I have a cluster resource of type "File Share", but when I try to configure the "security" parameter I get the following error (excerpt):
Set-ClusterParameter : Parameter 'security' does not exist on the cluster object
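With cluster.exe I get a better result, in that there is usually no output when a command has worked. But when I check in Failover Cluster Manager, the permissions have not changed. In Server 2003, the cluster.exe method worked.
Any ideas?
Update:
The entire command and error.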
PS C:\> $resource=get-clusterresource testshare
PS C:\> $resource
Name State Group ResourceType
---- ----- ----- ------------
testshare Offline Test File Share
PS C:\> $resource|set-clusterparameter security "domain\account,grant,f"
Set-ClusterParameter : Parameter 'security' does not exist on the cluster object 'testshare'. If you are trying to upda
te an existing parameter, please make sure the parameter name is specified correctly. You can check for the current par
ameters by passing the .NET object received from the appropriate Get-Cluster* cmdlet to "| Get-ClusterParameter". If yo
u are trying to update a common property on the cluster object, you should set the property directly on the .NET object
received by the appropriate Get-Cluster* cmdlet. You can check for the current common properties by passing the .NET o
bject received from the appropriate Get-Cluster* cmdlet to "| fl *". If you are trying to create a new unknown paramete
r, please use -Create with this Set-ClusterParameter cmdlet.
At line:1 char:31
+ $resource|set-clusterparameter <<<< security "domain\account,grant,f"
+ CategoryInfo : NotSpecified: (:) [Set-ClusterParameter], ClusterCmdletException
+ FullyQualifiedErrorId : Set-ClusterParameter,Microsoft.FailoverClusters.PowerShell.SetClusterParameterCommand
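Answer 1
I have found an answer that is easy to use and obvious. It is so simple that one might not believe it is a Microsoft solution.
$permissions is an array of permissions containing an account (domain\user), a permission (fullcontrol), and a type (allow).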
# create access rule based on permissions
$rule = new-object system.security.accesscontrol.filesystemaccessrule $permissions
# get an acl, remove access rules, add our rule
$acl = get-acl "c:\" # need to get acl from root of drive to avoid inheritance
$acl.access | foreach-object {$acl.removeaccessrule($_)}
$acl.setaccessrule($rule)
# get security descriptor from acl and convert to binary security descriptor
$sddl = $acl.sddl
$sdhelper = [wmiclass]"win32_securitydescriptorhelper"
$binarysd = ($sdhelper.sddltobinarysd($sddl)).binarysd
# get cluster resources from registry
$resources = get-childitem "hklm:\cluster\resources"
# ...with paths that powershell will understand
$resources = $resources | foreach-object {$_.pspath}
# find clustershare resource path
$resource = $resources | where-object {(get-itemproperty $_ name).name -eq $clustershare}
# derive path to resource parameters
$parameters = "$resource\parameters"
# configure security descriptor
set-itemproperty $parameters "security descriptor" $binarysd
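It really is that simple.
The only problem is that this applies to one node only and has to be repeated on every node. It does survive a failover (and when the share fails back to the node, the permissions set on that node reappear). Also, it only works for "full control", not for "read" or other permissions. No idea why.
I will not accept this as the answer, because it really isn't one. But it seems to be the closest thing to a solution for this problem, which did not exist at all in Windows Server 2003 (cluster.exe could set share permissions), and which Microsoft does not seem to have addressed anywhere.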
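A read-back check for the registry write in the answer above, as an added example that is not part of the original post: it decodes the bytes stored in the "security descriptor" value into one row per ACE, so what was actually written can be compared from node to node. The function name ConvertFrom-BinarySD and the sample SDDL string are constructed for illustration; the registry path and value name are the ones the answer uses, and reading the mask as FileSystemRights is an assumption that follows the answer's use of FileSystemAccessRule.

```powershell
# Added example (not from the original post): decode a binary security
# descriptor into readable ACEs. ConvertFrom-BinarySD is a hypothetical name.
function ConvertFrom-BinarySD {
    param([Parameter(Mandatory=$true)][byte[]]$Bytes)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Bytes, 0
    if ($null -eq $sd.DiscretionaryAcl) {
        # A missing DACL grants access to everyone, so flag it explicitly.
        Write-Warning 'Security descriptor has no DACL.'
        return
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # SID cannot be resolved: show it raw
        New-Object PSObject -Property @{
            Account = $who
            Type    = $ace.AceType
            Mask    = '0x{0:X}' -f $ace.AccessMask
            # Assumption: interpret the mask as FileSystemRights, as the answer does.
            Rights  = [Enum]::ToObject([System.Security.AccessControl.FileSystemRights], $ace.AccessMask)
        }
    }
}

# Constructed sample: built-in Administrators (BA) allowed full access (FA).
$sample = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList 'D:(A;;FA;;;BA)'
$bytes  = New-Object byte[] $sample.BinaryLength
$sample.GetBinaryForm($bytes, 0)
ConvertFrom-BinarySD $bytes | Format-Table Account, Type, Mask, Rights -AutoSize

# On a cluster node: read back what each resource actually has stored.
$root = 'hklm:\cluster\resources'
if (Test-Path $root) {
    Get-ChildItem $root | ForEach-Object {
        $name   = (Get-ItemProperty $_.PSPath name).name
        $params = Get-ItemProperty "$($_.PSPath)\parameters" -ErrorAction SilentlyContinue
        $value  = $params.'security descriptor'
        if ($value) {
            ConvertFrom-BinarySD $value |
                Select-Object @{n='Resource';e={$name}}, Account, Type, Mask, Rights
        }
    }
}
```

Running it on each node and comparing the rows shows whether the per-node writes the answer describes have left the nodes with different share ACLs.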