Environment
===
- Domain: contoso.com
- Linux server: red1 (Red Hat 7.6)
- MSA: msa01
- SQL Server 2017 CU17
red1 has already joined the domain contoso.com (for how to join the domain, see "Join SQL Server on a Linux host to an Active Directory domain").

Create the standalone MSA on a domain controller (or any host with the AD PowerShell module). The password you enter here is the one the keytab keys will be derived from:
```powershell
New-ADServiceAccount -Name msa01 -Enabled $true -AccountPassword (Read-Host -AsSecureString "Enter Password") -RestrictToSingleComputer
```
Find the account's current key version number. On red1, obtain a ticket as the MSA and ask the KDC which kvno it issues for the SPN:

```bash
kinit msa01@CONTOSO.COM
kvno MSSQLSvc/red1.contoso.com:1433
```

On the Windows side, read the same value from the account object:

```powershell
Get-ADServiceAccount -Identity msa01 -Properties msDS-KeyVersionNumber
```

Both must agree; that is the value passed as /kvno below (2 in this environment).
Build the keytab with ktpass on a Windows host. One entry is written per principal and enctype: the FQDN and short-name SPNs plus the MSA's own UPN, each with aes256-sha1 and rc4-hmac-nt keys, appended to the same file with /in and /out. The minus forms -setpass and -setupn tell ktpass not to reset the MSA's password and not to rewrite its UPN, so /pass must be the password set at New-ADServiceAccount and /kvno must match msDS-KeyVersionNumber, otherwise the keys in the file will not decrypt tickets the KDC issues. Use `/pass *` to be prompted rather than leaving the password in the shell history:

```powershell
ktpass /princ MSSQLSvc/red1.CONTOSO.COM:1433@CONTOSO.COM /ptype KRB5_NT_PRINCIPAL /crypto aes256-sha1 /mapuser contoso\msa01 /out mssql.keytab -setpass -setupn /kvno 2 /pass Password1
ktpass /princ MSSQLSvc/red1:1433@CONTOSO.COM /ptype KRB5_NT_PRINCIPAL /crypto aes256-sha1 /mapuser contoso\msa01 /in mssql.keytab /out mssql.keytab -setpass -setupn /kvno 2 /pass Password1
ktpass /princ MSSQLSvc/red1.CONTOSO.COM:1433@CONTOSO.COM /ptype KRB5_NT_PRINCIPAL /crypto rc4-hmac-nt /mapuser contoso\msa01 /in mssql.keytab /out mssql.keytab -setpass -setupn /kvno 2 /pass Password1
ktpass /princ MSSQLSvc/red1:1433@CONTOSO.COM /ptype KRB5_NT_PRINCIPAL /crypto rc4-hmac-nt /mapuser contoso\msa01 /in mssql.keytab /out mssql.keytab -setpass -setupn /kvno 2 /pass Password1
ktpass /princ msa01@CONTOSO.COM /ptype KRB5_NT_PRINCIPAL /crypto aes256-sha1 /mapuser contoso\msa01 /in mssql.keytab /out mssql.keytab -setpass -setupn /kvno 2 /pass Password1
ktpass /princ msa01@CONTOSO.COM /ptype KRB5_NT_PRINCIPAL /crypto rc4-hmac-nt /mapuser contoso\msa01 /in mssql.keytab /out mssql.keytab -setpass -setupn /kvno 2 /pass Password1
```
Copy mssql.keytab to /var/opt/mssql/secrets on red1, then register the MSA as the privileged AD account and the keytab with mssql-conf. The keytab holds long-term keys equivalent to the MSA's password, so it must be readable only by the mssql service account:

```bash
sudo /opt/mssql/bin/mssql-conf set network.privilegedadaccount msa01
sudo systemctl restart mssql-server.service

# lock the keytab down before pointing SQL Server at it
sudo chown mssql:mssql /var/opt/mssql/secrets/mssql.keytab
sudo chmod 400 /var/opt/mssql/secrets/mssql.keytab
sudo /opt/mssql/bin/mssql-conf set network.kerberoskeytabfile /var/opt/mssql/secrets/mssql.keytab
sudo systemctl restart mssql-server
```
There is a known issue with AES 256 encryption in the krb5 library shipped with Red Hat/CentOS and Ubuntu. The fix exists upstream in krb5, but the patched library has not shipped in the distributions we support, so the symptom depends on how the keytab entries were created.

If the SPN entries are added with ktutil's `addent` instead of ktpass, you cannot connect to SQL Server with Windows Authentication at all, and the PAL log shows:

```
Request ticket server MSSQLSvc/red1:1433@CONTOSO.COM kvno 2 enctype aes256-cts found in keytab but cannot decrypt ticket
```

If the MSA entries are added with `addent`, privileged operations such as CREATE LOGIN and sp_addsrvrolemember fail with:

```
Could not obtain information about Windows NT group/user '%ls', error code 0x80090304
```
I’ll discuss the issue in other articles.
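When a ticket "found in keytab but cannot decrypt", the first thing to rule out is the keytab itself: wrong kvno, a missing enctype, or entries left from an earlier password. The script below is an added example for this article, not SQL Server's, ktpass's or the author's code. It parses the MIT keytab format the same way `klist -kte mssql.keytab` does and reports, per principal, which of the enctypes the ktpass sequence above should have produced are absent at the kvno AD reports, and which stale kvnos are present. The sample keytab is constructed in-process with placeholder key bytes (not derived from Password1 or any password) so it runs without a domain; the principal names and enctypes are the ones from this article.

```python
"""Offline keytab inspection: what `klist -kte` shows, plus a kvno/enctype check.

Added example; not code from SQL Server, ktpass or this article's author.
The sample keytab is constructed here with placeholder keys (NOT real Kerberos keys).
"""
import hashlib
import struct
from collections import defaultdict

# RFC 3961 / RFC 4757 enctype numbers for the two ktpass /crypto values used above
ENCTYPES = {18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KEYLEN = {18: 32, 23: 16}
KRB5_NT_PRINCIPAL = 1

# The three principals the article's six ktpass commands write
SAMPLE_PRINCIPALS = [
    "MSSQLSvc/red1.CONTOSO.COM:1433@CONTOSO.COM",
    "MSSQLSvc/red1:1433@CONTOSO.COM",
    "msa01@CONTOSO.COM",
]


def _cstr(b: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def keytab_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialise one keytab_entry in the version 0x0502 layout (all fields big-endian)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    for c in comps:
        body += _cstr(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _cstr(key)
    body += struct.pack(">I", kvno)  # trailing 32-bit kvno, as ktpass and ktutil write it
    return struct.pack(">i", len(body)) + body


def build_sample_keytab(kvno: int = 2) -> bytes:
    """Constructed stand-in for mssql.keytab: every principal with aes256 and rc4 keys."""
    out = b"\x05\x02"
    for p in SAMPLE_PRINCIPALS:
        for et in ENCTYPES:
            key = hashlib.sha256(f"placeholder:{p}:{et}".encode()).digest()[: KEYLEN[et]]
            out += keytab_entry(p, kvno, et, key)
    return out


def _read_cstr(data: bytes, off: int):
    n, = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes):
    """Yield (principal, kvno, enctype) for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off = 2
    while off < len(data):
        size, = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:  # negative size is a slot freed by `ktutil delent`; skip it
            off += -size
            continue
        end = off + size
        ncomp, = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_cstr(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_cstr(data, off)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _read_cstr(data, off)
        kvno = vno8
        if end - off >= 4:  # a non-zero 32-bit kvno overrides the 8-bit field
            vno32, = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        yield "/".join(comps) + "@" + realm.decode(), kvno, enctype


def check_keytab(data: bytes, ad_kvno: int, principals=SAMPLE_PRINCIPALS, required=(18, 23)) -> dict:
    """Per principal: enctypes missing at AD's kvno, and stale kvnos still in the file.

    ad_kvno is the msDS-KeyVersionNumber value from Get-ADServiceAccount.
    """
    seen = defaultdict(set)
    for p, kvno, et in parse_keytab(data):
        seen[p].add((kvno, et))
    report = {}
    for p in principals:
        current = {et for kvno, et in seen[p] if kvno == ad_kvno}
        report[p] = {
            "missing": [ENCTYPES.get(e, str(e)) for e in required if e not in current],
            "stale_kvno": sorted({kvno for kvno, _ in seen[p] if kvno != ad_kvno}),
        }
    return report


if __name__ == "__main__":
    kt = build_sample_keytab(kvno=2)
    for p, kvno, et in parse_keytab(kt):  # same columns as `klist -kte mssql.keytab`
        print(f"{kvno:4d}  {p:45s}  ({ENCTYPES.get(et, et)})")
    print(check_keytab(kt, ad_kvno=2))  # keytab matches AD
    print(check_keytab(kt, ad_kvno=3))  # what an MSA password reset after ktpass looks like
```

Run it against the real file with `parse_keytab(open("/var/opt/mssql/secrets/mssql.keytab", "rb").read())` as root; an empty `missing` list and an empty `stale_kvno` list for all three principals means the kvno and enctype coverage are right, and the "cannot decrypt ticket" message in the PAL log then points at the krb5 AES issue described above rather than at the keytab.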