Introducing adutil - A tool to ease configuration of AD authentication for SQL on Linux/Containers

Published 12-11-2020 08:59 AM
Microsoft

We are excited to introduce adutil in public preview. adutil is a CLI-based utility developed to ease the configuration of AD authentication for both SQL Server on Linux and SQL Server Linux containers. AD authentication enables domain-joined clients on either Windows or Linux to authenticate to SQL Server using their domain credentials and the Kerberos protocol.

 

Until today, when configuring AD authentication for SQL Server on Linux, the step "create the AD user for SQL Server and set its SPNs" required you to switch from the Linux machine to a Windows machine and then back to the Linux machine to continue with the remaining steps. With the release of adutil we aim to make this experience seamless: from the Linux machine itself you can interact with and manage Active Directory domains through the CLI.

 

Overall, adutil is a utility for interacting with and managing Active Directory domains through the CLI. adutil is designed as a series of commands and subcommands, with additional flags that can be specified for further input. Each top-level command represents a category of administrative functions, and each subcommand is an operation within that category. Using adutil you can manage users, SPNs, keytabs, groups, and so on.
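The command/subcommand structure described above, put together as the usual sequence for a SQL Server on Linux host, as an added shell example (this is not code from the post or from the adutil project). The domain CONTOSO.COM, the host sql1.contoso.com, the account sqluser and the keytab path are assumed placeholder values; the flag spellings follow the adutil tutorial, so check them against `adutil <command> --help` for your build. Nothing touches the domain unless the script is invoked with the argument `apply`.

```shell
#!/bin/sh
# Added example, not from the original post or the adutil project.
# Assumed values: replace the domain, host, account and keytab path for your environment.
set -eu

DOMAIN_DN="DC=CONTOSO,DC=COM"                 # assumed domain (distinguished name form)
SQL_HOST="sql1.contoso.com"                   # assumed FQDN of the SQL Server host
SQL_PORT=1433
SQL_ACCOUNT="sqluser"                         # assumed AD account SQL Server will use
KEYTAB="/var/opt/mssql/secrets/mssql.keytab"  # keytab path used by the adutil tutorial

# Build the SPN clients will request for this host and port (MSSQLSvc/host:port).
spn_for() {
    printf 'MSSQLSvc/%s:%s\n' "$1" "$2"
}

# Build the distinguished name of the service account in the default Users container.
dn_for() {
    printf 'CN=%s,CN=Users,%s\n' "$1" "$2"
}

setup_sql_ad() {
    # 1. adutil reuses the Kerberos ticket of the caller; it must belong to an account
    #    allowed to create users and set SPNs. klist -s is silent and exits 0 only
    #    when a valid, unexpired ticket is in the credential cache.
    klist -s || { echo 'no valid Kerberos ticket: kinit as a domain admin first' >&2; return 1; }

    # 2. Create the AD account for SQL Server. --password is deliberately omitted so
    #    adutil prompts for it instead of the secret landing in shell history and in
    #    process listings for every user on the host.
    adutil user create --name "$SQL_ACCOUNT" --distname "$(dn_for "$SQL_ACCOUNT" "$DOMAIN_DN")"

    # 3. Register the SPNs on that account. addauto registers both
    #    MSSQLSvc/host:port and MSSQLSvc/host.
    echo "registering $(spn_for "$SQL_HOST" "$SQL_PORT") on $SQL_ACCOUNT"
    adutil spn addauto -n "$SQL_ACCOUNT" -s MSSQLSvc -H "$SQL_HOST" -p "$SQL_PORT"

    # 4. Write keytab entries for the SPNs and for the account itself, then restrict
    #    the file to the mssql service user: the keytab is equivalent to the password.
    adutil keytab createauto -k "$KEYTAB" -p "$SQL_PORT" -H "$SQL_HOST" -s MSSQLSvc
    adutil keytab create -k "$KEYTAB" -p "$SQL_ACCOUNT"
    chown mssql:mssql "$KEYTAB"
    chmod 400 "$KEYTAB"

    # 5. Point SQL Server at the keytab and the privileged AD account, then restart.
    /opt/mssql/bin/mssql-conf set network.kerberoskeytabfile "$KEYTAB"
    /opt/mssql/bin/mssql-conf set network.privilegedadaccount "$SQL_ACCOUNT"
    systemctl restart mssql-server
}

# Dry by default; run ". ./setup.sh apply" or "sh setup.sh apply" to execute the steps.
if [ "${1:-}" = "apply" ]; then
    setup_sql_ad
fi
```

Each adutil step depends on the ticket obtained with kinit, so a failed LDAP bind at step 2 is almost always a DNS, realm or ticket problem rather than an adutil problem; keeping the steps in one reviewed function also makes it obvious which account ends up owning the SPNs and the keytab.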

 

To start using adutil, please see the adutil installation steps: https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-ad-auth-adutil-tutorial?view=sql-server-ver15#install-adutil-preview

 

For details on how to configure AD authentication with adutil for SQL Server on Linux and containers, see:

Configure Active Directory authentication for SQL Server on Linux using adutil: https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-ad-auth-adutil-tutorial?view=sql-server-ver15

Configure Active Directory authentication for SQL Server on Linux containers using adutil: https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-containers-ad-auth-adutil-tutorial?view=sql-server-ver15

 

Thanks,

Engineering lead: Mike Habben

Engineering: Dylan Gray; Dyllon (Owen) Gagnier; Ethan Moffat; Madeline MacDonald

Amit Khandelwal Senior Program Manager

3 Comments
Occasional Visitor

When running the create user command I receive an error:

 

# adutil user create --distname CN=user,OU=Users,DC=DOMAIN,DC=ORG --password 'password' --debug

adutil Configuration:
        KeytabDir: '/var/run/secrets/keytabs/adutil'
        UseLdaps: 'false'
        IsWindowsDomain: 'true'
        OUDistinguishedName: ''
        UseDefaultSystemCCache: 'true'
Using configuration file from /root/.adutil/adutil.json
Detected parameters:
            Debug: true
             Name: mssql2019
     NameDistName: CN=mssql2019,DC=DOMAIN,DC=ORG
Checking for valid kerberos ticket
UserHasKrb5Credentials: Enumerating credentials in default system CCache
UserHasKrb5Credentials: Found local TGT for realm DOMAIN.ORG
UserHasKrb5Credentials: Found valid credentials
Running command: create user
Attempting to get password from --password flag
Creating user account mssql2019 (CN=mssql2019,DC=DOMAIN,DC=ORG) in DOMAIN.ORG
Failed interactive bind to 'DOMAIN.ORG' in CreateLdapConnection: Local error
Failed to connect to 'DOMAIN.ORG' when adding object 'CN=mssql2019,DC=DOMAIN,DC=ORG'

Failed to connect to 'DOMAIN.ORG' when adding object 'CN=mssql2019,DC=DOMAIN,DC=ORG'

 

"kinit" runs correctly, and so do "id" and "getent".

 

What's wrong?

I actually can't install SQLServer 2019 since I can't use the "setspn" commands (no Windows servers here, AD is on Samba4...).

Occasional Visitor

Additional info: both the directory '/var/run/secrets/keytabs/adutil' and the file '/root/.adutil/adutil.json' are missing.

Occasional Visitor

@nicorac I had this exact same issue.

I went back through and followed the instructions to the letter.

The key difference was following the parts on "Domain Machine Preparation" and "Join the Linux Host machine to your AD domain".

In particular, I had to add a reverse DNS zone, set up a PTR record with the FQDN of the Linux SQL host and, before joining the realm, ensure that the hostname of the Linux server was the FQDN.

I haven't determined which of the steps was the key missing piece, but following and verifying all of the steps moved past this issue.

 

I'm not 100% done yet though. I'm now stuck on creating the keytab and getting an error about "No credentials found for supported encryption types". Working through that one at the moment.
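The prerequisites the reply above credits with fixing the failed LDAP bind (a fully qualified hostname, forward and reverse DNS that agree, and a valid Kerberos ticket) as a pre-flight script, added here as an example and not part of the thread. sql1.contoso.com in the comments is an assumed placeholder; the checks themselves use only getent, klist and hostname.

```shell
#!/bin/sh
# Added example, not from the original thread: verify the host is ready for adutil
# before trying to create users or SPNs. No domain changes are made.
set -eu

# A Kerberos-usable host name must be fully qualified: at least one dot, no leading
# or trailing dot, no empty label, and only DNS-legal characters (no underscores).
is_fqdn() {
    case "$1" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the name returned by a PTR lookup with the expected FQDN, case-insensitively,
# which is how Kerberos canonicalises host names before building the service principal.
names_match() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Forward-resolve the FQDN, then reverse-resolve every address and require the PTR
# record to name the same host. getent follows nsswitch, so an /etc/hosts entry
# (for example 127.0.1.1 sql1.contoso.com) can mask what the DNS server would answer.
check_dns() {
    fqdn=$1
    addrs=$(getent ahosts "$fqdn" | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || { echo "FAIL: $fqdn does not resolve" >&2; return 1; }
    for ip in $addrs; do
        ptr=$(getent hosts "$ip" | awk '{print $2}')
        if [ -z "$ptr" ]; then
            echo "FAIL: no PTR record for $ip; add one in the reverse zone" >&2
            return 1
        fi
        names_match "$ptr" "$fqdn" || {
            echo "FAIL: PTR for $ip is '$ptr', expected '$fqdn'" >&2; return 1; }
    done
    echo "OK: $fqdn resolves to $(echo $addrs) and the PTR records agree"
}

preflight() {
    host=$(hostname -f 2>/dev/null || hostname)
    is_fqdn "$host" || {
        echo "FAIL: hostname '$host' is not an FQDN (set it with hostnamectl before realm join)" >&2
        return 1; }
    check_dns "$host" || return 1
    # klist -s exits 0 only when the default credential cache holds an unexpired ticket;
    # adutil binds to LDAP with that ticket, so "Local error" on bind often starts here.
    klist -s || { echo "FAIL: no valid Kerberos ticket; run kinit <admin>@<REALM>" >&2; return 1; }
    echo "OK: host name, DNS and Kerberos ticket look consistent"
}

# Run the checks only when asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "check" ]; then
    preflight
fi
```

Run it with `sh preflight.sh check` on the SQL Server host after kinit. Because the adutil debug output in the first comment shows a ticket was found but the bind still failed, the DNS half of these checks is the part worth running first.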

 

Last update: Dec 11 2020 08:58 AM