On Tue, Mar 27, 2018 at 6:02 PM, Markus Kuhn <[email protected]> wrote:

> Microsoft's ODBC driver for SQLServer appends a port number
> after a colon to the domain name in a service principal name,
> as in
>
>   MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
>                               ^^^^^
>
> and even relies on that port number to distinguish different
> service instances on the same host:
>
>   "For a TCP/IP connection the SPN is registered in the
>   format MSSQLSvc/<FQDN>:<tcpport>. Both named instances
>   and the default instance are registered as MSSQLSvc,
>   relying on the <tcpport> value to differentiate the instances."
>
>   https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections
>
> Since Microsoft's ODBC Driver for SQL Server is now also available
> for Linux and macOS
>
>   https://docs.microsoft.com/en-us/sql/connect/odbc/linux-mac/system-requirements
>
> people like myself are now commonly using it with MIT's Kerberos
> client libraries.
>
> This driver requests tickets for service principal names such as
>
>   MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
>
> i.e., with included port number:
>
>   https://docs.microsoft.com/en-us/sql/connect/odbc/linux-mac/known-issues-in-this-version-of-the-driver
>
> I suspect that a lot of the mechanics in the MIT Kerberos
> client libraries (e.g., to look up in DNS what
> the realm associated with db0.ad.cl.cam.ac.uk or ad.cl.cam.ac.uk
> is in a cross-realm environment) does not cope with the
> presence of the colon and port number in the SPN (NT-SRV-HST).
>
> For example, the above SPN works in kvno (krb5-1.13.2, Ubuntu 16.04)
> only after I remove the port number (whereas both SPNs are registered
> in our Active Directory KDC):
>
>   $ kvno MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
>   kvno: Server not found in Kerberos database while getting credentials for
>   MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@
>
>   $ kvno MSSQLSvc/db0.ad.cl.cam.ac.uk@
>   MSSQLSvc/db0.ad.cl.cam.ac.uk@: kvno = 2
Note, I tried to simulate this in a lab, using version 1.15.2 (Fedora), and it seems to work OK.

On the DC I ran:

  setspn -S MSSQLSvc/myhost.acme.com:1433 ACME\apache
  setspn -S MSSQLSvc/myhost.acme.com:1444 ACME\tomcat
  setspn -S MSSQLSvc/myhost.acme.com ACME\ngix

And then the above kvno gets a ticket for each.

See tshark traces at: https://pastebin.com/Hb80rs6s

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
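The thread turns on one detail: a client library that treats the whole instance component `db0.ad.cl.cam.ac.uk:1433` as a host name will fail any host-to-realm mapping (krb5.conf [domain_realm] entries or DNS `_kerberos` TXT walks), while the principal actually sent to the KDC must keep the `:1433` suffix because that is how the SPN is registered. The script below is an added example written for this thread, not MIT krb5 code or the ODBC driver's code. It splits an SPN into service, bare host, port and realm, shows the principal string to request, and runs a simplified [domain_realm]-style mapping over both the raw instance and the bare host so the mismatch Markus suspects is visible. `DOMAIN_REALM`, the realm name `AD.CL.CAM.AC.UK` and the DNS candidate walk are constructed assumptions for illustration.

```python
"""Split a Kerberos SPN of the form service/host[:port][@REALM].

Added example for the MSSQLSvc SPN discussion; not MIT krb5 code.
The host-to-realm mapping below is a simplified model of krb5.conf
[domain_realm] matching (exact host, then parent domains with a
leading dot) and of the DNS _kerberos TXT record walk; both are
assumptions stated here, not a reimplementation of the library.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed krb5.conf-style [domain_realm] table (assumption).
DOMAIN_REALM: Dict[str, str] = {
    ".ad.cl.cam.ac.uk": "AD.CL.CAM.AC.UK",
}


@dataclass(frozen=True)
class SPN:
    service: str
    host: str              # bare FQDN, port removed
    port: Optional[int]    # None when the SPN carries no ':port'
    realm: Optional[str]   # None when no realm was given (e.g. trailing '@')

    def principal(self) -> str:
        """Principal string to request from the KDC: the ':port' is kept,
        because SQL Server registers each instance as MSSQLSvc/<FQDN>:<port>."""
        inst = self.host if self.port is None else f"{self.host}:{self.port}"
        name = f"{self.service}/{inst}"
        return name if self.realm is None else f"{name}@{self.realm}"


def parse_spn(text: str) -> SPN:
    """Parse 'service/host[:port][@REALM]'. Raises ValueError on malformed input."""
    name, sep, realm = text.partition("@")
    realm_val: Optional[str] = realm if (sep and realm) else None
    if "/" not in name:
        raise ValueError(f"no '/' separating service and instance in {text!r}")
    service, inst = name.split("/", 1)
    if not service or not inst:
        raise ValueError(f"empty service or instance in {text!r}")
    host, colon, port = inst.rpartition(":")
    if not colon:
        return SPN(service, inst, None, realm_val)      # no port suffix
    if not port.isdigit():
        raise ValueError(f"non-numeric port {port!r} in {text!r}")
    return SPN(service, host, int(port), realm_val)


def map_domain_realm(host: str, table: Dict[str, str]) -> Optional[str]:
    """Simplified [domain_realm] lookup: exact host first, then each parent
    domain written with a leading dot. Returns None when nothing matches."""
    h = host.lower().rstrip(".")
    if h in table:
        return table[h]
    labels = h.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return None


def dns_realm_candidates(host: str) -> List[str]:
    """Names a DNS-based realm lookup would try as '_kerberos.<name>' TXT
    queries, longest first, stopping before the bare top-level label.
    Simplified model of the MIT krb5 walk (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels) - 1)]


def resolve(text: str, table: Dict[str, str] = DOMAIN_REALM) -> dict:
    """Show what a port-aware client would do versus a naive one."""
    spn = parse_spn(text)
    raw_instance = spn.host if spn.port is None else f"{spn.host}:{spn.port}"
    return {
        "principal": spn.principal(),
        "naive_realm": map_domain_realm(raw_instance, table),   # treats host:port as the host
        "realm": map_domain_realm(spn.host, table),             # strips the port first
        "dns_queries": dns_realm_candidates(spn.host),
    }


if __name__ == "__main__":
    for spn_text in ("MSSQLSvc/db0.ad.cl.cam.ac.uk:1433@", "MSSQLSvc/db0.ad.cl.cam.ac.uk@"):
        print(spn_text, "->", resolve(spn_text))
```

Run as-is, the first SPN yields `naive_realm=None` but `realm='AD.CL.CAM.AC.UK'`, while the principal string still carries `:1433`; the second SPN resolves either way. The point for a client library is the same separation: strip the port only for host-to-realm mapping and DNS, never from the name presented to the KDC.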
