Creating an SMB DSC pull server

As we covered at the beginning of this chapter, creating an SMB DSC pull server is much easier than creating an HTTPS DSC pull server, and this section and the next will show why: an SMB share has far fewer moving parts and fewer decisions to make. The core decisions are the account you grant full access to the share (the one that publishes MOFs), the account you grant read access to the share (the one that pulls them), and the location of the share. Easier does not mean less sensitive, though: whoever can read the share can read every MOF placed in it, and SMB does not encrypt traffic unless you enable it, so the two access choices are security decisions as much as convenience ones. In the following example, we use the Administrator account for full access, but in production you will most likely use a dedicated service account created for this purpose.

The account for read access needs to be the computer account of the target node, because the Local Configuration Manager runs as Local System and uses the machine identity when it reads the DSC configuration MOFs placed in the share. You specify it as the domain-qualified computer name with the trailing $, as follows:

ReadAccess = 'DomainName\Target-Node-Name$'

Listing every node this way quickly becomes awkward to keep up to date across a large number of nodes. If you are in an AD environment, you can instead grant the group that contains all domain-joined computers, as follows:

ReadAccess = 'DomainName\Domain Computers'

Be aware of what that trades away: Domain Computers lets every machine in the domain read every MOF in the share, including configuration details meant for other nodes. A dedicated group containing only the pull clients is the tighter choice.

However you choose to give permission, the following DSC configuration script will provision the SMB DSC pull server for you:

configuration SMBDSCPullServer
{
    Import-DSCResource -ModuleName PSDesiredStateConfiguration
    Import-DSCResource -ModuleName xSmbShare
    # cNtfsPermissionEntry ships in the cNtfsAccessControl module, not xNtfsAccessControl
    Import-DSCResource -ModuleName cNtfsAccessControl

    Node $AllNodes.Where({ $_.Roles -contains 'PullServer' }).NodeName
    {
        # The folder that backs the share
        File SmbShareFolder {
            DestinationPath = $Node.SmbSharePath
            Type            = 'Directory'
            Ensure          = 'Present'
        }

        # Share-level ACL: publisher gets Full, pull clients get Read only.
        # Access-based enumeration hides entries a caller cannot read.
        xSmbShare CreateSmbShare {
            Name                  = 'DscSmbShare'
            Path                  = $Node.SmbSharePath
            FullAccess            = $Node.SmbAccountNameFullAccess
            ReadAccess            = $Node.SmbAccountNameReadAccess
            FolderEnumerationMode = 'AccessBased'
            Ensure                = 'Present'
            DependsOn             = '[File]SmbShareFolder'
        }

        # NTFS ACL: the effective permission is the intersection of share and
        # NTFS rights, so the pull clients also need ReadAndExecute on disk.
        cNtfsPermissionEntry SmbSharePermission {
            Ensure                   = 'Present'
            Path                     = $Node.SmbSharePath
            Principal                = $Node.SmbAccountNameReadAccess
            AccessControlInformation = @(
                cNtfsAccessControlInformation {
                    AccessControlType  = 'Allow'
                    FileSystemRights   = 'ReadAndExecute'
                    Inheritance        = 'ThisFolderSubfoldersAndFiles'
                    NoPropagateInherit = $false
                }
            )
            DependsOn = '[File]SmbShareFolder'
        }
    }
}

All of this looks remarkably similar to any DSC configuration script we have done so far. As we keep seeing with DSC, this is explicitly on purpose. These standard ways of expressing the state of a target node allow you to apply the knowledge you gained from deploying one piece of software or system to any piece of software or system. There are a few other ways to assign permissions using DSC Resources, and you can choose the DSC Resource or method that works in your environment.

Keeping with the theme of separating our configuration data from our execution script, we have saved the configuration data in a separate file:

$configData = @{
    AllNodes = @(
        @{
            NodeName             = '*'
            RefreshMode          = 'PULL'
            ConfigurationMode    = 'ApplyAndAutocorrect'
            AllowModuleOverwrite = $true
            RebootNodeIfNeeded   = $true
        },
        @{
            NodeName                 = 'dsc-box1'
            Roles                    = @('PullServer')
            SmbSharePath             = 'C:\DscSmbShare'
            SmbAccountNameFullAccess = 'Administrator'
            SmbAccountNameReadAccess = 'myDomain\Contoso-Server$'
        },
        @{
            NodeName        = 'dsc-box2'
            Roles           = @('Target')
            ConfigurationId = 'c19fbe22-b664-4a8a-a2a1-477f16ce9659'
            WebSiteFolder   = 'C:\testsite'
            IndexFile       = 'C:\testsite\index.html'
            WebSiteName     = 'TestSite'
            WebContentText  = '<h1>Hello World</h1>'
            WebProtocol     = 'HTTP'
            Port            = '80'
        }
    );
}
return $configData

Running this example is as simple as the following commands. The smb_pull_server.ps1 script holds the configuration shown above, so it is dot-sourced to define the SMBDSCPullServer function, which is then called with the configuration data to compile the MOF before Start-DscConfiguration applies it:

$dataScript = [IO.Path]::Combine($PSScriptRoot, 'smb_config_data.ps1')
$configData = & $dataScript
$pullServerMofDir = [IO.Path]::Combine($PSScriptRoot, 'SMBPullServer')

. C:\vagrant\smb_pull_server.ps1
SMBDSCPullServer -OutputPath $pullServerMofDir -ConfigurationData $configData
Start-DscConfiguration -Path $pullServerMofDir -Wait -Verbose -Force
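Once the configuration has been applied, it is worth verifying that the share ended up with only the principals you intended and that MOFs will not cross the wire in the clear. The following script is an added example and is not part of the book's code: it audits the share ACL and the NTFS ACL of DscSmbShare against an allow-list and turns on SMB 3 encryption for the share. The share name and path come from the configuration data above; the allow-list entries (myDomain\Administrator, myDomain\Contoso-Server$) are assumed values that you would replace with the principals you actually chose.

```powershell
# Added example (not from the book): audit the DSC SMB share after
# Start-DscConfiguration has run, then enable SMB encryption on it.
# Assumes the share name/path from the configuration data above; the
# allow-list below is hypothetical and must match your own choices.
param(
    [string]$ShareName = 'DscSmbShare',
    [string]$SharePath = 'C:\DscSmbShare',
    # Every principal that may legitimately appear in the share or NTFS ACL.
    [string[]]$AllowedPrincipals = @(
        'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM',
        'myDomain\Administrator',    # full access: publishes MOFs (use a service account in production)
        'myDomain\Contoso-Server$'   # read access: the target node's computer account
    )
)

$problems = New-Object System.Collections.Generic.List[string]

# 1. Share-level ACL: no unexpected principals, and computer accounts get Read only.
foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
    if ($AllowedPrincipals -notcontains $ace.AccountName) {
        $problems.Add("Share ACL: unexpected principal '$($ace.AccountName)' has $($ace.AccessRight)")
    }
    if ($ace.AccountName -like '*$' -and $ace.AccessRight -ne 'Read') {
        $problems.Add("Share ACL: computer account '$($ace.AccountName)' has $($ace.AccessRight), expected Read")
    }
}

# 2. NTFS ACL: broad groups would let any domain machine read every node's MOF.
#    Inherited entries count too, because a folder under C:\ normally inherits
#    a Read ACE for BUILTIN\Users that the DSC configuration above never removes.
$broadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
foreach ($ace in (Get-Acl -Path $SharePath).Access) {
    $id = $ace.IdentityReference.Value
    if ($broadGroups -contains $id -or $id -like '*\Domain Computers') {
        $problems.Add("NTFS ACL: broad principal '$id' has $($ace.FileSystemRights) (inherited: $($ace.IsInherited))")
    }
    elseif (-not $ace.IsInherited -and $AllowedPrincipals -notcontains $id) {
        $problems.Add("NTFS ACL: unexpected explicit principal '$id' has $($ace.FileSystemRights)")
    }
}

# 3. Transport: SMB encryption is off by default; enable it so MOF contents
#    are not readable by anyone sniffing the segment between node and share.
$share = Get-SmbShare -Name $ShareName
if (-not $share.EncryptData) {
    Set-SmbShare -Name $ShareName -EncryptData $true -Force
    Write-Verbose "Enabled SMB encryption on \\$env:COMPUTERNAME\$ShareName" -Verbose
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "$ShareName failed the ACL audit"
}
Write-Output "$ShareName: ACLs match the allow-list and SMB encryption is enabled"
```

Run it on the pull server after Start-DscConfiguration completes. The NTFS check is the one that usually fires: cNtfsPermissionEntry only adds an entry for the read principal, so whatever the folder inherits from its parent stays in place; if that is a problem for you, disable inheritance on the share folder (the cNtfsAccessControl module's cNtfsPermissionsInheritance resource does this declaratively) and re-run the audit.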