Introducing adutil - A tool to ease configuration of AD authentication for SQL on Linux/Containers

Published Dec 11 2020 08:59 AM
Microsoft

We are excited to introduce adutil in public preview. adutil is a CLI-based utility developed to ease the configuration of AD authentication for both SQL Server on Linux and SQL Server Linux containers. AD authentication enables domain-joined clients on either Windows or Linux to authenticate to SQL Server using their domain credentials and the Kerberos protocol.

Until today, when configuring AD authentication for SQL Server on Linux, the step "create the AD user for SQL Server and set the SPNs" required you to switch from the Linux machine to a Windows machine and then back to the Linux machine to continue with the rest of the steps. With adutil we aim to make this experience seamless: from the Linux machine itself you can interact with and manage Active Directory domains through the CLI.

Overall, adutil is a utility for interacting with and managing Active Directory domains through the CLI. adutil is designed as a series of commands and subcommands, with additional flags that can be specified for further input. Each top-level command represents a category of administrative functions, and each subcommand is an operation within that category. Using adutil you can manage users, SPNs, keytabs, groups, etc.


To start using adutil, see adutil installation (https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-ad-auth-adutil-tutorial?view=sql-server-ver15#install-adutil-preview) for the install steps.

For details on how you can configure AD authentication with adutil for SQL Server on Linux and containers, refer to:

Configure Active Directory authentication for SQL Server on Linux using adutil (https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-ad-auth-adutil-tutorial?view=sql-server-ver15)

Configure Active Directory authentication for SQL Server on Linux containers using adutil (https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-containers-ad-auth-adutil-tutorial?view=sql-server-ver15)


Thanks,

Engineering lead: Mike Habben

Engineering: Dylan Gray; Dyllon (Owen) Gagnier; Ethan Moffat; Madeline MacDonald

Amit Khandelwal, Senior Program Manager

6 Comments
Occasional Visitor

When running create user command I receive an error:


# adutil user create --distname CN=user,OU=Users,DC=DOMAIN,DC=ORG --password 'password' --debug

adutil Configuration:
        KeytabDir: '/var/run/secrets/keytabs/adutil'
        UseLdaps: 'false'
        IsWindowsDomain: 'true'
        OUDistinguishedName: ''
        UseDefaultSystemCCache: 'true'
Using configuration file from /root/.adutil/adutil.json
Detected parameters:
            Debug: true
             Name: mssql2019
     NameDistName: CN=mssql2019,DC=DOMAIN,DC=ORG
Checking for valid kerberos ticket
UserHasKrb5Credentials: Enumerating credentials in default system CCache
UserHasKrb5Credentials: Found local TGT for realm DOMAIN.ORG
UserHasKrb5Credentials: Found valid credentials
Running command: create user
Attempting to get password from --password flag
Creating user account mssql2019 (CN=mssql2019,DC=DOMAIN,DC=ORG) in DOMAIN.ORG
Failed interactive bind to 'DOMAIN.ORG' in CreateLdapConnection: Local error
Failed to connect to 'DOMAIN.ORG' when adding object 'CN=mssql2019,DC=DOMAIN,DC=ORG'

Failed to connect to 'DOMAIN.ORG' when adding object 'CN=mssql2019,DC=DOMAIN,DC=ORG'

"kinit" runs correctly, and so do "id" and "getent".


What's wrong?

I actually can't install SQLServer 2019 since I can't use the "setspn" commands (no Windows servers here, AD is on Samba4...).

Occasional Visitor

Additional info: both the directory '/var/run/secrets/keytabs/adutil' and the file '/root/.adutil/adutil.json' are missing.

Occasional Visitor

@nicorac I had this exact same issue. 

I went back through and followed the instructions to the letter. 

The key difference was following the parts on "Domain Machine Preparation" and "Join the Linux Host machine to your AD domain".

In particular, I had to add a reverse DNS zone, set up a PTR record with the FQDN of the Linux SQL host and, before joining the realm, ensure that the hostname of the Linux server was the FQDN.

I haven't determined which of the steps was the key missing piece, but following and verifying all of the steps moved past this issue.


I'm not 100% done yet though. I'm now stuck on creating the keytab and getting an error about No credentials found for supported encryption types. Working through that one at the moment. 
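The comment above attributes the bind failure to three prerequisites: a reverse DNS zone, a PTR record for the host's FQDN, and the hostname being set to the FQDN before the realm join. The following pre-flight check is an added example (not code from the original thread, from Microsoft or from adutil) that verifies exactly those three conditions before you run adutil or realm join. The function names (`is_fqdn`, `check_host`, `gather_live_facts`) and the sample names and addresses in the usage are assumptions; resolver answers are passed in as plain values so the logic can be exercised offline, and `gather_live_facts()` fills them from the local resolver on a real host.

```python
"""Pre-flight DNS/hostname checks to run before `adutil` or `realm join`.

Added example, not part of the original post or of adutil.  The three
checks mirror the fix described in the comment above: hostname must be an
FQDN, it must have an A record, and that address must have a PTR record
pointing back to the same FQDN.
"""
import socket
from typing import Dict, List


def is_fqdn(hostname: str) -> bool:
    """True if the hostname carries a domain part, e.g. 'sqlhost.contoso.com'."""
    labels = hostname.strip().rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def check_host(hostname: str,
               forward: Dict[str, str],
               reverse: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed.

    forward: name -> IPv4 address, as the resolver answers an A query
    reverse: IPv4 address -> name, as the resolver answers a PTR query
    """
    findings: List[str] = []
    if not is_fqdn(hostname):
        findings.append(
            f"hostname '{hostname}' is not an FQDN; set it with "
            "'hostnamectl set-hostname <host>.<domain>' before joining the realm")
        return findings  # the remaining checks need a domain name
    name = hostname.strip().rstrip(".").lower()
    forward = {k.rstrip(".").lower(): v for k, v in forward.items()}
    addr = forward.get(name)
    if addr is None:
        findings.append(f"no A record for '{name}' (forward lookup failed)")
        return findings
    ptr = reverse.get(addr)
    if ptr is None:
        findings.append(
            f"no PTR record for {addr}; add a reverse zone and a PTR for '{name}'")
    elif ptr.rstrip(".").lower() != name:
        findings.append(
            f"PTR for {addr} is '{ptr}', expected '{name}' (forward/reverse mismatch)")
    return findings


def gather_live_facts() -> Dict[str, object]:
    """Collect the hostname plus its A and PTR answers from the local resolver."""
    hostname = socket.getfqdn()
    forward: Dict[str, str] = {}
    reverse: Dict[str, str] = {}
    try:
        addr = socket.gethostbyname(hostname)
        forward[hostname.lower()] = addr
        try:
            reverse[addr] = socket.gethostbyaddr(addr)[0]
        except socket.herror:
            pass  # no PTR record: reported by check_host
    except socket.gaierror:
        pass  # no A record: reported by check_host
    return {"hostname": hostname, "forward": forward, "reverse": reverse}


if __name__ == "__main__":
    # Offline demonstration on constructed data (not a real host).
    demo = check_host("sqlhost.contoso.com",
                      {"sqlhost.contoso.com": "10.0.0.5"},
                      {})  # no reverse zone configured
    print("constructed sample:", demo or ["OK"])
    # Live check of the machine this runs on.
    facts = gather_live_facts()
    problems = check_host(facts["hostname"], facts["forward"], facts["reverse"])
    for line in problems or ["OK: hostname is an FQDN with matching A and PTR records"]:
        print(line)
```

Run it on the SQL Server host before the realm join; any finding it prints corresponds to one of the steps the commenter had to go back and complete. It checks IPv4 only, so a host that is reachable solely over IPv6 needs the same comparison against AAAA records.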


Occasional Visitor

@amvin87 This is a great tool! I worked through the instructions and successfully used it. Can you tell me what advantages it has over adcli? http://manpages.ubuntu.com/manpages/trusty/man8/adcli.8.html I have used adcli and I am wondering if adutil was developed for something that adcli did not provide.


It's great to see the Microsoft team develop tools like this that help integrate Linux. Thanks for your work in accomplishing this!

New Contributor

As with realmd on RHEL-derived systems, adcli doesn't solve the problem of setting up a service principal name (SPN). Without adutil, you'll need to go to a Windows system to run setspn and generate your krb.conf file, which you can't do on the Linux side unless you're using RC4 encryption (which is terribly insecure these days). If you really want to manage everything from Linux, RHEL Identity Manager (freeIPA) does get around this, but it's a more complex infrastructure to set up.

Occasional Visitor

@LouisPTC Thank you for the reply, it is very helpful!


As you probably know, adcli does allow setting up SPN with --service-name and generates a keytab, for example:

$ sudo adcli join --domain CONTOSO.COM --service-name=cifs --computer-name smbserver --host-fqdn smbserver.CONTOSO.COM --host-keytab /etc/smbserver.keytab -v

This still doesn't configure krb.conf or sssd but that can be done automagically with realm (which is still recommended with the instructions provided for adutil) :smile:


So if I understand you correctly, the primary concern is that adcli is using RC4 encryption which isn't secure? What encryption is adutil utilizing?


Just want to be sure I'm not missing some additional functionality provided by adutil that isn't available with adcli - not that better encryption isn't a huge improvement! :smile:


Thanks!
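Two threads in the comments above come back to keytab encryption types: the remark that an RC4-based setup is "terribly insecure these days", and the question of which encryption a given tool ends up using. Whatever tool wrote the keytab, the keytab itself records the answer, so the following added example (not code from the thread, from Microsoft or from adutil) audits a keytab listing: it parses the output of MIT Kerberos `klist -kte <keytab>` (the format assumed here; Heimdal prints a different layout), groups keys by principal, and reports principals that carry RC4 or DES keys and principals that have no AES key at all. The listing below is a constructed sample, not from a real host, and the function names (`parse_keytab_listing`, `audit`, `audit_keytab_file`) are my own; the page does not state which enctypes adutil selects, and the audit only reads what is in the keytab.

```python
"""Audit the encryption types present in a Kerberos keytab listing.

Added example, not part of the original post or of adutil.  Parses the
MIT `klist -kte` output format (assumed) and flags RC4/DES keys and
principals without any AES key.
"""
import re
import subprocess
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample in MIT `klist -kte` format (not captured from a real host).
SAMPLE_LISTING = """\
Keytab name: FILE:/var/opt/mssql/secrets/mssql.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2021 10:00:00 MSSQLSvc/sqlhost.contoso.com:1433@CONTOSO.COM (aes256-cts-hmac-sha1-96)
   2 01/15/2021 10:00:00 MSSQLSvc/sqlhost.contoso.com:1433@CONTOSO.COM (aes128-cts-hmac-sha1-96)
   2 01/15/2021 10:00:00 MSSQLSvc/sqlhost.contoso.com:1433@CONTOSO.COM (arcfour-hmac)
   2 01/15/2021 10:00:00 mssql2019@CONTOSO.COM (arcfour-hmac)
"""

# One keytab entry: KVNO, date and time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")

# Enctype name prefixes treated as weak: RC4 (arcfour-hmac / rc4-hmac),
# single DES and triple DES, all deprecated for Kerberos.
WEAK_PREFIXES = ("arcfour", "rc4", "des")


def parse_keytab_listing(text: str) -> Dict[str, Set[str]]:
    """Map each principal in the listing to the set of enctype names it has."""
    enctypes: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and separator lines do not match
            _kvno, _timestamp, principal, enctype = m.groups()
            enctypes[principal].add(enctype.lower())
    return dict(enctypes)


def audit(enctypes: Dict[str, Set[str]]) -> List[str]:
    """Return one finding per problem; an empty list means the keytab is clean."""
    findings: List[str] = []
    for principal, types in sorted(enctypes.items()):
        has_aes = any(t.startswith("aes") for t in types)
        weak = sorted(t for t in types if t.startswith(WEAK_PREFIXES))
        if not has_aes:
            findings.append(
                f"{principal}: no AES key; only {', '.join(sorted(types))}")
        if weak:
            findings.append(
                f"{principal}: weak enctype(s) present: {', '.join(weak)}")
    return findings


def audit_keytab_file(path: str) -> List[str]:
    """Run klist on a real keytab and audit it (requires MIT krb5 client tools)."""
    listing = subprocess.run(["klist", "-kte", path],
                             capture_output=True, text=True, check=True).stdout
    return audit(parse_keytab_listing(listing))


if __name__ == "__main__":
    for finding in audit(parse_keytab_listing(SAMPLE_LISTING)) or ["OK"]:
        print(finding)
```

On the constructed sample this reports the service principal as carrying an RC4 key beside its AES keys, and the user principal as having an RC4 key only. A principal that shows up with no AES key is the first thing to look at when a client and server cannot agree on a supported encryption type, since both sides must share at least one enctype for which a key exists.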

Version history: last update Dec 11 2020 08:58 AM