Yes, it is possible to connect to SQL Server from a Linux machine without joining the machine to the domain by leveraging Kerberos authentication.
Make sure you have the necessary Kerberos client tools installed. On Ubuntu Linux distributions, you can install them by running:
curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
sudo add-apt-repository "$(wget -qO- https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/prod.list)"
sudo apt-get update
sudo apt-get install mssql-tools unixodbc-dev
Update your Kerberos configuration (/etc/krb5.conf) to include the domain information. Example:
[libdefaults]
default_realm = YOUR.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
YOUR.DOMAIN.COM = {
kdc = your.kdc.server
admin_server = your.admin.server
}
[domain_realm]
.your.domain.com = YOUR.DOMAIN.COM
your.domain.com = YOUR.DOMAIN.COM
Obtain a Ticket Granting Ticket (TGT) with kinit:
kinit [email protected]
You will be prompted to enter the password for the domain user. If successful, this command will cache your Kerberos ticket locally.
Then verify the Kerberos ticket:
klist
That will show the cached ticket, confirming that you have successfully obtained a TGT.
Connect to SQL Server using Kerberos authentication:
sqlcmd -S your_sql_server -d your_database -U [email protected] -P your_password
If you have Kerberos properly configured, you might be able to omit the password:
sqlcmd -S your_sql_server -d your_database -K -E
The -K option indicates the use of Kerberos authentication, and -E uses the trusted connection (which leverages the Kerberos ticket).
Additional configuration (sometimes needed)
Make sure that the SQL Server has the correct Service Principal Name (SPN) configured. This typically needs to be done on the domain controller.
Example:
setspn -A MSSQLSvc/your.sql.server:1433 your_domain_user
If your Kerberos credential cache is not in the default location, you might need to set the KRB5CCNAME environment variable:
export KRB5CCNAME=/tmp/krb5cc_$(id -u)
That should do it!
You can find help for connecting other Linux versions in my university's documentation: https://www.pdc.kth.se/support/documents/login/linux_login.html. You'll find plenty of helpful documents there; KTH and MIT are the Kerberos maintainers.
Good luck!
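As an added example (not part of the answer above), a pre-flight script for the steps listed: it checks that the principal's realm is upper-case, that a file-based ticket cache is private to the caller, and that the KDC will issue a ticket for the `MSSQLSvc/host:port` SPN. The function names are illustrative, and the `/tmp/krb5cc_<uid>` fallback assumes MIT krb5's built-in default cache location.

```bash
#!/usr/bin/env bash
# Added example: checks to run before "sqlcmd -E". All names are illustrative.

# SPN requested for a TCP connection to SQL Server: MSSQLSvc/<fqdn>:<port>
expected_spn() { printf 'MSSQLSvc/%s:%s\n' "$1" "${2:-1433}"; }

# Kerberos realm names are case-sensitive and AD realms are upper-case, so
# "user@your.domain.com" fails where "user@YOUR.DOMAIN.COM" works.
principal_realm_ok() {
    realm="${1##*@}"
    [ "$realm" != "$1" ] && [ -n "$realm" ] &&
        [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Resolve the file behind KRB5CCNAME (assumed default: /tmp/krb5cc_<uid>).
ccache_file() {
    cc="${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}"
    case "$cc" in
        FILE:*) printf '%s\n' "${cc#FILE:}" ;;
        /*)     printf '%s\n' "$cc" ;;
        *)      return 1 ;;   # KEYRING:, KCM:, DIR: are not plain files
    esac
}

# A ticket cache is a bearer credential: require a regular file (no symlink),
# owned by the caller, with mode 0600.
ccache_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    ls -ln "$1" | {
        read -r mode links owner rest
        case "$mode" in -rw-------*) [ "$owner" = "$(id -u)" ] ;; *) false ;; esac
    }
}

preflight() {   # usage: preflight <user@REALM> <sql-server-fqdn> [port]
    principal_realm_ok "$1" || { echo "realm in '$1' must be upper-case" >&2; return 1; }
    klist -s || { echo "no valid TGT: run kinit $1" >&2; return 1; }
    if file="$(ccache_file)"; then
        ccache_is_private "$file" ||
            { echo "$file is not private (want 0600, own uid)" >&2; return 1; }
    fi
    # kvno asks the KDC for a service ticket; a failure here usually means the
    # SPN is not registered for the SQL Server service account.
    spn="$(expected_spn "$2" "$3")"
    kvno "$spn" >/dev/null || { echo "KDC issued no ticket for $spn" >&2; return 1; }
    echo "ok: $spn"
}

if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Run it with the principal, server FQDN and port as arguments; with no arguments it only defines the functions.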
kinit? What exact failure mode do you get? It's going to be difficult to answer without knowing which of the 5-6 different ways it's failing.