Using Appended Domain Name - Analytics Database - Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2024-04-05
Product Category: Teradata Vantage™

Teradata strongly recommends that you do not use the Append Domain Name feature. Allowing different users to have the same username, even if they are in different domains, is not compatible with a strong security policy. If you are already appending domain names to distinguish identical usernames, discontinue the practice as soon as possible for better security. Reassign these users unique usernames.
Appending a domain name to a username ensures that every logon name is unique across all domains for users that are authenticated externally. You can configure the database to append the domain name for external authentication for mechanisms that provide domain information, including the following:
  • KRB5
  • SPNEGO

To check whether the Append Domain Name feature is already set up, do the following:

  1. Query the Append Domain Name value in the Gateway Control GDO with the gtwcontrol -d option to determine what name the system uses to identify the user.
    • If Append Domain is set to no, the system uses the username contained in the logon.
    • If Append Domain is set to yes, the name the system uses depends on the mechanism:
      • If the mechanism does not provide a domain name, the system uses username.
      • If the mechanism provides a domain name, the system uses username@domain.
  2. To change the current value, toggle it with the -F option for the gtwcontrol command:
    gtwcontrol -F

    For further information about the gtwcontrol utility, see Teradata Vantage™ - Database Utilities, B035-1102.

  3. The database accepts appended domain names only if the corresponding usernames are defined in the database as username@domain. For example, for user “joe” in domain “domain1”, you must define the user similarly to:
    CREATE USER "joe@domain1" AS PERM=10000000, PASSWORD=pw1234;
    GRANT LOGON ON ALL TO "joe@domain1" WITH NULL PASSWORD;
Use this special format only for users that require an appended domain name.
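
The naming rule from step 1 and the recommendation to reassign unique usernames, as an added Python example (not Teradata code): it computes the name the database would use under each Append Domain setting and lists the usernames that exist in more than one domain. The function names, the sample identities and the case-insensitive comparison are assumptions.

```python
from collections import defaultdict


def database_name(username, domain, append_domain):
    """Name the database uses for an externally authenticated logon.

    domain is None when the mechanism supplies no domain information.
    """
    if append_domain and domain:
        return f"{username}@{domain}"
    return username


def shared_usernames(principals):
    """Return {bare username: [user@domain, ...]} for every username that
    more than one external identity would share if Append Domain were no."""
    groups = defaultdict(set)
    for username, domain in principals:
        # Assumption: usernames and domains compare case-insensitively.
        user = username.lower()
        dom = domain.lower() if domain else None
        groups[user].add(database_name(user, dom, True))
    return {u: sorted(names) for u, names in groups.items() if len(names) > 1}


# Constructed sample of external identities: (username, domain).
SAMPLE = [
    ("joe", "domain1"),
    ("joe", "domain2"),
    ("ann", "domain1"),
    ("Joe", "domain1"),   # same identity as the first entry, different case
    ("svc_load", None),   # mechanism supplies no domain
]

if __name__ == "__main__":
    print("identity -> Append Domain no | Append Domain yes")
    for user, domain in SAMPLE:
        print(f"{user}, {domain} -> {database_name(user, domain, False)}"
              f" | {database_name(user, domain, True)}")
    for user, names in shared_usernames(SAMPLE).items():
        print(f"'{user}' is shared; reassign unique usernames for: "
              f"{', '.join(names)}")
```

Every entry the report lists is a user that currently depends on the username@domain form and needs a unique username before Append Domain can be set to no.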