Setting Up Kerberos on Linux and UNIX Clients

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)
Prerequisite

The following discusses how to configure Kerberos for Linux and UNIX clients (except IBM z/OS).

The Teradata Tools and Utilities (TTU) client packages must be installed on your client system prior to configuring Kerberos. See the appropriate installation guide for your platform:

Operating System | Installation Documentation
Red Hat Linux | Teradata® Tools and Utilities for Linux Installation Guide (Amazon Linux 2, CentOS, OEL, RedHat, SLES, Ubuntu), B035-3160
SUSE Linux | Teradata® Tools and Utilities for Linux Installation Guide (Amazon Linux 2, CentOS, OEL, RedHat, SLES, Ubuntu), B035-3160
AIX | Teradata® Tools and Utilities for IBM AIX Installation Guide, B035-3125
Apple OS X | Teradata® Tools and Utilities for Apple macOS Installation Guide, B035-3129
Solaris (Intel) | Teradata® Tools and Utilities for Oracle Solaris on SPARC and AMD Opteron Systems Installation Guide, B035-3136
Solaris (SPARC) | Teradata® Tools and Utilities for Oracle Solaris on SPARC and AMD Opteron Systems Installation Guide, B035-3136

Kerberos installation and configuration on Linux and UNIX clients does not require any Vantage-specific customizations. The following steps are guidelines only. For specific instructions on installing and configuring Kerberos, follow your vendor's instructions.
  1. Add the client system name and IP address to your Active Directory.
  2. Install Kerberos on the client system:
    • Install a supported version of Kerberos for Linux and UNIX clients.
    • For AIX, install the NAS Kerberos package from IBM. The IBM Kerberos implementation, Network Authentication Services (NAS), is shipped on the AIX expansion pack.

      Run:

      installp -aqXYgd . krb5.client
  3. Edit /etc/resolv.conf on the client system and include the Active Directory server name and IP address.
  4. Include Active Directory information in krb5.conf.
    • On Linux and UNIX clients add the following to krb5.conf, for example:
      [libdefaults]
          default_realm = example.com
          clockskew = 300
          dns_lookup_realm = true
          dns_lookup_kdc = true

      [realms]
          AREALM.example.com = {
              kdc = kdc.example.com:88
              admin_server = AREALM.example.com:749
              default_domain = AREALM.example.com
          }

      [domain_realm]
          .example.com = AREALM.example.com
          example.com = AREALM.example.com

    • On AIX clients, run:
      mkkrb5clnt -c <KDC> -r <Realm> -s <Server> -d <Domain>

      For example:

      mkkrb5clnt -c kdc.example.com -r AREALM.example.com -s AREALM.example.com -d example.com
  5. Verify the connection. Run nslookup from the client system and look up the Active Directory server (the KDC).
  6. Run kinit on the client system to get a ticket-granting ticket for your user:
    #kinit <username>
  7. Run klist on the client system to confirm that the ticket-granting ticket for your user was issued:
    #klist
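
The krb5.conf edits from step 4 can be checked for internal consistency before kinit is run. The shell function below is an added example, not Teradata or vendor code; `krb5_lint` and `sample_conf` are hypothetical names and the sample file is constructed. It reports a default_realm or [domain_realm] target that has no matching [realms] stanza (realm names are case-sensitive) and a clockskew wider than the 300-second default.

```shell
# Added example, not Teradata or vendor code. krb5_lint and sample_conf are
# hypothetical helper names; the sample configuration is constructed.

krb5_lint() {  # usage: krb5_lint <krb5.conf>; prints one finding per line
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*([#;]|$)/ { next }                  # comments and blank lines
    /^[ \t]*\[/ { sec = trim($0); next }        # section header such as [realms]
    sec == "[realms]" {                         # record names that open a stanza
      if (depth == 0 && $0 ~ /[=][ \t]*[{]/) { split($0, p, "="); realms[trim(p[1])] = 1 }
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}"); next
    }
    /[=]/ {
      i = index($0, "="); k = trim(substr($0, 1, i - 1)); v = trim(substr($0, i + 1))
      if (sec == "[libdefaults]") lib[k] = v
      if (sec == "[domain_realm]") map[k] = v
    }
    END {
      dr = lib["default_realm"]
      if (dr == "") print "ERROR default_realm is not set"
      else if (!(dr in realms) && lib["dns_lookup_kdc"] == "true")
        print "WARN default_realm " dr " has no [realms] stanza; KDC lookup depends on DNS SRV records"
      else if (!(dr in realms))
        print "ERROR default_realm " dr " has no [realms] stanza and dns_lookup_kdc is off"
      for (d in map) if (!(map[d] in realms))
        print "ERROR domain " d " maps to undefined realm " map[d]
      if (lib["clockskew"] + 0 > 300)
        print "WARN clockskew " lib["clockskew"] " is wider than the 300-second default"
    }' "$1"
}

sample_conf() {  # constructed input modelled on the krb5.conf layout in step 4
  cat <<'EOF'
[libdefaults]
    default_realm = example.com
    clockskew = 900
    dns_lookup_kdc = true
[realms]
    AREALM.example.com = {
        kdc = kdc.example.com:88
    }
[domain_realm]
    .example.com = AREALM.example.com
    example.com = AREALM.EXAMPLE.COM
EOF
}

conf=$(mktemp) && sample_conf > "$conf" && krb5_lint "$conf"; rm -f "$conf"
```

A clean file produces no output, so the function can gate the kinit step in a provisioning script.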