Announcing the Availability of adutil for RHEL 9 and Ubuntu 22.04!

amvin87
Jun 25, 2024

We’re thrilled to share that adutil, the Active Directory Utility for SQL Server, is now officially supported on RHEL 9 and Ubuntu 22.04. If you’ve been waiting for this, your patience has paid off! Let’s dive into the details.

 

What Is adutil?

adutil is a powerful tool that simplifies Active Directory integration with SQL Server on Linux-based deployments. It enables seamless authentication, user management, and keytab configuration. Whether you’re running SQL Server on RHEL 9 or Ubuntu 22.04, you can now harness the full capabilities of adutil.

 

Getting Started

  1. Join Your Host Machine to the Domain: Before diving into adutil, ensure that your host machine is part of the domain. Follow the steps outlined in our article: Join SQL Server on Linux to Active Directory - SQL Server | Microsoft Learn.

  2. Installing adutil on RHEL 9: Execute the following commands to add the RHEL 9 Prod repository and install adutil:
    sudo curl -o /etc/yum.repos.d/msprod.repo https://packages.microsoft.com/config/rhel/9/prod.repo
    ## Now you are ready to install adutil using the command:
    sudo ACCEPT_EULA=Y yum install -y adutil
    ## Check the adutil version with the following command and ensure the version is 1.1.138
    adutil --version
    
  3. Installing adutil on Ubuntu 22.04: Follow these steps to add the repository and install adutil:
    ## add the repo and required package signature
    curl https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc
    curl https://packages.microsoft.com/config/ubuntu/22.04/prod.list | sudo tee /etc/apt/sources.list.d/msprod.list
    ## now update the repo and install adutil 
    sudo apt-get update
    sudo ACCEPT_EULA=Y apt-get install -y adutil

Explore adutil’s Features

  • Account Creation: Easily create and manage user accounts tied to Active Directory.
  • Keytab Configuration: Set up keytabs for secure authentication.
  • User Management: Handle user permissions and access.

For detailed guidance, refer to our comprehensive article: Introduction to adutil - Active Directory Utility - SQL Server | Microsoft Learn

Updated on 22nd November 2024: Streamlining User Account Security with Adutil: AES 128/256-bit Encryption Now Supported

With the release of Adutil version 1.1.143 and later, you can now easily create and modify user accounts to enable or disable AES 128/256-bit encryption for Kerberos. Starting from version 1.1.143, support for Kerberos AES 128-bit and AES 256-bit encryption is built in and enabled by default. Here are a few samples to help you get started.

## Note the -D parameter, which disables AES 128/256 encryption for the account. By default, the adutil user create command creates the account with these options set.
$ adutil user create --help
create - Creates a new AD user account

  Usage:
        create [name]

        Positional Variables:
    name   Name of the user account to create
  Flags:
       --version             Displays the program version string.
    -h --help                Displays help with available flag, subcommand, and positional value parameters.
    -n --name                Name of the user account to create
       --distname            Distinguished name of the account
    -o --ouname              Organizational Unit of the account (takes precedence over distinguished name)
       --upn                 OPTIONAL: User principal name for the created account
       --desc                OPTIONAL: Description for the account being created
       --password            OPTIONAL: Password for the user being created
    -D --disableaessupport   OPTIONAL: Disable AES 128 and 256 support
    -d --debug               Display additional debugging information when making LDAP/Kerberos calls.
       --accept-eula         Accepts the current EULA for adutil. This has no effect if the EULA has already been accepted.
If --ouname and --distname are omitted, the value set by `adutil config set ou` will be used


## Similarly, the -E and -D flags enable and disable the AES account options, respectively, when using the adutil user modify command:

$ adutil user modify --help
modify - Modify an existing AD user account

  Usage:
        modify [name]

        Positional Variables:
    name   Name of the user account to modify
  Flags:
       --version             Displays the program version string.
    -h --help                Displays help with available flag, subcommand, and positional value parameters.
    -n --name                Name of the user account to modify
       --distname            Distinguished name of the account
    -o --ouname              Organizational Unit of the account (takes precedence over distinguished name)
    -E --enableaessupport    OPTIONAL: Enable AES 128 and 256 support
    -D --disableaessupport   OPTIONAL: Disable AES 128 and 256 support
    -d --debug               Display additional debugging information when making LDAP/Kerberos calls.
       --accept-eula         Accepts the current EULA for adutil. This has no effect if the EULA has already been accepted.
If --ouname and --distname are omitted, the value set by `adutil config set ou` will be used

## When you use the adutil user create command as shown below, the user is created with AES 128/256 encryption set for the account
$ adutil user create --name testuser --distname CN=testuser,CN=Users,DC=CONTOSO,DC=COM

## If you intend to create a user without these properties set, use the -D option as shown below

$ adutil user create --name AESdisableduser --distname CN=AESdisableduser,CN=Users,DC=CONTOSO,DC=COM -D

## If you wish to modify the Kerberos AES encryption for an account, here is a sample:

$ adutil user modify --name testuser --distname CN=testuser,CN=Users,DC=CONTOSO,DC=COM -D
Successfully disabled AES encryption for ('testuser', 'CONTOSO.COM')

## You can also enable Kerberos AES encryption for an account as shown below:
$ adutil user modify --name aesdisableduser --distname CN=aesdisableduser,CN=Users,DC=CONTOSO,DC=COM -E
Successfully enabled AES encryption for ('aesdisableduser', 'CONTOSO.COM')

You can now use Adutil to modify existing user accounts to enable or disable these encryption options. This new feature eliminates the need to manually enable these settings in Active Directory, as detailed in step #2 of this document.
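
To confirm which accounts actually ended up with AES enabled after running the create or modify commands, the following added example (not part of adutil or of the original post) classifies accounts from an LDIF export, such as the output of an LDAP query against the domain. It assumes the AES account options correspond to the msDS-SupportedEncryptionTypes attribute; the function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the adutil project). Assumption: the AES account
# options map to msDS-SupportedEncryptionTypes bits 0x08 (AES128) and 0x10 (AES256).

# Classify one msDS-SupportedEncryptionTypes value (decimal or 0x-prefixed hex).
aes_status() (
    v=$(( ${1:-0} ))
    aes=$(( v & 0x18 ))
    if   [ "$v" -eq 0 ];      then echo "unset"          # domain default applies
    elif [ "$aes" -eq 24 ];   then echo "aes128+aes256"
    elif [ "$aes" -ne 0 ];    then echo "aes-partial"    # only one AES bit set
    else                           echo "no-aes"         # DES/RC4 bits only
    fi
)

# Read LDIF entries on stdin (blank-line separated) and print "<account> <status>".
audit_ldif() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        name = ""; enc = 0
        for (i = 1; i <= NF; i++) {
            val = $i; sub(/^[^:]*: */, "", val)
            if ($i ~ /^sAMAccountName:/) name = val
            if ($i ~ /^msDS-SupportedEncryptionTypes:/) enc = val + 0
        }
        if (name != "") print name, enc
    }' | while read -r name enc; do
        echo "$name $(aes_status "$enc")"
    done
}

# Constructed sample input; account names reuse the ones in the post,
# svc-legacy and all attribute values are made up for illustration.
sample_ldif() {
    cat <<'EOF'
dn: CN=testuser,CN=Users,DC=CONTOSO,DC=COM
sAMAccountName: testuser
msDS-SupportedEncryptionTypes: 24

dn: CN=aesdisableduser,CN=Users,DC=CONTOSO,DC=COM
sAMAccountName: aesdisableduser

dn: CN=svc-legacy,CN=Users,DC=CONTOSO,DC=COM
sAMAccountName: svc-legacy
msDS-SupportedEncryptionTypes: 4
EOF
}

sample_ldif | audit_ldif
```

Accounts reported as no-aes or unset are the ones to review before disabling weaker Kerberos encryption types in the domain.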

Fun Fact: Ansible and adutil

Did you know that Ansible can simplify your SQL Server deployment? The Ansible-based SQL Server collection leverages adutil behind the scenes to enable AD authentication for SQL Server on Linux. Explore more in the Red Hat Hybrid Cloud Console documentation: Automation Hub - microsoft.sql | Ansible Automation Platform (redhat.com) and our official documentation: Quickstart: Deploy SQL Server on Linux using an Ansible playbook - SQL Server | Microsoft Learn

 

Get ready to enhance your SQL Server experience with adutil on RHEL 9 and Ubuntu 22.04!

 

Thanks,

Engineering Lead: Vaibhao Tatte

Engineering Team: Dwaipayan Barman, Parameswara Reddy Bodeddula

 

 

Updated Nov 22, 2024
Version 2.0