microsoft/mssql-docker

Issue with AD on mssql-docker linux > CU9 (Ubuntu 22.04 vs 20.04)

dsand1234 opened this issue · 3 comments

My container works if I downgrade to: mcr.microsoft.com/mssql/server:2022-CU9-ubuntu-20.04

I am able to do this step without error:

create login [domain\administrator] From Windows

but when I try to login, I get an error about the login being from an untrusted domain.

The debug logs show:

02/27/2024 16:49:21.454605635 Debug [security.kerberos] <0000000246/0x00000378> Processing SSPI operation 0x00000002
02/27/2024 16:49:21.454734357 Debug [security.kerberos] <0000000246/0x00000378> Resetting ccache name to FILE:/tmp/krb5cc_10001
02/27/2024 16:49:21.454982910 Error [security.kerberos] <0000000246/0x00000378> GSS MAJOR: 458752 GSS MINOR: 100001 Error from accept_sec_context
02/27/2024 16:49:21.454999320 Error [security.kerberos] <0000000246/0x00000378> No credentials were supplied, or the credentials were unavailable or inaccessible
02/27/2024 16:49:21.455007200 Error [security.kerberos] <0000000246/0x00000378> SPNEGO cannot find mechanisms to negotiate
02/27/2024 16:49:21.455117742 Error [security.kerberos] <0000000246/0x00000378> GSS MAJOR: 458752 GSS MINOR: -1765328189 Error in gss_inquire_cred in AutoCCache's constructor
02/27/2024 16:49:21.455127172 Error [security.kerberos] <0000000246/0x00000378> No credentials were supplied, or the credentials were unavailable or inaccessible
02/27/2024 16:49:21.455133662 Error [security.kerberos] <0000000246/0x00000378> No credentials cache found
02/27/2024 16:49:21.455172913 Info [security.kerberos] <0000000246/0x00000378> Created temporary ccache [MEMORY:pw019sC] for principal [].

I've also encountered this issue:

02/27/2024 16:53:44.062423966 Debug [security.kerberos.libos] <0000000141/0x000001d8> LookupAccountSid() return value: 0x00000001
02/27/2024 16:53:44.063661212 Debug [security.kerberos] <0000000269/0x000003d4> Processing SSPI operation 0x0000000D
02/27/2024 16:53:44.063778354 Debug [security.kerberos] <0000000269/0x000003d4> Resetting ccache name to FILE:/tmp/krb5cc_10001
02/27/2024 16:53:44.064081878 Error [security.ldap] <0000000269/0x000003d4> Could not look up short domain name due to error: Name or service not known.
02/27/2024 16:53:44.064096798 Debug [security.kerberos] <0000000269/0x000003d4> SSPI operation 0x0000000D returned status: File: KerberosStream.cpp:1677 [Status: 0xC0000001 Operation unsuccessful]
02/27/2024 16:53:44.064168909 Debug [security.kerberos.libos] <0000000141/0x000001d8> LookupAccountName() return value: 0x00000000
02/27/2024 16:53:44.805230141 Debug [security.kerberos.libos] <0000000141/0x000001d8> AcquireCredentialsHandle(): EmptyPrincipalName: true, fCredentialUse: 00000002, CurrentImpersonationHandle: 0000000000000000, Package: negotiate
02/27/2024 16:53:44.805278511 Debug [security.kerberos.libos] <0000000141/0x000001d8> Calling LibOS version of AcquireCredentialsHandle()

Again, it works on earlier versions of the container (<= CU9).
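A triage helper for the debug log above, added here as an example and not part of the original issue or of SQL Server's own tooling: it decodes each GSS MAJOR value using the RFC 2744 status layout and groups the failure with the error text that follows on the same thread. The function names and the assumed log line layout (timestamp, level, component, thread, message) are this example's own.

```python
import re

# RFC 2744 routine-error names; the code is bits 16-23 of the major status.
ROUTINE = dict(enumerate((
    "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
    "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG",
    "GSS_S_NO_CRED", "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN",
    "GSS_S_DEFECTIVE_CREDENTIAL", "GSS_S_CREDENTIALS_EXPIRED", "GSS_S_CONTEXT_EXPIRED",
    "GSS_S_FAILURE", "GSS_S_BAD_QOP", "GSS_S_UNAUTHORIZED",
    "GSS_S_UNAVAILABLE", "GSS_S_DUPLICATE_ELEMENT", "GSS_S_NAME_NOT_MN"), start=1))
# Assumed log line layout: timestamp, level, [component], <thread>, message
LINE = re.compile(r"^(\S+ \S+) (\w+) \[([\w.]+)\] <([^>]+)> (.*)$")
GSS = re.compile(r"GSS MAJOR: (\d+) GSS MINOR: (-?\d+) (.*)")

def routine_error(major):
    """Name the routine-error field of a GSS major status value."""
    code = (major >> 16) & 0xFF
    return ROUTINE.get(code, "routine error %d" % code)

def gss_failures(log_text):
    """Group each 'GSS MAJOR' line with the Error lines that follow on its thread."""
    failures, current = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, level, _component, thread, msg = m.groups()
        g = GSS.match(msg)
        if g:
            current[thread] = {"ts": ts, "routine": routine_error(int(g.group(1))),
                               "minor": int(g.group(2)), "where": g.group(3), "details": []}
            failures.append(current[thread])
        elif level == "Error" and thread in current:
            current[thread]["details"].append(msg)
        else:
            current.pop(thread, None)  # a non-error line ends the group
    return failures

# Sample input: six lines copied from the debug log in the issue above.
SAMPLE = """\
02/27/2024 16:49:21.454982910 Error [security.kerberos] <0000000246/0x00000378> GSS MAJOR: 458752 GSS MINOR: 100001 Error from accept_sec_context
02/27/2024 16:49:21.454999320 Error [security.kerberos] <0000000246/0x00000378> No credentials were supplied, or the credentials were unavailable or inaccessible
02/27/2024 16:49:21.455007200 Error [security.kerberos] <0000000246/0x00000378> SPNEGO cannot find mechanisms to negotiate
02/27/2024 16:49:21.455117742 Error [security.kerberos] <0000000246/0x00000378> GSS MAJOR: 458752 GSS MINOR: -1765328189 Error in gss_inquire_cred in AutoCCache's constructor
02/27/2024 16:49:21.455127172 Error [security.kerberos] <0000000246/0x00000378> No credentials were supplied, or the credentials were unavailable or inaccessible
02/27/2024 16:49:21.455133662 Error [security.kerberos] <0000000246/0x00000378> No credentials cache found
"""
for f in gss_failures(SAMPLE):
    print(f["ts"], f["routine"], f["minor"], f["where"], f["details"])
```

Both failures in the sample decode to GSS_S_NO_CRED, which matches the "No credentials were supplied" text the server logs next to them.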

Same Issue here. Same Error Message. Thanks a lot for mentioning that mcr.microsoft.com/mssql/server:2022-CU9-ubuntu-20.04 works. We had been debugging this issue for a couple of weeks now, probably still wouldn't be up and running without you.

THANKS A LOT MATE :-)

Did you get it to work with docker compose or directly with a docker run command? Because we seem to have problems with getting it to work with docker compose (portainer) too.

thx, regards

tom

Seeing the same issue and error messages deploying on AmazonLinux2023 in AWS. Reused the same Docker Run command with CU9 and everything worked. Thanks @dsand1234