mac how to get local admin access to fp7-Files using external authentication

[bernriegeth]

Hi

 

I received the task for a Filemaker 11 migration without having worked with this system before.

The databases are running on a Filemaker Server Advanced 11 whith external authentication to our OD, which is running on a Mac OS X Server (SnowLeopard).

The aim is to migrate the biggest filemaker database to another system, but to migrate the smaller databases as local files to a Windows System with local users only. The latter is the problem.

 

I have full admin rights on the Mac OS X Server as well as on the OD, but I don't have the local filemaker account data (because the responsible person has left).

I'm logged into the Admin Console with an account which is member of the fmsadmin group.

 

But I don't get managed to login to the fp7 files with a local FM account. I tried different versions: closing down the database, copying over the fp7 file to another Mac or to a Windows system.

Within the Admin Console I cannot find any point for inserting new local users or changing passwords.There is only the possibility to insert an admingroup.

 

So my question is: how can I gain local admin access to the fp7-Files when only knowing the credentials of the OD accounts?

 

Bernhard

[Wim Decorte]

The admin console can not manage accounts in a FM file.  You need an account with a Full Access privilege set in the file itself to manage security in a file.

 

So someone needs to give you that account (username & pw) for the internal FM account, or for an OD account that has the Full Access privilege set.

Note that it is not considered best practice to use OD accounts for full access so that may not exist.

[bernriegeth]

Thanks for reply.

I already tried opening a file as an OD user in fsadmin group (this group has full privileges) - choose - > security -> add new local user with full privileges -> but the system does not accept my OD account for this change.

We're running FMS 11.0.3.

[Wim Decorte]

 

I already tried opening a file as an OD user in fsadmin group (this group has full privileges) 

 

How did you determine that it has full access privileges?  Because clearly it does not judging by you not being able to log in...

 

The fmsadmin group is only there for the FMS processes and access to the admin console, membership in that group does NOT let you into any of the hosted FM files.

(if it did, you could not trust any cloud hosted FM provider!)

[bernriegeth]

I didn't manage to attach a screenshot, but I can open a FM database with my account (member of fmsadmin), go to Security and lookup the accounts. It says:

 

Admin - Filemaker - full access

fmsadmin - external server - full access

fmsuser - external server - data access

 

I can add another admin account, but then I'm prompted for a password and my account is not permitted to save this change.

[Wim Decorte]

 

 

I can add another admin account, but then I'm prompted for a password and my account is not permitted to save this change.

 

When the file is hosted or when the file is local?

 

If the file is not hosted then External Authentication does not work and you need a local FM account.  Basically you need the pw to the "Admin" account listed in your list.

The easies way to get there is to open the hosted file and either add a new FM account with Full Access privileges, or reset the pw for that Admin account, and then download the file again.

[bernriegeth]

You wrote: Basically you need the pw to the "Admin" account listed in your list.

 

Well, that's exactly the problem I tried to explain - I don't have this PW of the "Admin" account as the responsible person has left. I only have the external accounts.

Probably we need some sort of password cracker for Filemaker....

[Wim Decorte]

Not really, what I described in my last paragraph explains how you can create a new FM (not EA) account with full access while the file is hosted.  Then you take the file off FMS and use that new FM account for full access.

[Shaan]

 

Probably we need some sort of password cracker for Filemaker....

 

Which is "freely" available. Will not mention it here in respect to the sensibilities of this forum.

[Wim Decorte]

No need to hide it, we're all well aware that they are out there.

 

Remember that these tools can not retrieve a pw, because the pw itself is not stored in the file, only a one-way hash of the pw is there.  What the tools do is brute-force their own hash in there, but since it is brute force it may actually damage your file.  It's been been known to happen.  So while it can be a last-ditch tool to open the file, I would never user it for more than being able to get the data out.  I would consider the file itself damaged and not good enough to keep around as the basis for further development.

 

Additionally, before you use a tool like that, make 1000% that the ownership of the file is established.  If there is an About layout in the file for instance that claims copyright to the developer then you may want to think twice about hacking it.