Introducing adutil - A tool to ease configuration of AD authentication for SQL on Linux/Containers

Published Dec 11 2020 08:59 AM
Microsoft

We are excited to introduce adutil in public preview. It is a CLI-based utility developed to ease AD authentication configuration for both SQL Server on Linux and SQL Server Linux containers. AD authentication enables domain-joined clients on either Windows or Linux to authenticate to SQL Server using their domain credentials and the Kerberos protocol.

Until today, when configuring AD authentication for SQL on Linux, the step for creating the "AD user for SQL Server and setting SPNs" required you to switch from the Linux machine to a Windows machine and then back to the Linux machine to continue with the rest of the steps. With adutil released, we aim to make this experience seamless: from the Linux machine itself you can interact with and manage Active Directory domains through the CLI.

Overall, adutil is a utility for interacting with and managing Active Directory domains through the CLI. adutil is designed as a series of commands and subcommands, with additional flags that can be specified for further input. Each top-level command represents a category of administrative functions. Each subcommand is an operation within that category. Using adutil you can manage users, SPNs, keytabs, groups, etc.

To start using adutil, please see adutil installation for the install steps.

For details on how to configure AD authentication with adutil for SQL on Linux and containers, please refer to the following:

Configure Active Directory authentication for SQL Server on Linux using adutil

Configure Active Directory authentication for SQL Server on Linux containers using adutil

Thanks,

Engineering lead: Mike Habben

Engineering: Dylan Gray; Dyllon (Owen) Gagnier; Ethan Moffat; Madeline MacDonald

Amit Khandelwal Senior Program Manager

Last update: Dec 11 2020 08:58 AM