
MSSQL Server SPN Connections: Linux to MSSQL Server (setspn, kinit, Kerberos authentication)

After the AD admin added a SQL Server SPN using the setspn tool, the Linux server is not able to use the SPN with MS SQL Server ODBC Driver 18; the error is "[HY000] [Microsoft][ODBC Driver 18 for SQL Server]SSPI Provider: Server not found in Kerberos database".

I have a working Kerberos-based authentication to one server (dev), and I am trying to implement the same connection setup to a new server (rel). To configure dev, my AD admin set the server SPN using the SPN setting tool:

setspn -S MSSQLSvc/dev:dev_sql_port domain\dev_service_user

And we can verify that the SPN has been created using

setspn -Q MSSQLSvc/dev*

There are many domain controllers on the AD domain (7 or so, as determined by running the command adcli info domain.org from the Linux server). At first we were not able to connect to dev using ODBC, but after a few months the following pattern started to work:

kinit
Password for user@domain.org: ********

Followed by a connection using the connection string:

Driver={ODBC Driver 18 for SQL Server};Server=dev;Trusted_Connection=yes;Encrypt=No;TrustServerCertificate=yes

The AD admin duplicated everything from the dev setup for rel, using the correct information for the rel SQL Server instance. I am able to use the following to initialize a Kerberos ticket for the new server:

kinit -S "MSSQLSvc\rel:rel_port"
Password for user@domain.org: ********

However, the Python pattern:

import pyodbc

# Same connection string shape as the working dev setup, pointed at the new server
cnxn_str = ("Driver={ODBC Driver 18 for SQL Server};Server=rel;Trusted_Connection=yes;Encrypt=No;TrustServerCertificate=yes")
cnxn = pyodbc.connect(cnxn_str)

gives the error:

Error: ('HY000', '[HY000] [Microsoft][ODBC Driver 18 for SQL Server]SSPI Provider: Server not found in Kerberos database (851968) (SQLDriverConnect)')

There are minimal changes to the krb5.conf configuration besides the top section:

[libdefaults]
        default_realm = domain.org
        dns_lookup_realm = true
        dns_lookup_kdc = true

I have access to the appropriate admins to make changes that are researched; however, we (I) are at a bit of a loss why dev works, why it took several months for dev to work, and why rel does not work (yet). It has been 2 weeks since we made the changes to rel.

To fix this, we determined that there was a typo in the original rel setspn statement, and that there were two listed under setspn -L realm\rel_sql_service_account, one with the incorrect port and one with no port. We used the commands

setspn -D MSSQLSvc/rel.domain:wrong_port realm\rel_sql_service_account
setspn -D MSSQLSvc/rel.domain realm\rel_sql_service_account
setspn -S MSSQLSvc/rel.domain:right_port realm\rel_sql_service_account

There is a chance this was done from a command window on a different Windows server than where it was originally set. Double-checking that, it was all the same.
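The fix above came down to stray SPNs on the service account (one with the wrong port, one with no port) masking the one the client actually asks for. As an added example that is not part of the original post, the Python below parses `setspn -L` output and audits it against the single SPN the ODBC driver requests, MSSQLSvc/<fqdn>:<port>, then emits the setspn -D / -S commands that would reconcile it; the sample output, host names, ports and account name are constructed placeholders, and the assumed SPN form should be confirmed on the client with KRB5_TRACE=/dev/stderr before acting on the report.

```python
import re

# One SPN line from `setspn -L <account>` output, e.g. "MSSQLSvc/rel.domain.org:1433".
SPN_RE = re.compile(r"^\s*MSSQLSvc/(?P<host>[^:/\s]+)(?::(?P<port>\S+))?\s*$", re.I)

# Constructed sample of `setspn -L` output for the rel service account; not real data.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=rel_sql_service_account,DC=domain,DC=org:
        MSSQLSvc/rel.domain.org:1434
        MSSQLSvc/rel.domain.org
        MSSQLSvc/other.domain.org:1433
"""

def parse_setspn_output(text):
    """Return [(host, port_or_None), ...] for every MSSQLSvc SPN in the output."""
    found = []
    for line in text.splitlines():
        m = SPN_RE.match(line)
        if m:
            found.append((m.group("host").lower(), m.group("port")))
    return found

def audit_spns(registered, fqdn, port, account):
    """Compare registered SPNs with MSSQLSvc/<fqdn>:<port>, the SPN the ODBC driver
    requests by default (assumption; confirm on the client with KRB5_TRACE=/dev/stderr).
    Returns (expected_present, stray_entries, setspn_commands_to_fix)."""
    fqdn, port = fqdn.lower(), str(port)
    present, stray, fixes = False, [], []
    for host, p in registered:
        spn = "MSSQLSvc/%s%s" % (host, ":" + p if p else "")
        if (host, p) == (fqdn, port):
            present = True
        elif host == fqdn:  # same host, wrong or missing port: the duplicates from the answer
            stray.append((spn, "no port" if p is None else "wrong port %s" % p))
            fixes.append("setspn -D %s %s" % (spn, account))
        elif host == fqdn.split(".")[0]:  # short name never matches the FQDN the client asks for
            stray.append((spn, "short host name"))
    if not present:
        fixes.append("setspn -S MSSQLSvc/%s:%s %s" % (fqdn, port, account))
    return present, stray, fixes

if __name__ == "__main__":
    regs = parse_setspn_output(SAMPLE_SETSPN_OUTPUT)
    present, stray, fixes = audit_spns(regs, "rel.domain.org", 1433, r"domain\rel_sql_service_account")
    print("expected SPN registered:", present)
    for spn, why in stray:
        print("stray:", spn, "->", why)
    print("\n".join(fixes))
```

SPNs for other hosts on the same account are left alone on purpose, since the account may legitimately serve several instances.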
