I've got a FreeIPA domain in a domain trust with a Windows 2012r2 domain.
SQL Server 2014 is a member of the Windows domain and is configured to
accept both Windows and native authentication. From a box that's a member
of my FreeIPA domain I'm able to get a ticket as a user from the Windows
domain and connect to the server without issue, if I use the SQL Server's
FQDN.
Where I run into an issue is where I create a CNAME for my SQL Server. I
add an SPN to AD:

    setspn -A MSSQLSvc/sqlserver2.ent2k12.domain.com:1433 ENT2K12\sqlserverspn

When I try to access the db using the CNAME I get the following error:

    cn = pyodbc.connect('DRIVER={ODBC Driver 13 for SQL Server};Server=sqlserver2.ent2k12.domain.com; DATABASE=testdb;Trusted_Connection=yes;')
    pyodbc.Error: ('HY000', '[HY000] [unixODBC][Microsoft][ODBC Driver 13 for SQL Server]SSPI Provider: Message stream modified (851968) (SQLDriverConnect)')

I know this error usually means that the case of the domain is off, but I
can't seem to create an SPN that Kerberos likes. Here's my klist:

    Ticket cache: KEYRING:persistent:0:0
    Default principal: freeipa3@ENT2K12.DOMAIN.COM

    Valid starting       Expires              Service principal
    08/15/2018 11:22:16  08/15/2018 21:21:36  MSSQLSvc/sqlserver2.ent2k12.domain.com:1433@ENT2K12.DOMAIN.COM
            renew until 08/16/2018 11:21:32
    08/15/2018 11:21:36  08/15/2018 21:21:36  krbtgt/ENT2K12.DOMAIN.COM@ENT2K12.DOMAIN.COM
            renew until 08/16/2018 11:21:32

So I'm getting the ticket. Not really sure where to go from here. Any
help would be greatly appreciated.
Thanks
Marc Boorshtein