使用 WindowsAuth/Kerberos 的 Linux Apache+PHP 到 MS SQL Server 的连接问题(“没有可用的 Kerberos 凭据") [英] Connection problem Linux Apache+PHP to MS SQL Server using WindowsAuth / Kerberos ("No Kerberos credentials available")
问题描述
以下设置:我有一台 Linux (Debian) 机器作为网络服务器 (apache) 和 Windows 上的 MS SQL Server.此外,我无法为此获得 SQL 用户,只能通过 AD/Windows 身份验证进行身份验证.
Following setup: I have a Linux (Debian) machine as a webserver (apache) and a MS SQL Server on Windows. Furthermore I am not able to get a SQL user for this, only authentication through AD/Windows Auth.
我使用的是按照 Microsoft 的说明安装的 Microsoft ODBC 驱动程序和 sqlsrv 扩展.
I am using the Microsoft ODBC Driver and sqlsrv extension I installed following the instructions from Microsoft.
我使用主体名称和密码成功运行了 kinit.现在,当使用 sqlcmd 或什至使用 sqlsrv_connect 在交互模式下使用 PHP (php -a) 时,基于 Windows-Auth 的 MSSQL Server 连接可以完美运行,但是当我尝试通过 Apache 从 php 文件运行一个简单的示例连接,它不起作用.我收到如下错误消息:
I run kinit with principal name and password successfully.
Now Windows-Auth based connection to the MSSQL Server works perfectly when using sqlcmd or even when using PHP in interactive mode (php -a) using sqlsrv_connect, but when I try to run a simple example connection from a php-file through Apache, it doesnt't work. I get an error message like this:
Array ( [0] => Array ( [0] => HY000 [SQLSTATE] => HY000 [1] => 851968 [code] => 851968 [2] => [Microsoft][ODBC Driver 17 for SQL Server]SSPI Provider: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_33) [message] => [Microsoft][ODBC Driver 17 for SQL Server]SSPI Provider: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_33) ) [1] => Array ( [0] => HY000 [SQLSTATE] => HY000 [1] => 851968 [code] => 851968 [2] => [Microsoft][ODBC Driver 17 for SQL Server]Cannot generate SSPI context [message] => [Microsoft][ODBC Driver 17 for SQL Server]Cannot generate SSPI context ) )我知道附加 _XX 的缓存代表 UID,所以认为这可能是我已经尝试过不同用户请求票证等的问题,但我无法让它工作.
I know the the cache appended _XX is standing for the UID, so thinking that this might be the problem I already experimented with different user requesting the ticket and whatnot, but I couldn't get it working.
我也尝试使用 unixODBC 并定义 DSN.它在使用 isql 进行测试并在 php 交互模式下使用 odbc_connect 时有效(也使用 python 使用 pyodbc),但是不是来自 php 页面.
I also tried using unixODBC and defining a DSN.It is working when testing with isql and using odbc_connect in php interactive mode (also with python using pyodbc), but not from a php page.
有人知道我错过了什么吗?这可能很明显,但我对这个主题还很陌生,关于从 linux 机器访问基于 Windows 的 MS SQL 服务器而没有额外的 SQL 用户,没有太多东西可以找到.提前感谢您的帮助!
Does anyone have an idea on what i'm missing? It might be pretty obvious, but I'm fairly new to this topic and there is not too much to find regarding access from a linux machine to a Windows based MS SQL server without an extra SQL User. Thanks for your help in advance!
推荐答案
我自己找到了答案,本来可以更早地提出这个问题,但我将把它留在这里以防其他人偶然发现这个问题:
Found the answer myself, could have come up with this earlier, but I'm going to leave this here in case someone else stumbles across this issue:
我已经认为它与访问权限/权限有关,因为它基本上可以在除 Apache 之外的任何地方工作,但我不知道为什么,直到我发现这是由 systemd 引起的:
I already thought it had something to to with access rights/permissions, as it was basically working from everywhere but Apache, but I couldn't figure out why, until I found out that this is caused by systemd:
Systemd 具有防止服务访问 /tmp 的功能,称为 SecureTmp.如 此处 用于测试解决了该问题.我现在将看看如何以不同的方式执行此操作,因为我不想禁用此功能.希望这对某人有帮助:-)
Systemd has a feature preventing services from accessing /tmp called SecureTmp. Deactivating this feature for Apache as described here for testing solved the issue. I will now see how I can do this differently as I do not want to leave this feature disabled. Hope this is helpful for someone :-)
这篇关于使用 WindowsAuth/Kerberos 的 Linux Apache+PHP 到 MS SQL Server 的连接问题(“没有可用的 Kerberos 凭据")的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
