
I'm trying to connect from a Linux machine to SQL Server with a domain user.

I've found some solutions for doing it from Windows on another domain. For example this one

When the Linux machine is in the domain I can connect to the domain using kinit as the domain user and then access the DB, but kinit fails when my Linux machine is not in the domain (maybe I need to supply extra parameters?).

I can successfully connect as a domain user to a shared directory using Samba, even if my Linux machine is not in the domain, using a username, password, and domain name. This gives me the idea it should be possible.

So, my question is: Can it be configured without adding the Linux machine to the SQL Server domain?

  • Do you specify your full principal name for kinit? What exact failure mode do you get? It's going to be difficult to answer without knowing which of the 5-6 different ways it's failing. Commented Jun 10 at 22:04

1 Answer


Yes, it is possible to connect to SQL Server from a Linux machine without joining the machine to the domain by leveraging Kerberos authentication.

Make sure you have the necessary Kerberos client tools installed. On Ubuntu, you can install them by running:

# Import the Microsoft package signing key, add the repo, then install the SQL Server command-line tools
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
sudo add-apt-repository "$(wget -qO- https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/prod.list)"
sudo apt-get update
sudo apt-get install mssql-tools unixodbc-dev

Update your Kerberos configuration (/etc/krb5.conf) to include the domain information. Example:

[libdefaults]
   default_realm = YOUR.DOMAIN.COM
   dns_lookup_realm = true
   dns_lookup_kdc = true

[realms]
   YOUR.DOMAIN.COM = {
      kdc = your.kdc.server
      admin_server = your.admin.server
   }

[domain_realm]
   .your.domain.com = YOUR.DOMAIN.COM
   your.domain.com = YOUR.DOMAIN.COM

Obtain a Ticket Granting Ticket (TGT) with kinit:

kinit your_domain_user@YOUR.DOMAIN.COM

You will be prompted to enter the password for the domain user. If successful, this command will cache your Kerberos ticket locally. Then verify the Kerberos ticket:

klist

That will show the cached ticket, confirming that you have successfully obtained a TGT.

Connect to SQL Server using Kerberos authentication:

sqlcmd -S your_sql_server -d your_database -U your_domain_user@YOUR.DOMAIN.COM -P your_password

If you have Kerberos properly configured, you might be able to omit the password:

sqlcmd -S your_sql_server -d your_database -K -E

The -K option indicates the use of Kerberos authentication, and -E uses the trusted connection (which leverages the Kerberos ticket).

Additional configuration (sometimes needed): make sure that the SQL Server has the correct Service Principal Name (SPN) configured. This typically needs to be done on the domain controller. Example:

setspn -A MSSQLSvc/your.sql.server:1433 your_domain_user

If your Kerberos credential cache is not in the default location, you might need to set the KRB5CCNAME environment variable:

export KRB5CCNAME=/tmp/krb5cc_$(id -u)

That should do it!

You can find help for connecting other Linux versions in my university's documentation https://www.pdc.kth.se/support/documents/login/linux_login.html , you'll find plenty of helpful documents there, KTH and MIT are the Kerberos maintainers.

Good luck!

  • It worked after adding permitted_enctypes = rc4-hmac, default_tkt_enctypes = rc4-hmac and default_tgs_enctypes = rc4-hmac to krb5.conf
    – SHR
    Commented Jul 1 at 9:41
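The following is an added example, not code from the answer or its author. It pulls the answer's steps (krb5.conf, kinit/klist, SPN) into one script for a host that is not joined to the domain: the realm and KDC are pinned explicitly instead of discovered through AD DNS, `rdns = false` stops MIT Kerberos from rewriting the MSSQLSvc SPN via reverse DNS (a common source of "Server not found in Kerberos database"), and the enctype list stays AES-only unless RC4 is requested as a last resort, since the rc4-hmac workaround from the comment above downgrades to a weak cipher. EXAMPLE.COM, dc1.example.com, sql1.example.com and the user alice are placeholder assumptions, and the klist output is constructed, not captured from a real KDC.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): krb5.conf generation, SPN
# derivation and a TGT check for a non-domain-joined Linux host talking to
# SQL Server over Kerberos. All realm/host/user names are placeholder
# assumptions; sample_klist is constructed output, not a real klist capture.
set -eu

# gen_krb5_conf REALM KDC [yes]  -> prints a krb5.conf on stdout.
# The KDC is pinned because a box outside the domain often cannot resolve the
# _kerberos SRV records. rdns = false keeps the SPN as typed (MSSQLSvc/host:port)
# instead of canonicalising it through the PTR record of the SQL host.
gen_krb5_conf() {
    local realm="$1" kdc="$2" allow_rc4="${3:-no}"
    local enctypes="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"
    # rc4-hmac is legacy and weak; only append it when the service account
    # really cannot do AES (the workaround reported in the comment above).
    if [ "$allow_rc4" = "yes" ]; then
        enctypes="$enctypes rc4-hmac"
    fi
    local domain
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false
    default_tkt_enctypes = $enctypes
    default_tgs_enctypes = $enctypes
    permitted_enctypes = $enctypes

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# mssql_spn HOST PORT -> the SPN the ODBC driver requests a service ticket for.
# It must be registered on the account SQL Server runs as (setspn on a DC);
# a valid TGT alone does not help when this SPN is missing.
mssql_spn() {
    printf 'MSSQLSvc/%s:%s' "$1" "$2"
}

# has_tgt REALM (reads `klist` output on stdin) -> exit 0 iff the cache holds
# a TGT (krbtgt/REALM@REALM) for that realm.
has_tgt() {
    local realm="$1"
    grep -qF "krbtgt/$realm@$realm"
}

# Constructed stand-in for `klist` output after a successful kinit.
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/10/2024 22:00:00  06/11/2024 08:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF
}

# Demo: `bash kerberos_check.sh demo` prints the config, the SPN and the TGT check.
if [ "${1:-}" = "demo" ]; then
    gen_krb5_conf EXAMPLE.COM dc1.example.com
    echo "SPN to register on the SQL service account: $(mssql_spn sql1.example.com 1433)"
    if sample_klist | has_tgt EXAMPLE.COM; then
        echo "TGT for EXAMPLE.COM present; sqlcmd -S sql1.example.com -E can use it"
    fi
fi
```

Write the generated config to /etc/krb5.conf, run `kinit alice@EXAMPLE.COM`, and pipe real `klist` output into `has_tgt EXAMPLE.COM` before trying `sqlcmd -E`; if that passes but the connection still fails, check the SPN printed by `mssql_spn` against what `setspn -L` shows for the SQL service account, and only then consider enabling rc4-hmac.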
