时间戳

首页 > 解决方案 > SSIS:将文件打包写入网络共享 - 调用包(RDP 与远程)

sql-server - SSIS:将文件打包写入网络共享 - 调用包(RDP 与远程)

问题描述

我有一个将 .TXT 数据文件写入文件夹的 SSIS 包。我在本地机器上对此进行了测试:SSIS 包成功写入(到我的 C 驱动器--C:\myPath)。

然后部署到服务器:包无法写入(网络文件共享--\myDomain\Folder1\Folder2)。

我的用户帐户有权访问该文件夹。在服务器上,我尝试了两种不同的方式执行包:

1) 通过 SSMS 使用我的用户凭据从我的计算机远程连接(程序包无法写入文件)。 Remote session execution on my PC is not working.

2) 使用我的用户凭据通过 SSMS 远程桌面连接到 MYSERVER 的 RDP(包成功写入文件)。 I am able to run it from the RDP session on MYSERVER and the file was written succesfully.

总结:该软件包有效,但不起作用。我们的一位网络管理员添加了 MYSERVER 以访问该文件夹——这可能是我可以从 RDP 会话执行它的原因。

确切的错误消息是“无法打开数据文件”: 在此处输入图像描述

我的问题:

A) 有谁知道当我使用相同的用户帐户以两种不同的方式(本地连接与服务器 RDP)执行包时为什么包会失败?

B)有人对我如何授予用户自己调用包的访问权限有建议吗?该包有两个输入参数(带有默认值)供用户输入。

_

来自我的网络管理员的消息: 

Your id is in the proper group to access the share and I even see numerous updates to the folder from your ID and yet I also find this.

Log Name:      Microsoft-Windows-SMBServer/Security
Source:        Microsoft-Windows-SMBServer
Date:          6/12/2018 9:01:21 AM
Event ID:      1006
Task Category: (1006)
Level:         Error
Keywords:      Audit Failure,(8)
User:          SYSTEM
Computer:      mySERVER.myDOMAIN
Description:
The share denied access to the client.
Client Name: \\10.26.151.96
Client Address: 10.26.151.96:57626
User Name: myDOMAIN\myUser
Session ID: 0x16C029C000581
Share Name: \\*\DIXFDev
Share Path: \??\D:\Shares\DIXFDev
Status: {Access Denied}
A process has requested access to an object, but has not been granted those access rights. (0xC0000022)
Mapped Access: 0x80080
Granted Access: 0x0
Security Descriptor: 0x0100048058000000680000000000000014000000020044000200000000031800FF011F000102000000000005200000002002000000002400BF011300010500000000000515000000007B755294545B7AB2192C25066D000001020000000000052000000020020000010500000000000515000000007B755294545B7AB2192C2500020000
Guidance:
You should expect access denied errors when a principal accesses a share without the necessary permissions. Usually, this indicates that the principal does not have direct security permissions or lacks membership in a group that has direct access permissions. To determine and correct the permissions on the specified share, an administrator can use the Security tab in File Explorer Properties dialog, the SMBSHARE Windows PowerShell module, or the NET SHARE command. You can also use the Effective Access tab in File Explorer to help diagnose the issue.
Applications may generate access denied errors if they attempt to open files in a writable mode first, and then reopen the files in a read-only mode. In this case, no user action is required.
If access to the share is denied and this event is not logged, you can examine the file and folder NTFS/REFS permissions.
This error does not indicate a problem with authentication, only authorization.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-SMBServer" Guid="{D48CE617-33A2-4BC3-A5C7-11AA4F29619E}" />
    <EventID>1006</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>1006</Task>
    <Opcode>0</Opcode>
    <Keywords>0x810000000000008</Keywords>
    <TimeCreated SystemTime="2018-06-12T14:01:21.342045500Z" />
    <EventRecordID>357496420</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="2680" />
    <Channel>Microsoft-Windows-SMBServer/Security</Channel>
    <Computer>mySERVER.myDOMAIN</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <EventData xmlns="Smb2Namespace">
      <ShareNameLength>11</ShareNameLength>
      <ShareName>\\*\DIXFDev</ShareName>
      <SharePathLength>21</SharePathLength>
      <SharePath>\??\D:\Shares\DIXFDev</SharePath>
      <ClientAddressLength>128</ClientAddressLength>
      <ClientAddress>0200E11A0A1A976000000000000000000000FFFF0A1A97600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</ClientAddress>
      <UserNameLength>14</UserNameLength>
      <UserName>myDOMAIN\bl0040</UserName>
      <ClientNameLength>14</ClientNameLength>
      <ClientName>\\10.26.151.96</ClientName>
      <MappedAccess>0x80080</MappedAccess>
      <GrantedAccess>0x0</GrantedAccess>
      <ShareSecurityDescriptorLength>132</ShareSecurityDescriptorLength>
      <ShareSecurityDescriptor>0100048058000000680000000000000014000000020044000200000000031800FF011F000102000000000005200000002002000000002400BF011300010500000000000515000000007B755294545B7AB2192C25066D000001020000000000052000000020020000010500000000000515000000007B755294545B7AB2192C2500020000</ShareSecurityDescriptor>
      <Status>0xc0000022</Status>
      <TranslatedStatus>0xc0000022</TranslatedStatus>
      <SessionID>0x16c029c000581</SessionID>
    </EventData>
  </UserData>
</Event>

从具有参数值的 SSMS RDP 会话创建的脚本:

DECLARE
        @execution_id bigint EXEC [SSISDB].[catalog].[create_execution] @package_name=N'FYE AP AuditFile_rep238.dtsx', @execution_id=@execution_id OUTPUT, @folder_name=N'IsolatedPackages', @project_name=N'FYE AP AuditFile_rep238', @use32bitruntime=False, @reference_id=56
        SELECT
                @execution_id DECLARE @var0 sql_variant = N'\\MYSERVER\folder1\folder2\SSISPackages\FYEAPAuditFile\audit-file-ap_ax-export_REP238_piped.txt' EXEC [SSISDB].[catalog].[set_execution_parameter_value] @execution_id,
                @object_type                            =                                                                                                                                                                30           ,
                @parameter_name                         =N'paramFilePath'                                                                                                                                                             ,
                @parameter_value                        =@var0 DECLARE @var1 sql_variant = N'2017' EXEC [SSISDB].[catalog].[set_execution_parameter_value] @execution_id                                                              ,
                @object_type                            =                                                                                                  30                                                                         ,
                @parameter_name                         =N'paramYear'                                                                                                                                                                 ,
                @parameter_value                        =@var1 DECLARE @var2 SMALLINT = 1 EXEC [SSISDB].[catalog].[set_execution_parameter_value] @execution_id                                                                       ,
                @object_type                            =                                                                                         50                                                                                  ,
                @parameter_name                         =N'LOGGING_LEVEL'                                                                                                                                                             ,
                @parameter_value                        =@var2 EXEC [SSISDB].[catalog].[start_execution] @execution_id GO

调用包的SSMS图像: 在此处输入图像描述

标签: sql-serverssisclient-serverdata-fileswindows-networking

解决方案

在这两种情况下,您都使用您的用户帐户连接到 SQL Server,该用户帐户在您登录时由域控制器进行身份验证

  1. 您的客户端计算机
  2. 运行 SQL Server 和 SSIS 的服务器

在第二种情况下(RDP),就像您在服务器上访问文件共享一样。在第一种情况下(远程 SSMS),您在客户端计算机上要求远程 SQL Server 使用您的安全上下文访问文件共享。这称为Active Directory 委派(或“Kerberos 委派”),需要进行配置。要求您的域管理员为 SQL Server(或其服务帐户)和文件服务器(仅当不存在时)创建 SPN。然后他们必须配置(允许委派从 SQL Server(或其服务帐户)到文件服务器(例如使用“Active Directory 用户和计算机”)。这将允许远程计算机上的 SQL Server 与域控制器通信,以便代表您(或连接的任何其他人)为文件服务器请求服务票证(即 Kerberos 语言)。然后将该服务票证提交给文件服务器上的“SMB 服务器”服务,以检查您的文件共享和 NTFS 权限。

PS:如果您计划使用 SQL Server 代理的凭据通过 SQL Server 代理作业执行包,则不需要所有委托。只需设置作业,它也可以从您的远程 SSMS 会话启动而没有任何问题,前提是 SQL Server 代理具有对文件共享的相应访问权限。

推荐阅读