16.10 - Using Appended Domain Name - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

Appending the domain name to the username may be necessary to ensure that every logon name is unique across all domains for users that are authenticated externally. For example, without the domain name, joe in domain1 is indistinguishable from joe in domain2.

You can configure the database to append the domain name for external authentication for mechanisms that provide domain information, including the following:

  • KRB5
  • SPNEGO

Teradata strongly recommends that you do not begin using the Append Domain Name feature with Teradata Database 14.10 and above, because it is risky for different users to share the same name, even if they are in different domains. If all users have unique names, the feature is not needed. If different users have the same name in different domains, it is better to reassign them unique names than to use this feature, so that the domain name is not needed to distinguish between them. If you are already using this feature, you should discontinue use as soon as it is convenient to do so.

To check on whether the Append Domain Name feature is already set up, do the following:

  1. Use the gtwcontrol -d option to display the Gateway Control GDO, and check the Append Domain Name value to determine what name the system uses to identify the user.
    • If Append Domain Name is set to no, the system uses the username contained in the logon.
    • If Append Domain Name is set to yes, the name the system uses depends on the mechanism:
      • If the mechanism does not provide a domain name, the system uses username.
      • If the mechanism provides a domain name, the system uses username@domain.
  2. To change the current value, toggle it with the -F option for the gtwcontrol command:
    gtwcontrol -F

    For further information about the gtwcontrol utility, see Utilities.

  3. The database accepts appended domain names only if the corresponding usernames are defined in the database as username@domain. For example, for user “joe” in domain “domain1”, you must define the user and grant it logon similarly to:
    CREATE USER "joe@domain1" AS PERM=10000000, PASSWORD=pw1234;
    GRANT LOGON ON ALL TO "joe@domain1" WITH NULL PASSWORD;
Use this special format only for users that require an appended domain name.
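
To plan the move away from this feature, the following audit query lists users defined in the username@domain format and flags names that exist in more than one domain. It is an added example, not part of the Teradata documentation. It assumes the caller can read the dictionary views DBC.DatabasesV (DatabaseName, DBKind) and DBC.LogonRulesV (UserName, NullPassword), and that NullPassword holds 'T' for a WITH NULL PASSWORD rule.

```sql
-- Added example, not from the Teradata manual.
-- Assumptions: DBC.DatabasesV lists users with DBKind = 'U';
-- DBC.LogonRulesV.NullPassword is 'T' when a WITH NULL PASSWORD rule exists.
-- Verify the view and column names against your release before relying on it.
SELECT  a.UserName,
        a.BaseName,
        a.DomainName,
        -- More than 1 means the same base name is defined in several domains.
        COUNT(*) OVER (PARTITION BY a.BaseName) AS DomainCount,
        -- 'Y' means a user with the bare name (no @domain) also exists.
        CASE WHEN p.DatabaseName IS NULL THEN 'N' ELSE 'Y' END AS PlainUserExists,
        -- 'T' means at least one logon rule lets this user log on with a
        -- null password, as the externally authenticated users above do.
        r.NullPasswordRule
FROM   (SELECT DatabaseName AS UserName,
               SUBSTRING(DatabaseName FROM 1
                         FOR POSITION('@' IN DatabaseName) - 1) AS BaseName,
               SUBSTRING(DatabaseName
                         FROM POSITION('@' IN DatabaseName) + 1) AS DomainName
        FROM   DBC.DatabasesV
        WHERE  DBKind = 'U'
          AND  POSITION('@' IN DatabaseName) > 1
       ) AS a
-- At most one match per row, so the window count above is not inflated.
LEFT JOIN DBC.DatabasesV AS p
       ON p.DatabaseName = a.BaseName
      AND p.DBKind = 'U'
-- Collapse logon rules to one row per user before joining.
LEFT JOIN (SELECT UserName,
                  MAX(NullPassword) AS NullPasswordRule
           FROM   DBC.LogonRulesV
           GROUP  BY UserName
          ) AS r
       ON r.UserName = a.UserName
ORDER  BY a.BaseName, a.DomainName;
```

Rows with DomainCount greater than 1 or PlainUserExists = 'Y' are the accounts that need unique names assigned before Append Domain Name can be switched off.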