FreeTDS and MSSQL domain authentication error - login packet rejected

Time: 2013-10-24 04:03:12

Tags: sql-server sql-server-2008 authentication freetds unixodbc

I am using FreeTDS with unixODBC to connect from Linux to a remote SQL Server instance. The Linux server has AD integration, and I ssh to the server with my domain login.

However, TDS (version 7.1) does not connect and fails with the error message

locale is "en_US.UTF-8"
locale charset is "UTF-8"
using default charset "UTF-8"
Error 20002 (severity 9):
        Adaptive Server connection failed
There was a problem connecting to the server

After setting the TDS dump variable, I ran the command

tsql -H server.domain.local -p 52890

I am using a non-standard port because I am connecting to a named instance that runs on a port other than 1433.

Below is the debug log

net.c:1370:handshake succeeded!!
gssapi.c:215:kerberos name MSSQLSvc/<server Name>
login.c:466:login packet rejected
util.c:156:Changed query state from IDLE to DEAD
util.c:331:tdserror(0x2139160, 0x2139400, 20002, 0)
util.c:361:tdserror: client library returned TDS_INT_CANCEL(2)
util.c:384:tdserror: returning TDS_INT_CANCEL(2)

I am able to connect to another server that has SQL Server authentication enabled, so there is no problem with the ODBC connection itself. This particular server only has domain authentication enabled, so I cannot check whether SQL Server authentication works.

***** Edit *****

Added a Kerberos trace using the KRB5_TRACE variable. Sorry for the long log file.

[21067] 1382697575.336792: ccselect module realm chose cache FILE:/tmp/krb5cc_1411389785 with client principal username@domain for server principal MSSQLSvc/servername.domain:52820@domain
[21067] 1382697575.337100: Retrieving username@domain -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from FILE:/tmp/krb5cc_1411389785 with result: -1765328243/Matching credential not found
[21067] 1382697575.337153: Getting credentials username@domain -> MSSQLSvc/servername.domain:52820@domain using ccache FILE:/tmp/krb5cc_1411389785
[21067] 1382697575.337267: Retrieving username@domain -> MSSQLSvc/servername.domain:52820@domain from FILE:/tmp/krb5cc_1411389785 with result: -1765328243/Matching credential not found
[21067] 1382697575.337379: Retrieving username@domain -> krbtgt/domain@domain from FILE:/tmp/krb5cc_1411389785 with result: 0/Success
[21067] 1382697575.337394: Found cached TGT for service realm: username@domain -> krbtgt/domain@domain
[21067] 1382697575.337406: Requesting tickets for MSSQLSvc/servername.domain:52820@domain, referrals on
[21067] 1382697575.337472: Generated subkey for TGS request: rc4-hmac/2124
[21067] 1382697575.337488: etypes requested in TGS request: rc4-hmac
[21067] 1382697575.337844: Sending request (1455 bytes) to domain
[21067] 1382697575.341048: Resolving hostname onau-dc01.domain.
[21067] 1382697575.351850: Sending initial UDP request to dgram <dns_server_ip>:port
[21067] 1382697575.352702: Received answer from dgram <dns_server_ip>:port
[21067] 1382697575.353576: Response was not from master KDC
[21067] 1382697575.353616: TGS request result: -1765328377/Server not found in Kerberos database
[21067] 1382697575.353629: Requesting tickets for MSSQLSvc/servername.domain:52820@domain, referrals off
[21067] 1382697575.353667: Generated subkey for TGS request: rc4-hmac/3F66
[21067] 1382697575.353687: etypes requested in TGS request: rc4-hmac
[21067] 1382697575.353804: Sending request (1455 bytes) to domain
[21067] 1382697575.355027: Resolving hostname server.domain.
[21067] 1382697575.355854: Sending initial UDP request to dgram <dns_server_ip2>:88
[21067] 1382697575.358398: Received answer from dgram <dns_server_ip2>:88
[21067] 1382697575.359061: Response was not from master KDC
[21067] 1382697575.359094: TGS request result: -1765328377/Server not found in Kerberos database
Error 20002 (severity 9):
        Adaptive Server connection failed

1 answer:

Answer 0 (score: 2)

Since you are using a named instance, it most likely accepts only tickets issued for the port-specific SPN (MSSQLSvc/<server name>:52890), so your client software should obtain a ticket for this principal. In addition, this port-specific SPN should exist on the account that runs the MSSQL server.

Looking at the FreeTDS implementation, I can see that if 'server_spn' is not set in the connection's configuration, it automatically tries to select the port-specific SPN.

I suggest you remove the explicit server_spn setting for this connection in freetds.conf.
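Added example, not code from the question, the answer, or the FreeTDS project: a small Python script that reads a freetds.conf stanza, works out which SPN the client will request (the explicit server_spn if set, otherwise MSSQLSvc/<host>:<port>, which is assumed here to be FreeTDS's default as the answer describes), and matches that against the "Requesting tickets for" and "TGS request result" lines of a KRB5_TRACE log like the one in the question. The stanza names, host, realm and trace excerpt are constructed placeholders; the error code -1765328377 is the krb5 value of KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

```python
"""Check which SPN a FreeTDS stanza will request and compare it with a KRB5_TRACE log.

Assumption (not from the page): FreeTDS builds "MSSQLSvc/<host>:<port>" when
server_spn is unset, as the answer describes. Conf and trace text are constructed samples.
"""
import configparser
import re

# krb5 error code behind "Server not found in Kerberos database"
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377

# Constructed freetds.conf: the first stanza pins a port-less SPN (the explicit
# server_spn the answer recommends removing); the second leaves FreeTDS to derive
# the port-specific name itself.
FREETDS_CONF = """\
[sales-explicit-spn]
host = server.domain.local
port = 52890
tds version = 7.1
server_spn = MSSQLSvc/server.domain.local

[sales-auto-spn]
host = server.domain.local
port = 52890
tds version = 7.1
"""

# Constructed KRB5_TRACE excerpt modelled on the question's log (host/realm are placeholders).
KRB5_TRACE = """\
[21067] 1382697575.337406: Requesting tickets for MSSQLSvc/server.domain.local@DOMAIN.LOCAL, referrals on
[21067] 1382697575.353616: TGS request result: -1765328377/Server not found in Kerberos database
[21067] 1382697575.353629: Requesting tickets for MSSQLSvc/server.domain.local@DOMAIN.LOCAL, referrals off
[21067] 1382697575.359094: TGS request result: -1765328377/Server not found in Kerberos database
"""

REQ_RE = re.compile(r"Requesting tickets for (?P<spn>[^@\s]+)@(?P<realm>[^,\s]+), referrals (?P<ref>on|off)")
RES_RE = re.compile(r"TGS request result: (?P<code>-?\d+)/(?P<msg>.*)$")


def load_stanza(conf_text: str, name: str) -> dict:
    """Return one freetds.conf server stanza as a plain dict (configparser lower-cases keys)."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return dict(parser[name])


def expected_spn(stanza: dict) -> str:
    """SPN the client will ask the KDC for: explicit server_spn, else the assumed port-specific default."""
    if stanza.get("server_spn"):
        return stanza["server_spn"]
    return f"MSSQLSvc/{stanza['host']}:{stanza['port']}"


def parse_trace(trace_text: str) -> list:
    """Pair each 'Requesting tickets for' line with the TGS result line that follows it."""
    attempts = []
    for line in trace_text.splitlines():
        req = REQ_RE.search(line)
        if req:
            attempts.append({"spn": req["spn"], "realm": req["realm"],
                             "referrals": req["ref"], "code": None, "msg": None})
            continue
        res = RES_RE.search(line)
        if res and attempts and attempts[-1]["code"] is None:
            attempts[-1]["code"] = int(res["code"])
            attempts[-1]["msg"] = res["msg"].strip()
    return attempts


def diagnose(stanza: dict, trace_text: str) -> list:
    """Explain a rejected login in SPN terms: wrong name requested, or name unknown to the KDC."""
    want = expected_spn(stanza)
    findings = []
    for attempt in parse_trace(trace_text):
        if attempt["spn"] != want:
            msg = f"client asked for {attempt['spn']} but this stanza resolves to {want}"
        elif attempt["code"] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
            msg = (f"KDC has no principal {attempt['spn']}: register it on the service account "
                   f"or drop server_spn so the port-specific name is used")
        else:
            continue
        if msg not in findings:  # the trace repeats the request with referrals on/off
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for name in ("sales-explicit-spn", "sales-auto-spn"):
        stanza = load_stanza(FREETDS_CONF, name)
        print(f"[{name}] expects SPN {expected_spn(stanza)}")
        for finding in diagnose(stanza, KRB5_TRACE):
            print("  -", finding)
```

Run against a real trace, replace the FREETDS_CONF and KRB5_TRACE strings with the contents of your freetds.conf and the KRB5_TRACE output; a finding of the first kind means the running configuration is not the stanza you think it is, while the second kind means the name is right for the client but missing on the KDC side.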