3

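I am using FreeTDS with unixODBC to connect from Linux to a remote SQL Server instance. The Linux server is AD-integrated, and I SSH into the server with my domain login.

However, TDS (version 7.1) is unable to connect and fails with the error message: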

locale is "en_US.UTF-8"
locale charset is "UTF-8"
using default charset "UTF-8"
Error 20002 (severity 9):
        Adaptive Server connection failed
There was a problem connecting to the server

With the TDS dump variable set, I ran the command

tsql -H server.domain.local -p 52890

I am using a non-standard port because I am connecting to a named instance running on a port other than 1433.

Below is the debug log:

net.c:1370:handshake succeeded!!
gssapi.c:215:kerberos name MSSQLSvc/<server Name>
login.c:466:login packet rejected
util.c:156:Changed query state from IDLE to DEAD
util.c:331:tdserror(0x2139160, 0x2139400, 20002, 0)
util.c:361:tdserror: client library returned TDS_INT_CANCEL(2)
util.c:384:tdserror: returning TDS_INT_CANCEL(2)

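I am able to connect to another server that has SQL Server authentication enabled, so there is no problem with the ODBC connection itself. This particular server has only domain authentication enabled, so I cannot check whether SQL Server authentication works.

*** Edit ***

Added a Kerberos trace using the KRB5_TRACE variable. Sorry for the long log file.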

[21067] 1382697575.336792: ccselect module realm chose cache FILE:/tmp/krb5cc_1411389785 with client principal username@domain for server principal MSSQLSvc/servername.domain:52820@domain
[21067] 1382697575.337100: Retrieving username@domain -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_1411389785 with result: -1765328243/Matching credential not found
[21067] 1382697575.337153: Getting credentials username@domain -> MSSQLSvc/servername.domain:52820@domain using ccache FILE:/tmp/krb5cc_1411389785
[21067] 1382697575.337267: Retrieving username@domain -> MSSQLSvc/servername.domain:52820@domain from FILE:/tmp/krb5cc_1411389785 with result: -1765328243/Matching credential not found
[21067] 1382697575.337379: Retrieving username@domain -> krbtgt/domain@domain from FILE:/tmp/krb5cc_1411389785 with result: 0/Success
[21067] 1382697575.337394: Found cached TGT for service realm: username@domain -> krbtgt/domain@domain
[21067] 1382697575.337406: Requesting tickets for MSSQLSvc/servername.domain:52820@domain, referrals on
[21067] 1382697575.337472: Generated subkey for TGS request: rc4-hmac/2124
[21067] 1382697575.337488: etypes requested in TGS request: rc4-hmac
[21067] 1382697575.337844: Sending request (1455 bytes) to domain
[21067] 1382697575.341048: Resolving hostname onau-dc01.domain.
[21067] 1382697575.351850: Sending initial UDP request to dgram <dns_server_ip>:port
[21067] 1382697575.352702: Received answer from dgram <dns_server_ip>:port
[21067] 1382697575.353576: Response was not from master KDC
[21067] 1382697575.353616: TGS request result: -1765328377/Server not found in Kerberos database
[21067] 1382697575.353629: Requesting tickets for MSSQLSvc/servername.domain:52820@domain, referrals off
[21067] 1382697575.353667: Generated subkey for TGS request: rc4-hmac/3F66
[21067] 1382697575.353687: etypes requested in TGS request: rc4-hmac
[21067] 1382697575.353804: Sending request (1455 bytes) to domain
[21067] 1382697575.355027: Resolving hostname server.domain.
[21067] 1382697575.355854: Sending initial UDP request to dgram <dns_server_ip2>:88
[21067] 1382697575.358398: Received answer from dgram <dns_server_ip2>:88
[21067] 1382697575.359061: Response was not from master KDC
[21067] 1382697575.359094: TGS request result: -1765328377/Server not found in Kerberos database
Error 20002 (severity 9):
        Adaptive Server connection failed
4

1 Answer

2

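Since you are using a named instance, it most likely accepts only tickets issued for the port-specific SPN (MSSQLSvc/<server name>:52890), so your client software should obtain a ticket for this principal. In addition, this port-specific SPN should exist on the account that runs the MSSQL server.

Looking at the FreeTDS implementation, I can see that if "server_spn" is not set in the connection's configuration, it automatically tries to pick the port-specific SPN.

I suggest you remove the explicit server_spn setting from freetds.conf for this connection.

Answered 2013-10-25T11:53:29.853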
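
An added example, not part of the original answer or of FreeTDS: a small KRB5_TRACE parser that pairs each requested service principal with its TGS result and checks the SPN port against the port passed to tsql. The function names are hypothetical, and the sample input is a subset of the trace lines from the question.

```python
import re

# Subset of the KRB5_TRACE lines from the question (host and realm are the page's placeholders).
SAMPLE_TRACE = """\
[21067] 1382697575.337406: Requesting tickets for MSSQLSvc/servername.domain:52820@domain, referrals on
[21067] 1382697575.353616: TGS request result: -1765328377/Server not found in Kerberos database
[21067] 1382697575.353629: Requesting tickets for MSSQLSvc/servername.domain:52820@domain, referrals off
[21067] 1382697575.359094: TGS request result: -1765328377/Server not found in Kerberos database
"""

REQ = re.compile(r"Requesting tickets for (?P<spn>\S+?), referrals (?:on|off)")
RES = re.compile(r"TGS request result: (?P<code>-?\d+)/(?P<msg>.+)$")
SPN = re.compile(r"^(?P<svc>[^/]+)/(?P<host>[^:@]+)(?::(?P<port>\d+))?(?:@(?P<realm>.+))?$")

# Code shown in the trace next to "Server not found in Kerberos database".
S_PRINCIPAL_UNKNOWN = -1765328377


def tgs_attempts(trace):
    """Pair each 'Requesting tickets for' line with the TGS result that follows it."""
    attempts, pending = [], None
    for line in trace.splitlines():
        m = REQ.search(line)
        if m:
            pending = m.group("spn")
            continue
        m = RES.search(line)
        if m and pending:
            attempts.append((pending, int(m.group("code")), m.group("msg").strip()))
            pending = None
    return attempts


def diagnose(trace, connect_port):
    """Return de-duplicated findings for the SPNs the client asked the KDC for."""
    findings = set()
    for spn, code, _msg in tgs_attempts(trace):
        parts = SPN.match(spn)
        port = parts.group("port") if parts else None
        if port is None:
            findings.add(f"{spn}: no port in SPN; a named instance expects a port-specific SPN")
        elif int(port) != connect_port:
            findings.add(f"{spn}: SPN port {port} differs from connection port {connect_port}")
        if code == S_PRINCIPAL_UNKNOWN:
            findings.add(f"{spn}: KDC does not know this principal; check the SPN on the SQL Server service account")
    return sorted(findings)


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_TRACE, connect_port=52890):
        print(finding)
```
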