ServerAdmin : this is a nightmare

[Mackovich]

Hello.

Yes this is a nightmare. Bu before complaining and crying, let me simply explain the situation.

On last october I subscribed for a non-commercial license of a TS3 512 slots server.
I installed TS3 sever on my server box (OS : Debian server last version 64bits).
I lauchned it, connected to it via my PC and enter the priviledge key that was shown to be upon launching.

So far, so good.
Unfortunately, I had to format my PC so I lost my Super Admin priviledge but that wasn't a problem because a server admin gave my rights back.
This was months ago and I didn't realise that I had lost the Super Admin priviledge (SAp).
Because a friend of mine asked me to do some permissions modifications so that he can add my TS server in his forum via "TS Viewer". Don't ask why, but the fact remained that since I lost my SAp, I couldn't do that.

So I wanted to get it back by recreating a token.
How so ? Using the Query Admin Control.
But couldn't get through step : "login serveradmin password". I lost them too...

So I took the courage to delete the crucial file "ts3server.sqlitedb" and then restarted the server by ./ts3server_startscript.sh restart.
Doing so made the server back to first time launch with nothing. Then I got automatically reconnected (yes because I remained connected the whole time) with a couple of friends.
On the server box (through putty the whole time I might add), some details were added such as my Query Admin Command and the privilede key. Just to be sure I made a screenshot of it !

Back to my PC, the TS server ask me to enter the priviledge key so that's what I did.
The server logs stated :

Code:

 ServerAdmin privilege key created, please use the line below
2012-03-09 22:22:15.224378|WARNING |VirtualServer |  1| token=YLkyTOorjbLknJfL3cYNHC3e3Orp2sCt1X3NM96U
2012-03-09 22:22:15.224391|WARNING |VirtualServer |  1| --------------------------------------------------------
2012-03-09 22:22:15.233162|INFO    |CIDRManager   |   | updated query_ip_whitelist ips: 127.0.0.1,
2012-03-09 22:22:15.233489|INFO    |Query         |   | listening on 0.0.0.0:10011
2012-03-09 22:23:11.080383|INFO    |VirtualServer |  1| client (id:2) was added to servergroup 'Server Admin'(id:6) by client 'server'(id:0)
2012-03-09 22:23:11.082206|INFO    |VirtualServer |  1| client 'Mackovich'(id:2) used privilege key 'YLkyTOorjbLknJfL3cYNHC3e3Orp2sCt1X3NM96U' and was added to servergroup 'Server Admin'(id:6)

Thus far I thought I got my SAp back. Hell I didn't.
And what's the weirdest thing ?
These lines (especially the last one) from the logs :

Code:

2012-03-09 22:55:24.644389|INFO    |VirtualServer |  1| client (id:6) was added to servergroup 'Server Admin'(id:6) by client 'Mackovich'(id:2)
2012-03-09 22:58:19.876219|INFO    |VirtualServer |  1| client (id:2) was removed from servergroup 'Server Admin'(id:6) by client 'Mackovich'(id:2)
2012-03-09 22:58:24.934704|INFO    |VirtualServer |  1| client (id:2) was added to servergroup 'Server Admin'(id:6) by client '14e_Col_Verdieb'(id:6)

My very nice friend, here, "Verdieb" (to make it short) got a nice seat at the lonely SAp commity. HOW THE HELL DID HE GET THE ID6 level ?
What's worse ?
This is the same guy who wanted to display my server via TS Viewer and make me change some permissions to do so. Back then, he was an ID2 and now he is an ID6 ?
And who I am ? A SIMPLE ID2 ? WHAT THE HELL ??

I think I missed something here.
And finally (yes, the conclusion) I wanted to regenerate a token again through Query Server Admin.
Thanks to my brilliant idea of making a screenshot of the logins (serveadmin + password) I tried the "login serveradmin password" thing. But guess what ? DIDN'T WORK AT ALL.
Damn it.


So this is where I stand.
I am completely lost and this a real nightmare.
Please be kind and save me ! Thanks !!!

[Tomas]

Sadly why you deleted "ts3server.sqlitedb", you made more mess than actually needed.
You can search either on this forum or using google/youtube to get the answer for your questions.

how to get serveradmin password when you lose it.
http://forum.teamspeak.com/showthrea...word-Look-here!

how to get new privilege key(read at least first 10 posts to understand those serverQuery commands)
http://forum.teamspeak.com/showthrea...+privilege+key

[Mackovich]

Thank you for help.
I will look into the thread you pointed out to me.

See you.

[Mackovich]

UP

So I checked the threads and I was able to create another token.

But when I used it, there was an error saying

Code:

Failed to use Privilege Key: duplicate entry

Then I try this command-line on the Server Query :

Code:

servergroupaddclient sgid=6 cldbid=2
Yes, my database ID is indeed 2

Which got me this following error :

Code:

error id=2561 msg=duplicate\sentry

Looks like to be the exact same error I get in both cases.

If you recall my previous problem, I entirely recreated my TS3 server, by deleting "ts3server.sqlitedb".
So I was able to use another token.

Now the issue, is that I can't ban a "simple" Server Admin. The error messages says :

Code:

insufficient client permissions (failed on b_client_ignore_bans)

When I check the Permission Group page for Server Admin, it says that Server Admin can ban Server Admin.
But I can't.... and the other SA can't too ...

And as I explained in the first message some guy got the SAD (Super Server Admin) priviledge and could access Permissions I can't in order to add my server in TS Viewer ... Even so, him also couldn't ban another SA ... like me.

Here are the pictures from "Permissions".
From his side :
menu "Permission" http://desmond.imageshack.us/Himg708...ng&res=landing
Permission Window http://desmond.imageshack.us/Himg62/...ng&res=landing
From mine :
menu "Permission" http://www.noelshack.com/2012-16-133...ermi_macko.png
Permission Window http://www.noelshack.com/2012-16-133..._mackovich.png

We can definitely see the differences ...

Can you explain to me what to do to gain back this SAD priviledge ?


Thanks !

[SilentStorm]

Thus far I thought I got my SAp back. Hell I didn't.
And what's the weirdest thing ?
These lines (especially the last one) from the logs :

Code:

2012-03-09 22:55:24.644389|INFO    |VirtualServer |  1| client (id:6) was added to servergroup 'Server Admin'(id:6) by client 'Mackovich'(id:2)
2012-03-09 22:58:19.876219|INFO    |VirtualServer |  1| client (id:2) was removed from servergroup 'Server Admin'(id:6) by client 'Mackovich'(id:2)
2012-03-09 22:58:24.934704|INFO    |VirtualServer |  1| client (id:2) was added to servergroup 'Server Admin'(id:6) by client '14e_Col_Verdieb'(id:6)

My very nice friend, here, "Verdieb" (to make it short) got a nice seat at the lonely SAp commity. HOW THE HELL DID HE GET THE ID6 level ?
What's worse ?
This is the same guy who wanted to display my server via TS Viewer and make me change some permissions to do so. Back then, he was an ID2 and now he is an ID6 ?
And who I am ? A SIMPLE ID2 ? WHAT THE HELL ??

You added Verdieb to the ServerAdmin Group (See first line of your Log)
You removed yourself from the ServerAdmin Group (See second Line of your Log)
Finally you were added to the ServerAdmin Group by Verdieb (See third line of your Log)
The (id: xxx) Stuff behind the Clients is just the DatabaseID which is used internally by the Server to manage clients and their permissions. It has no meaning at all and doesn't matter what number it is. The first User to connect to a fresh ServerInstance will receive ID 2 and that number is just incremented for each new client that connects.
So after you reset the Server you were the first to connect (thus you got ID 2) and Verdieb was the 5th to connect to the Server. But as I said the numbers really don't mean anything.

I think I missed something here.
And finally (yes, the conclusion) I wanted to regenerate a token again through Query Server Admin.
Thanks to my brilliant idea of making a screenshot of the logins (serveadmin + password) I tried the "login serveradmin password" thing. But guess what ? DIDN'T WORK AT ALL.

Make sure you are connected to the correct Server (as in the Server that is running your TS Server).
PS: You should never ever add regular Clients to the Query Admin Group! Its dangerous and very easy to screw your Server if you do not know what you are doing and / or are not careful.

UP

So I checked the threads and I was able to create another token.

But when I used it, there was an error saying

Code:

Failed to use Privilege Key: duplicate entry

Then I try this command-line on the Server Query :

Code:

servergroupaddclient sgid=6 cldbid=2
Yes, my database ID is indeed 2

Which got me this following error :

Code:

error id=2561 msg=duplicate\sentry

That error just tells you that you are already in the group you are trying to add yourself into, which is true as from your first Post you are already in the Serveradmin group which is what that command would do.
So that error is perfectly alright.

Now the issue, is that I can't ban a "simple" Server Admin. The error messages says :

Code:

insufficient client permissions (failed on b_client_ignore_bans)

When I check the Permission Group page for Server Admin, it says that Server Admin can ban Server Admin.
But I can't.... and the other SA can't too ...

ServerAdmins by default are allowed to circumvent Bans, so they can connect to the server regardless of whether any active Ban in the Banlist would usually affect them or not.
As a side effect this means ServerAdmins cannot be banned in the first place, since the Server is smart enough to realize that banning the person would have no effect anyway as checking Bans is skipped for this Client (because he ignores bans). So the Server refuses to enter such a Ban into the Banlist as it would just clutter the banlist without any benefit.

You would need to turn off the b_ignore_bans Permission in the ServerAdmin group, which would be potentially dangerous as you could end up banning all your Serveradmins and none of them would be able to connect to the server to lift the bans.
You would then need to use the query Console to lift the bans using the serveradmin Account.


If you want some of your Users to have elevated permissions (beeing able to kick / ban / whatever) but still have lower permissions than you have just create a copy of the regular ServerAdmin (ID 6 on the first server of an instance) and reduce the permissions of the copy accordingly then give the copy to your trusted users and keep yourself in the original Serveradmin group.
That way you could make it so that you can still ban and kick them but they wouldn't be able to kick or ban themselves or yourself while still beeing able to kick regular users (and even ban them if desired).

[Mackovich]

Thank you for this detailes answer, but this still not resolves my situation.

First, why does my friend verdieb have access to stuff I don't ?
See the differences here :

Here are the pictures from "Permissions".
From his side :
menu "Permission" http://desmond.imageshack.us/Himg708...ng&res=landing
Permission Window http://desmond.imageshack.us/Himg62/...ng&res=landing
From mine :
menu "Permission" http://www.noelshack.com/2012-16-133...ermi_macko.png
Permission Window http://www.noelshack.com/2012-16-133..._mackovich.png

And now, I created a sub-group just like you suggested. Thing is, this group is set as "Server Admin", which means I can't still ban them ... I tried lower by setting this groupe as "normal" and it worked like a charm. However, they can't create groupes or servers groupes although I gave them the right to ... very weird :
http://image.noelshack.com/fichiers/...ermissions.png

So to summerize everything up, this is what I would like to have :

I would like to be some sort of a super server admin, aknowleged as the one and unique founder and creator of the TS3 server, which implies that he is above all and cannot be touched in any way at all. Like a god ^^
And thus I'll have my Server Admins Minions/Underlings who cannot ban themselves, who cannot revoke their ranks (themselves and the other as well), but can act like second-rank-gods in front of all the others users (not me, of course, since I am THE God lol)

And therefore I don't want to see people such as verdieb having access to stuff I don't even see !


Thank you all again.

[SilentStorm]

Simple, he enabled a Setting in the Client to view the Advanced permissions, you did not.
Thats all the difference there is...
Enable to Advanced Permission System in Settings -> Options -> Application and you will see the same stuff he does...
He cannot do anything you can't do, and he also doesn't have any more permissions than you do... it's just that he opted to see more stuff while you did not.

[Mackovich]

Thanks for the quick reply ! I'll try it out after my asnwer.


Anyway, do you have a solution regarding my group of "second-ranked-gods" ? ^^

[SilentStorm]

As said in Post #5 copy the serveradmin group and remove / lower the Permissions you don't want them to have.
Popular / Advised candidates include:
i_client_kick_from_*_power
i_client_ban_power
i_group_member_add_power
i_group_member_remove_power

[Mackovich]

Why, thank you, but I as you may come to know, I don't know very well how to do such things.

I do, however, understand your point.

But I need to know how to do it.
Isn't there some sort of tutorial or guide I could follow ?

Thank you for your great help so far !

---
EDIT
I think I got it : since I activated the Advance Settings for permissions, I can see stuff like "i_client_kick_from_*_power".
I'll look into it !