我需要在 CentOS 7 上运行的 SQL Server 2019 上启用 Active Directory 身份验证。
服务器 centos-1 alresdy 已经预先配置了 sssd 给我们 AD 认证。但是,我遵循了有关如何在 Linux 上的 SQL Server 上启用 Windows 身份验证的官方 Microsoft 指南:
- 将 Linux 服务器添加到域中
user-1@centos-1:~$ sudo realm join SD.DOMAIN.COM -U 'sduserwithpermissions@sd.domain.com' -v
服务器可以查询域
user-1@centos-1:~$ id sql_server_account
uid=10608(sql_server_account) gid=13502(service_accounts)
- 为用于在 Windows 中运行 MSSQL 的服务帐户创建 SPN
setspn -A MSSQLSvc/centos-1.sd.domain.com:1433 sql_server_account
setspn -A MSSQLSvc/CENTOS-1:1433 sql_server_account
- 创建 keytab 文件并将其复制到使用 SQL Server 的 centos-1 机器
ktpass /princ MSSQLSvc/centos-1.sd.domain.com:1433@SD.DOMAIN.COM /ptype KRB5_NT_PRINCIPAL /crypto aes256-sha1 /mapuser SD\sql_server_account /out mssql.keytab -setpass -setupn /kvno 2 /pass <passw>
ktpass /princ MSSQLSvc/centos-1.sd.domain.com:1433@SD.DOMAIN.COM /ptype KRB5_NT_PRINCIPAL /crypto rc4-hmac-nt /mapuser SD\sql_server_account /in mssql.keytab /out mssql.keytab -setpass -setupn /kvno 2 /pass <passw>
ktpass /princ sql_server_account@SD.DOMAIN.COM /ptype KRB5_NT_PRINCIPAL /crypto aes256-sha1 /mapuser SD\svc_sql_server_dev /in mssql.keytab /out mssql.keytab -setpass -setupn /kvno 2 /pass <passw>
ktpass /princ sql_server_account@SD.DOMAIN.COM /ptype KRB5_NT_PRINCIPAL /crypto rc4-hmac-nt /mapuser SD\svc_sql_server_dev /in mssql.keytab /out mssql.keytab -setpass -setupn /kvno 2 /pass <passw>
- 配置 MSSQL 以使用 keytab
user-1@centos-1:~$ sudo mssql-conf set network.kerberoskeytabfile /var/opt/mssql/secrets/mssql.keytab
user-1@centos-1:~$ sudo service mssql-server restart
虽然 AD 可以对连接到服务器的用户进行身份验证,但 SQL Server 无法创建 Windows 登录。它说
Windows NT user or group 'SD\db_users' not found. Check the name again.
sssd.log 说
(Mon May 24 19:45:11 2020) [sssd[be[SD.DOMAIN.COM]]] [dp_get_account_info_handler] (0x0200): Got request for [0x12][BE_REQ_USER_AND_GROUP][name=sd\db_users@sd.domain.com]
(Mon May 24 19:45:11 2020) [sssd[be[SD.DOMAIN.COM]]] [sss_domain_get_state] (0x1000): Domain SD.DOMAIN.COM is Active
(Mon May 24 19:45:11 2020) [sssd[be[SD.DOMAIN.COM]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=sd,dc=domain,dc=com]
(Mon May 24 19:45:11 2020) [sssd[be[SD.DOMAIN.COM]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=sd\5cdb_users)(objectClass=group)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=sd,dc=domain,dc=com].
(Mon May 24 19:45:11 2020) [sssd[be[SD.DOMAIN.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon May 24 19:45:11 2020) [sssd[be[SD.DOMAIN.COM]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results.
(Mon May 24 19:45:11 2020) [sssd[be[SD.DOMAIN.COM]]] [sysdb_search_object_attr] (0x0400): No such entry.
(Mon May 24 19:45:11 2020) [sssd[be[SD.DOMAIN.COM]]] [sysdb_delete_by_sid] (0x0400): search by sid did not return any results.
我认为问题在于 mssql-server 正在传递sd\db_users
整个帐户名而没有省略域前缀sd
。
是否有让 MSSQL 在我的设置中使用 AD 的设置或方法?