Use DB Client CA when connecting to SQL Server using PKINIT #48772
Merged
gabrielcorado merged 3 commits into master from
Conversation
greedy52
approved these changes
Nov 12, 2024
Contributor
greedy52
left a comment
thanks for the quick fix!
Tener
approved these changes
Nov 12, 2024
strideynet
approved these changes
Nov 13, 2024
@gabrielcorado See the table below for backport results.
Closes #48517

Brief overview: For the SQL Server with PKINIT, we use the `kinit` CLI to authenticate with Kerberos. To use this CLI, we need to generate the user certificates (DB Client CA) and add the LDAP cert to the anchors file so it can trust the AD/KDC certificates.

This issue is related to `kinit` not trusting our certificates as we're using the DB Server CA (instead of DB Client, which was used to generate the connection certificates). This causes `kinit` to fail while verifying our certificates.

Note: This solution isn't ideal (as we're adding a new exception for the `GenerateDatabaseCert`). However, given this function will be replaced with `GenerateDatabaseClientCert` and `GenerateDatabaseHostCert` (as per RFD 0168), we can bring this into the discussion when introducing these new RPC calls so it can be solved without having those protocol-specific exceptions.

changelog: Fixed users not being able to connect to SQL Server instances with PKINIT integration when the cluster is configured with different CAs for database access.