I have mariadb server, which contains database and i have my website on apache server that connects to this database through PHP and my general logs seems like this:
logs and i dont like it shows "as anonymous" instead of for example "as apache". Can i somehow configure my apache server to integrate with it? Or should i use other logs than general_logs to get information what exactly send that query? My system is Fedora 33.
Some MySQL installations permit users to connect as the anonymous (unnamed) user to the server running on the local host.1
and if you head over to dba forum you find this on how to disable those:
https://dba.stackexchange.com/questions/51452/how-do-you-disable-anonymous-login
Subsequently you want to update your PHP configuration to login with the new credentials.
Related
I'm trying to create a login on our test server with:
CREATE LOGIN [<DOMAIN>\<LOGIN>] FROM WINDOWS;
GO
As opposed to the live server the test server does not have any active directory. So it fails with:
Windows NT user or group 'DOMAIN\LOGIN' not found. Check the name again.
Worth to be mentioned, that on the test server we use a backup of a database dump from the last release and apply new migrations to this dump. This means, that this error would not occur, if a more recent dump from the live server was used, where the active directory login already exists.
To enable proper testing, we discussed three possible options:
Recreate the active directory on the test server: I would like to avoid this, because nobody really wants to administer an additional active directory clone for testing purposes.
Use a more recent database dump: The problem here is, that the live server is not ours and we only have restricted access to it. It is possible, but still not the optimal solution in regard to practicability. Also, it would mean, that we would play in migrations to the live server before having tested them on the test server.
Alternative SQL syntax: I am aware, that there alternative ways of creating logins, e.g., CREATE LOGIN <login_name> WITH PASSWORD. But I could not think of any way, which allows us to create logins depending on which system we are on.
Option 3 is our strong favorite, but we are missing a piece to the puzzle. Anything we are missing here?
You can create a new user on your local computer.
And then add this new user to the instance.
CREATE LOGIN [<domainName or your hostName>\<login_name>] FROM WINDOWS;
I have been able to set up an active directory login for my Azure database.
Now I want to add additional active directory logins and set their permissions
I understand that I need to use Management Studio to do this and have installed SSMS v17.8.1
I have been studying docs but I can't find the instructions
[Update]
After reading Conor's answer I was able to create the user
CREATE USER [jobuser#mydomain] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA=[dbo]
However if I try to login using MSSMS with Active Directory - Password authentication I get
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' (MIcrosoft SQL Server, Error 18456)
[Update]
In the Connection Properties Tab
I had to overtype with the database name
That particular page only shows an example using a SQL login/user, so I can understand why you are confused.
Please read through this page:
https://learn.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql?view=sql-server-2017
Specifically, you want to create a user using the AS EXTERNAL PROVIDER example. This tells SQL Azure (and SQL DW) to use Azure Active Directory instead of creating a SQL user. Please note that this does not (as of today) work in SQL Server. (SQL Server supports integrated authentication against a local Active Directory, but it just does not currently support the Azure Active Directory service).
Also, there is no specific requirement that you use SSMS to do this step. You can do it within SSMS, SQL Operation Studio, through one of the SQL client drivers in a program you write (or some third party program that can invoke SQL over them), sqlcmd, etc. You don't even need to have the latest SSMS to make things work (though it is recommend to get the best experience against SQL Azure including syntax highlighting).
Please give that a try and see if it gets you unblocked.
Best of Luck!
I have WebLogic 11G (10.3.6) on Linux Server and SQL Server 2012 on Windows 2012. I would like to create the connection pool to SQL Server from WebLogic using Windows Active Directory Kerberos authentication.
I am looking for steps to accomplish the above. I found information in bits and pieces but looking for clear steps. Any help is greatly appreciated.
I have access to WebLogic 10.3.3. So all version numbers are according to that. But the principals are the same.
Login through the console
Lock and Edit. If this isn't a production mode server, you won't need to do this.
Go to Services > JDBC > Data Sources and click "New".
Give it a name and JNDI name. I probably don't need to mention that the JNDI name is the important one. Also, choose the "Database Type" as "MS SQL Server".
Next you'll have to choose the driver. I didn't observe anything about distribute transactions in your question. Thus, I'm assuming you won't need an "XA" driver.
Again, I didn't see anything about Global Transactions in your quesiotn. So in the next step, disable it.
Next is the information about your Database; its name, Host's IP, and Port. If you have a named instance, add the name after the IP like this: \\instance_name. Since you want to use Kerberos, don't enter the Username and Password.
In the next step, you need to tell your datasource to use kerberos. Add ";AuthenticationMethod=kerberos" to end of the URL field. Connection properties are separated with a ";". For example, jdbc:sqlserver://192.168.10.56:17888;AuthenticationMethod=kerberos
Next, specify which Servers in your Domain will have access to this DataSource. Basically, specifying the DataSource's target servers.
Side notes and other important settings:
When you specify the "AuthenticationMethod" connection property with the value of "kerberos", any username or password will be ignored.
Your database server must be administered by the same Domain Controller that administers the Weblogic server.
Under $WL_HOME/server/lib find krb5.conf (Kerberos configuration file containing values for the Kerberos realm and the KDC name for that realm) and open it in a text editor. Specify the system properties java.security.krb5.realm and java.security.krb5.kdc. In Windows Active Directory, the Kerberos realm name is the Windows domain name and the KDC name is the Windows domain controller name.
The application and driver code bases must be granted security permissions in the security policy file of the Java 2 Platform. Something like this:
grant codeBase "file:/WL_HOME/server/lib/-" {
permission javax.security.auth.AuthPermission
"createLoginContext.DDTEK-JDBC";
permission javax.security.auth.AuthPermission "doAs"
permission javax.security.auth.kerberos.ServicePermission
"krbtgt/your_realm#your_realm", "initiate";
permission javax.security.auth.kerberos.ServicePermission
"MSSQLSvc/db_hostname:SQLServer_port#your_realm", "initiate";
};
where:
WL_HOME is the directory in which you installed WebLogic Server.
your_realm is the Kerberos realm (or Windows Domain) to which the database host machine belongs.
db_hostname is the host name of the machine running the database.
SQLServer_port is the TCP/IP port on which the Microsoft SQL Server instance is listening.
I must say though I don't think you searched hard enough. Because almost everything I wrote here came from the online documentation:
http://docs.oracle.com/cd/E12839_01/web.1111/e13753/mssqlserver.htm
I have an issue with logging a Support user into an Application that has a SQL Server backend.
When configuring the application itself, the SQL set-up asked me to assign whether the Security to access the Application would be Windows Authentication or SQL: server Authentication, I chose Windows Authentication, and as I was using a login called
'LabUser1' I have been able to login to the application fine.
However, when I logon to the server using a different windows login, this time 'Support', SQL keeps giving me the error:
Error accessing the database DSN
Now I know the reason is because the install of SQL happened using the 'Labuser1' profile, but how can I create a script that will allow me to add the 'Support' user to the 'Allowed Logins' so that I can logon to the app server and at least open the Application? (I have seperate logins for when I see the applicatiojn login window, so please don't confuse the matter by thinking it is a simple case of creating a login for Support....I am talking about logging into the server)
The current batch file I am trying to run is:
sqlcmd -S localhost\OCDBB01 -i createSupportlogin.sql
Then I run this batch file after having created the following SQL script:
CREATE LOGIN OCDMW1\Support FROM WINDOWS
GO
Your description of the situation is a bit confusing to me however it appears that the "SQL setup" that is part of the application configuration created a ODBC DSN that uses the credentials of person logging into the machine as the login for SQL Server.
Simply creating a new (correct) login to the SQL instance may not resolve this issue since that does nothing to modify the DSN. If you are tied to using Window Authentication for SQL access it might be necessary to create multiple DSNs for the application to use and find a way to have the correct DSN associated to the right login for the application to use.
I am trying to figure out what is going on. Here is our setup:
We have four SQL servers that are in replication with each other.
We add a new user to Windows Active Directory and add them to a group that is in SQL Server that we have been using for ages.
The new user, when trying to authenticate using Windows authenication returns that error in the subject line. But, any users that were previously in Active directory work fine.
At one point I had gotten SQL Server "caught up" becauuse we had a group of users that could not log in because of this error. I did some changes to the SPNs and ended up making it so no one could log in. Then I realized how the SPNs were supposed to look and fixed it. Then I guess some magic happened and those users were able to authenticate. I thought it was fixed, but it is obviously not as we had to add one new user and they cannot authenticate.
What is interesting is that the user can authenticate with three out of the four SQL Servers. It is only this one server that is working incorrectly. I set up two SPNs for the SQl Service on this sql server.
They look like -
MSSQLSvc/[servername].[domain].local:1433
MSSQLSvc/[servername]:1433
These are actually registered to the Service account that we use for the SQL Servers. What is interesting is that I can't find the SPNs for the servers that are working anywhere.
Any help would be appreciated!
Edit: Also, another point to note is that if I try to add the user directly as a login into SQL server. I right click Logins and click Add Login then click search. I then type in [Domain]\[Username] and click check names. It validates the name as being correct. Then I click OK. And then OK again, and it gives the Error Windows NT user or group '[Domain]\[Username]' not found. Check the name Again.
I thought it was fixed, but it is obviously not as we had to add one
new user and they cannot authenticate.
The user has to relogin in order to pick up the new group. Otherwise, it's kerberos ticket is still using the old group membership information in its PAC
These are actually registered to the Service account that we use for
the SQL Servers. What is interesting is that I can't find the SPNs for
the servers that are working anywhere.
I think what happen is that you have one SQL Server with SPN setup properly while the other three SQL Servers with no SPN setup at all. So, you are going to use Kerberos on this particular server while NTLM on the other three.
As mentioned before, when you are using Kerberos, you have to either purge the ticket using some tools or you have to relogin in order to pick up the new group membership. You can also try to lock the screen and then unlock it. If I remember correctly, this should also refresh the ticket.
Unlike Kerberos, NTLM doesn't carry the group memberhsip data. After SQL Server authenticated the user using NTLM, it will find the authenticated user's group membership, including the new group you just added.