windows - Double hop access to copy files without CredSSP

Hello,

We have a large environment with hundreds of virtual machines. During our services deployment we need to copy some files from the build drop to all these machines.

So, we have:

  • User machine, where the deployment scripts are executed
  • Build drop machine, where the files are
  • Target machine

PowerShell is used as the scripting language. Something like:

$buildDrop     = "\\sourceMachine\Build"
$machineTarget = "targetMachine"

Invoke-Command -ComputerName $machineTarget -ArgumentList $buildDrop -ScriptBlock {
     Param( $buildDrop )
     Test-Path $buildDrop # Will return False
}

This approach leads to the double-hop issue, which I'm not able to solve because the CredSSP feature is not supported on XP and 2k3 machines. And a copy invoked on the user machine leads to a performance bottleneck (data travels through the user machine).

Is there any way to make the build drop always visible from all target machines? Maybe somehow add them to a trusted location or something like this?

Thanks in advance!


1 Answer


I found a solution which works in our environment.

It is not possible to transfer credentials through a double hop without CredSSP, but you can run something on the target machine without the first hop.

The simplest way is to use psexec with the -s flag (run the remote process in the System account); the final string was something like this:

psexec \\someHost -s robocopy "\\stagingHost\Staging" "\\someHost\C$\Staging" /MIR

Also, you can start some PS script in the same way; just ensure that script execution is allowed on the remote machine:

psexec \\someHost -s "\\stagingHost\Staging\Script.ps1" SomeArg1 SomeArg2

Check this article, to understand how psexec works. While service on someHost
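
Added example, not part of the original answer: the psexec/robocopy command above fanned out over several targets, with robocopy's exit code interpreted per machine. The target list, the `Get-RobocopyStatus` helper and the `/R` and `/W` retry values are assumptions for illustration; it also assumes psexec.exe is on the PATH of the user machine, PowerShell 3.0 or later there, and that the staging share grants read access to the target computer accounts, because a process running as System authenticates to the network as the machine account.

```powershell
# Added example: host names and share paths are placeholders taken from the
# answer's sample command; adjust them to the real environment.
$stagingShare = '\\stagingHost\Staging'        # build drop share
$targets      = @('someHost', 'someHost2')     # hypothetical target list

function Get-RobocopyStatus {
    # Robocopy exit codes are bit flags: 0 = nothing to copy, 1-7 = success
    # with changes, 8 and above = at least one copy failure, 16 = fatal error.
    param([int]$ExitCode)
    if ($ExitCode -lt 0 -or $ExitCode -ge 16) { return 'Fatal' }
    if ($ExitCode -ge 8)                      { return 'Failed' }
    if ($ExitCode -eq 0)                      { return 'NoChange' }
    return 'OkWithChanges'
}

$results = foreach ($target in $targets) {
    # Same destination form as in the answer: the target's own C$ share.
    $destination = "\\$target\C`$\Staging"

    # -s runs robocopy as System on the target, so the copy goes straight
    # from the staging host to the target and no user credential is delegated.
    # Out-Host keeps psexec/robocopy output out of $results.
    & psexec.exe "\\$target" -accepteula -s robocopy $stagingShare $destination /MIR /R:2 /W:5 |
        Out-Host

    # A code below 8 only proves success if psexec actually started robocopy,
    # so keep the console output for any host that looks suspicious.
    [pscustomobject]@{
        Target   = $target
        ExitCode = $LASTEXITCODE
        Status   = Get-RobocopyStatus -ExitCode $LASTEXITCODE
    }
}

# Summary, then the hosts that need attention.
$results | Format-Table -AutoSize
$results | Where-Object { $_.Status -in 'Failed', 'Fatal' }
```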

