sp_addrolemember not working in Python - sql-server-2005

I am trying to add user permissions using this stored procedure:
exec sp_addrolemember db_datawriter, MYUSER
The database is MS SQL 2005 and within SQL Management Studio the stored procedure works correctly using my authorized windows login.
I created a simple HTML CGI website with Python as the scripting language using pyodbc. I also created a local user 'dataviewer' login that I used when pyodbc connects that has the following server role permissions the same as my windows login:
On the website I echo back the sql command that Python used and copy and paste the exact command in SQL SMS and the stored procedure works correctly. It seems as though there is a security conflict somewhere but not sure what is happening becasue my windows login has the same server roles permission as the dataviewer login.

Either commit the transaction with Connection.commit(), or set autocommit=True in connection string.

Related

Create login with execute

I am working on a project and I have access to SQL Server as external user with limited privileges.
When I want to create a login for example with this command, I get permission denied:
CREATE LOGIN [login] WITH PASSWORD=N'test', DEFAULT_DATABASE=[master],
DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF)
However when I try to create a login with this command I can make it and also I have privileges now to enable xp_cmd shell as well:
EXECUTE('EXECUTE(''CREATE LOGIN [test5] WITH PASSWORD=N''''test'''',
DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "hostname\domain"')
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [test5]'')
EXECUTE('EXECUTE(''ALTER SERVER ROLE [db_owner] ADD MEMBER [test5]'')
Can someone please explain why is that?
EXECUTE('string sql statement') AT "hostname\domain" == the 'string sql statement' is a pass-through command executed at the linked server "hostname/domain".
Has someone created a loop-back linked server (a linked server that points to the sql instance itself)?
Linked servers have their own security configuration/settings. If the security of the linked server is configured (for any login) to be made under the security context of a privileged login(eg. sa) then exec('') at linkedserver will be executed with way more/elevated permissions (than expected). This is a major security issue/hole.
Check the security of the linked server and change accordingly (and do you really need a loopback linked server?)

Executing SSIS Package with SQL Authentication

I have a SSIS package that talks to a remote server over HTTP. I execute the SSIS package using a stored procedure in my database (SQL Server 2012), which is called from a web server. The web server connects to the database using Windows Authentication. I now have a need to run the stored procedure (and therefore, the SSIS package) from a client which does not support Windows Authentication. The SSIS package is complicated enough that migrating to a different solution is not feasible.
The SSIS package has complex variables that are passed. The stored procedure that runs the package looks something like:
CREATE PROCEDURE [dbo].[SSISPackage]
#Parameter1 XML
AS
BEGIN
SET NOCOUNT ON;
DECLARE #execution_id BIGINT
EXEC [SSISDB].[catalog].[create_execution]
#package_name=N'Package.dtsx',
#execution_id=#execution_id OUTPUT,
#folder_name=N'API',
#project_name=N'APIProject',
#use32bitruntime=False,
#reference_id=Null
EXEC [SSISDB].[catalog].[set_execution_parameter_value]
#execution_id,
#object_type=30,
#parameter_name=N'Parameter1',
#parameter_value=#Parameter1
EXEC [SSISDB].[catalog].[start_execution] #execution_id
END
From what I've been reading, it is not possible to run SSIS packages with users authenticated using SQL Server Authentication.
My questions are:
Is it possible to somehow elevate the SQL user to a Windows-auth user, and then execute the stored procedure.
Are there typical approaches in dealing with this problem (e.g. CLR, a queue table, command line call to package)?
This is what I did, maybe it can help someone.
First step,
I created an SQL Authentication login as sysadmin and I allowed this login to impersonate other logins.
And then, I inpersonate a Windows Authentication login that is sysadmin too before calling SSIS packages. To execute scripts as another login, I used TSQL EXECUTE AS. (check the example below)
For instance: server\winuser with Windows Authentication as sysadmin, and a SQL Authentication login sqlauthuser as sysadmin too.
Enable the "Inpersonate Any Login" for sqlauthuser. Login (or use a connection string to connect) as sqlauthuser then impersonate server\winuser to be able to call SSIS packages or procedures:
EXECUTE AS LOGIN = 'server\winuser';
-- call ssis packages
-- call procedures that uses ssis packages
Reference: https://learn.microsoft.com/en-us/sql/t-sql/statements/execute-as-transact-sql?view=sql-server-ver15
I don't think you can execute this using an SQL Server authentication, you will receive the following exception:
The operation cannot be started by an account that uses SQL Server Authentication. Start the operation with an account that uses Windows Authentication
There are many workaround that you can do, check the following links:
The operation cannot be started by an account that uses SQL Server Authentication. SSIS Package
Issues with module signing and SSIS catalog internal procedures

sql server user authentication not working

i created a software in vb.net 2005. i create a database in sql server 2005. i connect it with window authentication. everything works fine.
but problem started when i replace my database with old database copyed from different computer.
i attach screnshot of both database with attached users.
old database
and new database is
when i try to connect my software with old database with window authentication, it is not connected.
can anyone please tell me what the problem is and how to solve this?
When you restore a Microsoft SQL Server database on a different machine, the user could be no more the same on the previous machine. Even if you see the same username listed.
This user is called an 'orphaned user'.
Meaning that there is no login id or password associated with the user since the original SID identifying the user is no more valid on the new machine.
You could check if you have this situation with
EXEC sp_change_users_login 'Report'
and, you could fix with
EXEC sp_change_users_login 'Auto_Fix', 'Gauntam-PC\Gautam'

Taking ownership for SQL Server Management Studio

I'm new to SQL Server 2008. I just installed SQL Server Express. I'm having trouble creating a new database, and I think I don't have permission.
I login like this, please see this screenshot:
Then I tried to create a new database and I got this:
I tried to search for some solution and this what I've got:
http://blogs.msdn.com/b/sqlexpress/archive/2010/02/23/how-to-take-ownership-of-your-local-sql-server-2008-express.aspx
But I can't download the script and the page says:
An error occurred while processing your request.
Please help. Kind regards
I resolved my problem with the following steps:
Set the instance of the SQL Service to single-user mode:
Open SQL Server Configuration Manager. Double click SQL Server Services.
Stop all SQL Server services
Right click SQL service and click Properties, in the Advanced tab, look for 'Startup Parameters'
Insert '-m;' at the beginning of the Startup Parameters value
Start the SQL service
Open SQL Server Management Studio and login with Windows authentication, you can now add user or change password of different users.
Hope this helps!
Try logging in with the sa account and grant permissions to your Windows account.
If you do not know the sa password use sqlcmd and execute the following commands:
Use Master
Go
ALTER LOGIN [sa] WITH PASSWORD=N'NewPassword'
Go
Login with the sa account and GRANT permission to the account.
USE Master;
GRANT CREATE DATABASE TO Jommel;

SQL Server Script to create a new user

I want to write a script to create a admin user ( with abcd password ) in SQL Server Express.
Also I want to assign this user admin full rights.
Based on your question, I think that you may be a bit confused about the difference between a User and a Login. A Login is an account on the SQL Server as a whole - someone who is able to log in to the server and who has a password. A User is a Login with access to a specific database.
Creating a Login is easy and must (obviously) be done before creating a User account for the login in a specific database:
CREATE LOGIN NewAdminName WITH PASSWORD = 'ABCD'
GO
Here is how you create a User with db_owner privileges using the Login you just declared:
Use YourDatabase;
GO
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'NewAdminName')
BEGIN
CREATE USER [NewAdminName] FOR LOGIN [NewAdminName]
EXEC sp_addrolemember N'db_owner', N'NewAdminName'
END;
GO
Now, Logins are a bit more fluid than I make it seem above. For example, a Login account is automatically created (in most SQL Server installations) for the Windows Administrator account when the database is installed. In most situations, I just use that when I am administering a database (it has all privileges).
However, if you are going to be accessing the SQL Server from an application, then you will want to set the server up for "Mixed Mode" (both Windows and SQL logins) and create a Login as shown above. You'll then "GRANT" priviliges to that SQL Login based on what is needed for your app. See here for more information.
UPDATE: Aaron points out the use of the sp_addsrvrolemember to assign a prepared role to your login account. This is a good idea - faster and easier than manually granting privileges. If you google it you'll see plenty of links. However, you must still understand the distinction between a login and a user.
Full admin rights for the whole server, or a specific database? I think the others answered for a database, but for the server:
USE [master];
GO
CREATE LOGIN MyNewAdminUser
WITH PASSWORD = N'abcd',
CHECK_POLICY = OFF,
CHECK_EXPIRATION = OFF;
GO
EXEC sp_addsrvrolemember
#loginame = N'MyNewAdminUser',
#rolename = N'sysadmin';
You may need to leave off the CHECK_ parameters depending on what version of SQL Server Express you are using (it is almost always useful to include this information in your question).
You can use:
CREATE LOGIN <login name> WITH PASSWORD = '<password>' ; GO
To create the login (See here for more details).
Then you may need to use:
CREATE USER user_name
To create the user associated with the login for the specific database you want to grant them access too.
(See here for details)
You can also use:
GRANT permission [ ,...n ] ON SCHEMA :: schema_name
To set up the permissions for the schema's that you assigned the users to.
(See here for details)
Two other commands you might find useful are ALTER USER and ALTER LOGIN.
If you want to create a generic script you can do it with an Execute statement with a Replace with your username and database name
Declare #userName as varchar(50);
Declare #defaultDataBaseName as varchar(50);
Declare #LoginCreationScript as varchar(max);
Declare #UserCreationScript as varchar(max);
Declare #TempUserCreationScript as varchar(max);
set #defaultDataBaseName = 'data1';
set #userName = 'domain\userName';
set #LoginCreationScript ='CREATE LOGIN [{userName}]
FROM WINDOWS
WITH DEFAULT_DATABASE ={dataBaseName}'
set #UserCreationScript ='
USE {dataBaseName}
CREATE User [{userName}] for LOGIN [{userName}];
EXEC sp_addrolemember ''db_datareader'', ''{userName}'';
EXEC sp_addrolemember ''db_datawriter'', ''{userName}'';
Grant Execute on Schema :: dbo TO [{userName}];'
/*Login creation*/
set #LoginCreationScript=Replace(Replace(#LoginCreationScript, '{userName}', #userName), '{dataBaseName}', #defaultDataBaseName)
set #UserCreationScript =Replace(#UserCreationScript, '{userName}', #userName)
Execute(#LoginCreationScript)
/*User creation and role assignment*/
set #TempUserCreationScript =Replace(#UserCreationScript, '{dataBaseName}', #defaultDataBaseName)
Execute(#TempUserCreationScript)
set #TempUserCreationScript =Replace(#UserCreationScript, '{dataBaseName}', 'db2')
Execute(#TempUserCreationScript)
set #TempUserCreationScript =Replace(#UserCreationScript, '{dataBaseName}', 'db3')
Execute(#TempUserCreationScript)
CREATE LOGIN AdminLOGIN WITH PASSWORD = 'pass'
GO
Use MyDatabase;
GO
IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'AdminLOGIN')
BEGIN
CREATE USER [AdminLOGIN] FOR LOGIN [AdminLOGIN]
EXEC sp_addrolemember N'db_owner', N'AdminLOGIN'
EXEC master..sp_addsrvrolemember #loginame = N'adminlogin', #rolename = N'sysadmin'
END;
GO
this full help you for network using:
1- Right-click on SQL Server instance at root of Object Explorer, click on Properties
Select Security from the left pane.
2- Select the SQL Server and Windows Authentication mode radio button, and click OK.
3- Right-click on the SQL Server instance, select Restart (alternatively, open up Services and restart the SQL Server service).
4- Close sql server application and reopen it
5- open 'SQL Server Configuration Manager' and tcp enabled for network
6-Double-click the TCP/IP protocol, go to the IP Addresses tab and scroll down to the IPAll section.
7-Specify the 1433 in the TCP Port field (or another port if 1433 is used by another MSSQL Server) and press the OK
8-Open in Sql Server: Security And Login And Right Click on Login Name And Select Peroperties And Select Server Roles And
Checked The Sysadmin And Bulkadmin then Ok.
9-firewall: Open cmd as administrator and type:
netsh firewall set portopening protocol = TCP port = 1433 name = SQLPort mode = ENABLE scope = SUBNET profile = CURRENT
This past week I installed Microsoft SQL Server 2014 Developer Edition on my dev box, and immediately ran into a problem I had never seen before.
I’ve installed various versions of SQL Server countless times, and it is usually a painless procedure. Install the server, run the Management Console, it’s that simple. However, after completing this installation, when I tried to log in to the server using SSMS, I got an error like the one below:
SQL Server login error 18456
“Login failed for user… (Microsoft SQL Server, Error: 18456)”
I’m used to seeing this error if I typed the wrong password when logging in – but that’s only if I’m using mixed mode (Windows and SQL Authentication). In this case, the server was set up with Windows Authentication only, and the user account was my own. I’m still not sure why it didn’t add my user to the SYSADMIN role during setup; perhaps I missed a step and forgot to add it. At any rate, not all hope was lost.
The way to fix this, if you cannot log on with any other account to SQL Server, is to add your network login through a command line interface. For this to work, you need to be an Administrator on Windows for the PC that you’re logged onto.
Stop the MSSQL service.
Open a Command Prompt using Run As Administrator.
Change to the folder that holds the SQL Server EXE file; the default for SQL Server 2014 is “C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn”.
Run the following command: “sqlservr.exe –m”. This will start SQL Server in single-user mode.
While leaving this Command Prompt open, open another one, repeating steps 2 and 3.
In the second Command Prompt window, run “SQLCMD –S Server_Name\Instance_Name”
In this window, run the following lines, pressing Enter after each one:
1
CREATE LOGIN [domainName\loginName] FROM WINDOWS
2
GO
3
SP_ADDSRVROLEMEMBER 'LOGIN_NAME','SYSADMIN'
4
GO
Use CTRL+C to end both processes in the Command Prompt windows; you will be prompted to press Y to end the SQL Server process.
Restart the MSSQL service.
That’s it! You should now be able to log in using your network login.