Forum


Notice to all users

We are migrating towards a new forum system located at community.teamspeak.com, as such this forum will become read-only on January 29, 2020

Results 1 to 7 of 7
  1. #1
    Join Date
    February 2012
    Location
    Germany
    Posts
    577

    How to create query user for server monitoring

    I want to setup a query user for monitoring my Teamspeak server with an automated monitoring tool (cacti in my case), and I'm wondering as how to create a query account that exactly has the required permissions, but no more permissions.
    Is the solution below "best practice" and the intended way to achieve the result?

    For monitoring, I need permission for these query commands:

    - serverlist (this is for cacti to enumerate and display all existing virtual servers at discovery)
    - use (this is for changing to the virtual server)
    - serverinfo (this is for regular monitoring of one virtual server)

    So the monitoring user needs these permissions:

    - b_serverinstance_virtualserver_list (for serverlist)
    - b_virtualserver_select (for use)
    - b_virtualserver_info_view (for serverinfo)

    All web-viewer applications need something like this, but no one says how to create a tailored user for this. Instead, they either say you use your serveradmin or you give the guest query additional permissions. But both are not acceptable from a security point of view.

    So we need a user with a new query group with the above permissions. It must be a query group independent from a virtual server, because there is no virtual server known at the time of virtual server discovery.

    So I create a new global query group by copying the serverquery guest group:

    servergroupcopy ssgid=1 tsgid=0 name=monitor type=2

    Then I give the new group the required permissions: (here it was created as id 9)

    servergroupaddperm sgid=9 permsid=b_serverinstance_virtualserver_list permvalue=1 permnegated=0 permskip=0
    servergroupaddperm sgid=9 permsid=b_virtualserver_info_view permvalue=1 permnegated=0 permskip=0

    Then I create a new query user by doing this:
    - create a new identity in my Teamspeak Client
    - connect to the server with the Teamspeak client with this identity
    - add "Server Admin" group to the new user
    - create server query login in the client GUI for the new user
    - remove "Server Admin" group from the user (it was only to be able to create the query login)

    - finally, add the new user to the new group: (my user has id=5 and the group has id=9)
    servergroupaddclient sgid=9 cldbid=5

    Now I can login with the new query login and perform exactly the required commands and nothing more.

    Is this the correct way? It seems straightforward, but I never saw anyone doing this. Instead I often read that someone destroyed the database of their server by making something with query accounts or query groups especially with serveradmin group.
    Unfortunately, it was never clear what exactly was wrong - nobody ever describes exactly what he did - just the database was reported as broken at some point.

    The only thing that bothers me is that it is perhaps not so straightforward to create the query group by copying the guest query group and assigning the user to it. Is this the way to go? I assume yes, because I used the tools the server gave me.

  2. #2
    Join Date
    June 2008
    Posts
    18,513
    This will work for the virtual server where the user was added into that group.
    But a way where user add normal clients into a Query group is not supported from us.
    I know the feature is missing in the server which allows to create such real Query logins for a Query group. I think this would change a lot for some user out there.

    The correct and supported way from your how to is to create and use a normal non Query server group for this.

    Edit
    There are more ways to solve this.
    • Change the Query port and add the desired permissions into the GuestQuery and then use this group without any login.
    • Close the Query port and connect from localhost to the Query and now you can use serveradmin login.
    Last edited by dante696; February 28th, 2017 at 10:02 AM.
    When sending me private messages: Please make sure to include reference link to your forum thread or post.

    TeamSpeak FAQ || What should i report, when i open a client thread?

  3. #3
    Join Date
    June 2011
    Location
    Germany
    Posts
    4,368
    Adding normal users to query groups does not have any advantage over adding them to non-query groups. So this whole thread is entirely pointless.
    I don't even know why it is possible to add more query groups. There is only one query user who takes advantage of them and only one group only he is supposed to have, so everything could be stored in one group.

  4. #4
    Join Date
    June 2008
    Posts
    18,513
    There is one advantage.
    You do not have to create this group on each server. you just have to add the user on each virtual server.
    When sending me private messages: Please make sure to include reference link to your forum thread or post.

    TeamSpeak FAQ || What should i report, when i open a client thread?

  5. #5
    Join Date
    June 2011
    Location
    Germany
    Posts
    4,368
    If you ask me, saving the time to copy a template group (updating can be done with servergroupautoaddperm) is not worth possisbly destroying one's database.

  6. #6
    Join Date
    June 2008
    Posts
    18,513
    Yep, I agree to that.
    When sending me private messages: Please make sure to include reference link to your forum thread or post.

    TeamSpeak FAQ || What should i report, when i open a client thread?

  7. #7
    Join Date
    February 2012
    Location
    Germany
    Posts
    577
    The problem with a normal group instead of a query group is, that you must "use <sid>" to get advantage of the permission. Otherwise, the user cannot do serverlist:

    TS3
    Welcome to the TeamSpeak 3 ServerQuery interface, type "help" for a list of commands and "help <command>" for information on a specific command.
    login cacti xxxxxxxxx
    error id=0 msg=ok
    serverlist
    error id=2568 msg=insufficient\sclient\spermissions failed_permid=4
    use 1
    error id=0 msg=ok
    serverlist
    virtualserver_id=1 virtualserver_port=9987 virtualserver_status=online virtualserver_clientsonline=4 virtualserver_queryclientsonline=2 virtualserver_maxclients=32 virtualserver_uptime=3354990 virtualserver_name=TeamSpeak\s]I[\sServer virtualserver_autostart=1 virtualserver_machine_id
    error id=0 msg=ok
    See the first serverlist that failed. The problem is that the sid of a virtual server isn't available at discovery. This is what the discovery does: discover the existing virtual servers without no prior knowledge.

    By using the query group, it works:
    TS3
    Welcome to the TeamSpeak 3 ServerQuery interface, type "help" for a list of commands and "help <command>" for information on a specific command.
    login cacti xxxxxxxx
    error id=0 msg=ok
    serverlist
    virtualserver_id=1 virtualserver_port=9987 virtualserver_status=online virtualserver_clientsonline=3 virtualserver_queryclientsonline=1 virtualserver_maxclients=32 virtualserver_uptime=3355323 virtualserver_name=TeamSpeak\s]I[\sServer virtualserver_autostart=1 virtualserver_machine_id
    error id=0 msg=ok
    I also don't understand what "destroys the database" if you add a normal user to a query group. Why "destroys it the database"?

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Replies: 4
    Last Post: April 3rd, 2019, 06:00 PM
  2. Replies: 1
    Last Post: December 16th, 2014, 07:34 AM
  3. [Not possible] Create a secondary global server query account
    By djneubs in forum Permission System
    Replies: 0
    Last Post: August 27th, 2013, 05:32 PM
  4. Server Query Chan Depth? Can't Move or Create
    By FierceFrankie in forum Permission System
    Replies: 3
    Last Post: May 7th, 2011, 03:16 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •