无需 CredSSP 即可复制文件的双跳访问权限 [英] Double hop access to copy files without CredSSP

问题描述

你好，

我们拥有包含数百个虚拟机的大型环境.在我们的服务部署期间，我们需要将一些文件从 build drop 复制到所有这些机器上.

We have large environment with hundreds of virtual machines. During our services deployment we need to copy some files from build drop to all these machines.

所以，我们有:

• 用户机器，部署脚本在其中执行
• 构建放置机器，文件所在的位置
• 目标机器

Powershell 用作脚本语言.类似的东西:

Powershell is used as script language. Something like:

$buildDrop     = "\\sourceMachine\Build"
$machineTarget = "targetMachine"

Invoke-Command -ComputerName $machineTarget -ArgumentList $buildDrop -ScriptBlock {
     Param( $buildDrop )
     Test-Path $buildDrop # Will return False
}

这种方法导致 双跳问题，由于 XP 和 2k3 机器不支持 CredSSP 功能，我无法解决该问题.并且在用户机器上调用的副本会导致性能瓶颈(数据通过用户机器传输).

This approach leads to double hop issue, which I'm not able to solve due to CredSSP feature is not supported on XP and 2k3 machines. And copy invoked on user machine leads to performance bottle neck (data travels through user machine).

有什么方法可以让所有目标机器始终可以看到构建删除?可能以某种方式将它们添加到受信任的位置或类似的东西?

Is there any way to make build drop always visible from all target machines? May be somehow add them to trusted location or something like this?

提前致谢！

推荐答案

我找到了适用于我们环境的解决方案.

I found solution which works in our environment.

在没有 Cred-SSP 的情况下无法通过双跳传输凭据，但您可以在没有第一跳的情况下在目标机器上运行某些东西.

It is not possible to transfer credentials through double hop without Cred-SSP, but you can run something on target machine without first hop.

最简单的方法是使用 psexec 和 -s 标志(在系统帐户中运行远程进程)，最终字符串是这样的:

The simplest way is to use psexec with -s flag (run remote process in the System account), final string was something like this:

psexec \\someHost -s robocopy "\\stagingHost\Staging" "\\someHost\C$\Staging" /MIR

你也可以用同样的方式启动一些 PS 脚本，只要确保 允许执行脚本 在远程机器上:

Also you can start some PS script in same way, just ensure that script execution is allowed on remote machine:

psexec \\someHost -s "\\stagingHost\Staging\Script.ps1" SomeArg1 SomeArg2

查看这篇文章，了解 psexec 的工作原理.在 someHost 上服务时

Check this article, to understand how psexec works. While service on someHost

这篇关于无需 CredSSP 即可复制文件的双跳访问权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！