KRB5 Mechanism - Analytics Database - Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-11-02
dita:mapPath: hjo1628096075471.ditamap
dita:ditavalPath: qkf1628213546010.ditaval
dita:id: zuy1472246340572
lifecycle: latest
Product Category: Teradata Vantage™

The KRB5 mechanism supports Kerberos user authentication and Teradata Vantage authorization. You can optionally configure the KRB5 mechanism to specify directory authorization of users. This option also requires configuration of the directory. See Option 3: Non-LDAP External Authentication with Directory Authorization.

These are the types of KRB5 mechanisms:
  • SSPI Kerberos appears on Windows clients
  • KRB5 for UNIX appears on Linux clients, on supported TTU UNIX clients (except IBM z/OS clients), and on the database system

To use the KRB5 mechanism, you must complete the setup procedures described in the topics starting with External Authentication Controls.

For clients running .NET Data Provider for Teradata, you must use the SPNEGO mechanism for Kerberos authentication.

Kerberos Multiple LAN Adapter Restriction

When you use Kerberos authentication, for example, when users employ single sign-on, Vantage nodes can have a maximum of one LAN adapter, and the machine name must correspond to the host name (hostid) associated with the target adapter. If a logon uses KRB5 to connect to a node with multiple LAN adapters, the logon fails.

If you decide to use multiple LAN adapters, you can disable the KRB5 mechanism to avoid logon failures. See MechanismEnabled.

Example: KRB5 for Linux Configuration in Teradata Vantage

The KRB5 mechanism for Linux appears in TdgssUserConfigFile.xml by default.

If you decide to use directory authorization with Kerberos authentication, you must configure at least some of the LDAP properties. See Option 3: Non-LDAP External Authentication with Directory Authorization.
        <!-- KRB5 for TDGSS using GSS-API -->
        <Mechanism Name="KRB5"
            ObjectId="1.2.840.113554.1.2.2"
            LibraryName="gssp2gss"
            Prefix="gssp2gss"
            InterfaceType="gss">
            <RequiredLibrary Path="/usr/lib64/libgssapi_krb5.so"/>
            <MechanismProperties
                AuthenticationSupported="yes"
                AuthorizationSupported="no"
                SingleSignOnSupported="yes"
                DefaultMechanism="no"
                MechanismEnabled="yes"
                MechanismRank="40"
                GenerateCredentialFromLogon="yes"
                DelegateCredentials="no"
                MutualAuthentication="yes"
                ReplayDetection="yes"
                OutOfSequenceDetection="yes"
                ConfidentialityDesired="yes"
                IntegrityDesired="yes"
                AnonymousAuthentication="no"
                DesiredContextTime=""
                DesiredCredentialTime=""
                CredentialUsage="0"
                LdapServerName=""
                LdapSystemFQDN=""
                LdapGroupBaseFQDN=""
                LdapUserBaseFQDN=""
                LdapClientReferrals="off"
                LdapClientDeref="never"
                LdapClientDebug="0"
                LdapClientRebindAuth="yes"
                LdapClientRandomDevice="/dev/urandom"
                LdapClientUseTls="no"
                UseLdapConfig="no"
                TeradataKeyTab="/etc/teradata.keytab"
                />
            <MechQop Value="0"> GLOBAL_QOP_0 </MechQop>
        </Mechanism>
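The following script is an added example and is not Teradata code or part of TdgssUserConfigFile.xml. It reads a constructed fragment modelled on the KRB5 entry above, reports which of the security-relevant MechanismProperties differ from the defaults shown on this page (MutualAuthentication, ReplayDetection, OutOfSequenceDetection, IntegrityDesired, ConfidentialityDesired, DelegateCredentials, AnonymousAuthentication), checks that the LDAP properties are filled in when directory authorization is enabled (the page says "at least some" must be configured; treating LdapServerName as the minimum, and LdapClientUseTls="no" as a warning, are this example's assumptions), and shows how MechanismEnabled is switched to "no" when KRB5 must be disabled on a node with multiple LAN adapters. The single `<Config>` root and the sample values are constructed so that the fragment parses stand-alone.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's KRB5 entry, with a few values
# deliberately changed away from the page defaults so the audit has
# something to report. The <Config> root is an assumption: the real file
# wraps several <Mechanism> elements in its own parent element.
SAMPLE_CONFIG = """<Config>
  <Mechanism Name="KRB5" ObjectId="1.2.840.113554.1.2.2"
             LibraryName="gssp2gss" Prefix="gssp2gss" InterfaceType="gss">
    <RequiredLibrary Path="/usr/lib64/libgssapi_krb5.so"/>
    <MechanismProperties
        AuthenticationSupported="yes"
        AuthorizationSupported="yes"
        SingleSignOnSupported="yes"
        MechanismEnabled="yes"
        DelegateCredentials="yes"
        MutualAuthentication="yes"
        ReplayDetection="no"
        OutOfSequenceDetection="yes"
        ConfidentialityDesired="yes"
        IntegrityDesired="yes"
        LdapServerName=""
        LdapClientUseTls="no"
        TeradataKeyTab="/etc/teradata.keytab"
        />
    <MechQop Value="0"> GLOBAL_QOP_0 </MechQop>
  </Mechanism>
</Config>
"""

# Page defaults for the KRB5 entry that a reviewer would expect to stay put.
EXPECTED = {
    "MutualAuthentication": "yes",    # client also verifies the database
    "ReplayDetection": "yes",
    "OutOfSequenceDetection": "yes",
    "IntegrityDesired": "yes",
    "ConfidentialityDesired": "yes",
    "DelegateCredentials": "no",      # no ticket forwarding by default
    "AnonymousAuthentication": "no",
}


def _krb5_props_element(root):
    """Return the <MechanismProperties> element of the KRB5 mechanism, or None."""
    for mech in root.iter("Mechanism"):
        if mech.get("Name") == "KRB5":
            return mech.find("MechanismProperties")
    return None


def krb5_properties(xml_text):
    """Return the KRB5 MechanismProperties attributes as a dict (None if absent)."""
    props = _krb5_props_element(ET.fromstring(xml_text))
    return dict(props.attrib) if props is not None else None


def audit_krb5(xml_text):
    """Return a list of findings; an empty list means nothing deviated."""
    props = krb5_properties(xml_text)
    if props is None:
        return ["no KRB5 <Mechanism> element found"]
    findings = []
    for key, want in EXPECTED.items():
        got = props.get(key)          # None when the attribute is missing
        if got != want:
            findings.append(f"{key}={got!r}, expected {want!r}")
    # Directory authorization with Kerberos needs the LDAP properties set.
    # Assumption: LdapServerName is the minimum worth checking here.
    if props.get("AuthorizationSupported") == "yes":
        if not props.get("LdapServerName"):
            findings.append("AuthorizationSupported=yes but LdapServerName is empty")
        # Assumption (reviewer caveat, not from the page): directory lookups
        # over LDAP without TLS are worth flagging.
        if props.get("LdapClientUseTls", "no") != "yes":
            findings.append("AuthorizationSupported=yes but LdapClientUseTls is not yes")
    if not props.get("TeradataKeyTab"):
        findings.append("TeradataKeyTab is empty")
    return findings


def set_krb5_property(xml_text, key, value):
    """Return xml_text with one KRB5 MechanismProperties attribute changed."""
    root = ET.fromstring(xml_text)
    props = _krb5_props_element(root)
    if props is None:
        raise ValueError("no KRB5 <Mechanism> element found")
    props.set(key, value)
    return ET.tostring(root, encoding="unicode")


def disable_krb5(xml_text):
    """Set MechanismEnabled="no" on KRB5, the page's remedy for nodes with
    more than one LAN adapter, where KRB5 logons would otherwise fail."""
    return set_krb5_property(xml_text, "MechanismEnabled", "no")


if __name__ == "__main__":
    for finding in audit_krb5(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a copy of the live file by replacing SAMPLE_CONFIG with the file's contents; the audit only reads the text, and set_krb5_property returns a new string rather than writing anything, so the result can be diffed before it is put in place.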