rumplesmyboy's questions

我试图像这样将一行回显到 sudoers 文件中，但我无法找出该特定命令所需的正确语法。

gwconfig:
  cmd.run:
    {% if grains['ip4_gw'] == '192.168.1.1' %}
    - name: echo "%account_name ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
    {% elif grains['ip4_gw'] == '192.168.1.2' %}
    - name: echo "not working" >> /tmp/gwtest.txt
    {% endif %}

这失败了

渲染 SLS 'base:linux.oshardening' 失败：此处不允许映射值；12号线

我可以手动运行这个命令，它工作得很好。

如果我将 sudoers 行替换为类似这样的其他内容，那么也可以正常工作：

gwconfig:
  cmd.run:
    {% if grains['ip4_gw'] == '192.168.1.1' %}
    - name: echo "working" >> /tmp/gwtest.txt
    {% elif grains['ip4_gw'] == '192.168.1.2' %}
    - name: echo "not working" >> /tmp/gwtest.txt
    {% endif %}


vmname:
    ----------
    gwconfig:
        ----------
        __env__:
            base
        __sls__:
            linux.test
        cmd:
            |_
              ----------
              name:
                  echo "working" >> /tmp/gwtest.txt
            - run
            |_
              ----------
              order:
                  10000

我已启用 winrm，禁用防火墙，启用远程处理，winrm 的 GPO，启用 SMBv1 并首先完成更新作为故障排除，但我仍然收到错误。我也可以ping DC。

我得到的错误是：

Add-Computer: Computer "server2019' failed to join domain 'dev.domain.com' from its current workgroup 'WORKGROUP' with following error message: An internal error occurred.
At line:1 char:1
Add-Computer -DomainName dev.domain.com -OUPath "OU=$OU,dc=dev,dc=domain,dc=com" ...

CategorvInfo :Operation5topped: (server2019:5tring) [Add-Computer]
. InvalidoperationException
+ FullvOualifiedErrorId:FailToJoinDomainFromworkgroup,Microsoft.PowerShell.Commands.AddComputerCommand

这是我的脚本中执行连接的部分：

     [String]$OU,
     [PSCredential]$Credential
     )
    
 $ErrorActionPreference="SilentlyContinue"
 Stop-Transcript | out-null
 $ErrorActionPreference = "Continue"
    
    
 if ([Environment]::UserInteractive) {
     if (!$OU) { $OU = Read-Host "Enter Resource Pool Name (exactly as appears in vCenter inventory)" }
     if (!$Credential) { $Credential = Get-Credential -Message "Enter dev domain credentials" }
 }
    
 # Add Computer to Dev domain
    
 try {
     Add-Computer -DomainName dev.domain.com -OUPath "OU=$OU,dc=dev,dc=domain,dc=com" -ErrorAction stop -Credential $Credential
     }
 catch {
     Write-Warning "Failed to join to domain."
         Read-Host -Prompt "Press Enter to exit"
     Throw $_
     }

PS C:\Windows\ system32> nltest.exe/dsgetdc:dev.domain.com
DC: \\devad02.dev.domain.com
Address: \\10.1.214.29
Do Guid: ae3bef55-dd18-4598-b809-2058516e6abl
Dom Name: dev.domain.com
Forest Name: dev.domain.com
De Site Name: SITE
Our Site Name: SITE
Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRE
TWS D5_8 D5_9 D5_10 0x20000
The command completed successfully

编辑：服务器管理器显示 NetJoin 的错误事件，它给出了错误代码 1359 我尝试运行：

nltest /dclist:MYDOMAIN并得到： You don't have access to DsBind to dev.domain.com

我也尝试运行：nltest /server:UserSyncServer /sc_reset:domain\devdc并得到：I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE

如何在 CloudFormation 模板中引用现有的 EC2 安全组，而不必设置入口和出口规则？

   Resources:
      EC2Instance:
        Type: AWS::EC2::Instance
        Properties:
          InstanceType:
            Ref: InstanceType
          SecurityGroups:
          - Ref: InstanceSecurityGroup
          KeyName:
            Ref: KeyName
          ImageId:
            Fn::FindInMap:
            - AWSRegionArch2AMI
            - Ref: AWS::Region
            - Fn::FindInMap:
              - AWSInstanceType2Arch
              - Ref: InstanceType
              - Arch
      InstanceSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          GroupDescription: Existing Groups
          SecurityGroupIds:
          - Ref: sg-12345
          - Ref: sg-12312

  SecurityGroupIngress:
  - IpProtocol: tcp
    FromPort: 80
    ToPort: 80
    CidrIp: 0.0.0.0/0
  SecurityGroupEgress:
  - IpProtocol: tcp
    FromPort: 80
    ToPort: 80
    CidrIp: 0.0.0.0/0

此时是否只是正常的 Linux 用户创建？

我已将 NAT 和堡垒设置为使用 SSH 转发登录：

ssh -A ec2-user@bastionhost
ssh ec2-user@privateSubnetServer

此时在私有子网中的主机之间处理 ssh 和用户的最佳方法是什么？

此时我无法设置或连接到目录服务。