Is there somewhere we can make bug reports? I don't know how much testing this thing got against a regular domain because I'm running into endless strange random problems. For example, sometimes when I run:
adutil user create --name "$AD_USER" --distname "$AD_DN" --password "$AD_PASS"
I get the below error for no explicable reason, and I end up with a disabled AD user.
"Failed to set password for '$AD_USER': Authentication error"
If I rerun the command, it works.
Or if I do:
adutil user delete --distname "$AD_DN"
adutil user create --name "$AD_USER" --distname "$AD_DN" --password "$AD_PASS"
I get the error:
Failed to modify attributes for object '$DISTINGUISHED_NAME' in '$REALM': Server is unwilling to perform
The LDAP server may not perform the requested action due to restrictions set on the server.
I've gone through the instructions countless times but still can't get authentication to work. When I try, I get the following in the log:
SSPI handshake failed with error code 0x80090304, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The operating system error code indicates the cause of failure. The Local Security Authority cannot be contacted [CLIENT: $MY_DOCKER_BRIDGE_IP]
2021-11-23 19:15:47.89 Logon Error: 18452, Severity: 14, State: 1.
2021-11-23 19:15:47.89 Logon Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. [CLIENT:$MY_DOCKER_BRIDGE_IP]
Similarly, if I log in as SA and try to add a login, it just tells me that "Windows NT user or group '$MY_DOMAIN_ACCOUNT' not found. Check the name again." I'm starting to think that something has changed with the SQL Server container Microsoft provides and nobody bothered updating the documentation, because I can't find any trace of SSSD or Kerberos tools in the container image.
Edit: I solved my authentication issue at least. The instructions for setting up SQL Server are incorrect. You still need to include all those --add-host entries because the DNS lookup within the container doesn't work properly. You also MUST use arcfour-hmac encryption or authentication just doesn't work. Also, save yourself a whole lot of grief by creating a logger.ini file inside your mssql data directory with the following contents:
[Output:sql]
type=File
filename=/var/opt/mssql/log/kerberos.log
[Logger:security.ldap]
level=debug
outputs=sql
[Logger:security.kerberos]
level=debug
outputs=sql
and the log file should hopefully tell you where things were going wrong.
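A small parser for the kind of errorlog lines quoted in the post (the SSPI handshake failure and the Error 18452 / "untrusted domain" pair), as an added example that is not part of the original post or of any Microsoft tooling. It pulls out timestamp, client address, error code, severity, state and SSPI status code so the failures can be counted per client instead of read by eye. The sample log text is constructed from the message shapes above; the client IPs, the extra 18456 line and the noise line are placeholders, and the "Logon" source column matches the usual errorlog layout but is an assumption about your log.

```python
"""Parse SQL Server errorlog lines for integrated-authentication failures.

Added example, not from the original post. The sample errorlog text below is
constructed from the message shapes quoted in the post; client addresses
(172.17.0.1, 10.0.0.5) are placeholders, not real observations.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"

# "Error: 18452, Severity: 14, State: 1." -- this line precedes the readable one
ERROR_RE = re.compile(
    TS + r"\s+Logon\s+Error: (?P<code>\d+), Severity: (?P<sev>\d+), State: (?P<state>\d+)\.")
# "Login failed. <reason> [CLIENT: ip]" or "Login failed for user '...'. Reason: ... [CLIENT: ip]"
FAILED_RE = re.compile(
    TS + r"\s+Logon\s+Login failed\.?\s*(?P<reason>.*?)\s*\[CLIENT:\s*(?P<client>[^\]]+)\]")
# "SSPI handshake failed with error code 0x80090304, state 14 ... [CLIENT: ip]"
SSPI_RE = re.compile(
    TS + r"\s+Logon\s+SSPI handshake failed with error code (?P<sspi>0x[0-9A-Fa-f]+), "
    r"state (?P<state>\d+).*?\[CLIENT:\s*(?P<client>[^\]]+)\]")

# Constructed sample: one SSPI failure + 18452 pair from the "docker bridge" client,
# one unrelated password failure (18456) from another client, and one noise line.
SAMPLE_ERRORLOG = """\
2021-11-23 19:15:47.88 Logon       SSPI handshake failed with error code 0x80090304, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The operating system error code indicates the cause of failure. The Local Security Authority cannot be contacted  [CLIENT: 172.17.0.1]
2021-11-23 19:15:47.89 Logon       Error: 18452, Severity: 14, State: 1.
2021-11-23 19:15:47.89 Logon       Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. [CLIENT: 172.17.0.1]
2021-11-23 19:16:02.10 spid52      Server is listening on [ 'any' <ipv4> 1433].
2021-11-23 19:16:10.31 Logon       Error: 18456, Severity: 14, State: 8.
2021-11-23 19:16:10.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""


@dataclass
class LogonFailure:
    ts: str
    client: str
    error_code: Optional[int]   # e.g. 18452; None for SSPI handshake lines
    severity: Optional[int]
    state: Optional[int]
    sspi_code: Optional[str]    # e.g. "0x80090304"; None for ordinary logon errors
    reason: str


def parse_errorlog(text: str) -> List[LogonFailure]:
    """Return one LogonFailure per SSPI failure or 'Login failed' line."""
    events: List[LogonFailure] = []
    pending = None  # the "Error: N, Severity, State" match waiting for its "Login failed" line
    for line in text.splitlines():
        m = SSPI_RE.search(line)
        if m:
            events.append(LogonFailure(m["ts"], m["client"].strip(), None, None,
                                       int(m["state"]), m["sspi"], "SSPI handshake failed"))
            continue
        m = ERROR_RE.search(line)
        if m:
            pending = m
            continue
        m = FAILED_RE.search(line)
        if m:
            events.append(LogonFailure(
                m["ts"], m["client"].strip(),
                int(pending["code"]) if pending else None,
                int(pending["sev"]) if pending else None,
                int(pending["state"]) if pending else None,
                None, m["reason"].strip()))
            pending = None
    return events


def untrusted_domain_failures(events: List[LogonFailure]) -> List[LogonFailure]:
    """Error 18452: integrated login from a domain the server does not trust (the post's error)."""
    return [e for e in events if e.error_code == 18452]


def failures_by_client(events: List[LogonFailure]) -> Counter:
    """Count failures per [CLIENT: ...] address to see which host is misconfigured."""
    return Counter(e.client for e in events)


def summarize(text: str) -> dict:
    events = parse_errorlog(text)
    return {
        "total": len(events),
        "untrusted_domain": len(untrusted_domain_failures(events)),
        "sspi": sum(1 for e in events if e.sspi_code),
        "by_client": dict(failures_by_client(events)),
    }


if __name__ == "__main__":
    for ev in parse_errorlog(SAMPLE_ERRORLOG):
        print(ev)
    print(summarize(SAMPLE_ERRORLOG))
```

Pointing `parse_errorlog` at the real errorlog (read the file and pass its text) gives you the 18452 / SSPI pairs with their client address, which is the quickest way to confirm whether the failing connections really come from the container's bridge address before digging into the Kerberos log that logger.ini produces.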