Utegrad's questions

我正在研究一种为 AAD / O365 用户启用 MFA 的方法。我指的是 MS 文档中的这篇文章：

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates

如果我安装 MSOnline 模块，导入它，然后使用 PS 版本 5.1 连接 msolservice，它的工作原理与描述的一样。如果我尝试使用 PS 版本 6.2 执行此操作，我会得到：

Connect-MsolService : Could not load file or assembly 'System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'. The system cannot find the file specified.

这是因为 PS 6.2 是基于 .Net Core 构建的，并且它无法加载作为 MSOnline 模块一部分的早期版本 .Net 的库吗？

我真正追求的是一种为 AAD / O365 用户自动启用 MFA 的方法，我正在考虑使用带有 PowerShell 的 Azure Function App。这似乎是将它与我​​们的 ITSM 系统结合在一起的好方法，该系统调用通过 Function App 提供的网络挂钩。显然，要做到这一点，需要制定一些许可和安全元素。但是，如果我无法将 MSOnline 模块加载到 PS 6.2（可用作函数应用程序的 PS 平台），我认为使用 PowerShell 函数应用程序是行不通的。

我看不到在图形 API 中为 AAD 用户启用 MFA 的方法，但也许我遗漏了一些东西。除了 MSOnline PS 模块或 Web UI 之外，是否还有其他方法可以为 AzureAD 用户启用 MFA？

我一直在熟悉 Ansible 和 Puppet，它们可用作配置和配置管理工具。我可能不会误解 Anisble 的使用方式，但我认为 Ansible 确保定期重复配置一致的唯一方法是使用 cron 作业定期运行剧本，如果我想坚持社区来源。如果我购买 Ansible Tower，看起来我可以在那里安排剧本。

相比之下，当使用 Puppet 代理时，代理会定期与 Puppet Master 签入，如果发生变化而偏离 Puppet Master 上定义的内容，代理会将其放回 Puppet Master 上定义的内容。如果我不需要购买商业支持，我可以使用 Puppet 的社区版来做到这一点。

除了使用 cron 作业之外，购买和使用 Ansible Tower 是否是使用计划作业运行 Ansible playbook 的传统方式？

我希望有人能看到我做错了什么并提供帮助以运行 keepalived track_script。

我在主 keepalived 框的 vrrp_instance 上将优先级设置为 101，在故障转移框上设置为 100。断开网络或停止主盒子上的 keepalived 会导致 VIP 按预期转移到辅助盒子。

如果脚本要运行，如果脚本返回成功，我希望它将优先级添加 2。但是 atcpdump始终显示优先级不变。即使我设置了一个虚假的脚本定义，我也从来没有在 /var/log/messages 中看到任何关于它的脚本。停止 HAProxy 服务没有任何效果，我用脚本完成的其他测试表明它永远不会运行。

输出tcpdump：

172.18.8.2 > 224.0.0.18: vrrp 172.18.8.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 51, prio 101, authtype simple, intvl 1s, length 20, addrs: 172.18.8.4 auth "password"

这是keepalived配置：

global_defs {
   router_id BETAPROXYSLC01
}

vrrp_script chk_haproxy {
        script "killall -0 haproxy"
        interval 2
        weight 2
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 101
    advert_int 1
    notify /usr/local/bin/notify.sh
    authentication {
        auth_type PASS
        auth_pass password
    }
    virtual_ipaddress {
        172.18.8.4
    }
   track_script{
        chk_haproxy
    }
}

这是使用“-D -d”启动keepalived的日志：

Oct 15 11:50:31 BETAPROXYSLC01 systemd: Starting LVS and VRRP High Availability Monitor...
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived[2702]: Starting Keepalived v1.2.10 (06/10,2014)
Oct 15 11:50:31 BETAPROXYSLC01 systemd: Started LVS and VRRP High Availability Monitor.
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived[2703]: Starting Healthcheck child process, pid=2704
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived[2703]: Starting VRRP child process, pid=2705
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: Netlink reflector reports IP 172.18.8.2 added
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: Netlink reflector reports IP fe80::215:5dff:fe01:108 added
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: Registering Kernel netlink reflector
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: Registering Kernel netlink command channel
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: Opening file '/etc/keepalived/keepalived.conf'.
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: Configuration is using : 6133 Bytes
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: ------< Global definitions >------
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: Router ID = BETAPROXYSLC01
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: Smtp server connection timeout = 30
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: Email notification from = root@betaproxyslc01
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Netlink reflector reports IP 172.18.8.2 added
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Netlink reflector reports IP fe80::215:5dff:fe01:108 added
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Registering Kernel netlink reflector
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Registering Kernel netlink command channel
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Registering gratuitous ARP shared channel
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Opening file '/etc/keepalived/keepalived.conf'.
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Configuration is using : 63558 Bytes
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: ------< Global definitions >------
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Router ID = BETAPROXYSLC01
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Smtp server connection timeout = 30
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Email notification from = root@betaproxyslc01
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: VRRP IPv4 mcast group = 224.0.0.18
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: VRRP IPv6 mcast group = 224.0.0.18
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: SNMP Trap disabled
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: ------< VRRP Topology >------
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: VRRP Instance = VI_1
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Want State = BACKUP
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Runing on device = eth0
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Virtual Router ID = 51
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Priority = 101
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Advert interval = 1sec
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Authentication type = SIMPLE_PASSWORD
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Password = password
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Virtual IP = 1
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: 172.18.8.4/32 dev eth0 scope global
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Generic state transition script = '/usr/local/bin/notify.sh'
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: ------< VRRP Scripts >------
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: VRRP Script = chk_haproxy
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Command = /usr/local/bin/chk_haproxy
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Interval = 2 sec
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Timeout = 0 sec
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Weight = 2
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Rise = 1
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Fall = 1
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Status = INIT
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: Using LinkWatch kernel netlink reflector...
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: VRRP_Instance(VI_1) Entering BACKUP STATE
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: VRRP sockpool: [ifindex(2), proto(112), unicast(0), fd(10,11)]
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: VRRP IPv4 mcast group = 224.0.0.18
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: VRRP IPv6 mcast group = 224.0.0.18
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: SNMP Trap disabled
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: ------< SSL definitions >------
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: Using autogen SSL context
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: Using LinkWatch kernel netlink reflector...
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: VRRP_Instance(VI_1) forcing a new MASTER election
Oct 15 11:50:31 BETAPROXYSLC01 Keepalived_vrrp[2705]: VRRP_Instance(VI_1) forcing a new MASTER election
Oct 15 11:50:32 BETAPROXYSLC01 Keepalived_vrrp[2705]: VRRP_Instance(VI_1) Transition to MASTER STATE
Oct 15 11:50:33 BETAPROXYSLC01 Keepalived_vrrp[2705]: VRRP_Instance(VI_1) Entering MASTER STATE
Oct 15 11:50:33 BETAPROXYSLC01 Keepalived_vrrp[2705]: VRRP_Instance(VI_1) setting protocol VIPs.
Oct 15 11:50:33 BETAPROXYSLC01 Keepalived_vrrp[2705]: VRRP_Instance(VI_1) Sending gratuitous ARPs on eth0 for 172.18.8.4
Oct 15 11:50:33 BETAPROXYSLC01 avahi-daemon[510]: Registering new address record for 172.18.8.4 on eth0.IPv4.
Oct 15 11:50:33 BETAPROXYSLC01 Keepalived_healthcheckers[2704]: Netlink reflector reports IP 172.18.8.4 added
Oct 15 11:50:38 BETAPROXYSLC01 Keepalived_vrrp[2705]: VRRP_Instance(VI_1) Sending gratuitous ARPs on eth0 for 172.18.8.4

我可能不明白这应该如何工作，但我无法弄清楚为什么具有这个基本 vrrp_instance 的 BACKUP 系统会立即转换为 master 并且似乎永远不会尊重优先级。

为什么虚拟 IP 地址不会在备份系统都健康且在线时从备份系统中删除？

看起来两个系统都在广播 vrrp 广告。从tcpdump备份系统：

betaproxyslc01.fakecorp.com > vrrp.mcast.net: vrrp betaproxyslc01.fakecorp.com > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 150 , authtype simple, intvl 1s, length 20, >addrs: virtual-app .fakecorp.com auth "password" 15:52:24.541637 IP (tos 0xc0, ttl 255, id 1611, offset 0, flags [none], proto VRRP (112), length 40)

betaproxyslc02.fakecorp.com > vrrp.mcast.net: vrrp betaproxyslc02.fakecorp.com > vrrp.mcast.net: VRRPv2, Advertisement, vrid 51, prio 100, authtype simple, intvl 1s, length 20, >addrs: virtual-app .fakecorp.com auth "password" 15:52:25.410073 IP (tos 0xc0, ttl 255, id 1779, offset 0, flags [none], proto VRRP (112), length 40)

但是虚拟IP地址在两个主机上都显示了一个ip addr命令。

这是配置：

global_defs {
   notification_email {
   [email protected]
   }
   notification_email_from [email protected]
   smtp_server mysmtpserver.fakecorp.com
   smtp_connect_timeout 30
   router_id BETAPROXYSLC01
}

vrrp_script chk_haproxy{
   script "killall -0 haproxy"
   interval 2 # check every 2 seconds
   weight 2   # add 2 points of prio if OK
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1
    notify /usr/local/bin/notify.sh
    authentication {
        auth_type PASS
        auth_pass keep0ut!
    }
    virtual_ipaddress {
        10.10.0.40
    }
    track_script{
        chk_haproxy
    }
}

BACKUP服务器的router_id不同，状态为BACKUP，优先级为100。其他设置相同。

这是在 CentOS 7 上安装的，带有 Keepalived v1.2.10 (06/10,2014)，一个 Hyper-V 来宾 VM，具有 3.10.0-123.8.1.el7.x86_64 内核。