I have not tested any other version, but I would have to guess it would be the same for all given that the Linux image they're using is the same.
First you will need to make sure that the MSSQL Server DB is configured for Kerberos authentication:
Run this SQL (requires higher level permissions):
select distinct auth_scheme from sys.dm_exec_connections
After testing your connection to MSSQL the results should show:
If you don't see KERBEROS in the list then get your DBA to add it to the list or ask if the Software Instance has been given a Service Principal Name (SPN for short). An SPN is necessary for this to work when the database has encryption and integratedSecurity set to true. It might require a change ticket so get this done as soon as possible.
Next you need to make sure that the Kerberos client libraries are present on the Linux box. Remember you're not running the Kerberos server; that's going to be already running on some other host. So just make sure that you configure it for client settings.
Configure this file in the /etc folder of the scanning robot (for example BMC ADDM):
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmin.log

    [libdefaults]
    # Replace EXAMPLE.COM with your company's domain suffix. Must be capitalized.
     default_realm = EXAMPLE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
    # Replace EXAMPLE.COM with your domain suffix, as in this example: BLACKHOLESURFER.COM
     EXAMPLE.COM = {
    # Replace with your company Kerberos server
      kdc = mykerberos.server.com
    # Replace with your company Kerberos host
      admin_server = mykerberos.server.com
     }

    [domain_realm]
    # Replace EXAMPLE.COM with your domain suffix, as in this example: BLACKHOLESURFER.COM
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
rpm -qa | grep -i krb5
rpm -ql krb5-appl-clients-1.0.1-7.e16_2.1.x86_64
and so on ..
You will need to restart the robot (ADDM) once you have that set up.
You will also need to kinit the user that will be used by the robot.
<it will prompt you for password so keep it ready>
After this you will have a token created in the /tmp folder that corresponds to the userid in passwd.
Verify with "klist"
It should show your user in the list and show the expiration dates.
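A sanity check for the Kerberos client config described above, as an added example that is not part of the original post: it verifies that default_realm is upper case, that the realm has a brace-delimited [realms] block with a kdc, and that [domain_realm] exists and maps to a defined realm. The function name check_krb5_conf is hypothetical; the config path is passed as its argument.

```shell
#!/bin/sh
# Added example (not from the original post). check_krb5_conf is a hypothetical
# helper: it prints each problem found and returns non-zero if there is any.
check_krb5_conf() {
    awk '
    /^[ \t]*([#;]|$)/ { next }                    # skip comments and blank lines
    /^[ \t]*\[/ {                                 # section header, e.g. [realms]
        sec = $0; gsub(/\[|\]|[ \t]/, "", sec); seen[sec] = 1; next
    }
    sec == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); realm = v
    }
    sec == "realms" && /=[ \t]*[{]/ {             # "REALM = {" opens a realm block
        r = $0; sub(/[ \t]*=.*/, "", r); gsub(/[ \t]/, "", r); realms[r] = 1; depth++
    }
    sec == "realms" && /=[ \t]*\[/ { print "realm block opened with [ instead of {"; bad = 1 }
    sec == "realms" && /^[ \t]*[}]/ { depth-- }
    sec == "realms" && /^[ \t]*kdc[ \t]*=/ { kdc++ }
    sec == "domain_realm" && /=/ {                # right-hand side is the target realm
        t = $0; sub(/^[^=]*=[ \t]*/, "", t); sub(/[ \t]+$/, "", t); targets[t] = 1
    }
    END {
        if (realm == "") { print "no default_realm in [libdefaults]"; bad = 1 }
        else if (realm != toupper(realm)) { print "default_realm is not upper case: " realm; bad = 1 }
        else if (!(realm in realms)) { print "no [realms] block for " realm; bad = 1 }
        if (depth != 0) { print "unbalanced braces in [realms]"; bad = 1 }
        if (kdc == 0) { print "no kdc defined in [realms]"; bad = 1 }
        if (!("domain_realm" in seen)) { print "missing [domain_realm] section"; bad = 1 }
        for (t in targets) if (!(t in realms)) { print "[domain_realm] maps to unknown realm " t; bad = 1 }
        exit bad + 0
    }' "$1"
}
```

Run it against the file you configured in /etc before restarting the robot; no output and exit status 0 mean the checks passed.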