I have a TeamCity project that builds binaries, uploads a cookbook to the Chef Server, and converges the nodes remotely using a Windows PowerShell session.
$s = New-PSSession -ComputerName $nd -Credential $cred
$result = Invoke-Command -Session $s -ScriptBlock {
Cd c:\chef
chef-client --once -L client.%build.number%.log
return $LastExitCode
}
Remove-PSSession $s
Everything worked fine until... I needed to execute some binaries under different credentials:
shell = Mixlib::ShellOut.new(cmd, :user => username,
:domain => domain, :password => password)
shell.run_command
shell.error!
Then I get the following error:
[2015-08-06T14:17:13+02:00] DEBUG: Re-raising exception: Errno::NOERROR - idm_is3cli[configure_clients_and_scopes] (idm::is3cli line 30) had an error: Errno::NOERROR: No error - CreateProcessAsUserW (You must hold the 'Replace a process level token' permission)
C:/opscode/chef/embedded/lib/ruby/gems/2.0.0/gems/mixlib-shellout-2.1.0-universal-mingw32/lib/mixlib/shellout/windows/core_ext.rb:310:in `create'
C:/opscode/chef/embedded/lib/ruby/gems/2.0.0/gems/mixlib-shellout-2.1.0-universal-mingw32/lib/mixlib/shellout/windows.rb:86:in `run_command'
C:/opscode/chef/embedded/lib/ruby/gems/2.0.0/gems/mixlib-shellout-2.1.0-universal-mingw32/lib/mixlib/shellout.rb:259:in `run_command'
c:/chef/cache/cookbooks/idm/providers/is3cli.rb:23:in `block in class_from_file'
C:/opscode/chef/embedded/apps/chef/lib/chef/provider/lwrp_base.rb:160:in `instance_eval'
C:/opscode/chef/embedded/apps/chef/lib/chef/provider/lwrp_base.rb:160:in `block in action'
C:/opscode/chef/embedded/apps/chef/lib/chef/provider.rb:144:in `run_action'
C:/opscode/chef/embedded/apps/chef/lib/chef/resource.rb:586:in `run_action'
C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:49:in `run_action'
C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:81:in `block (2 levels) in converge'
C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:81:in `each'
C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:81:in `block in converge'
C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/resource_list.rb:83:in `block in execute_each_resource'
C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:116:in `call'
C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:116:in `call_iterator_block'
C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:104:in `iterate'
C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
C:/opscode/chef/embedded/apps/chef/lib/chef/resource_collection/resource_list.rb:81:in `execute_each_resource'
C:/opscode/chef/embedded/apps/chef/lib/chef/runner.rb:80:in `converge'
C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:654:in `block in converge'
C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:649:in `catch'
C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:649:in `converge'
C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:688:in `converge_and_save'
C:/opscode/chef/embedded/apps/chef/lib/chef/client.rb:269:in `run'
C:/opscode/chef/embedded/apps/chef/lib/chef/application.rb:252:in `run_with_graceful_exit_option'
C:/opscode/chef/embedded/apps/chef/lib/chef/application.rb:229:in `block in run_chef_client'
C:/opscode/chef/embedded/apps/chef/lib/chef/local_mode.rb:39:in `with_server_connectivity'
C:/opscode/chef/embedded/apps/chef/lib/chef/application.rb:212:in `run_chef_client'
C:/opscode/chef/embedded/apps/chef/lib/chef/application/client.rb:375:in `run_application'
C:/opscode/chef/embedded/apps/chef/lib/chef/application.rb:60:in `run'
C:/opscode/chef/embedded/apps/chef/bin/chef-client:26:in `<top (required)>'
C:/opscode/chef/bin/chef-client:65:in `load'
C:/opscode/chef/bin/chef-client:65:in `<main>'
Any ideas? Thanks.
Answer 0 (score: 1)
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
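Description
Determines which user accounts can initiate a process to replace the default token associated with a started subprocess. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.
By default, only the LocalSystem account has this privilege.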
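According to the MSDN documentation on privilege constants, this is equivalent to the SE_ASSIGNPRIMARYTOKEN_NAME / SeAssignPrimaryTokenPrivilege privilege. The Carbon PowerShell module has a Grant-Privilege function that you can use to grant this privilege from the console. (Disclosure: I am the owner/maintainer of Carbon.)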
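
One way to apply the grant described in the answer above, as an added example that is not part of the original answer or of the Carbon project's own documentation. It assumes the Carbon module is installed on the node and uses `EXAMPLE\svc-chef` as a placeholder for the account that chef-client runs under.

```powershell
# Added example. Run from an elevated PowerShell console on the node.
# Assumption: the Carbon module is installed and importable.
Import-Module Carbon

# Placeholder: replace with the account chef-client actually runs as.
$identity  = 'EXAMPLE\svc-chef'

# Privilege name from the answer; Carbon treats privilege names as case-sensitive.
$privilege = 'SeAssignPrimaryTokenPrivilege'

# Grant only when missing, so the step is safe to repeat on every converge.
# Scope the grant to this one account rather than to a broad group:
# the right lets its holder start processes under a different token.
if (-not (Test-Privilege -Identity $identity -Privilege $privilege)) {
    Grant-Privilege -Identity $identity -Privilege $privilege
    Write-Host "Granted $privilege to $identity"
}
else {
    Write-Host "$identity already holds $privilege"
}

# Confirm what is now assigned to the account in local policy.
Get-Privilege -Identity $identity

# User rights are placed in the token at logon, so an existing session
# will not pick up the change. After the account logs on again (for
# example in a fresh New-PSSession), check its token from that session:
#   whoami /priv | Select-String $privilege
```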