16.10 - Creating Teradata Node and Unity Server Principals - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

You must create a Kerberos principal and password for each node on each Teradata Database system, and for each Unity server (if used), that is served by the MIT Kerberos Linux KDC.

Use the addprinc command to create the principal and password, for example, for a node:

kadmin.local: addprinc TERADATA/principal_name.esrootdom.esdev.tdat

WARNING: no policy specified for TERADATA/principal_name.esrootdom.esdev.tdat@UNIX.ESROOTDOM.ESDEV.TDAT; defaulting to no policy
Enter password for principal "TERADATA/principal_name.esrootdom.esdev.tdat@UNIX.ESROOTDOM.ESDEV.TDAT":
Re-enter password for principal "TERADATA/principal_name.esrootdom.esdev.tdat@UNIX.ESROOTDOM.ESDEV.TDAT":
Principal "TERADATA/principal_name.esrootdom.esdev.tdat@UNIX.ESROOTDOM.ESDEV.TDAT" created.

where:

| Element | Description |
|---|---|
| principal_name.esrootdom.esdev.tdat | The FQDN of a Teradata Database node or Unity server. principal_name should use the naming conventions shown in step 4 of Creating a Computer Component for Database Nodes and Unity Server. |
| UNIX.ESROOTDOM.ESDEV.TDAT | The Kerberos realm in which the Teradata Database node or Unity server principal(s) is being added. |

The string TERADATA/principal_name.esrootdom.esdev.tdat@UNIX.ESROOTDOM.ESDEV.TDAT, used to represent the principal, also constitutes the SPN for the principal. The SPN is used later in Creating the Kerberos Keys and Installing the Kerberos Keys to uniquely identify the keys.

When creating a Unity server principal, the service name is still TERADATA, for example:
kadmin.local: addprinc TERADATA/principal_name.esrootdom.esdev.tdat
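
Because one principal is needed per node and per Unity server, the following added example (not part of the Teradata documentation) builds the SPN for each host in an inventory, rejects names that are not FQDNs, and prints the kadmin.local commands for review instead of running them. The host names and the policy name td_service are constructed assumptions; a policy must already exist in the KDC before it can be referenced.

```shell
#!/bin/sh
# Added example, not Teradata's code. Prints kadmin.local commands for review;
# it does not run them. Host names and the policy name are constructed.
REALM="UNIX.ESROOTDOM.ESDEV.TDAT"   # realm from the page's example
POLICY="td_service"                 # hypothetical policy; set to "" to omit

# build_spn FQDN REALM: print TERADATA/fqdn@REALM, or return 1 if malformed.
build_spn() {
    # The page requires an FQDN, so a bare host name (no dot) is rejected.
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+$' || return 1
    # Realms are case sensitive and upper case by convention; catch a typo here.
    printf '%s\n' "$2" | grep -Eq '^[A-Z0-9-]+(\.[A-Z0-9-]+)+$' || return 1
    printf 'TERADATA/%s@%s\n' "$1" "$2"
}

# emit_addprinc: read one FQDN per line on stdin (nodes and Unity servers
# alike, since both use the TERADATA service name). Returns 1 on any reject.
emit_addprinc() {
    rc=0
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        if spn=$(build_spn "$host" "$REALM"); then
            # -policy avoids the "defaulting to no policy" warning.
            printf 'kadmin.local -q "addprinc %s%s"\n' "${POLICY:+-policy $POLICY }" "$spn"
        else
            printf 'rejected, malformed host or realm: %s\n' "$host" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed inventory: two nodes, one Unity server, one bare host name.
SAMPLE_HOSTS='tdnode1.esrootdom.esdev.tdat
tdnode2.esrootdom.esdev.tdat
unity1.esrootdom.esdev.tdat
tdnode3'
printf '%s\n' "$SAMPLE_HOSTS" | emit_addprinc ||
    echo "fix the rejected entries before creating principals" >&2
```

Each printed command still prompts for the principal's password when it is run on the KDC, as in the session shown above.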