Puppet: Adding multiple AD users to a local group

Time: 2017-03-13 08:38:08

Tags: puppet

I am trying to add multiple AD users to the Administrators group on Windows Server 2012, but it throws an error. If I specify only one user in the params.pp file, it works fine.

params.pp

# Defaults inherited by common::add_user_to_local_group
class common::params (
    $user_to_add = [
        'ad8\iisuser',
        'ad8\dbuser',
    ],
    $group_name = 'Administrators',
) {
}

add_user_to_local_group.pp

class common::add_user_to_local_group (
    $user_to_add = $common::params::user_to_add,
    $group_name  = $common::params::group_name,
) inherits common::params {
    $user_to_add.each |$user_name| {
        group { "Add $user_name to local group":
            ensure  => present,
            name    => $group_name,
            members => [ $user_name ],
        }
    }
}

Error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: {"message":"Server Error: Evaluation Error: Error while eval
uating a Resource Statement, Cannot alias Group[Add ad8\\dbuser to local group] to [\"Administrators\"] at /etc/puppetlabs/code/en
vironments/automation/modules/common/manifests/add_user_to_local_group.pp:6; resource [\"Group\", \"Administrators\"] already declared
at /etc/puppetlabs/code/environments/automation/modules/common/manifests/add_user_to_local_group.pp:6 at /etc/puppetlabs/code/environme
nts/automation/modules/common/manifests/add_user_to_local_group.pp:6:9 on node lab.ad8.com","issue_kind":"RUNTIME_ERROR","stacktrace
":["Warning: The 'stacktrace' property is deprecated and will be removed in a future version of Puppet. For security reasons, stacktrac
es are not returned with Puppet HTTP Error responses."]}

1 answer:

Answer 0: (score: 3)

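You are trying to circumvent resource uniqueness/multiple declarations by giving the two resources different titles, but resources must also have a unique namevar: https://docs.puppet.com/puppet/4.9/lang_resources.html#namenamevar. The namevar of the group resource is name, which, if not specified in the attributes, is aliased from the title (hence the error message output being what it is): https://docs.puppet.com/puppet/latest/type.html#group-attribute-name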

Therefore, when you declare two resources for
group { "Add $user_name to local group":
  ensure  => present,
  name    => $group_name,
  members => [ $user_name ],
}

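that have the same name attribute, as you do when iterating over the hash (because $group_name is the same for both), then you will throw a multiple declaration error. This is also why it works for you when you specify only one user, because then you have namevar uniqueness.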

To fix this, you need to have only one group resource that adds both users at the same time, rather than sequentially.

class common::add_user_to_local_group (
  $user_to_add = $common::params::user_to_add,
  $group_name  = $common::params::group_name,
) inherits common::params {
  group { $group_name:
    ensure  => present,
    members => $user_to_add,
  }
}

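I would also suggest pluralizing the word "user" for clarity ($user_to_add -> $users_to_add). Another improvement could be to allow passing multiple groups and iterating over a hash of those groups with their associated members, but you can decide that for yourself.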
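
The multi-group variant mentioned at the end of the answer, as an added example that is not part of the original post. The class name `common::local_group_members`, the `$group_members` and `$authoritative` parameters, and the sample `Users` entry are hypothetical. Each hash key becomes the resource title, so every group resource keeps a unique namevar.

```puppet
# Added example (not from the original post). The class name, both
# parameters and the sample 'Users' entry are hypothetical.
class common::local_group_members (
  # Map of local group name => AD accounts that must be members.
  Hash[String[1], Array[String[1]]] $group_members = {
    'Administrators' => ['ad8\iisuser', 'ad8\dbuser'],
    'Users'          => ['ad8\iisuser'],
  },
  # false: only add the listed accounts.
  # true:  treat the list as complete and remove unlisted members.
  Boolean $authoritative = false,
) {
  $group_members.each |String $group_name, Array $members| {
    # Hash keys are unique, so each title (and therefore each namevar)
    # is declared exactly once, however many users a group receives.
    group { $group_name:
      ensure          => present,
      members         => $members,
      auth_membership => $authoritative,
    }
  }
}
```

With `$authoritative` set to `true`, Puppet removes every member of the group that is not in the list, so the list for `Administrators` must name every account that is meant to keep administrative access.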