we use pymssql in our project running on CentOS. Below is our code:
pymssql.connect(server=dns, port=port, database=dbname, user=uid, password=pwd,
charset=»UTF-8″,timeout=timeout, login_timeout=connect_timeout)
which runs fine. Suddently, it continues to throws error: «Adaptive Server connection failed». We have another working client that can connect to sql server successfully. We compared the TDS sending packet for both failed and successful clients. and the TDS sending packet are exactly the same. at that time, we have no idea, and found this discussion thread. our workaround is to specify TDS version to 7.0 like below:
pymssql.connect(server=dns, port=port, database=dbname, user=uid, password=pwd,
charset=»UTF-8″,timeout=timeout, login_timeout=connect_timeout,
tds_version=»7.0″)
the final solution is to ask network security team to remove the security policy. looks like AC policy related, but I don’t know the security policy detail.
.. We identified that network security has a change.
They add a security policy, and the network packet was dropped/altered by the policy.
Once they remove the policy, FreeTDS connecting to SQL Server is OK.
So if you experience the similar issue, you can also ask network security team whether they have any change.can you documented exactly what kind of change for freetds project ? please @yurongga !
Problem Description
After running the MSSQL wizards your new service has a CRITICAL or UNKNOWN state with the following error:
CRITICAL: Could not connect to dblib:host=mssql01.box293.local:1433;dbname=Sample as BOX293nagios
(Exception: SQLSTATE[01002] Adaptive Server connection failed (mssql01.box293.local:1433) (severity 9)).
OR
CRITICAL: Could not connect to dblib:host=mssql01.box293.local:1433;dbname=Sample as BOX293nagios
(Exception: SQLSTATE[01002] Adaptive Server connection failed (severity 9)).
OR
DB-Lib error message 20002, severity 9:
Adaptive Server connection failed
In the first two errors above the first line is almost identical except for the username in the output, this is the key to identifying the problem as there are two separate solutions to this problem. The last two errors have the same solution.
A similar error is generated for a separate issue:
PHP Notice: Undefined variable: db_connstr in /usr/local/nagios/libexec/check_mssql on line 416
CRITICAL: Could not connect to as nagios (Exception: SQLSTATE[01002] Adaptive Server connection failed (severity 9)).
Please refer to the Custom Port solution in this KB article to resolve this issue.
Username Not Enclosed In Quotes
This addresses the following error:
CRITICAL: Could not connect to dblib:host=mssql01.box293.local:1433;dbname=Sample as BOX293nagios
(Exception: SQLSTATE[01002] Adaptive Server connection failed (mssql01.box293.local:1433) (severity 9)).
The service in Nagios XI has the username in the domainuser format however it is NOT enclosed in quotes. This screenshot of the service in Core Configuration Manager shows without the quotes:
This screenshot shows the service after quotes have been added (this is required to fix the problem):
After making this change save the service and Apply Configuration. Then go and force an immediate check of the service to test that it is working correctly.
System Configuration File Change
This addresses the following error:
CRITICAL: Could not connect to dblib:host=mssql01.box293.local:1433;dbname=Sample as BOX293nagios
(Exception: SQLSTATE[01002] Adaptive Server connection failed (severity 9)).
OR
DB-Lib error message 20002, severity 9:
Adaptive Server connection failed
The plugins require a change to the /etc/freetds.conf configuration file to allow them to work with Windows Authentication.
Execute the following command to open the /etc/freetds.conf file in vi:
vi /etc/freetds.conf
When using the vi editor, to make changes press i on the keyboard first to enter insert mode. Press Esc to exit insert mode.
Under the [global] section find the following:
[global]
# TDS protocol version
; tds version = 4.2
Remove the semi-colon (;) at the beginning of the tds version line and change the value to 7.2as follows:
[global]
# TDS protocol version
tds version = 7.2
When you have finished, save the changes in vi by typing:
:wq
and press Enter.
After making these changes go back into the XI web interface and force an immediate check of the service to test that it is working correctly.
Custom Port
This addresses the following error:
PHP Notice: Undefined variable: db_connstr in /usr/local/nagios/libexec/check_mssql on line 416
CRITICAL: Could not connect to as nagios (Exception: SQLSTATE[01002] Adaptive Server connection failed (severity 9)).
Notice this:
Could not connect to as nagios
See how the server name is not shown. The problem here is that the check_mssql plugin has a bug, it is not using the custom TCP port you defined when running the wizard (instead of the default 1433). This problem has been resolved in version 1.6.1 of the MSSQL Query wizard. To update to the latest version of the wizard navigate to Admin > System Extensions > Manage Config Wizards. On this page you can check for updates and install the latest available version.
Final Thoughts
For any support related questions please visit the Nagios Support Forums at:
http://support.nagios.com/forum/
#sql-server #macos #pyodbc #freetds
#sql-сервер #macos #pyodbc #freetds
Вопрос:
Я использовал это руководство для подключения к базе данных через pyodbc: https://github.com/mkleehammer/pyodbc/wiki/Connecting-to-SQL-Server-from-Mac-OSX
Мои конфигурационные файлы выглядят так, параллельно с учебным пособием: В freetds.conf:
[MYMSSQL]
host = localhost
port = 1433
tds version = 7.3
В odbc.ini:
[MYMSSQL]
Description = Testing SQLServer
Driver = FreeTDS
Servername = MYMSSQL
В odbcinst.ini:
[FreeTDS]
Description=FreeTDS Driver for Linux amp; MSSQL
Driver=/usr/local/lib/libtdsodbc.so
Setup=/usr/local/lib/libtdsodbc.so
UsageCount=1
Когда я проверяю соединение с помощью «tsql -S MYMSSQL -U myuser -P mypassword», я получаю сообщение об ошибке:
Error 20002 (severity 9):
Adaptive Server connection failed
There was a problem connecting to the server
Аналогично, «isql MYMSSQL myuser mypassword» также возвращает ошибку:
[ISQL]ERROR: Could not SQLConnect
РЕДАКТИРОВАТЬ: в консоли запросов:
«SELECT @@SERVERNAME» возвращает «4a70ffff1294»
«SELECT @@SERVICENAME» возвращает «MSSQLSERVER»
«ВЫБЕРИТЕ @@VERSION» возвращает «Microsoft SQL Server 2019 (RTM-CU8) (KB4577194) — 15.0.4073.23 (X64)»
tsql -S MYMSSQL
ВОЗВРАТ
locale is "en_US.UTF-8"
locale charset is "UTF-8"
using default charset "UTF-8"
Error 20002 (severity 9):
Adaptive Server connection failed
There was a problem connecting to the server
Сервер запущен в образе docker. Я могу подключиться к нему через инструмент базы данных pycharm с помощью порта 1433 и соответствующего пароля. К сожалению, я не очень разбираюсь в управлении серверами. Вся помощь очень ценится.
Комментарии:
1. К какой версии SQL Server вы пытаетесь подключиться? Версия TDS 7.3 относится только к SQL Server 2008, который больше не поддерживается. Вероятно, вы хотите использовать как минимум TDS версии 7.4 для SQL Server 2012 и более поздних версий.
2. TDS 7.1, 7.2, 7.3 и 7.4 будут работать для SQL Server 2008 , но не со всеми новейшими функциями. Его версия FreeTDS может не поддерживать 7.4.
3. Команда «ВЫБРАТЬ @@VERSION» в консоли запросов возвращает «Microsoft SQL Server 2019 (RTM-CU8) (KB4577194) — 15.0.4073.23 (X64) 23 сентября 2020 16:03:08 Авторское право (C) 2019 Microsoft Corporation Developer Edition (64-разрядная версия) на Linux (Ubuntu 18.04.5 LTS) <X64>»
Ответ №1:
Если вы хотите продолжить этот путь, нам понадобится дополнительная информация. Что в вашем freetds.conf ? Можете ли вы подключиться к своему SQL Server с компьютера, на который вы пытаетесь установить FreeTDS telnet mssql.myhost.com 1433 ?
Тем не менее, мне проще избежать использования freetds.conf and odbc.ini и просто сохранить все в Python. Если вы правильно настроили odbcinst.ini , вы должны быть в состоянии сделать что-то вроде этого:
import pyodbc
con = pyodbc.connect(
"DRIVER={FreeTDS};"
"SERVER=mssql.yourserver.com;"
"PORT=1433;"
"DATABASE=your_db;"
"UID=your_user;"
"PWD=your_pass;"
"TDS_Version=7.3;"
)
cursor = conn.cursor()
cursor.execute("SELECT 1")
for row in cursor.fetchall():
print(row)
Удачи!
Комментарии:
1. conn = pyodbc.connect( «ДРАЙВЕР ={FreeTDS};» «СЕРВЕР = MYMSSQL;» «ПОРТ = 1433;» «БАЗА ДАННЫХ = ArtGallery;» «UID= SA;» «PWD=4916Hyperbolic *;» «TDS_Version=7.3;» ) возвращает: pyodbc. Операционная ошибка: (‘08001’, ‘[08001] [ FreeTDS][SQL Server]Не удается подключиться к источнику данных (0) (SQLDriverConnect)’)
2. Используйте полное доменное имя, а не
MYMSSQL— например,mssql.myserver.com. Или IP-адрес. Кроме того, что происходит, когда вы пытаетесьtelnet mssql.myhost.com 1433выполнить команду на вашем хосте MSSQL? Подключается ли он или просто зависает при попытке?3. Я заменил «SERVER = MYMSSQL;» на «SERVER = 178.241.125.37;» , который является моим IP-адресом. Теперь он перестает отвечать. Я предполагаю, что он пытается дождаться ответа от сервера? большое спасибо за ваше время btw_
Introduction
This tutorial walks through enabling TLS/SSL encryption between a FreeTDS application and an Microsoft SQL Server 2014 database, including basic encryption, certificate validation, and common name validation.
Unfortunately MS SQL Server doesn’t support mutual authentication via TLS/SSL; that is, the database cannot validate the application’s certficate and common name. This is just as well though, as there is also no obvious way to configure FreeTDS to use a private key and certificate on the client-side.
Assumptions
For the purposes of this tutorial, the following assumptions are made:
- An MS SQL Server 2014 database is running on a Windows system named db.firstworks.com.
- The database contains an instance named EXAMPLEDB which is accessible using exampleuser/examplepass credentials.
- An application which accesses the database is installed on a linux server named app.firstworks.com and currently configured to access the database without encryption.
- The application uses FreeTDS to access the database.
- A private key and certificate for the database don’t currently exist, but will be created, and will be named db.key and db.crt.
- A certificate chain for the certificate authority which will sign db.crt exists, named ca.pem.
Basic Encryption
First, we will configure basic TLS/SSL encryption of the communications between the database and application server.
Database Server Configuration
By default, MS SQL Server 2015 supports encryption, and enables it if the application so requests. We can configure the database to require encrypted connections, though, as follows.
- Open the Start menu.
- Select the Microsoft SQL Server 2014 program group.
- Select the SQL Server Configuration Manager.
- Expand SQL Server Network Configuration.
- Right-Click Protocols for EXAMPLEDB and select Properties.
- Select the Flags Tab.
- Change Force Encryption to Yes.
- Click OK.
- Click OK.
- Exit the SQL Server Configuration Manager.
Restart the database server.
- Press Windows-key-R.
- Type «services.msc» and hit return.
- Scroll down to SQL Server (EXAMPLEDB) and select it.
- Click Restart the service.
That’s all on the database server.
Application Server Configuration
MS SQL Server speaks versions 7.0 — 7.4 of the TDS (Tabular Data Stream) protocol. Version 7.0 doesn’t support encryption, but versions 7.1 and higher do.
FreeTDS requests encryption when it’s configured to use TDS version 7.1 or higher. Just to be sure, though, we can also configure the connection to require encryption, rather than just request it.
Edit the FreeTDS configuration file (usually /etc/freetds.conf), find the server entry that you use to connect to the EXAMPLEDB, verify that the TDS version is set to 7.1 or higher, and add a line to require encryption, as follows:
[EXAMPLEDB] host = db.firstworks.com port = 1433 tds version = 7.3 encryption = require
Note that in this example, «tds version» is set to 7.3. I have had trouble with 7.4 resulting in «Unexpected EOF from the server» errors. Your mileage may vary.
That’s all on the application server.
Testing With tsql
Connect to the database from the application server using the FreeTDS-supplied tsql program as follows:
tsql -S EXAMPLEDB -U exampleuser -P examplepass
Unfortunately there is no easy way to verify that the connection is encrypted. If you access the database as the «sa» user, then you can run:
1> select encrypt_option from sys.dm_exec_connections where session_id = @@SPID 2> go encrypt_option TRUE (1 row affected)
But non-admin users don’t typically have access to sys.dm_exec_connections.
Another way to verify that the connection is encrypted is to run tsql with TDSDUMP enabled:
TDSDUMP=stdout tsql -S EXAMPLEDB -U exampleuser -P examplepass
If you see lines in the output like:
REC[0x55a2216316b0]: Decrypted Packet[1] Application Data(23) with length: 421
then the connection is encrypted.
If the connection fails, it will most likely fail with:
- Error 20017 (severity 9): Unexpected EOF from the server
- The server didn’t like something about the protocol and hung up.
- Verify that you are using tds version 7.1 — 7.3 in your freetds.conf server entry.
Updating Your Application
Your application shouldn’t actually require any changes. As long as it is configured to use the EXAMPLEDB server entry, all communications between it and the database will be encrypted.
Adding Database Certificate Validation
So far, we have encrypted communications between the application and the database, but we can make the application more secure by installing a certificate on the database server, and configuring the application to validate the certificate.
Database Server Configuration
The database server must have has host name «db» and primary DNS suffix «firstworks.com». But, Windows servers are commonly configured without a primary DNS suffix.
To set the primary DNS suffix:
- Press Windows-key-R.
- Type «control panel» and hit return.
- Click System and Security.
- Click System.
- Under «Computer name, domain name, and workgroup settings», click Change settings.
- Next to «To rename this computer or change its domain or workgroup, click Change», click Change.
- Click More.
- Under «Primary DNS suffix of this computer» enter «firstworks.com».
- Click OK.
- Click OK.
- Click OK.
- Reboot the database server.
Generate the certificate for the database server.
The certificate can be generated by a well-known certificate authority, generated by an in-house certificate authority, or can even be self-signed.
In any case, MS SQL Server places some specific requirements on the certificate:
- The common name MUST match the fully qualified domain name of the database server. In this case: db.firstworks.com.
- The Enhanced Key Usage property MUST include Server Authentication.
- In openssl terms, the extendedKeyUsage extension must include serverAuth in the extfile used to generate the certificate signing request.
Combine this certificate, its associated private key, and certificate for the certificate authority that signed it into a PKCS#12 certificate chain file named db.pfk.
There are various ways to do this, but with openssl you can run:
PASSWORD="" openssl pkcs12 -export -passout env:PASSWORD -in db.crt -inkey db.key -certfile ca.crt -out db.pfx
When the pfk is created, it MUST be created with KeySpec set to AT_KEYEXCHANGE. Or, in openssl terms, the -keyext option must be used when creating the pfk file. Actually though, -keyext is the default, so just DON’T create the pfk file using -keysig.
The C:ProgramDataMicrosoftCryptoRSAMachineKeys folder often has the wrong permissions. Verify that both Administrators and Everyone have Full Control. If they don’t, then give them both Full Control. You may get an error when you do this, indicating that permissions couldn’t be changed on an individual file, but this seems safe to ignore.
Now that the prerequisites are taken care of…
Copy db.pfk to the database server, and install it in the Windows certificate store:
- Press Windows-key-R.
- Type «mmc» and hit return.
- Click File.
- Click Add/Remove Snap-in.
- From Available snap-ins, double-click Certificates.
- Select Computer Account.
- Click Next.
- Select Local Computer.
- Click Finish.
- Click OK.
- Expand Certificates (Local Computer).
- Right-Click Personal.
- Click All Tasks.
- Click Import…
- Click Next.
- Click Browse.
- Select All Files *.* from the file-types pulldown.
- Select db.pfk
- Click OK.
- Enter a private key password, if your private key has one.
- Click Next.
- Click Next.
- Click Finish.
- Exit
- Don’t save settings.
Configure MS SQL Server to use the certificate.
- Open the Start menu.
- Select the Microsoft SQL Server 2014 program group.
- Select the SQL Server Configuration Manager.
- Expand SQL Server Network Configuration.
- Right-Click Protocols for EXAMPLEDB and select Properties.
- Select the Certificates Tab.
- Select db.firstworks.com from the pulldown list.
- If db.firstworks.com is missing from the list, then either:
- The common name in the certificate is something other than «db.firstworks.com».
- The best solution is to generate a new certificate.
- The database server’s host name is something other than «db».
- See instructions above for setting the host name.
- The database server’s primary DNS suffix is something other than «firstworks.com».
- See instructions above for setting the primary DNS suffix.
- Click OK.
- Click OK.
- Exit the SQL Server Configuration Manager.
Restart the database server.
- Press Windows-key-R.
- Type «services.msc» and hit return.
- Scroll down to SQL Server (EXAMPLEDB) and select it.
- Click Restart the service.
- If the service fails to start, then either:
- The Enhanced Key Usage property of the certificate is missing or doesn’t include Server Authentication.
- Generate a new certificate with the parameter set correctly.
- Replace the bad certificate.
- Restart SQL Server (EXAMPLEDB)
- C:ProgramDataMicrosoftCryptoRSAMachineKeys has the wrong permissions.
- See instructions above for setting the permissions.
- Restart SQL Server (EXAMPLEDB)
- Exit the Services manager.
That’s all on the database server.
Application Server Configuration
Configuring the application server is much simpler.
Copy ca.pem to the application server and install it in a convenient place, like /etc.
FreeTDS will validate the database’s certificate if it is provided with a certificate chain to validate it against.
On the application server, edit the FreeTDS configuration file (usually /etc/freetds.conf), find the server entry that you use to connect to the EXAMPLEDB, and add a ca file line, as follows:
[EXAMPLEDB] host = db.firstworks.com port = 1433 tds version = 7.3 encryption = require ca file = /etc/ca.pem check certificate hostname = no
Note that «check certificate hostname» is set to no. At this point, we’re just validating that the database server is a host that we trust. We’re not worried about whether it’s the exact host we intend to be talking to.
That’s all on the application server.
Testing With tsql
Connect to the database from the application server using the FreeTDS-supplied tsql program as follows:
tsql -S EXAMPLEDB -U exampleuser -P examplepass
If the connection fails, it will most likely fail with:
Error 20002 (severity 9): Adaptive Server connection failed
Which isn’t very helpful. Running tsql with TDSDUMP enabled…
TDSDUMP=stdout tsql -S EXAMPLEDB -U exampleuser -P examplepass
…may be slightly more revealing.
It may say:
tls.c:484:handshake failed: Error in the certificate.
That usually means that the ca.pem’s certificate authority didn’t sign the database’s certificate. Double-check it.
If it also says something like this:
tls.c:368:Certificate hostname does not match
Then «check certificate hostname» is probably misspelled.
Adding Database Certificate Common Name Validation
So far, we are encrypting communications between the application and the database and validating the database server’s certificate, but we can also make the application more secure by validating the common name in the database server’s certificate.
This is actually pretty simple. In fact we had to do additional work to disable it earlier.
On the application server, modify /etc/freetds.conf and set «check certificate hostname» to yes.
[EXAMPLEDB] host = db.firstworks.com port = 1433 tds version = 7.3 encryption = require ca file = /etc/ca.pem check certificate hostname = yes
Or, optionally just remove the parameter altogether, as checking the certificate’s common name is the default behavior.
You can test the configuration using tsql:
tsql -S EXAMPLEDB -U exampleuser -P examplepass
Again, it may fail with the not-so-helpful:
Error 20002 (severity 9): Adaptive Server connection failed
Running tsql with TDSDUMP enabled…
TDSDUMP=stdout tsql -S EXAMPLEDB -U exampleuser -P examplepass
…might be more revealing.
It may say:
... tls.c:368:Certificate hostname does not match ... tls.c:484:handshake failed: Error in the certificate. ...
This means that the common name in the database’s certificate didn’t match the host parameter in the freetds.conf file.
- Verify the common name in the freetds.conf file and in the database’s certificate.
- If the host name in the freetds.conf file is wrong then change it and try again.
- If the common name in the certificate is wrong, then:
- Ideally the certificate should be regenerated and re-deployed.
- If that’s not an option, then you can add a DNS entry (or /etc/hosts entry) for the name that is in the certificate, and update the freetds.conf file with that name.
- Remove From My Forums
-
Question
-
Ive tried
import pyodbc
conn = pyodbc.connect(‘DSN=<dsn>;UID=<uid>@<host>;PWD=<pwd>’)with my credentials but just get an error:
pyodbc.Error: (‘IM002’, ‘[IM002] [unixODBC][Driver Manager]Data source name not found, and no d
efault driver specified (0) (SQLDriverConnect)’)or when I try
TDSVER=8.0 tsql -H XXXXXXXX.database.windows.net -U Username -D DatabaseName -p 1433 -PPasswordI get
Error 20002 (severity 9):
Adaptive Server connection failed
There was a problem connecting to the serverWhat’s the easiest/best way to access an SqlAzure database from an azure VM?
Answers
-
-
Marked as answer by
Friday, October 31, 2014 11:36 AM
-
Unmarked as answer by
Mekh Subba
Friday, October 31, 2014 11:36 AM -
Proposed as answer by
Mekh Subba
Friday, October 31, 2014 11:36 AM -
Marked as answer by
Lakshmeesha Phaneesha
Tuesday, November 4, 2014 6:26 AM
-
Marked as answer by