Thunderbolt drives not being plugged in behind. With Mavericks Server (OS X Server 3), Apple has improved the service with better disk space controls (as long as all clients are running Mavericks as well) in addition to an easy-to-use dashboard to see what clients are backing up when and how much space the backups are using.

Time Machine isn’t the perfect backup tool, and Time Machine Server isn’t a perfect group backup solution, but it works well enough. However, I recently came across a bug with how it authenticates that surprised me.

In short, Time Machine on the local Mac will fail to connect, even if the Mac already knows the user name and password.

When you select a Time Machine Server disk that is shared from a known server, OS X will auto-populate the window with information from Keychain Access:

Usually, Time Machine will accept the credentials and allow the initial backup to begin after the customary 120-second wait time.

With OS X Mavericks, however, I have seen several machines accept the user name and password only to fail while connecting, showing a pop-up box with this dialog:

The network backup volume could not be mounted because there was a problem with the network username or password. Open System Preferences and choose Time Machine then re-select the Time Machine backup destination to enter the correct username and password.

Of course, that’s a terrible error message. It doesn’t say anything helpful about the problem; its suggestion is to simply repeat what the user just did.

This 2012 Apple Support document gave me a clue what was going on, but the System Keychain entry for the Time Machine server was correct on these machines. Deleting the entries and re-trying didn’t solve the issue, either, as many in Apple’s Support Communities implied.

When a user name and password for a server are saved in Finder, the login keychain learns them and provides them when needed. However, Time Machine requires a System keychain item, as Time Machine works across users. When the above dialog box is shown, OS X is creating a new System keychain item from the information it was presented by the user’s own login keychain.

This is where something is broken. On some machines, this transaction won’t take place, leaving Time Machine unable to connect.

To force Keychain Access to create a new entry and not attempt to copy the login keychain item, I ended up using the short name for the users in question in Time Machine, and their standard, long name in Finder.

In our organization, the two names are the same, so I’ve given Time Machine the user name in the firstnamelastname format, as users won’t ever see that entry. In Finder, however, I stuck with Firstname Lastname as that is flashed when connecting to a server.
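To see which account name the login keychain and the System keychain each hold for the backup server, the check below compares the two items without printing any password. It is an added example, not part of the original post. It assumes the credential is stored as an internet-password item, that the keychains live at the Mavericks-era paths shown, and that `backup.example.com` stands in for your server name.

```shell
#!/bin/bash
# Added example: compare the account stored for a Time Machine server in the
# user's login keychain with the one in the System keychain.
# Assumptions: internet-password items; Mavericks-era keychain paths.
SYSTEM_KC="/Library/Keychains/System.keychain"
LOGIN_KC="$HOME/Library/Keychains/login.keychain"

# Read `security find-internet-password` output on stdin, print the account.
acct_of() {
    sed -n 's/^[[:space:]]*"acct"<blob>="\(.*\)"$/\1/p' | head -n 1
}

# $1 = account in login keychain, $2 = account in System keychain
classify() {
    if [ -z "$2" ]; then
        echo "missing-system-item"   # Time Machine has nothing to use
    elif [ "$1" = "$2" ]; then
        echo "same-account"          # System item matches the login item
    else
        echo "different-account"     # e.g. short name vs. long name
    fi
}

# $1 = server host name. No -g flag, so no password is requested or shown.
check_server() {
    login_acct=$(security find-internet-password -s "$1" "$LOGIN_KC" 2>/dev/null | acct_of)
    system_acct=$(security find-internet-password -s "$1" "$SYSTEM_KC" 2>/dev/null | acct_of)
    echo "login keychain account:  ${login_acct:-<none>}"
    echo "System keychain account: ${system_acct:-<none>}"
    classify "$login_acct" "$system_acct"
}

# Constructed sample of the command's attribute dump, for an offline dry run.
SAMPLE='keychain: "/Library/Keychains/System.keychain"
class: "inet"
attributes:
    "acct"<blob>="firstnamelastname"
    "srvr"<blob>="backup.example.com"'

if [ -n "${1:-}" ] && command -v security >/dev/null 2>&1; then
    check_server "$1"                # usage: ./tm-keychain-check.sh backup.example.com
else
    echo "sample account: $(printf '%s\n' "$SAMPLE" | acct_of)"
fi
```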

While I came across this with Time Machine Server as my destination, using a NAS or Time Capsule may expose the same flaw.

It’s crazy that this is broken in Mavericks. While I don’t know if the problem exists on other versions of OS X or OS X Server, using a different version of the username took care of it for me.