KRB5 Mechanism | Teradata Vantage - 17.10 - KRB5 Mechanism - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)

The KRB5 mechanism supports Kerberos user authentication and Teradata Vantage authorization. You can optionally configure the KRB5 mechanism to specify directory authorization of users. This option also requires configuration of the directory. See Option 3: Non-LDAP External Authentication with Directory Authorization.

These are the types of KRB5 mechanisms:
  • SSPI Kerberos appears on Windows clients
  • KRB5 for UNIX appears on Linux clients, on supported TTU UNIX clients (except IBM z/OS clients), and on the database system

To use the KRB5 mechanism, you must complete the set up procedures described in the topics starting with About External Authentication Controls.

For clients running .NET Data Provider for Teradata, you must use the SPNEGO mechanism for Kerberos authentication.

Kerberos Multiple LAN Adapter Restriction

When you use Kerberos authentication, for example, when users employ single sign-on, Vantage nodes can have a maximum of one LAN adapter, and the machine name must correspond to the host name (hostid) associated with the target adapter. If a logon uses KRB5 to connect to a node with multiple LAN adapters, the logon fails.

If you decide to use multiple LAN adapters, you can disable the KRB5 mechanism to avoid logon failures. See MechanismEnabled.

Example: KRB5 for Linux Configuration in Teradata Vantage

Linux appears in the TdgssUserConfigFile.xml by default.

If you decide to use directory authorization with Kerberos authentication, you must configure at least some of the LDAP properties. See Option 3: Non-LDAP External Authentication with Directory Authorization.
<!-- KRB5 for TDGSS using GSS-API -->
        <Mechanism Name="KRB5"
            ObjectId="1.2.840.113554.1.2.2"
            LibraryName="gssp2gss"
            Prefix="gssp2gss"
            InterfaceType="gss">
            <RequiredLibrary Path="/usr/lib64/libgssapi_krb5.so"/>
            <MechanismProperties
                AuthenticationSupported="yes"
                AuthorizationSupported="no"
                SingleSignOnSupported="yes"
                DefaultMechanism="no"
                MechanismEnabled="yes"
                MechanismRank="40"
                GenerateCredentialFromLogon="yes"
                DelegateCredentials="no"
                MutualAuthentication="yes"
                ReplayDetection="yes"
                OutOfSequenceDetection="yes"
                ConfidentialityDesired="yes"
                IntegrityDesired="yes"
                AnonymousAuthentication="no"
                DesiredContextTime=""
                DesiredCredentialTime=""
                CredentialUsage="0"
                LdapServerName=""
                LdapServerPort="389"
                LdapServerRealm=""
                LdapSystemFQDN=""
                LdapBaseFQDN=""
                LdapGroupBaseFQDN=""
                LdapUserBaseFQDN=""
                LdapClientReferrals="off"
                LdapClientDeref="never"
                LdapClientDebug="0"
                LdapClientRebindAuth="yes"
                LdapClientRandomDevice="/dev/urandom"
                LdapClientMechanism="SASL/DIGEST-MD5"
                LdapClientUseTls="no"
                LdapServiceFQDN=""
                LdapServicePasswordProtected="no"
                LdapServicePasswordFile=""
                LdapServicePassword=""
                LdapClientSaslSecProps=""
                UseLdapConfig="no"
                TeradataKeyTab="/etc/teradata.keytab"
                />
            <MechQop Value="0"> GLOBAL_QOP_0 </MechQop>
        </Mechanism>