I'm trying to connect from Ubuntu 20.04 client to the MS SQL Server 2014 located on windows server 2012R2.
Realm joins and Kinit are fine.
# sudo realm discover org.internal --install=/
org.internal
type: kerberos
realm-name: ORG.INTERNAL
domain-name: org.internal
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U#org.internal
login-policy: allow-realm-logins
# kinit -V user#ORG.INTERNAL
Using default cache: /tmp/krb5cc_0
Using principal: user#ORG.INTERNAL
Password for user#ORG.INTERNAL:
Authenticated to Kerberos v5
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user#ORG.INTERNAL
Valid starting Expires Service principal
12/17/21 10:49:31 12/17/21 20:49:31 krbtgt/ORG.INTERNAL#ORG.INTERNAL
renew until 12/24/21 10:49:24
12/17/21 10:51:21 12/17/21 20:49:31 MSSQLSvc/ws2012r2:1433#ORG.INTERNAL
renew until 12/24/21 10:49:24
12/17/21 10:51:57 12/17/21 20:49:31 user#ORG.INTERNAL
renew until 12/24/21 10:49:24
12/17/21 10:52:30 12/17/21 20:49:31 MSSQLSvc/ws2012r2.org.internal:1433#ORG.INTERNAL
renew until 12/24/21 10:49:24
When I do sqlcmd, I got below error. Note if I specify username and password (sql authentication) it will work.
# sqlcmd -S 20.12.34.567
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : SSPI Provider: Server not found in Kerberos database.
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : Cannot generate SSPI context.
SPN is below
setspn -L user
Registered ServicePrincipalNames for CN=User ABC,CN=Users,DC=org,DC=internal:
MSSQLSvc/ws2012r2:1433
Any help is much appreciated!
One question here, I did generate a keytab file. However what's the command to tell SQL Server 2014 on windows server 2012r2 to use the keytab file?
Accessing the server via IP won't allows DNS name-based SPN to work. The SPN with the IP address is not registered. Use the domain name of the server.
Related
I'm using Django and mssql-django backend to connect to SQL Server.
No problems to connect to SQL Server when using sql login. But, when I try to connect using AD user, I get exception:
django.db.utils.InterfaceError:
('28000', "[28000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]
Login failed for user 'DOMAIN\\myuser'. (18456) (SQLDriverConnect);
[28000] [Microsoft][ODBC Driver 17 for SQL Server]Invalid connection string attribute (0);
[28000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Login failed for user 'DOMAIN\\myuser'. (18456);
[28000] [Microsoft][ODBC Driver 17 for SQL Server]Invalid connection string attribute (0)")
My database settings in settings.py are:
DATABASES = {
'default': {
'ENGINE': 'mssql',
'NAME': os.environ.get('DB_NAME', 'djangodb'),
'USER': os.environ.get('USER', 'DOMAIN\myuser'),
'PASSWORD': os.environ.get('USER_PASS', 'mypass'),
'HOST': os.environ.get('HOST', 'server.blabla.net'),
'PORT': '',
'OPTIONS': {
'driver': 'ODBC Driver 17 for SQL Server',
},
},
}
What I am doing wrong?
Active Directory (AD) users can't be specified as the USER in the connection string if attempting to authenticate using Windows Authentication (Trusted Connection/Integrated Security [SSPI])
It is possible to authenticate using this method but you would need to use Kerberos to authenticate against AD in order to receive the appropriate credentials that the driver can use to authenticate with.
In your Django DATABASES options specify, please note the Encrypt=yes option may not be necessary for your instance, but if using the 18 Driver, I find it is necessary, especially if using an unencrypted connection.
"OPTIONS": {
"driver": "ODBC Driver 18 for SQL Server",
"extra_params": "Encrypt=yes;Trusted_Connection=yes",
},
Deploying a Linux or macOS ODBC Driver Application Designed to Run as a Service
Deploying a Linux or macOS ODBC Driver Application Designed to Run as a Service
A system administrator can deploy an application to run as a service that uses Kerberos Authentication to connect to SQL Server.
You first need to configure Kerberos on the client and then ensure that the application can use the Kerberos credential of the default principal.
Ensure that you use kinit or PAM (Pluggable Authentication Module) to obtain and cache the TGT for the principal that the connection uses, via one of the following methods:
Run kinit, passing in a principal name and password.
Run kinit, passing in a principal name and a location of a keytab file that contains the principal's key created by ktutil.
Ensure that the login to the system was done using the Kerberos PAM (Pluggable Authentication Module).
When an application runs as a service, because Kerberos credentials expire by design, renew the credentials to ensure continued service availability. The ODBC driver does not renew credentials itself; ensure that there is a cron job or script that periodically runs to renew the credentials before their expiration. To avoid requiring the password for each renewal, you can use a keytab file.
Also of interest would be looking at the source code in mssql-django, which will give more insight into what options are selected when connecting to a SQL Server instance. mssql-django: base.py
Check this related SO question: Connection string using Windows Authentication
I am upgraded my mssql server on linux from CU12 to CU14, and that broke my windows authorization.
Now when connecting, i'm getting error:
Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. (Microsoft SQL Server, Error: 18452)
If i'm trying to create a Windows user, i'm getting error:
Error 15401: Windows NT user or group ‘username’ not found. Check the name again.
From shell, if i put:
id username
I'm getting normal response, either kinit username and then klist works well.
I noticed, in documentation that i could try to make direct connection to DC from krb5.conf:
sudo mssql-conf set network.disablesssd true
sudo mssql-conf set network.enablekdcfromkrb5conf true
systemctl restart mssql-server
however, it doesn't solve the problem.
SQL Server is set up under OpenSuse Leap 42.3
Error log of sql server contains only error about untrusted domain.
I have SQL Server that uses Kerberos authentication on my company's network. I am trying to setup a Linux system to be able to access that SQL Server using pyodbc. I am new to Kerberos, but have been able to get my Linux (Ubuntu 16.04) box working with Kerberos... Atleast thats what I think. I can do kinit <username> and it recognizes my username and password.
What do I do next?
If I do this:
sqlcmd -S MyDatabase.corp.com
I get this:
sqlcmd: Error: Microsoft ODBC Driver 11 for SQL Server : Cannot generate SSPI context.
Sqlcmd: Error: Microsoft ODBC Driver 11 for SQL Server : SSPI Provider: Cannot find KDC for realm "COMPANYNET.CORP.COM".
I am pretty sure I am just not doing the next step but I haven't found a good source to tell me what to do next. Any help is much appreciated... Thanks!
After much headache and annoying a lot of people at my company I got this to finally work.
Had to get a Service Account setup on the Domain
Had to get a krb5.keytab file made by an AD Admin
Had to setup Kerberos with the correct Domain in my /etc/krb5.conf file
Had to have SPNs set for the target SQL Server (This seems to be the actual cause of the above error message)
Ensure proper permissions set Service Account on SQL Server.
Once above was set I can do:
kinit -k <SERVICE ACCOUNT NAME>
sqlcmd -E -S MyDatabase.corp.com
Getting a message "login failed for user [my_user]"
Of note is that I am capable of connecting to the server with freetds from linux using the same server, username and password and TDS protocol 7.4. The port is the default SQL Server port. Viz. $tsql -S [my_server] -U "my_user" -P "my_pass" succeeds and I am able to poke around in the server.
However, on my windows machine, it simply reports that my login has failed.
Data Source: Microsoft SQL Server
Server Name: [my_server]
Use SQL Server Authentication: User name: [my_user] Password: [my_pass]
Any thoughts on what to try?
UPDATE:
I can connect via pymssql with
pymssql.connect(server=[my_server], user=[my_user], password=[my_pass])
I want to connect my project Symfony2 with SQL Server, so I downloaded the Microsoft Drivers for PHP for SQL Server from this link: https://www.microsoft.com/en-za/download/details.aspx?id=20098
and I extract it into wamp\bin\apache\Apache2.4.4\bin and I restarted the wamp server.
But when I want to create my database and my tables from my symfony project I got this error :
[PDOException]
SQLSTATE[HY000] [1045] Access denied for user
'PC-RAMI\rami'#'localhost' (using password: YES)
This is my parameters.yml file :
parameters:
database_driver: pdo_sqlsrv
database_host: 127.0.0.1
database_port: null
database_name: test
database_user: PC-RAMI\rami
database_password: "password of my PC"
mailer_transport: smtp
mailer_host: 127.0.0.1
mailer_user: null
mailer_password: null
secret: a5142e8af29ca527a8d9f3a6993ba894c4bf5ed9
this is the authentication interface of sql server
SQL server uses two methods for login.
SQL Server Authentication - you have to provide username and password (same like for MySQL etc.). If you want to use it, you have to configure your SQL server for mixed authentication. Default user is sa.
Windows Authentication - you want to use credentials of some local/domain Windows account.
You are trying to use the second method (I guess from your screenshot). Solution is setting up username and password to null (~ in YAML).
database_user: ~
database_password: ~
The reason is in sqlsrv extension. If you provide username and password it always tries to connect by SQL Server Authentication instead of Windows Authentication. But, what will PHP use as credentials? It takes credentials from process itself. Probably, you will have to run Apache2 under target credentials.
If your SQL server is configured in mixed mode. You can also create new database user account (not coming from any Windows account) and use standard username/password approach.