The KRB5 mechanism supports Kerberos user authentication and Teradata Vantage authorization. You can optionally configure the KRB5 mechanism to specify directory authorization of users. This option also requires configuration of the directory. See Option 3: Non-LDAP External Authentication with Directory Authorization.
- SSPI Kerberos appears on Windows clients
- KRB5 for UNIX appears on Linux clients, on supported TTU UNIX clients (except IBM z/OS clients), and on the database system
To use the KRB5 mechanism, you must complete the setup procedures described in the topics starting with External Authentication Controls.
Kerberos Multiple LAN Adapter Restriction
When you use Kerberos authentication, for example, when users employ single sign-on, Vantage nodes can have a maximum of one LAN adapter, and the machine name must correspond to the host name (hostid) associated with the target adapter. If a logon uses KRB5 to connect to a node with multiple LAN adapters, the logon fails.
If you decide to use multiple LAN adapters, you can disable the KRB5 mechanism to avoid logon failures. See MechanismEnabled.
Example: KRB5 for Linux Configuration in Teradata Vantage
The KRB5 for Linux configuration appears in the TdgssUserConfigFile.xml by default.
```xml
<!-- KRB5 for TDGSS using GSS-API -->
<Mechanism Name="KRB5"
           ObjectId="1.2.840.113554.1.2.2"
           LibraryName="gssp2gss"
           Prefix="gssp2gss"
           InterfaceType="gss">
    <RequiredLibrary Path="/usr/lib64/libgssapi_krb5.so"/>
    <MechanismProperties
        AuthenticationSupported="yes"
        AuthorizationSupported="no"
        SingleSignOnSupported="yes"
        DefaultMechanism="no"
        MechanismEnabled="yes"
        MechanismRank="40"
        GenerateCredentialFromLogon="yes"
        DelegateCredentials="no"
        MutualAuthentication="yes"
        ReplayDetection="yes"
        OutOfSequenceDetection="yes"
        ConfidentialityDesired="yes"
        IntegrityDesired="yes"
        AnonymousAuthentication="no"
        DesiredContextTime=""
        DesiredCredentialTime=""
        CredentialUsage="0"
        LdapServerName=""
        LdapSystemFQDN=""
        LdapGroupBaseFQDN=""
        LdapUserBaseFQDN=""
        LdapClientReferrals="off"
        LdapClientDeref="never"
        LdapClientDebug="0"
        LdapClientRebindAuth="yes"
        LdapClientRandomDevice="/dev/urandom"
        LdapClientUseTls="no"
        UseLdapConfig="no"
        TeradataKeyTab="/etc/teradata.keytab"
    />
    <MechQop Value="0"> GLOBAL_QOP_0 </MechQop>
</Mechanism>
```
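The following check is an added example, not Teradata code: it parses a KRB5 `<Mechanism>` element and reports security-relevant properties that are missing or differ from the default values shown above. The function name `audit_krb5`, the selection of properties, and the use of this page's defaults as the baseline are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Security-relevant properties with the values from the default KRB5 entry
# shown above, used as the baseline here (an assumption of this example).
BASELINE = {
    "MechanismEnabled": "yes", "MutualAuthentication": "yes",
    "ReplayDetection": "yes", "OutOfSequenceDetection": "yes",
    "ConfidentialityDesired": "yes", "IntegrityDesired": "yes",
    "AnonymousAuthentication": "no", "DelegateCredentials": "no",
}

def audit_krb5(xml_text, baseline=BASELINE):
    """Return (property, found, expected) for each deviation from baseline."""
    root = ET.fromstring(xml_text)
    # iter() includes the root, so a bare <Mechanism> or a wrapping document works.
    krb5 = next((m for m in root.iter("Mechanism") if m.get("Name") == "KRB5"), None)
    if krb5 is None:
        raise ValueError("no KRB5 <Mechanism> element found")
    props = krb5.find("MechanismProperties")
    if props is None:
        raise ValueError("KRB5 mechanism has no <MechanismProperties>")
    findings = []
    for name, expected in baseline.items():
        found = props.get(name)  # None when the attribute is absent
        if found is None or found.strip().lower() != expected:
            findings.append((name, found, expected))
    return findings

# Constructed sample: a trimmed KRB5 entry with ReplayDetection changed to "no"
# and MutualAuthentication removed, to show both kinds of finding.
SAMPLE = """
<Mechanism Name="KRB5" ObjectId="1.2.840.113554.1.2.2">
  <MechanismProperties
      MechanismEnabled="yes"
      DelegateCredentials="no"
      ReplayDetection="no"
      OutOfSequenceDetection="yes"
      ConfidentialityDesired="yes"
      IntegrityDesired="yes"
      AnonymousAuthentication="no" />
</Mechanism>
"""

if __name__ == "__main__":
    for name, found, expected in audit_krb5(SAMPLE):
        print(f"{name}: found {found!r}, default on this page is {expected!r}")
```

A deliberate change, such as `MechanismEnabled="no"` on nodes with multiple LAN adapters, also shows up as a finding, so review the output against your intended configuration.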