I was wondering how to Mint an NFT with Metaplex without doing MasterEdition. I want to do a simple edit with a supply of 1.
But in the Metaplex program, you have to call "CreateMasterEdition" and give the MaxSupply. And then call "MintNewEditionFromMasterEdition". However, when I go to Solsea for example and I mint an NFT, I don't have a master edition but a simple edition.
Is it possible to mint a sigle edition directly?
Do marketplaces such as Solsea mint a master edition, then create an edition from it and keep or burn the MasterEdition? I would like to understand.
A master edition serves as proof that the token is non-fungible.
In Solsea, the NFTs made don't have this information. The result is that when the token is viewed in explorer.solana you have "No Master Information". The advantage of having that Master Edition is that, as I've mentioned, it serves as proof that the token is an NFT.
Here is a Twitter thread that talks about not having a Master Edition.
And here is the only information I saw about editions in the Solsea docs.
OK, according to the Metaplex doc to make a "signle" edition I must create a MasterEdition with a supply of 0.
The existence of Metadata and its sister PDA MasterEdition makes a very powerful combination for a mint that enables the entire rest of the Metaplex contract stack. Now you can create:
Normal mints that just have names (Metadata but no MasterEdition)
One of a kind NFTs (Metadata + MasterEdition with max_supply of 0)
NFTs that can print limited edition child NFTs (Metadata + MasterEdition with max_supply of say 10)
NFTs that can print unlimited open edition NFTs (Metadata + MasterEdition with unlimited max_supply)
Related
I am running a windows 2016 server, we are running IIs 10 on it and i need to be able to assert if there is an AppPool setup before i deploy a website. If it doesn't exist i need setup the AppPool with a specific user and password.
All of this is done using a release agent through Azure Devops.
The agent is running as a NON-ADMIN, and i all accounts involved are running as NON-ADMIN. I have no intention at all to run any admin accounts, for security reasons i want to give least privildges to all accounts involved.
when i try to set up a AppPool using appcmd.exe i get the error msg:
KeySet does not exist.
When running everything as admin it works (and i have absolutely no intention in running any of this as admin).
What i have tried:
i have added the non-admin account to the IIS_IUSRS group.
Made sure that the user has read permissions to the file: 76944fb33636aeddb9590521c2e8815a_GUID in the %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys folder.
i have tried everything here: Error when you change the identity of an application pool by using IIS Manager from a remote computer
anyone that actually knows the cause of this problem?
UPDATE:
Microsoft clearly recommends that agents should be run using service accounts, which i am doing and i have no interest in giving build agents administrative rights to 1000s of servers when they clearly don't need that kind of powers actually. I want to restrict their powers to only be allowed to do what they need to do. I can't believe that giving everything admin is apparently the norm.
After a lot of googling, and i mean A LOT. I managed to solve this. And let me say, that it baffles me that "least privileged accounts" is not common practice in the Microsoft and windows world.
I found this excellent post by InfoSecMike locking down azure devops pipelines.
And we both have the exact same requirements and opinions on this topic.
You CLEARLY don't need admin rights to update IIs configurations (because that would be insane, right!?). The IIs configuration API does not care what rights you have, what you do need is access to certain files. But this is not documented. Microsoft themselves, just for simplicity, tells you that you need to be admin, and buries all the details really deep in documentation when this should be best practice. Also what amazes me is that no one questions it.
What you need is the following:
full access to C:\Windows\System32\inetsrv\Config
full acccess to C:\inetpub
read access to three keys in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\
6de9cb26d2b98c01ec4e9e8b34824aa2_GUID (iisConfigurationKey)
d6d986f09a1ee04e24c949879fdb506c_GUID (NetFrameworkConfigurationKey)
76944fb33636aeddb9590521c2e8815a_GUID (iisWasKey)
The 2 first bullet points can be obtained if you make sure your service account is a member of the group IIS_IUSRS.
This group will not give you access to the keys. You need to manually give read permissions to these 3 keys to the agent user.
If you don't give access to these keys you will get the obscure error message
Keyset does not exist ( exception from HRESULT : 0x8009000D)
Which is an incorrect error if you ask me as it should be an IllegalAccessException with proper reason telling you that you don't have access to read the key because the keys are there, they do exist (nice code microsoft, maybe you should open source this so we can fix).
I'll leave with this quote from infosecmike.
The goal was to lock down the permissions of the Azure Pipeline Agent {...}. I started Googling, pretty sure I would find a way to achieve this goal. I didn’t. It’s surprising to not find an answer about this. It seems like the principle of least privilege does not apply anymore in a devops world.
This is why i prefer Linux over Windows. This is a simple task there.
In odoo v10 Enterprise while trying to sync bank accounts for auto feed entries then getting following error.
Once your bank accounts are registered, you will be able to access your statements from the Accounting Dashboard. The available methods for synchronization are as follows.
Direct connection to your bank
Importing your statements in via a supported file format (QIF, OFX,
CODA or CSV format)
Manually enter your transactions using our fast recording interface
I would like to go with first one "Direct connection to your bank"
In that I am facing issue so I want to fix it.
Issue :
Problem Updating Account(507):We're sorry, Yodlee has just started providing data updates for this site, and it may take a few days to be
successful as we get started. Please try again later.
I botched a DC's AD / DNS pretty bad over the course of several years (of learning experiences) to the point where I could no longer join or leave the domain with clients. I have a NAS that used to plug into AD via SMB and that is how all the users (my family) used to access their files.
I have recreated my infrastructure configuration from scratch using Windows 2016 using best practices this time around. Is there any way to easily migrate those permissions to users in a new domain/forest (that are equivalent in value to the old one)?
Could I possibly recreate the SIDs / GUIDs of the new users to match the old? I'm assuming no because they have a Windows installation-unique generated string in there.
Could I possibly do this from the NAS side without having to go through each individual's files to change ownership?
Thank you.
One tool you can use to translate permissions from original SIDs to new SIDs is Microsoft's SubInACL
SubInACL will need from you information which old SID corresponds to which new SID or username and execute translation for all data on NAS server. For example like this
subinacl /subdirectories "Z:\*.*" /replace=S-1-5-1-2-3-4-5=NEWDOMAIN\newuser
How long it will take for translation to complete depends on number of files and folders, if it's tens of thousands expect hours.
There are also other tools like SetACL or PowerShell cmdlets Get-Acl/Set-Acl
You cannot recreate objects with original SIDs and GUIDs unless you're doing restore of the AD infrastructure or cloning/migrating original identities into new ones with original SID in sidHistory attribute.
So if you're already running domain controller with NAS in newly created forest and old one suffered from issues you wanted fixed that option would be probably much more painful and it's easier to go for SID translation.
I'm trying to use impersonation in my application to connect to user mailboxes and add/remove appointments.
I created an account called "EWSAdmin" and ran the following EMS commands on them:
New-ManagementScope -Name:"MyEWSImpersonation" -RecipientRestrictionFilter
{memberofgroup -eq "cn=My User Container,DC=MyDomain,DC=local"}
New-ManagementRoleAssignment -Name:"MyEWSImpersonation" -Role:ApplicationImpersonation
-User:"EWSAdmin#MyDomain.local" -CustomRecipientWriteScope:"MyEWSImpersonation"
Just to confuse the issue, I called my scope EWSImpersonation, too.
When I try to connect to the user's mailbox to view an appointment (Using a third party DLL), I get the following error:
Throwing GeneralException e=The account does not have permission to
impersonate the requested user.
If anybody could help me diagnose this, I'd appreciate it.
Thanks
Nick
We ran into this issue with a different cause, I want to share it here because when searching for the error message this post and a post on TechNet come up, but not the KB Articles that eventually helped us solve the issue.
It turns out that there is a limit to the amount of requests any windows server can do to Active Directory, at some point the NetLogon service just runs out of Threads and all kinds of things start to happen. The process is explained in this blog post and this KB article and this KB article, the fix is pretty simple, increase the number of threads available through a simple change to a Registry key on every CAS server in the Exchange cluster.
The process is simple:
Start Registry Editor.
Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Create the following registry entry:
Name: MaxConcurrentApi
Type: REG_DWORD
Value: Set the value to the larger number, which you tested (any number greater than the default value).
At a command prompt, run net stop netlogon, and then run net start netlogon.
Notes
The maximum value that can be configured depends on the operating system version and whether a hotfix is available.
The maximum configurable setting in Windows Server 2003 is 10.
The maximum configurable setting in Windows Server 2008 (without the hotfix in this article) is 10. With the hotfix, the maximum is 150.
The maximum configurable setting in Windows Server 2008 R2 (without the hotfix in this article) is 10. With the hotfix, the maximum is 150.
If you decide to increase the MaxConcurrentApivalue to greater than 10, the load and the performance of the desired setting should be tested in a nonproduction environment before you implement in production. This is recommended to make sure that increasing this value does not cause other resource bottlenecks.
I know almost nothing about "admin" side of setting up impersonation for EWS but maybe you can take a look at this article and compare your actions with what this guy did to make it work
http://www.thesoftwaregorilla.com/2010/06/exchange-web-services-example-part-3-exchange-impersonation/
in my company admin setup impersonation according to msdn and it works for me so I presume it can't be so hard and probably you missed some steps or maybe that 3rd party dll needs some additional magic.
link to msdn article in case you didn't know it: http://msdn.microsoft.com/en-us/library/bb204095.aspx
It would be nice to have an example for E2010 as it is not as easy as 2007.
Here is an example to creating EWS impersonation for a group. Any member of the group would be impersonated by the service account. Just add additional members to the group as requirements demand. Two steps...create the New Management scope and then the Role assignment.
New-ManagementScope “Scope Name” -RecipientRestrictionFilter {(MemberOfGroup -eq 'CN=group name,CN=Users,DC=Contoso,DC=com')}
New-ManagementRoleAssignment -Name “EWS ROLE NAME” -Role applicationimpersonation -User Domain\Service Account -CustomRecipientWriteScope “Scope Name”
Where “Scope Name” is the management scope created in step one.
If a password is stored with reversable encryption in Active Directory, how does an administrator/developer extract and decrypt this password?
Specifically, I'm referring to this setting.
The following series of blog posts explains some details:
Passwords stored using reversible encryption: how it works (part 1)
Passwords stored using reversible encryption: how it works (part 2)
The author of this blog, Niels Teusink, also made the source code of his tool RevDump available for download.
It goes without saying that reversible encryption should not be used globally and only in very exceptional cases.
Although Dirk's answer is correct, the RevDump tool only works on Windows Server 2003, as newer versions of Windows store the reversibly encrypted passwords in a different way. Therefore I have created a new tool that supports Windows Server 2008+.
Simplest usage example:
Get-ADReplAccount -SamAccountName April -Domain Adatum -Server LON-DC1
Sample output (partial):
DistinguishedName: CN=April Reagan,OU=IT,DC=Adatum,DC=com
Sid: S-1-5-21-3180365339-800773672-3767752645-1375
SamAccountName: April
SamAccountType: User
NTHash: 92937945b518814341de3f726500d4ff
SupplementalCredentials:
ClearText: Pa$$w0rd