Teradata strongly recommends that you do not use the Append Domain Name feature. Allowing different users to have the same username, even if they are in different domains, is not compatible with a strong security policy. If you are already appending domain names to distinguish identical usernames, discontinue the practice as soon as possible for better security. Reassign these users unique usernames.
Appending a domain name to a username ensures that every logon name is unique across all domains for users that are authenticated externally. You can configure the database to append the domain name for external authentication for mechanisms that provide domain information, including the following:
- KRB5
- SPNEGO
To check on whether the Append Domain Name feature is already set up, do the following:
- Query the Append Domain Name value of the Gateway Control GDO -d option to determine what name the system uses to identify the user.
- If Append Domain is set to no, the system uses the username contained in the logon.
- If Append Domain is set to yes, the name the system uses depends on the mechanism:
- If the mechanism does not provide a domain name, the system uses username.
- If the mechanism provides a domain name, the system uses username@domain.
- To change the current value, toggle it with the -F option for the gtwcontrol command:
gtwcontrol -F
For further information about the gtwcontrol utility, see Teradata Vantage™ - Database Utilities , B035-1102 .
- The database accepts appended domain names only if the corresponding usernames are defined in the database as username@domain, for example, for user “joe” in domain “domain1”, you must define the user similarly to:
CREATE USER "joe@domain1" AS PERM=10000000, PASSWORD=pw1234; GRANT LOGON ON ALL TO "joe@domain" WITH NULL PASSWORD;
Use this special format only for users that require an appended domain name.