Security must : run service as "automatically"

[jimmy1987]

In the tutorial is listed now you have to edit your games install files, could you please tell me where I can find those ? I just started using Tcadmin and I thought it would be best setting this up before we're going to setup gameservers.

[dimitrifrom31]

In the tutorial is listed now you have to edit your games install files, could you please tell me where I can find those ? I just started using Tcadmin and I thought it would be best setting this up before we're going to setup gameservers.

 

I assume you mean the install script? Thats in each game config > Install/uninstall script

[jimmy1987]

Ah yes found it. I was looking in the directory on the server itself and it was listed on the tcadmin website

[jimmy1987]

I seup a tmn server and I got an error listed in the monitor console:

 

7-5-2010 21:39:44 : Warning: Installation script for TM Nations Forever 20 Slots on gamepanel.vt16.com:2350 returned an exit code 1639

 

So I copied the installation script into a bat and changed the variables to values:

@echo off&setlocal enableextensions
for %%* in (.) do set serviceid=TC01614656858364825645343
if not defined serviceid set serviceid=%CD:\=%
net user 1.1.1.12350 **** /add /passwordchg:no
net localgroup tcagroup 1.1.1.12350 /add
net localgroup users 1.1.1.1 /delete
net accounts /maxpwage:unlimited
cacls "D:\TCAdmin Control Panel\Monitor\Services\TC01614656858364825645343\" /t /e /g 1.1.1.12350:f
cacls "D:\UserFiles\test\GameServers\TC01614656858364825645343" /t /e /g 1.1.1.12350:f
sc config TC01614656858364825645343 obj= .\1.1.1.12350 password=*****
pause

 

When I run it I get this:

 

processed file: D:\UserFiles\vt16\GameServers\TC01614656858364820626570
ntrolExamples\PhpRemote\GbxRemote.inc.php
processed file: D:\UserFiles\vt16\GameServers\TC01614656858364820626570
ntrolExamples\PhpRemote\ListMethods.php
processed file: D:\UserFiles\vt16\GameServers\TC01614656858364820626570
ntrolExamples\PhpRemote\SpectatorUi.php
DESCRIPTION:
       Modifies a service entry in the registry and Service Database.
USAGE:
       sc <server> config [service name] <option1> <option2>...

OPTIONS:
NOTE: The option name includes the equal sign.
     A space is required between the equal sign and the value.
type= <own|share|interact|kernel|filesys|rec|adapt>
start= <boot|system|auto|demand|disabled|delayed-auto>
error= <normal|severe|critical|ignore>
binPath= <BinaryPathName>
group= <LoadOrderGroup>
tag= <yes|no>
depend= <Dependencies(separated by / (forward slash))>
obj= <AccountName|ObjectName>
DisplayName= <display name>
password= <password>
Press any key to continue . . .

 

What am I doing wrong in the script? I use 2008 R2

[dimitrifrom31]

password=*****

 

 

add a space between password= and your password

 

Also on 2008 you need to use upper case and lower case letters in the password.

[jimmy1987]

Yes now that error is gone

I get the following when executing:

 

The account already exists.

More help is available by typing NET HELPMSG 2224.

System error 1378 has occurred.

The specified account name is already a member of the group.

There is no such global user or group: 84.26.21.240.

More help is available by typing NET HELPMSG 3783.

The command completed successfully.

The filename, directory name, or volume label syntax is incorrect.
[sC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

Press any key to continue . . .

 

But I figure that it is because the account already exists ?

 

Edit:

 

Updated the install file and tried again with a new gameserver. Worked perfectly this time

 

Offtopic:

Thanks for the guide Dimitri

[gemcneill]

I am looking at the script here and I am wondering why a new user has to be created each time. Couldn't 1 user be created and then that once user is the account used for each server. It would mean that if someone took advantage of the exploit they would have access to all game servers but this is not nearly important as creating an admin account. Also as I understand the SPLA licencing system if you create alot of users on the account you have to switch from per cpu licensing to per user licensing. I am sure if you do not report it you are fine, but if MS does an audit and sees this there might be an issue. I might be wrong on the licensing though.

 

George

[dimitrifrom31]

you can make it with 1 user only however 1 user / server has some advantages. You can for exemple avoid some problems like "file in use by another process" which can help avoiding crashes aswell (personal experience). As you mentionned it also prevents exploits (doesnt cost a thing to create more users so why let an exploit affect ALL your servers ?).

Theres another big advantage if you want to reduce CPU usage of certain processes (cf. paid guide about CPU limitation).

 

About licencing note that those users are not real users and cannot even open local session. They are just meant for access authorizations on certain files. SPLA system is about real users connecting to the server.

[tehrichie]

Dimitri,

 

I have sent you an e-mail to admin[at]roxservers[dot]com regarding an issue with this. Please let me know if this was the appropriate place to contact you, or if you have another form of contact. Thank you.

[Derek]

dimitri, ever since we started using this script reinstalls have been having issues.

 

Example:

 

5/22/2010 10:05:07 PM : GSAutomation.Processes.ReinstallGameServer: Could not extract game server files from C:\GameInstalls\CSS.rar to D:\UserFiles\11233\GameServers\TC84425886481546048475567 Error: Access to the path "D:\UserFiles\11233\GameServers\TC84425886481546048475567\cstrike\maps\cs_assault.nav" is denied.

[bullfrog3459]

dimitri, ever since we started using this script reinstalls have been having issues.

 

Example:

 

5/22/2010 10:05:07 PM : GSAutomation.Processes.ReinstallGameServer: Could not extract game server files from C:\GameInstalls\CSS.rar to D:\UserFiles\11233\GameServers\TC84425886481546048475567 Error: Access to the path "D:\UserFiles\11233\GameServers\TC84425886481546048475567\cstrike\maps\cs_assault.nav" is denied.

 

Derek, what OS? Win Srv 03 or 08? I noticed with my 03 servers they like to complain about this and ill have to look and see the work around i made, but my 08 servers have not had any issues so far.

[Derek]

Derek, what OS? Win Srv 03 or 08? I noticed with my 03 servers they like to complain about this and ill have to look and see the work around i made, but my 08 servers have not had any issues so far.

 

Windows 2008 , we have never had this issue until recently. Reinstalls just don't work.

[ECF]

Try stopping the service before clicking the reinstall button.

[dimitrifrom31]

I had made an update to this script a while ago. The very first version was granting full access to the user on the game server root only. So basicallty if the server was reinstalled ACL's were lost. A few days later I updated the script to grant privileges on the parent folder, this way no more issues after areinstall. Compare your install script with the current one, make sure that you got :

cacls %gameserverroot%.. /t /e /g %serverip%_%serverport%:f

and not

cacls %gameserverroot% /t /e /g %serverip%_%serverport%:f

 

- script updated on 2010/01/20 : fixed ACL's reset on game server root after a server reinstall. ACL's are now set on parent folder to be inherited in case of a reinstallation.

[strikeR-]

I have tested it manually on one gameserver and have a few questions about the using of this script:

 

- If there isn't one uninnstall script, once a new server is created with the same useraccount (on this case the same IPPORT) it will update the files and path to the new localization ?

- I think i will change the useraccount to username of client instead of IPPORT like default, it will create problems ?

- With the use of this script, now we can put all games with "Allways Start on CPU0" so it will be sort automatically on all cores (HL games included) ?

 

I think there is my questions at the moment.

 

Regards,

[dimitrifrom31]

I have tested it manually on one gameserver and have a few questions about the using of this script:

 

- If there isn't one uninnstall script, once a new server is created with the same useraccount (on this case the same IPPORT) it will update the files and path to the new localization ?

- I think i will change the useraccount to username of client instead of IPPORT like default, it will create problems ?

- With the use of this script, now we can put all games with "Allways Start on CPU0" so it will be sort automatically on all cores (HL games included) ?

 

I think there is my questions at the moment.

 

Regards,

 

theres no uninstall script cuz the windows user files are less than 1Mb and when a server is created using an old username it will just use the old windows user files.

 

I used to have uninstall script but the windows user files could not get all deleted without rebooting machine so at the end you had tons of user files. Better not uninstall at all.

 

You can choose anything than ip_port however it has to be unique combo.

 

 

CPU affinity has nothing to do with this, most (recent) games bind to all cores without problem

[strikeR-]

Ok,

 

My question about CPU affinity is about the old HL games, like CS 1.6, etc... With this use of one user to one service it will bind to all cores or will still the same?

 

Actually I have to change manually that services one by one to specific cores.

 

Regards,

[dimitrifrom31]

as I said those are 2 different things so you gota manually edit still

[strikeR-]

Hmm,

 

Do you have something to put that working automatically or is impossible to do it ?

 

Regards,

[dimitrifrom31]

what if u tick always start on cpu 0 in game config

[Drakar]

Hello Dimitri:

 

Have you tested rfactor with a normal user? First I tried it with your script without luck, now I am trying directly like an user in windows and I don't get that the rfactor server read the profiles. If I grant like administrator the user that you create then I get that runs fine.

 

Any idea?

 

I have the userfiles and services with total permission.

 

You have done an excelent job with the script. Thank you.

[dimitrifrom31]

Hello Dimitri:

 

Have you tested rfactor with a normal user? First I tried it with your script without luck, now I am trying directly like an user in windows and I don't get that the rfactor server read the profiles. If I grant like administrator the user that you create then I get that runs fine.

 

Any idea?

 

I have the userfiles and services with total permission.

 

You have done an excelent job with the script. Thank you.

 

I have mentionned that somewhere (maybe even in the guide). I keep running rfactor under system account, if you figure out what permissions are required to run it as a simple user let me know.

[Drakar]

I am going to try to discover the problem.

 

A lot of people ask to put dlls like hotlaps, liveviews and so on and it will be perfect running under simple user.

 

Thank you for your repuly Dimitri

[dimitrifrom31]

I got hotlaps preinstalled by default with every server :

http://188.165.211.87:26012/rFactorHotlaps

[Drakar]

I install the same hotlaps like secondary application, I think that it is a good way. Do you install with rfactor directly?

 

The customers usually ask more like webview with IIS and I am deciding now if put it or not.

 

I don't like that these plugins usually are services o require installations, it looks that the programmers don't think that we are here.