Time Machine backup fails with Authentication Error 80 on TBS-h574TX

So I made it work finally. And it’s really nasty.


macOS 26.4 silently broke Time Machine over SMB — and every fix online only covers HALF of the bug

TL;DR: There are two bugs. Every thread online only talks about the first. That’s why nothing works.

Symptoms

  • Backup fails instantly with BACKUP_FAILED_AUTHENTICATION_ERROR (29) / error 80
  • You can mount the exact same share via Finder with the same creds, no issue
  • smbutil view //USER@nas.local works fine
  • An older Synology/NAS destination added before Tahoe keeps working. Only the newly re-added destinations fail.

The two bugs

Bug A — “isKnownServer 0”: Tahoe gates stored SMB creds on a whitelist plist. Every fix online covers this:

sudo /usr/libexec/PlistBuddy -c 'Add :nas.local bool true' \
  '/private/var/root/Library/Group Containers/group.com.apple.NetworkAuthorization.ServerMarkers/serverMarkers.plist'

Add every hostname form that appears in your TM URL, including the raw Bonjour FQDN with its trailing dot, e.g. NAS(TimeMachine)._smb._tcp.local. (the final dot is part of the name and must be kept).

Bug B — keychain ACL regression (the one nobody talks about):

  • NetAuthSysAgent in 26.4 runs as your user uid (501), not root.
  • So per-item ACLs on /Library/Keychains/System.keychain matter.
  • The new TM-Settings GUI writes items with a partition_id=apple: ACL entry that NetAuthSysAgent can’t pass → Unable to find matching items -25300, then OpenSession failed 80.
  • The intuitive fix fails: security add-internet-password -A (allow any app) writes applications: <null>, which the agent reads as “no apps allowed”, not “any app allowed”. Still broken.

The full fix

Log signature that means you have Bug B:

isKnownServer 1
Unable to find matching items -25300   (x8-10)
OpenSession failed 80

Recreate the keychain entry with explicit -T grants, NOT -A:

# zsh syntax (macOS default shell): prompt for the password without echoing it
read -r -s "TMPW?SMB password: " && echo

# One keychain item per hostname form that appears in the TM URL
for S in 'NAS(TimeMachine)._smb._tcp.local.' 'nas.local'; do
  # Drop any existing (GUI-written) item so the new ACL replaces it
  sudo security delete-internet-password -a USER -s "$S" /Library/Keychains/System.keychain 2>/dev/null
  # Recreate with explicit -T grants for the Apple helpers (never -A)
  sudo security add-internet-password \
    -a USER -s "$S" -p /YourShare -r 'smb ' \
    -D 'Time Machine Network Password' \
    -T /System/Library/CoreServices/NetAuthAgent.app \
    -T /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent \
    -T /System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc \
    -T /System/Library/CoreServices/TimeMachine/backupd \
    -T /System/Library/CoreServices/TimeMachine/backupd-helper \
    -w "$TMPW" \
    /Library/Keychains/System.keychain
done
# Don't leave the password sitting in the shell environment
unset TMPW

Substitute USER, hostnames, /YourShare (leading slash, NOT URL-encoded).

Verify

sudo security dump-keychain -a /Library/Keychains/System.keychain | less

Find your entry. A working ACL has 3 entries, decrypt lists the Apple helpers, NO partition_id. If you see 4 entries with partition_id → apple:, or 3 entries with applications: <null> on decrypt — you need the command above.
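Paging through a full dump-keychain output by hand is error-prone, so here is a small checker I'm adding as an illustration (not part of the original post, and not an Apple tool). It parses the per-item ACL section of `security dump-keychain -a` and applies exactly the verify rule above: a partition_id entry or `applications: <null>` on the decrypt entry means Bug B; a decrypt entry that lists the Apple helpers, including NetAuthSysAgent, and no partition_id means the item is good. The layout of the dump it parses (`"srvr"<blob>=...`, `access: N entries`, `entry N:`, `authorizations (k): ...`, `applications (n):` / `applications: <null>`) is my reading of the dump-keychain format, and the embedded SAMPLE_DUMP is constructed to mimic it with the three ACL shapes the post describes, so treat both as assumptions and compare against your own dump.

```python
"""Classify Time Machine keychain items from `security dump-keychain -a` output.

Added illustration, not code from the original post. Usage on a real dump:
    sudo security dump-keychain -a /Library/Keychains/System.keychain | python3 tm_acl_check.py
With no stdin it runs against the constructed SAMPLE_DUMP below.
"""
import re
import sys

# The binary that must be able to decrypt the item (from the post's -T list).
NETAUTH_SYS_AGENT = "/System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent"

# Constructed sample in the assumed dump-keychain layout: one good item,
# one GUI-shaped item with partition_id, one -A-shaped item with <null> apps.
SAMPLE_DUMP = """\
keychain: "/Library/Keychains/System.keychain"
class: "inet"
attributes:
    "acct"<blob>="USER"
    "srvr"<blob>="nas.local"
access: 3 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        applications (3):
            0: /System/Library/CoreServices/NetAuthAgent.app (OK)
            1: /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthSysAgent (OK)
            2: /System/Library/CoreServices/TimeMachine/backupd (OK)
    entry 1:
        authorizations (1): encrypt
        applications: <null>
    entry 2:
        authorizations (1): integrity
        applications: <null>
keychain: "/Library/Keychains/System.keychain"
class: "inet"
attributes:
    "acct"<blob>="USER"
    "srvr"<blob>="NAS(TimeMachine)._smb._tcp.local."
access: 4 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        applications (1):
            0: /System/Library/CoreServices/NetAuthAgent.app (OK)
    entry 1:
        authorizations (1): encrypt
        applications: <null>
    entry 2:
        authorizations (1): integrity
        applications: <null>
    entry 3:
        authorizations (1): partition_id
        description: "apple:"
        applications: <null>
keychain: "/Library/Keychains/System.keychain"
class: "inet"
attributes:
    "acct"<blob>="USER"
    "srvr"<blob>="nas2.local"
access: 3 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        applications: <null>
    entry 1:
        authorizations (1): encrypt
        applications: <null>
"""


def parse_items(dump):
    """Split dump text into items: {"server": str, "entries": [{"auths": [...], "apps": list|None}]}."""
    items, item, entry, in_apps = [], None, None, False
    for line in dump.splitlines():
        s = line.strip()
        if s.startswith("keychain:"):            # each item begins with its keychain path
            item = {"server": None, "entries": []}
            items.append(item)
            entry, in_apps = None, False
        elif item is None:
            continue
        elif (m := re.match(r'"srvr"<blob>="(.*)"$', s)):
            item["server"] = m.group(1)
        elif re.match(r"entry \d+:$", s):        # start of one ACL entry
            entry = {"auths": [], "apps": None}
            item["entries"].append(entry)
            in_apps = False
        elif entry is not None and (m := re.match(r"authorizations \(\d+\): (.*)$", s)):
            entry["auths"] = m.group(1).split()
        elif entry is not None and s == "applications: <null>":
            entry["apps"], in_apps = None, False
        elif entry is not None and re.match(r"applications \(\d+\):$", s):
            entry["apps"], in_apps = [], True    # trusted-app paths follow on indented lines
        elif in_apps and (m := re.match(r"\d+: (\S+)", s)):
            entry["apps"].append(m.group(1))
    return items


def classify_acl(item):
    """Apply the post's verify rule to one item's ACL entries."""
    entries = item["entries"]
    if any("partition_id" in e["auths"] for e in entries):
        return "bug-b: partition_id entry present"
    decrypt = next((e for e in entries if "decrypt" in e["auths"]), None)
    if decrypt is None:
        return "no decrypt entry"
    if decrypt["apps"] is None:
        return "bug-b: applications <null> on decrypt"
    if NETAUTH_SYS_AGENT not in decrypt["apps"]:
        return "decrypt entry lacks NetAuthSysAgent"
    return "ok"


def check_dump(dump):
    """Map each item's server name to its verdict."""
    return {it["server"]: classify_acl(it) for it in parse_items(dump)}


if __name__ == "__main__":
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for server, verdict in check_dump(text).items():
        print(f"{server}: {verdict}")
```

Only items that report "ok" satisfy the rule above; anything tagged "bug-b" is a candidate for the delete/add-internet-password loop.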

Gotchas

  • Never use -A. Use -T.
  • Always pass -w "$PASSWORD". If you omit -w, security silently reads stdin; in scripts/non-TTY that’s empty → exit 0 → you just created an item with no password.
  • The share -p value is the literal path (/Time Machine - Server), NOT URL-encoded.
  • The protocol -r 'smb ' has a trailing space (4-char OSType).
  • NetAuthSysAgent’s uid-501 behavior is the real reason DiskStation (added pre-Tahoe with a different ACL shape) keeps working while your newly-added destinations don’t.
  • The Reddit-famous /etc/nsmb.conf signing_required=yes fix solves a different SMB problem. It does not touch Bug B.

Backup ran first try after this. Hope it saves someone days of log-chasing.