
I cannot get Kerberos auth working from Linux to an MS SQL Server on Windows. I added a new user in AD:

# Create the AD account that the keytab will be mapped to
New-ADUser -Name "user" -GivenName "user" -SamAccountName "user" -UserPrincipalName "user@my.domain" -AccountPassword (ConvertTo-SecureString "password" -AsPlainText -Force) -Enabled $true

Generated the keytab file:

# Map the MSSQLSvc SPN to the account, set its password and write the AES256 key to krb5.keytab
ktpass -out krb5.keytab -mapUser user@MY.DOMAIN -pass password -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ MSSQLSvc/sql.my.domain:1433@MY.DOMAIN

Added this krb5.conf to the Linux server:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.DOMAIN
 dns_lookup_realm = false
 # KDCs are located through DNS SRV records (dns_lookup_kdc defaults to true),
 # which is why the [realms] entry below can stay empty
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MY.DOMAIN = {
 }

[domain_realm]
 my.domain = MY.DOMAIN
 .my.domain = MY.DOMAIN

Copied the keytab to the Linux server.

Did kinit:

# Obtain a TGT from the keytab, as the principal ktpass wrote into it
kinit -k MSSQLSvc/sql.my.domain:1433@MY.DOMAIN

klist shows:

klist
Ticket cache: FILE:/etc/krb/cache
Default principal: MSSQLSvc/sql.my.domain:1433@MY.DOMAIN

Valid starting     Expires            Service principal
05/27/21 07:24:27  05/27/21 17:24:27  krbtgt/MY.DOMAIN@MY.DOMAIN
    renew until 06/03/21 07:24:27

And the failure:

/opt/mssql-tools/bin/sqlcmd -S sql.my.domain
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : SSPI Provider: Message stream modified.
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : Cannot generate SSPI context.
DevMops

1 Answer


The issue was in the SPN record on the Active Directory side. The Microsoft SQL Kerberos Tool helped a lot. If the Kerberos tool does not start on the SQL server, try removing your AD user from Local Admins on the SQL server.

https://docs.microsoft.com/en-us/troubleshoot/sql/connect/kerberos-configuration-manager-available

DevMops