Okay all, the subject is a pretty poor one, but I'm not sure how else to put it. I have Server 2012 with a bunch of jobs, all owned by sa. They all worked fine ever since I began working here in January 2016, but we recently made major changes to our servers. Currently, we have a few servers off the domain, and set up together as a workgroup. They're clones of what we were running before the shakeup, so include all the data/logins. The main difference is that they can't talk to our Active Directory anymore.
Back to SQL Server. Some of the jobs on the server have to read from and write to an FTP folder on one of the servers which is in the same workgroup. That is, both the 2012 server and the FTP server are on the same workgroup, so should talk to each other with no problem. However, some of the jobs keep failing because of logon errors when trying to connect to the FTP server. I'm not using FTP, but rather network locations, like \\1.2.3.4\ftp\folder\file.txt in my job code. This worked perfectly until the servers moved. Skipping the long and confusing reasons why, suffice it to say that this server won't be back in contact with Active Directory for some time. Indeed, letting it be so can't happen until we can shut down its on-domain counterpart. However, we can't do that until I get this working sans domain contact. Again, long story behind that catch-22.
My questions after dealing with all this are:
If the job in question is owned by sa, why do the logs show logon attempts by nt access\network authority?
How/where can I change the username/password the 2012 server is using to talk to the FTP server?
Is there a way I could access the FTP server, given the workgroup setup in place, that's easier than what I'm trying to do now? Sharing settings on the FTP folder, for instance?
Thanks for any explanations anyone can offer. I'm thoroughly confused about permissions, accounts, credentials, and remote access and have no idea where to turn, having googled all of this exhaustively.
I have not worked with servers that were not domain joined, but I have had similar issues when using SSIS accross sub-domains (see original answer below for more detail). I would look at the setup of sql server and see what service accounts were used for the sql database service and the sql agent service (check out https://msdn.microsoft.com/en-us/library/ms143504.aspx). ALso, make sure that the server accounts have permissions to the file system locations (you likely already did that, but just in case).
Original Answer for SSIS Situations ( I misunderstood that the asker wasn't using SSIS):
You might need to set up a proxy to control what account is used. There is a section on proxies in this article that you might find helpful. I suggest reading the entire article, it might shed some light.
https://www.simple-talk.com/sql/database-administration/setting-up-your-sql-server-agent-correctly/
Related
I posted a similar question before, but I have now came back to the point where I need to deal with this and after some tuning I have managed to get rid of all the errors, except one warning that basically tells me that the path provided to the package not finding any files in the directory (which is false). This almost makes me want to believe this is again a permissions issue. As when I run the package locally it all works fine. Here is the warning:
Same message appears when I right click SSIS package under the catalogue and directly try to execute the job.
I made sure that the caller has full permissions to the folder in question
SQL Server Agent Job calls the job like so
With a single step in it to execute the SSIS package from the catalogue:
The history of the executions is all successful and the history of SQL Agent job is all green
One of the suggestions I got was to open SQL Server Configuration manager but I don't appear to have access to that. I am new to this whole process so I am not sure if authentication has something to do with it or the sa account's permissions.
Note: I am working on this on a remote dev server and not directly on my pc.
Any help would be greatly appreciated.
Since you're running the package as the Agent Service Account:
The permissions need to be applied to the SQL Server Agent Service Account or its per-service SID.
You can see the service account with PowerShell like this:
PS C:\Users\david> (Get-WmiObject win32_service | where Name -eq "SQLSERVERAGENT").StartName
NT Service\SQLSERVERAGENT
Turns out the database instance was on a whole different server that I wasn't even given access to. That server obviously didn't have the path specified in the SSIS package, so what I had to do is create a folder for files in the correct server, reroute my files there, and change the SSIS package path after obtaining the access to the server where DB instance lives. Me being new to all this, it was absolute frustration especially since our team is small and I am new in it I can't just ask someone questions about this all the time. Hopefully this will save someone a lot of time.
Having an issue getting a SQL Server linked server to Oracle working while using a tnsnames.ora file on a network share.
If I copy the tnsnames.ora file to the local server, the linked servers work fine. However, we keep the file on a network share. My sql service accounts have read access to the share. I configure TNS_ADMIN system variable to the network share, the linked servers no longer work. I get ora-12154: could not resolve the connect identifier specified. tnsping and sqlplus work on the server. When I use process monitor to investigate further, I see:
Operation: createFile
Result: ACCESS DENIED
...
Impersonating: domain\MyLogin
This seems like an issue, but is maybe a false positive? If a process is trying to impersonate my account and access a remote resource it will fail since we don't have Kerberos configured to handle double-hop.
SQLPlus and TNSPing work just fine with the network share configured.
I've looked at this post and tried the items that seemed relevant, but had no success.
Additional Info:
sqlnet.ora has this:
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
I am able to open a file browser as a service account and open the tnsnames file.
I had this same issue while trying to connect a oracle 10g database via my WCF serivce developed in .NET 4.0 framework.
I was having multiple instances of ORACLE installed in my system. So, I modified the ORACLE_HOME to point to the Oracle 10g and it worked.
Also check the following:
Your service name might have an alias, so Make sure that your listener is listening for the same service name that you are using and check for both local and global entries. Check:
$ORACLE_HOME/network/admin/tnsnames.ora
Check your global_name setting with this SQL:
select * from global_name;
Also, Please make sure you add the Key TNS_ADMIN in the registry and create a enviroinment variable with name TNS_ADMIN
Regedit->HKEY_LOCAL_MACHINE->Software->Oracle->RightClick NEW->StringValue and name
Specify the correct path where the oracle is installed for Example
X:oracleproduct32bit10.0.1.0.0NETWORKADMIN
Edit
The below video also looks quite helpful. Please check.
https://www.youtube.com/watch?v=Sec8WG8gQPg
As an Oracle DBA I sometimes have to work with Windows. Maybe you can adopt from my experiences with Oracle on Windows.
Scenario:
An Oracle DB runs under a domain user. I want to restore a database from a backup which is located on a Windows share (sounds like "read" but it obviously isn't). I (or let's say the windows team) did not manage to find the proper way to grant the required permissions.
After many tries, the admins grant "everything" to the entire Oracle server.
Even though the Oracle process runs in a user context we did not find a set of permissions for the user only. Only the permissions for the entire server enabled the restore process to access the data.
From security point of view this is a horrible solution! But maybe it will help you to come closer to a solution (and if so, please share :-)).
I'm not an expert with TSQL so have patience with me please. So recently I was doing a project in TSQL on my local server using SQL Server 2008 R2 Management Studio. I was reading my files from a temp file on my C: drive and bulk inserting them into tables at the time.
Then I went and moved to a regular server instead of my local server on my machine.
It took me a bit to realize that I no longer had access to my local machine folders and files, and that is causing me issues.
I've read that one solution is to create a mapped drive on the server, but this is not an option for me.
So my question is what are other options for me? Could I use UNC paths to access my files or anything else?
The files I want to access are regular text files that are comma-delimited and newline terminated.
(I saw somewhat similar questions to mine, but there's seemed server specific or specific to their particular issues. Also none of their questions were answered.)
Actually a mapped drive won't work either because the account SQL runs under by default (local system if I recall) will not have network access.
So, the more reliable way to do this is definitely with a UNC path BUT there is more! (I've done this several times when I've needed to move database backups and log backups across servers for mirroring).
How?
On the SQL server machine AND the other server that will host the share, create a new user (same username and password on both machines) - assuming your not using AD. The user needs not be in any groups at all other than the users group but it must be called the same in both servers and the password must match.
On the SQL server machine change the account that SQL SERVER is running under. This is done in the SQL server configuration tool. Do not try to do this yourself via windows services. Choose the user that you created in no 1 above. Note you have to enter the pw. Restart SQL after you've changed it and verify SQL still runs fine. It should run just as before but now is running as a particular user with all the permissions of that user (which actually are very limited anyhow, but at least the user can access network resources).
On the remote server, make sure the new user has NTFS permissions on the folders that will host your share. Read/write perhaps or just read if SQL is only reading data.
On the remote server, create a share pointing to the appropriate folder that you set permissions for above. Make sure if you're using share permissions that the new user also has permissions on the share (not just on NTFS on the drive).
Once all of this is setup, your SQL scripts simply use the UNC path that points to the remote share and since SQL is running "as" a user with access to that share, SQL will see the files just fine!
I am having trouble sorting through all the information / various options in regards to Access 2007 used in a multi-user environment. Here is a brief description of my current situation. At work there is the "Business LAN" which I can log on and use to monitor two other servers via remote desktop. The business LAN is strictly controlled by our IT department and no one is permitted to install any software or drivers without their consent. I do have administrative privileges on both servers though.
The two servers that I log on to using RD are used for essentially the same task, which is to monitor and control the heat to different process lines. Each server runs a different program to accomplish this task but both programs use SQL Server as a back end.
I created two access databases (one on each server because they are currently behind seperate firewalls) in order to query information from the backend SQL side of these programs and combine it with relative information I have compiled in tables in order to add more detail to the data the programs are collecting. My program is still in the debug stage but ultimately this information can then be accessed by field techs / maintenance in order to make their job easier. Maintenance staff can also add even more information based on the status of repairs etc....Last, I have created reports which can be run by Managers / Engineers who are looking for an overall status of their area.
Both access db's are split so that the back ends are seperate from the forms, queries, etc... I use an ODBC data source to import a link to SQL. I am using vba for user authentication, user logging record updates, and user / group access control. Everything works the way I intended except the fact I everyone who logs on the server will be trying to run the same copy of the front end. For example, I had a co-worker log on to the server via RD to test the program and I logged on from my desk. After logging in I could see the forms he had open. Access was already running. Without being able to install access locally (or even runtime, due to IT restrictions) on to each individuals workstation, I'm not sure what approach to take to resolve this.
Additional info, Server 1
One of the servers is considered to be the "master server" in which a number of client stations "slave servers" all communicate with. The only way to access folders on themaster server is log on to the client station and run RD.
Server 2
This server is considered to be the "historian". It communicates with a terminal server in which users log on using RD and run applications which use SQL backend which resides on the historian. I have been able to set up shares so that certain folders are visible on the historian from the terminal server.
Can anyone tell me what my best option is?
Thanks in advance.
CTN
It's really crazy the way some IT departments do everything possible to make it hard to do your job well.
You allude to users logging on via Terminal Server. If so, perhaps you can store the front ends in the user profiles of their Terminal Server logons? This assumes they're not just using the two default admininstrative Terminal Server logons, of course.
The other thing that's not clear to me is why you need a back end at all in Access/Jet/ACE -- why not just link via ODBC to the SQL Server and use that data directly? The only reason to have an independent Jet/ACE file with data tables in it in that scenario is if there is data you're storing for your Access application that is not stored in the SQL Server. You might also have temp tables (e.g., for staging complicated reports, etc.), but those should be in a temp database on a per-user basis, not in a shared back end.
Here is a suggestion how to implement what David Fenton wrote: write a simple batch script which copies your frontend from the installation path to %TEMP% (the temporary folder of the current user session) and runs the frontend from there. Something along the lines of
rem make sure current directory is where the script is
cd /d %~d0%~p0
rem assume frontend.mdb is in the same folder as the script
copy /y frontend.mdb %temp%
start %temp%\frontend.mdb
Tell your users not to run the frontend directly, only via the batch script, then everyone should get his own copy of the frontend. Or, give your frontend a different suffix in the installation path and rename it to "frontend.mdb" when copying to %temp%.
I am a software developer with devlopment experience in C#, C++ .Net alongwith SQL Server 2005/08, Oracle and mysql. But somehow i dont get jBASE to work at Windows XP SP3 machine.
My goal is setup user accounts, create database on a JBASE ainstallation, authenticate and backup/restore few table via a C++ program. And i dont need to do it with builtin backup/restore tools of jBASE.
I am able to install jBASe 4.1 aling with all its accessories on my WINXPSP3 machine. I was able to run the jSlimserver and TEMENOUS server along with licnesing server. I was able to add the license key as well. But after that what i was supposed to do? i have no idea about it.
The docs and online help doesnt answer a simple question of how to create a database! The google search results from the jbase site all go to the 404 Pages!
Can a jBASE expert guide to the following steps:
Create a jBASE database.
Create users
Authenticate via those users
Connect to database
Create tables and insert data.
Connect via a C++ or C# program to connect to jBASE DB and backup/restore tables.
I know that this is too much too ask but i dont get to get the JBASE system. I cant get it to work on my System somehow. Btw, jdc and jexloree doesnt seem to do anything. I have checked that enironmental variables for jBASE are setup correctly and i have verified them. There are no extra JRE or JDK installations on my system. Besides all that, only licensing client, slim server and temenous server seem to run and listen for connections and no other execuatable ever seems to work.
A simple tutorial to achieve the objective will be highly appreciated. Also if anyone can point out the mistake that i have done or anything i might need to check, then please do so. I will be highly encouraged and obliged.
Thanks
Steve
I hope this will help, if you have not already found a why to do this.
Setup jBase User and Database
Create a Security Group called
'Jbase' or what every you want to
call it
Add a User to this group. I would
recommend adding your administrator
user to it as well
Create a folder in you file system
to save the database information
into
Assign the 'Jbase' Security group to
the folder, and give it "Full"
read/write/execute access.
Creating the database:
Make sure the current users you
are logged on with is the 'Jbase'
security group.
go to the command prompt, and CD
to the folder you create to store
the database
run the jShell 'jsh' from that
location
use CREATE-FILE to create the
files/tables you want to store your
information in.
Inserting data:
There are several ways to enter data. You can use ED, your can your programming environment, or you can create a quick MultiValue/jBase compiled server script to ask for the data and write them to a file/table.