【Question title】: Mixlib::ShellOut - Windows Impersonation fails
【Posted】: 2015-08-07 01:51:47
【Question description】:

I have a TeamCity project that builds binaries, uploads the cookbooks to the Chef Server and converges the nodes remotely over a Windows PowerShell session.

# Open a remote session to the node with the deployment credentials
$s = New-PSSession -ComputerName $nd -Credential $cred
$result = Invoke-Command -Session $s -ScriptBlock {
    cd c:\chef
    # %build.number% is substituted by TeamCity before the script runs
    chef-client --once -L client.%build.number%.log
    return $LastExitCode
}
Remove-PSSession $s

Everything works fine, until...
I need to run some binaries under different credentials:

require 'mixlib/shellout'

# Run cmd as another Windows account; on Windows this goes through CreateProcessAsUserW
shell = Mixlib::ShellOut.new(cmd, :user => username,
    :domain => domain, :password => password)
shell.run_command   # execute the command and capture stdout/stderr
shell.error!        # raise if the exit status is non-zero

Then I get the following error:

[2015-08-06T14:17:13+02:00] DEBUG: Re-raising exception: Errno::NOERROR - idm_is3cli[configure_clients_and_scopes] (idm::is3cli line 30) had an error: Errno::NOERROR: No error - CreateProcessAsUserW (You must hold the 'Replace a process level token' permission)
C:/opscode/chef/embedded/lib/ruby/gems/2.0.0/gems/mixlib-shellout-2.1.0-universal-mingw32/lib/mixlib/shellout/windows/core_ext.rb:310:in `create'
    C:/opscode/chef/embedded/lib/ruby/gems/2.0.0/gems/mixlib-shellout-2.1.0-universal-mingw32/lib/mixlib/shellout/windows.rb:86:in `run_command'
    C:/opscode/chef/embedded/lib/ruby/gems/2.0.0/gems/mixlib-shellout-2.1.0-universal-mingw32/lib/mixlib/shellout.rb:259:in `run_command'
    c:/chef/cache/cookbooks/idm/providers/is3cli.rb:23:in `block in class_from_file'
    C:/opscode/chef/embedded/apps/chef/lib/chef/provider/lwrp_base.rb:160:in `instance_eval'
    C:/opscode/chef/embedded/apps/chef/lib/chef/provider/lwrp_base.rb:160:in `block in action'
    C:/opscode/chef/embedded/apps/chef/lib/chef/provider.rb:144:in `run_action'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource.rb:586:in `run_action'
    C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:49:in `run_action'
    C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:81:in `block (2 levels) in converge'
    C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:81:in `each'
    C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:81:in `block in converge'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/resource_list.rb:83:in `block in execute_each_resource'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:116:in `call'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:116:in `call_iterator_block'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:104:in `iterate'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
    C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/resource_list.rb:81:in `execute_each_resource'
    C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:80:in `converge'
    C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:654:in `block in converge'
    C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:649:in `catch'
    C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:649:in `converge'
    C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:688:in `converge_and_save'
    C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:269:in `run'
    C:/opscode/chef/embedded/apps/chef/lib/chef/application.rb:252:in `run_with_graceful_exit_option'
    C:/opscode/chef/embedded/apps/chef/lib/chef/application.rb:229:in `block in run_chef_client'
    C:/opscode/chef/embedded/apps/chef/lib/chef/local_mode.rb:39:in `with_server_connectivity'
    C:/opscode/chef/embedded/apps/chef/lib/chef/application.rb:212:in `run_chef_client'
    C:/opscode/chef/embedded/apps/chef/lib/chef/application/client.rb:375:in `run_application'
    C:/opscode/chef/embedded/apps/chef/lib/chef/application.rb:60:in `run'
    C:/opscode/chef/embedded/apps/chef/bin/chef-client:26:in `<top (required)>'
    C:/opscode/chef/bin/chef-client:65:in `load'
    C:/opscode/chef/bin/chef-client:65:in `<main>'

Any ideas? Thanks.

【Question discussion】:

    Tags: powershell chef-infra


    【Solution 1】:

    Looks like you have to update Group Policy on that machine to give that account the ability to replace a process level token:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

    Description

    Determines which user accounts can start a process to replace the default token associated with a started subprocess. This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers.

    By default, only the LocalSystem account has this privilege.

    According to the MSDN documentation on privilege constants, this corresponds to the SE_ASSIGNPRIMARYTOKEN_NAME/SeAssignPrimaryTokenPrivilege privilege. The Carbon PowerShell module has a Grant-Privilege function you can use to grant this privilege from the console. (Disclosure: I am the owner/maintainer of Carbon.)
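    To verify that the policy change from the answer actually landed on the node before re-running chef-client, the following added example (not part of the answer, and not Carbon's code) exports the local User Rights Assignment with the built-in secedit tool and lists the accounts that hold SeAssignPrimaryTokenPrivilege. The account name 'CORP\svc-chef' and the function name are assumptions; run it in an elevated session on the node itself.

```powershell
# Added example: audit who holds "Replace a process level token"
# (SeAssignPrimaryTokenPrivilege) in the effective local security policy.
function Get-AssignPrimaryTokenHolders {
    [CmdletBinding()]
    param(
        # Optional account to check explicitly, e.g. 'CORP\svc-chef' (assumed name)
        [string]$Account
    )

    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the local policy.
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }

        # The exported .inf contains a line such as:
        #   SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^SeAssignPrimaryTokenPrivilege\s*=' } |
            Select-Object -First 1
        if (-not $line) { return @() }   # no explicit grants in the local policy

        $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                # Entries prefixed with '*' are SIDs; resolve them to DOMAIN\Name.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $entry.Substring(1) }   # orphaned SID: keep the raw value
            } else {
                $entry                          # already a plain account name
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }

    if ($Account) {
        # Direct grants only; a right inherited through a group is not detected here.
        $has = @($holders) -contains $Account
        Write-Host ("{0} holds SeAssignPrimaryTokenPrivilege directly: {1}" -f $Account, $has)
    }
    return $holders
}

# Check the account chef-client runs as (assumed to be the current user here)
Get-AssignPrimaryTokenHolders -Account "$env:USERDOMAIN\$env:USERNAME"
```

    User rights are stamped into an access token at logon, so a session that was opened before the grant keeps failing until the account logs on again.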

    【Discussion】:

    • For domain accounts, adding SeAssignPrimaryTokenPrivilege does not work in some cases. If I connect as a local user I can run code under different credentials, but I could not get it to work when invoking chef-client as a domain user.