Does FreeTDS allow Kerberos authentication on Sybase 16 - PullRequest
0 votes
/ April 21, 2020

Does FreeTDS support Kerberos authentication on a Sybase server?

I compiled freetds 1.1.33 using the MIT KRB libraries. Running the tsql utility to connect to a Sybase server with Kerberos authentication enabled failed with 2 errors:

>tsql -S ASE16_SRVR
locale is "en_US.UTF-8" locale charset is "UTF-8" using default charset "UTF-8"
Error 20017 (severity 9):
Unexpected EOF from the server
Error 20002 (severity 9):
Adaptive Server connection failed

There was a problem connecting to the server specified in freetds.conf.

freetds.conf
[global]
tds version = auto
debug flags = 0xffff

[ASE16_SRVR]
host = asesrvr
port = 6000
tds version = 7.0
enable gssapi delegation = on
SPN = ASE16_SRVR@MYDOMAIN.COM
realm = ASE16_SRVR@MYDOMAIN.COM

TDSDUMP

NOTE: I commented out line tds/login.c:995, as I wanted to check the packet details.

11:49:31.118599 6996 (log.c:168):Starting log file for FreeTDS 1.1.33
        on 2020-04-20 11:49:31 with debug flags 0xffff.
11:49:31.118721 6996 (iconv.c:326):tds_iconv_open(0x1dae3f0, UTF-8)
11:49:31.118982 6996 (iconv.c:186):local name for ISO-8859-1 is ISO-8859-1
11:49:31.119016 6996 (iconv.c:186):local name for UTF-8 is UTF-8
11:49:31.119024 6996 (iconv.c:186):local name for UCS-2LE is UCS-2LE
11:49:31.119030 6996 (iconv.c:186):local name for UCS-2BE is UCS-2BE
11:49:31.119036 6996 (iconv.c:348):setting up conversions for client charset "UTF-8"
11:49:31.119204 6996 (iconv.c:350):preparing iconv for "UTF-8" <-> "UCS-2LE" conversion
11:49:31.119428 6996 (iconv.c:389):tds_iconv_open: done
11:49:31.119458 6996 (net.c:391):Connecting with protocol version 7.0
11:49:31.119582 6996 (net.c:318):Connecting to 10.x.x.x port 6000
11:49:31.119851 6996 (net.c:340):tds_setup_socket: connect(2) returned "Operation now in progress"
11:49:31.119899 6996 (net.c:528):tds_open_socket() succeeded
11:49:31.119919 6996 (login.c:926):using GSS authentication
11:49:31.120092 6996 (gssapi.c:225):using kerberos name ASE16_SRVR@MYDOMAIN.COM
11:49:31.120146 6996 (gssapi.c:237):gss_import_name: GSS_S_COMPLETE: gss_import_name completed successfully.
11:49:31.178096 6996 (gssapi.c:325):gss_init_sec_context: actual mechanism at 0x7f65232c05a0
11:49:31.178134 6996 (gssapi.c:327):actual mechanism
0000 2a 86 48 86 f7 12 01 02-02                      |*.H..... .|

11:49:31.178182 6996 (login.c:994):quietly sending TDS 7+ login packet
11:49:31.178222 6996 (packet.c:808):Sending packet
0000 10 01 06 32 00 00 00 00-2a 06 00 00 00 00 00 70 |...2.... *......p|
.............

11:49:31.178957 6996 (token.c:416):tds_process_login_tokens()
11:49:31.179468 6996 (packet.c:436):Received packet
0000 00 01 00 08 00 00 00 00-                        |........|

11:49:31.179652 6996 (util.c:165):Changed query state from IDLE to DEAD
11:49:31.179676 6996 (util.c:319):tdserror(0x1dae150, 0x1dae730, 20017, 0)
11:49:31.179698 6996 (util.c:349):tdserror: client library returned TDS_INT_CANCEL(2)
11:49:31.179705 6996 (util.c:372):tdserror: returning TDS_INT_CANCEL(2)
11:49:31.179714 6996 (packet.c:546):Read attempt when state is TDS_DEAD
11:49:31.179721 6996 (token.c:420):looking for login token, got  0()
11:49:31.179733 6996 (token.c:129):tds_process_default_tokens() marker is 0()
11:49:31.179739 6996 (token.c:132):leaving tds_process_default_tokens() connection dead
11:49:31.179745 6996 (login.c:584):login packet accepted
11:49:31.179751 6996 (util.c:319):tdserror(0x1dae150, 0x1dae730, 20002, 0)
11:49:31.179766 6996 (util.c:349):tdserror: client library returned TDS_INT_CANCEL(2)
11:49:31.179773 6996 (util.c:372):tdserror: returning TDS_INT_CANCEL(2)
11:49:31.179780 6996 (mem.c:656):tds_free_all_results()

KRB_TRACE Log

[6996] 1587350971.133162: ccselect module realm chose cache KEYRING:persistent:1001:1001 with client principal demouser@MYDOMAIN.COM for server principal ASE16_SRVR@MYDOMAIN.COM
[6996] 1587350971.133163: Getting credentials demouser@MYDOMAIN.COM -> ASE16_SRVR@MYDOMAIN.COM using ccache KEYRING:persistent:1001:1001
[6996] 1587350971.133164: Retrieving demouser@MYDOMAIN.COM -> ASE16_SRVR@MYDOMAIN.COM from KEYRING:persistent:1001:1001 with result: 0/Success
[6996] 1587350971.133166: Retrieving demouser@MYDOMAIN.COM -> krbtgt/MYDOMAIN.COM@MYDOMAIN.COM from KEYRING:persistent:1001:1001 with result: 0/Success
[6996] 1587350971.133167: Get cred via TGT krbtgt/MYDOMAIN.COM@MYDOMAIN.COM after requesting krbtgt/MYDOMAIN.COM@MYDOMAIN.COM (canonicalize off)
[6996] 1587350971.133168: Generated subkey for TGS request: aes256-cts/CD0C
[6996] 1587350971.133169: etypes requested in TGS request: aes256-cts
[6996] 1587350971.133171: Encoding request body and padata into FAST request
[6996] 1587350971.133172: Sending request (983 bytes) to MYDOMAIN.COM
[6996] 1587350971.133173: Resolving hostname krb-srvr.MYDOMAIN.COM
[6996] 1587350971.133174: Sending initial UDP request to dgram krb-srvr:88
[6996] 1587350971.133175: Received answer (967 bytes) from dgram krb-srvr:88
[6996] 1587350971.133176: Response was not from master KDC
[6996] 1587350971.133177: Decoding FAST response
[6996] 1587350971.133178: FAST reply key: aes256-cts/A56A
[6996] 1587350971.133179: TGS reply is for demouser@MYDOMAIN.COM -> krbtgt/MYDOMAIN.COM@MYDOMAIN.COM with session key aes256-cts/1328
[6996] 1587350971.133180: Got cred; 0/Success
[6996] 1587350971.133182: Creating authenticator for demouser@MYDOMAIN.COM -> ASE16_SRVR@MYDOMAIN.COM, seqnum 1065081822, subkey aes256-cts/F15A, session key aes256-cts/13CC

Sybase Server log file

00:0006:00000:00018:2020/04/20 11:49:31 server Error: 1621, Severity: 18, State: 1 
00:0006:00000:00018:2020/04/20 11:49:31 server Type '10' not allowed before login.

I have confirmed that Sybase's own Open Client utility isql_r64 can establish a connection to the Sybase server. So I assume the configuration on the Kerberos and Sybase servers is correct.

I used the Sybase Ribo utility to capture the TDS packets, but they do not open because of an unknown packet error.

...
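An added example, not part of the original post or of FreeTDS: a small Python decoder for the hex lines in the TDSDUMP above, so that the packet type the client sent, the header-only reply, and the GSS mechanism OID can be read off directly. The three sample lines are copied from the dump; the type-name table comes from the TDS packet header definition and the function names are hypothetical.

```python
import struct

# First header byte of a TDS packet -> packet type (from the TDS protocol definition).
TDS_TYPES = {
    0x01: "query", 0x02: "login (TDS 4.x/5.0)", 0x03: "RPC",
    0x04: "server reply", 0x06: "cancel", 0x0F: "normal (TDS 5.0)",
    0x10: "login (TDS 7.x)", 0x11: "SSPI/GSS auth", 0x12: "prelogin",
}

# Lines copied from the TDSDUMP in the post.
SENT = "0000 10 01 06 32 00 00 00 00-2a 06 00 00 00 00 00 70 |...2.... *......p|"
RECV = "0000 00 01 00 08 00 00 00 00-                        |........|"
MECH = "0000 2a 86 48 86 f7 12 01 02-02                      |*.H..... .|"

def dump_bytes(line):
    """Extract the bytes from one TDSDUMP hex line ('offset hex...-hex... |ascii|')."""
    tokens = line.split("|", 1)[0].replace("-", " ").split()[1:]  # drop the offset
    return bytes(int(tok, 16) for tok in tokens)

def tds_header(raw):
    """Decode the 8-byte TDS header: type, status, length (big-endian), spid, id, window."""
    ptype, status, length, _spid, _pkt_id, _window = struct.unpack(">BBHHBB", raw[:8])
    return {
        "type": ptype,
        "type_name": TDS_TYPES.get(ptype, "unknown"),
        "last_packet": bool(status & 0x01),   # status bit 0 = end of message
        "length": length,                     # total length, header included
        "header_only": length == 8,           # no payload follows the header
    }

def oid_string(der):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [der[0] // 40, der[0] % 40]        # valid when the first arc is 0 or 1
    value = 0
    for b in der[1:]:
        value = (value << 7) | (b & 0x7F)     # base-128, high bit marks continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

if __name__ == "__main__":
    print("sent    :", tds_header(dump_bytes(SENT)))
    print("received:", tds_header(dump_bytes(RECV)))
    print("gss mech:", oid_string(dump_bytes(MECH)))
```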