Domain Logins

Note

Domain logins can be used only with TDS protocol versions 7.0 and 8.0.

As mentioned in the installation chapter, Microsoft SQL Server includes the ability to use domain logins instead of standard server logins. The advantage of doing this is that the passwords are encrypted on the wire using a challenge-response protocol. FreeTDS began supporting domain logins in version 0.60.

To use a domain login, give the username in the 'DOMAIN\username' form and supply the domain password.

Example 5-4. Logging in with a domain login

$ tsql -S camelot -U 'NOTTINGHAM\lancelot' -P roundtable
locale is "C"
locale charset is "646"
Msg 5703, Level 0, State 1, Server CPRO200, Line 0
Changed language setting to middle_english.
1> 

When FreeTDS sees the "\" character, it automatically chooses a domain login.

Note

The term domain in this context is a Microsoft term. It refers to what's sometimes called an NT domain. It's unrelated to the DNS domain. DNS domains are used for name resolution. NT domains are used for authentication. Authentication is done by the domain controller, often the Primary Domain Controller (PDC).

The SQL Server machine may belong to an NT domain. FreeTDS provides an encrypted password — a domain password, known to the domain controller — that the server will ask the domain controller to verify.

Implementation details

Support for domain logins in FreeTDS is limited to the TCP/IP network protocol stack. FreeTDS does not currently implement support for Named Pipe-based SQL connections — that is, connections transported over the DCE/RPC interface, which uses TCP port 139, 445, or 135 on Win32 machines depending on the type of encapsulation used for DCE/RPC itself. Supporting this would require a fairly extensive DCE/RPC library for Unix. Samba has one, but it is licensed under the GPL and therefore not usable by LGPL-licensed projects such as FreeTDS.

Your domain controller must allow authentication over TCP/IP, or you will be unable to log in. One symptom of a server that requires Named Pipes for authentication is an error message such as:

Login failed for user '(null)'.
Reason: Not associated with a trusted SQL Server connection.

The telltale sign is user '(null)'.

If you suspect a problem along these lines, you could ask your friendly system administrator to check the following setting:

Computer Configuration
  \Windows Settings
    \Security Settings
      \Local Policies
        \Security Options
          \LAN Manager Authentication Level

The setting should be "Send LM & NTLM responses".
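As an added example (not part of the FreeTDS guide), the following Python mirrors the backslash rule that selects a domain login and parses a tsql session transcript into its "Msg ..." records so the '(null)' symptom above can be recognised automatically. The sample sessions are constructed, and the 18452 error number in the failing one is an assumption, not something the guide states.

```python
import re

# Header tsql prints before each server message, e.g. "Msg 5703, Level 0, State 1, Server CPRO200, Line 0".
MSG_HEADER = re.compile(r"^Msg (?P<msg>\d+), Level (?P<level>\d+), State (?P<state>\d+), "
                        r"Server (?P<server>\S+), Line (?P<line>\d+)$")
NULL_USER = "Login failed for user '(null)'"

def login_kind(username):
    """FreeTDS's rule: a backslash in the -U value selects a domain login."""
    if "\\" in username:
        domain, _, user = username.partition("\\")
        return ("domain", domain, user)
    return ("standard", None, username)

def parse_messages(output):
    """Pair each 'Msg ...' header with the text that follows it, up to a blank
    line, the next header or the '1>' prompt."""
    lines, records, i = output.splitlines(), [], 0
    while i < len(lines):
        m = MSG_HEADER.match(lines[i].strip())
        i += 1
        if not m:
            continue
        rec = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
        body = []
        while (i < len(lines) and lines[i].strip() and not lines[i].startswith("1>")
               and not MSG_HEADER.match(lines[i].strip())):
            body.append(lines[i].strip())
            i += 1
        rec["text"] = " ".join(body)
        records.append(rec)
    return records

def diagnose(output):
    """'connected', the guide's Named-Pipes-only symptom, another login failure, or 'unknown'."""
    texts = [r["text"] for r in parse_messages(output)]
    if any(NULL_USER in t and "trusted SQL Server connection" in t for t in texts):
        return "named-pipes-only"  # next step: check the LAN Manager Authentication Level setting
    if any(t.startswith("Login failed") for t in texts):
        return "login-failed"
    if any(line.startswith("1>") for line in output.splitlines()):
        return "connected"
    return "unknown"

# Constructed sample sessions (not captured from a real server); the 18452 number is assumed.
GOOD = ('locale is "C"\nlocale charset is "646"\nMsg 5703, Level 0, State 1, Server CPRO200, Line 0\n'
        "Changed language setting to middle_english.\n1> ")
BAD = ("Msg 18452, Level 14, State 1, Server CPRO200, Line 0\n"
       "Login failed for user '(null)'.\n"
       "Reason: Not associated with a trusted SQL Server connection.\n")
```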

For a technical description of the protocol used for domain logins, see http://davenport.sourceforge.net/ntlm.html