Using Kerberos to authenticate with MSSQL from Linux
Posted: Fri Oct 11, 2019 12:52 pm
These are the exact steps to add Kerberos configuration to BMC's ADDM appliance version 11.2.
I have not tested any other version, but I would guess it is the same for all, given that the Linux image they use is the same.
First you will need to make sure that the MSSQL Server DB is configured for Kerberos authentication:
Run this SQL (requires higher-level permissions):
select distinct auth_scheme from sys.dm_exec_connections
After testing your connection to MSSQL, the results should show:
auth_scheme
1 (Unknown)
2 KERBEROS
3 NTLM
4 SQL
If you don't see KERBEROS in the list, ask your DBA to enable it, or ask whether the SQL Server software instance has been given a Service Principal Name (SPN for short). An SPN is necessary for this to work when the database has encryption and integratedSecurity set to true. It might require a change ticket, so get this done as soon as possible.
Next you need to make sure that the Kerberos client libraries are present on the Linux box. Remember you're not running the Kerberos server; that will already be running on some other host. So just make sure that you configure it for client settings.
Configure this file, /etc/krb5.conf, in the /etc folder of the scanning robot (for example BMC ADDM):
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmin.log

[libdefaults]
 # Replace EXAMPLE.COM with your company's domain suffix. It must be capitalized.
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 # Replace EXAMPLE.COM with your domain suffix, as in this example: BLACKHOLESURFER.COM
 EXAMPLE.COM = {
  # Replace with your company's Kerberos server (KDC) host
  kdc = mykerberos.server.com
  admin_server = mykerberos.server.com
 }

[domain_realm]
 # Replace with your domain suffix, as in this example: BLACKHOLESURFER.COM
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
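The file above is easy to get subtly wrong (a realm block opened with `[` instead of `{`, a section named `[domain.realm]` instead of `[domain_realm]`, a lower-case realm), and the only symptom is that kinit or the JDBC login fails with an unhelpful error. The following is an added example, not code from this post or from BMC ADDM: it renders a minimal client-side krb5.conf from a realm and KDC name and then lints a krb5.conf text for exactly those mistakes. The realm and KDC names in it are placeholders, and BROKEN_EXAMPLE is a constructed sample that reproduces the common errors.

```python
"""Render a client-side krb5.conf for one Active Directory realm and lint it for
the mistakes that most often break Kerberos from a Linux host. Example code
written for this post; not part of BMC ADDM or MIT Kerberos. The realm and KDC
names used below are placeholders."""
import re

KNOWN_SECTIONS = {"logging", "libdefaults", "realms", "domain_realm",
                  "appdefaults", "capaths", "plugins", "dbdefaults", "dbmodules"}

# Constructed sample with three typical mistakes: lower-case realm, a realm
# block opened with '[' instead of '{', and a misspelled [domain_realm] section.
BROKEN_EXAMPLE = """[libdefaults]
 default_realm = example.com
[realms]
 EXAMPLE.COM = [
  kdc = kdc1.example.com
 }
[domain.realm]
 .example.com = EXAMPLE.COM
"""


def render_krb5_conf(realm: str, kdc: str, admin_server: str = "") -> str:
    """Build [libdefaults]/[realms]/[domain_realm] for a single realm.
    Realm names are case-sensitive and AD realms are upper-case, so the realm
    is upper-cased; the [domain_realm] DNS keys are lower-case."""
    realm = realm.upper()
    domain = realm.lower()
    admin_server = admin_server or kdc
    return (
        "[libdefaults]\n"
        f" default_realm = {realm}\n"
        " dns_lookup_realm = false\n"
        " dns_lookup_kdc = false\n"
        " ticket_lifetime = 24h\n"
        " renew_lifetime = 7d\n"
        " forwardable = true\n\n"
        "[realms]\n"
        f" {realm} = {{\n"
        f"  kdc = {kdc}\n"
        f"  admin_server = {admin_server}\n"
        " }\n\n"
        "[domain_realm]\n"
        f" .{domain} = {realm}\n"
        f" {domain} = {realm}\n"
    )


def lint_krb5_conf(text: str) -> list:
    """Return a list of problems; an empty list means the file looks sane."""
    problems = []
    section = None
    default_realm = None
    realms_defined = set()
    depth = 0  # brace nesting inside [realms]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # krb5.conf treats '#' as a comment
        if not line:
            continue
        if "<--" in line:
            problems.append(f"line {lineno}: leftover '<--' placeholder note; krb5 will not parse it")
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
            if section not in KNOWN_SECTIONS:
                hint = section.replace(".", "_")
                tip = f" (did you mean [{hint}]?)" if hint in KNOWN_SECTIONS else ""
                problems.append(f"line {lineno}: unknown section [{section}]{tip}")
            continue
        if section == "libdefaults":
            m = re.fullmatch(r"default_realm\s*=\s*(\S+)", line)
            if m:
                default_realm = m.group(1)
                if default_realm != default_realm.upper():
                    problems.append(f"line {lineno}: default_realm {default_realm} is not upper-case")
        elif section == "realms":
            if depth == 0:
                m = re.fullmatch(r"(\S+)\s*=\s*(\S+)", line)
                if m:
                    realm, opener = m.groups()
                    realms_defined.add(realm)
                    if opener != "{":
                        problems.append(f"line {lineno}: realm block {realm} must open with '{{', found '{opener}'")
                    depth += 1  # treat the block as opened so its closing '}' still matches
                    continue
            depth += line.count("{") - line.count("}")
    if depth != 0:
        problems.append("unbalanced braces in [realms]")
    if default_realm and default_realm not in realms_defined:
        problems.append(f"no [realms] entry for default_realm {default_realm}")
    return problems


if __name__ == "__main__":
    print(render_krb5_conf("example.com", "kdc1.example.com"))
    for problem in lint_krb5_conf(BROKEN_EXAMPLE):
        print("BROKEN:", problem)
```

Run the linter over /etc/krb5.conf before restarting the robot; the `<--` check exists because the annotated template above will not parse if pasted verbatim, and the `[domain_realm]` check matters because without that mapping the client cannot work out which realm the SQL Server host belongs to when dns_lookup_realm is false.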
Check with rpm to see if the libraries are already there:
rpm -qa | grep -i krb5
krb5-appl-clients-1.0.1-7.el6_2.1.x86_64
krb5-workstation-1.10.3-65.el6.x86_64
krb5-libs-1.10.3-65.el6.x86_64
rpm -ql krb5-appl-clients-1.0.1-7.el6_2.1.x86_64
and so on.
You will need to restart the robot (ADDM) once you have that set up.
You will also need to kinit the user that the robot will use.
Like this:
kinit addm_read@YOUR.COMPANY.COM
<it will prompt you for the password, so keep it ready>
After this you will have a ticket cache created in the /tmp folder that corresponds to your user ID in /etc/passwd.
Verify with "klist"
It should show your user in the list and the expiration dates.
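Because the TGT from kinit expires (24h in the config above), a scanning robot that relies on it will silently fall back to failing logins once the ticket lapses. The following is an added example, not code from this post or from BMC ADDM: it parses klist output, confirms the cache belongs to the expected principal, and reports a TGT that is expired or about to expire so a cron job can re-run kinit (with a keytab) before the next scan. SAMPLE_KLIST is a constructed sample of the klist layout, not a capture from a real host; the MSSQLSvc/ service name it contains is the usual SPN prefix for SQL Server and is shown here as an assumption about what a successful Kerberos connection leaves in the cache.

```python
"""Parse `klist` output and decide whether the robot's ticket cache is usable.
Example code written for this post; not part of BMC ADDM or MIT Kerberos.
SAMPLE_KLIST is a constructed sample of the klist text layout."""
from datetime import datetime, timedelta
import re

SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: addm_read@EXAMPLE.COM

Valid starting       Expires              Service principal
10/11/2019 09:00:00  10/12/2019 09:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/18/2019 09:00:00
10/11/2019 09:05:12  10/12/2019 09:00:00  MSSQLSvc/sqlhost.example.com:1433@EXAMPLE.COM
"""

# A ticket line is: <valid starting> <expires> <service principal>
_TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$")


def _parse_stamp(stamp: str) -> datetime:
    # klist prints a 4-digit year on current builds and a 2-digit year on older ones
    fmt = "%m/%d/%Y %H:%M:%S" if len(stamp.split()[0]) == 10 else "%m/%d/%y %H:%M:%S"
    return datetime.strptime(stamp, fmt)


def parse_klist(output: str) -> dict:
    """Return {'cache': str, 'principal': str, 'tickets': [(service, start, expires), ...]}."""
    info = {"cache": None, "principal": None, "tickets": []}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        else:
            m = _TICKET_RE.match(line)
            if m:  # "renew until" and header lines do not match and are skipped
                start, expires, service = m.groups()
                info["tickets"].append((service, _parse_stamp(start), _parse_stamp(expires)))
    return info


def check_ticket_cache(output: str, expected_principal: str, now: datetime,
                       min_remaining: timedelta = timedelta(hours=1)) -> list:
    """Problems that would make a Kerberos login from the robot fail now or soon."""
    info = parse_klist(output)
    problems = []
    if info["principal"] != expected_principal:
        problems.append(f"cache principal is {info['principal']!r}, expected {expected_principal!r}")
    tgts = [t for t in info["tickets"] if t[0].startswith("krbtgt/")]
    if not tgts:
        problems.append("no TGT (krbtgt/...) in cache; run kinit")
    for service, _start, expires in tgts:
        if expires <= now:
            problems.append(f"{service} expired at {expires:%Y-%m-%d %H:%M:%S}; run kinit again")
        elif expires - now < min_remaining:
            problems.append(f"{service} expires at {expires:%Y-%m-%d %H:%M:%S}, less than {min_remaining} left")
    return problems


def has_service_ticket(output: str, service_prefix: str = "MSSQLSvc/") -> bool:
    """True once a ticket for the SQL Server SPN is cached, which only happens
    when the connection actually negotiated Kerberos rather than NTLM."""
    return any(s.startswith(service_prefix) for s, _, _ in parse_klist(output)["tickets"])


if __name__ == "__main__":
    # Fixed "now" so the constructed sample is evaluated at the time it was cut
    when = datetime(2019, 10, 11, 12, 52)
    for line in check_ticket_cache(SAMPLE_KLIST, "addm_read@EXAMPLE.COM", when) or ["ticket cache OK"]:
        print(line)
    print("MSSQL service ticket present:", has_service_ticket(SAMPLE_KLIST))
```

In practice you would feed it `subprocess.run(["klist"], capture_output=True, text=True).stdout` from the robot's own account, since klist reads the cache of the user running it; the presence of an MSSQLSvc/ ticket after a discovery run is also the quickest way to confirm, on the Linux side, that the auth_scheme query on the SQL Server side will report KERBEROS for that connection.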