The krb5.conf Kerberos configuration file requires a special setup on each database node. The sample krb5.conf file is located by default in the /etc directory.
For more detailed information on MIT Kerberos sections and tags, go to:
http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.3/doc/krb5-admin/krb5.conf.html
Example: krb5.conf
The following example shows the structure of a krb5.conf file. You must modify the example to conform to the requirements of your system, using the guidelines contained in the syntax table that follows the example.
```
[libdefaults]
    default_realm = default_kerberos_realm
    clockskew = allowable_skew

[realms]
    default_kerberos_realm = {
        kdc = kdchost1_fqdn
        kdc = kdchost2_fqdn
        kdc = kdchost3_fqdn
    }

[domain_realm]
    host_dnsdomain = kerberos_realm
    host_fqdn = kerberos_realm

[logging]
    kdc = FILE:/tmp/krb5kdc.log

[appdefaults]
    pam = {
        ticket_lifetime = ticket_duration
        renew_lifetime = renew_duration
        forwardable = true/false
        proxiable = true/false
        retain_after_close = false
        minimum_uid = 0
        try_first_pass = true
    }
```
Section, TagName, and TagValue | Description |
---|---|
[libdefaults] | The section that contains default values that the Kerberos library uses to authenticate a logon. |
default_realm = default_kerberos_realm | The realm that contains the Kerberos logon, including both the KDC host (Windows domain controller) and the Vantage nodes, for example: SUBDOMAIN.DOMAIN.COM. The realm information must match the Windows domain name exactly, including case. |
clockskew = allowable_skew | The maximum allowable difference, in seconds, for time synchronization between Vantage and the client domain. The maximum suggested value is between -300 and 300 (five minutes). You must enter this value as a whole, positive integer. |
[realms] | Subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm. |
default_kerberos_realm = { | See default_realm = default_kerberos_realm. |
kdc = kdchost1_fqdn | [Required] The KDC host is a domain controller for the Windows domain. The FQDN is similar to: hostname.subdomain.domain.com. Only one KDC host may be required, but if you configured Vantage system nodes in multiple domains (see Working with Kerberos Setup on the KDC), you need to define a KDC host for each domain. |
additional_kerberos_realm = { | Required if realms other than the default Kerberos realm contain functioning KDC hosts, for example: ALTSUBDOMAIN.DOMAIN.COM. Specify the realm according to the rules for default_kerberos_realm shown above. |
kdc = additional_kdchost_fqdn | Required if there is an additional KDC host. The FQDN of the additional KDC host, for example: additionalhostname.subdomain.domain.com. The KDC host is an alternate domain controller for the Windows domain. |
[domain_realm] | The section that contains relationships that map domains and subdomains onto Kerberos realm names. This determines a host's realm by its FQDN. |
host_dnsdomain = kerberos_realm | [Required] Maps the DNS domain containing one or more hosts, for example: .subdomain.domain.com, to the Kerberos realm, for instance: SUBDOMAIN.DOMAIN.COM. The leading dot in the host_dnsdomain expression indicates that the expression maps all hosts that reside in the domain to the Kerberos realm. Specify the DNS domain in lower case. The Kerberos realm is case sensitive, and must exactly match the Windows domain. |
host_fqdn = kerberos_realm | [Required] Maps a specific host FQDN (Teradata Vantage node), for example: subdomain.domain.com, to the Kerberos realm, for example: SUBDOMAIN.DOMAIN.COM. The lack of a leading dot in the host_fqdn expression indicates that the expression maps only the host with the exact specified FQDN to the Kerberos realm. The host_fqdn value is case sensitive. The kerberos_realm value is not case sensitive, but must exactly match the Windows domain. |
[logging] | The section that contains instructions for Kerberos logging. |
default = FILE:/tmp/krb5lib.log | [Recommended] The location of the default Kerberos log on the Vantage node. The file location can be expressed as either: |
[appdefaults] | Each tag in this section specifies an application or option. The tag value defines the behavior of the owning application. |
pam = { | Identifies the start of a list of settings for the PAM application, which defines security policy parameters. Vantage installs PAM when it initially configures the system. Do not change any of the settings in this list. |
ticket_lifetime = ticket_duration | |
renew_lifetime = renew_duration | |
forwardable = true/false | |
proxiable = true/false | |
retain_after_close = false | |
minimum_uid = 0 | |
try_first_pass = true | |
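As an added example (not part of the original documentation), the following Python script parses a krb5.conf file with the stanza structure shown above and checks it against the rules in the table: an upper-case default_realm, a clockskew that is a positive whole number no larger than 300 seconds, at least one kdc defined for the default realm, and [domain_realm] entries whose dotted DNS domains are lower case and map to a realm that is defined in [realms]. The sample configuration is constructed for this example, and its realm and host names are placeholders.

```python
# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE = """[libdefaults]
 default_realm = SUBDOMAIN.DOMAIN.COM
 clockskew = 300
[realms]
 SUBDOMAIN.DOMAIN.COM = {
  kdc = kdchost1.subdomain.domain.com
  kdc = kdchost2.subdomain.domain.com
 }
[domain_realm]
 .subdomain.domain.com = SUBDOMAIN.DOMAIN.COM
 node1.subdomain.domain.com = SUBDOMAIN.DOMAIN.COM
"""

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: [(tag, value), ...]}.
    A 'tag = {' subsection becomes (tag, [(subtag, subvalue), ...]);
    the stanza format needs only one level of nesting."""
    conf, entries, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            entries = conf.setdefault(line[1:-1], [])
        elif line == "}":
            sub = None                         # end of a braced subsection
        else:
            tag, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                sub = []
                entries.append((tag, sub))
            else:
                (entries if sub is None else sub).append((tag, value))
    return conf

def check_krb5_conf(conf):
    """Return a list of findings for the rules stated in the table above."""
    findings = []
    libdefaults = dict(conf.get("libdefaults", []))
    realm = libdefaults.get("default_realm", "")
    if not realm or realm != realm.upper():
        findings.append("default_realm must be upper case to match the Windows domain")
    skew = libdefaults.get("clockskew", "")
    if not (skew.isdigit() and 0 < int(skew) <= 300):
        findings.append("clockskew must be a whole positive integer of at most 300")
    realms = {tag: val for tag, val in conf.get("realms", []) if isinstance(val, list)}
    if not any(tag == "kdc" for tag, _ in realms.get(realm, [])):
        findings.append(f"[realms] defines no kdc for default realm {realm!r}")
    for host, mapped in conf.get("domain_realm", []):
        if host.startswith(".") and host != host.lower():
            findings.append(f"DNS domain {host} must be lower case")
        if mapped not in realms:
            findings.append(f"{host} maps to realm {mapped!r}, which has no [realms] entry")
    return findings
```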