Domain Logins

Note

Domain logins can be used only with TDS protocol versions 7.0 or above.

As mentioned in the installation chapter, Microsoft SQL Server includes the ability to use domain [1] logins instead of standard server logins. Passwords are encrypted on the wire using a challenge-response protocol. FreeTDS plays nice with such logins.

FreeTDS supports single sign-on (connecting without prompting for a username & password) or not, depending on how it was configured. For Windows hosts (both 32- and 64-bit), if SSPI is enabled, FreeTDS will log in using so-called "trusted authentication". For non-Windows hosts, enabling Kerberos provides similar functionality.

When neither option is enabled, FreeTDS can still log in using the domain account, but the user must supply the username & password.

To use domain logins without SSPI or Kerberos, use the 'DOMAIN\username' syntax for the username and use the domain password.

Example 5-4. Logging in with a domain login

	$ tsql -S camelot -U 'NOTTINGHAM\lancelot' -P roundtable
	locale is "C"
	locale charset is "646"
	Msg 5703, Level 0, State 1, Server CPRO200, Line 0
	Changed language setting to middle_english.
	1>

When FreeTDS sees the "\" character, it automatically chooses a domain login.

Implementation details

Support for domain logins in FreeTDS is limited to the TCP/IP network protocol stack. FreeTDS does not currently implement support for Named Pipe-based SQL connections — that is, connections transported over the DCE/RPC interface, which uses TCP port 139, 445, or 135 on Win32 machines depending on the type of encapsulation used for DCE/RPC itself. Supporting this would require a fairly extensive DCE/RPC library for Unix. Samba has one that is licensed under the GPL and therefore not usable by LGPL-licensed projects such as FreeTDS .

For a technical description of the protocol used for domain logins, see http://davenport.sourceforge.net/ntlm.html

Notes

[1]

The term domain in this context is a Microsoft term. It refers to what's sometimes called an NT domain. It's unrelated to the DNS domain. DNS domains are used for name resolution. NT domains are used for authentication. Authentication is done by the domain controller, often the Primary Domain Controller (PDC).

The SQL Server machine may belong to an NT domain. FreeTDS provides an encrypted password — a domain password, known to the domain controller — that the server will ask the domain controller to verify.