We installed SQL Server 2017 on CentOS and joined it to the domain following this tutorial: https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-active-directory-authentication?view=sql-server-2017

Every 12-24 hours SQL Server starts rejecting AD domain logins:

```
sssd[18880]: ; TSIG error with server: tsig verify failure
# Error: 17806, Severity: 20, State: 14.
# SSPI handshake failed with error code 0x80090308, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The operating system error code indicates the cause of failure. The token supplied to the function is invalid
# Error: 18452, Severity: 14, State: 1
# Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
```
To get AD domain logins working again, I have to run two commands on the domain controller:

```
setspn -D MSSQLSvc/<fqdn>:1433 mssql
setspn -A MSSQLSvc/<fqdn>:1433 mssql
```

In case it is a permissions issue, I checked and changed the mssql user (the one the Kerberos ticket is retrieved for) to an administrator, but SQL Server still did not update the SPN.

Maybe someone can hint at what I am missing?
Configuration steps:

```
$ yum install sssd ntp authconfig krb5-workstation openldap-clients sssd-tools
$ realm join domain.com -U "[email protected]"
$ kinit [email protected]
```

On Windows:

```
setspn -A MSSQLSvc/mssql.domain.com:1433 mssql
```

Back on CentOS:

```
$ kinit [email protected]
$ kvno MSSQLSvc/mssql.domain.com:1433
$ ktutil
ktutil: addent -password -p MSSQLSvc/mssql.domain.com:[email protected] -k <kvno from above> -e aes256-cts-hmac-sha1-96
ktutil: addent -password -p MSSQLSvc/mssql.domain.com:[email protected] -k <kvno from above> -e rc4-hmac
ktutil: wkt /var/opt/mssql/secrets/mssql.keytab
ktutil: quit
$ ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
ktutil: delent <slot num>    # delete all hosts which are not UPN
ktutil: wkt /var/opt/mssql/secrets/mssql.keytab
ktutil: quit
$ chown mssql:mssql /var/opt/mssql/secrets/mssql.keytab
$ chmod 400 /var/opt/mssql/secrets/mssql.keytab
$ /opt/mssql/bin/mssql-conf set network.kerberoskeytabfile /var/opt/mssql/secrets/mssql.keytab
$ systemctl restart mssql-server
```
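A check worth running when a keytab built with `ktutil addent -password` stops working: compare the key version number (kvno) stored in the keytab with the kvno the KDC currently reports for the SPN. Keys in a keytab are bound to a kvno, and an entry made for an older kvno (for example after the account's password changed) can no longer decrypt the service tickets clients present. The script below is an added example; it is not code from the question above or from Microsoft's documentation. It assumes MIT Kerberos `klist` and `kvno` are installed and a TGT is cached, and the keytab path and SPN default to the values used in the post. The parsing functions are exercised on constructed sample output, so the script also runs offline; set `CHECK_LIVE=1` to check the real keytab against the KDC.

```shell
#!/usr/bin/env bash
# check_mssql_keytab.sh -- added example, not code from the original post.
# Compares the key version numbers (kvno) stored in the SQL Server keytab
# with the kvno the KDC currently reports for the same SPN. A keytab entry
# whose kvno differs from the KDC's cannot decrypt the tickets clients send.
# Assumptions: MIT Kerberos klist/kvno are installed and a TGT is cached;
# KEYTAB and SPN default to the values used in the post.

KEYTAB="${KEYTAB:-/var/opt/mssql/secrets/mssql.keytab}"
SPN="${SPN:-MSSQLSvc/mssql.domain.com:1433}"

# keytab_kvnos KLIST_OUTPUT SPN
# Prints the distinct kvnos that `klist -kte KEYTAB` lists for SPN (any realm).
# Matching is a literal prefix test on "SPN@", so dots in the SPN are not regex.
keytab_kvnos() {
  printf '%s\n' "$1" | awk -v spn="$2" '
    { for (i = 1; i <= NF; i++) if (index($i, spn "@") == 1) { seen[$1] = 1; break } }
    END { for (k in seen) print k }' | sort -nu
}

# kdc_kvno KVNO_OUTPUT
# Extracts N from the "principal@REALM: kvno = N" line printed by `kvno`.
# Prints nothing when kvno failed (e.g. SPN not registered on the KDC).
kdc_kvno() {
  printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# kvno_matches KLIST_OUTPUT KVNO_OUTPUT SPN
# Returns 0 when the keytab holds the kvno the KDC currently issues, 1 otherwise
# (including when the KDC lookup produced no number at all).
kvno_matches() {
  local want have
  want="$(kdc_kvno "$2")"
  [ -n "$want" ] || return 1
  for have in $(keytab_kvnos "$1" "$3"); do
    [ "$have" = "$want" ] && return 0
  done
  return 1
}

# Constructed sample output (not captured from a real system) in the shape
# `klist -kte` and `kvno` print, so the functions can be exercised offline.
SAMPLE_KLIST='Keytab name: FILE:/var/opt/mssql/secrets/mssql.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2019 00:00:00 MSSQLSvc/mssql.domain.com:1433@DOMAIN.COM (aes256-cts-hmac-sha1-96) 
   2 01/01/2019 00:00:00 MSSQLSvc/mssql.domain.com:1433@DOMAIN.COM (arcfour-hmac) 
   5 01/01/2019 00:00:00 MSSQL$@DOMAIN.COM (aes256-cts-hmac-sha1-96) '
SAMPLE_KVNO_OK='MSSQLSvc/mssql.domain.com:1433@DOMAIN.COM: kvno = 2'
SAMPLE_KVNO_STALE='MSSQLSvc/mssql.domain.com:1433@DOMAIN.COM: kvno = 3'

# Live check against the real keytab and KDC; opt in with CHECK_LIVE=1.
if [ "${CHECK_LIVE:-0}" = 1 ]; then
  klist_out="$(klist -kte "$KEYTAB")" || exit 2
  kvno_out="$(kvno "$SPN" 2>&1)"
  if kvno_matches "$klist_out" "$kvno_out" "$SPN"; then
    echo "OK: $KEYTAB holds the KDC's current kvno for $SPN"
  else
    echo "MISMATCH for $SPN: keytab has kvno(s) [$(keytab_kvnos "$klist_out" "$SPN" | tr '\n' ' ')]; KDC says: $kvno_out" >&2
    echo "Rebuild the keytab entries with the kvno the KDC reports, then restart mssql-server." >&2
    exit 1
  fi
fi
```

Run it as `CHECK_LIVE=1 ./check_mssql_keytab.sh` as a user with a TGT (`kinit` first); a mismatch means the entries written with `addent` are for a different key version than the KDC now uses for the account the SPN is mapped to, and the keytab has to be rebuilt with the current kvno. The script only compares version numbers; it does not verify the key material itself.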