16.10 - Setting Up Kerberos on Linux and UNIX Clients - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

The following discusses how to configure Kerberos for Linux and UNIX clients (except IBM z/OS).

The Teradata Tools and Utilities (TTU) client packages must be installed on your client system prior to configuring Kerberos. See the appropriate installation guide for your platform:

| Operating System | Installation Documentation |
|---|---|
| Red Hat Linux | Teradata Tools and Utilities for Red Hat Enterprise Linux Installation Guide (B035-3121) |
| SUSE Linux | Teradata Tools and Utilities for SUSE Linux Installation Guide (B035-3122) |
| AIX | Teradata Tools and Utilities for IBM AIX Installation Guide (B035-3125) |
| HP-UX | Teradata Tools and Utilities for HP-UX Installation Guide (B035-3124) |
| Apple OS X | Teradata Tools and Utilities for Apple OS X Installation Guide (B035-3129) |
| Solaris (Intel) | Teradata Tools and Utilities for Oracle Solaris on AMD Opteron Systems Installation Guide (B035-3126) |
| Solaris (SPARC) | Teradata Tools and Utilities for Oracle Solaris on SPARC Systems Installation Guide (B035-3127) |

Kerberos installation and configuration on Linux and UNIX clients does not require any Teradata-specific customizations. The following steps are guidelines only. For specific instructions on installing and configuring Kerberos, follow your vendor's instructions.
  1. Add the client system name and IP address to your Active Directory.
  2. Install Kerberos on the client system:
  3. Edit /etc/resolv.conf on the client system and include the Active Directory server name and IP address.
  4. Include Active Directory information in krb5.conf.
    • On Linux and UNIX clients add the following to krb5.conf, for example:
      [libdefaults]
              # default_realm names the realm defined under [realms]
              default_realm = AREALM.example.com
              clockskew = 300
              dns_lookup_realm = true
              dns_lookup_kdc = true

      [realms]
              AREALM.example.com = {
                      kdc = kdc.example.com:88
                      admin_server = AREALM.example.com:749
                      default_domain = AREALM.example.com
              }

      [domain_realm]
              .example.com = AREALM.example.com
              example.com = AREALM.example.com

    • On AIX clients, run:
      mkkrb5clnt -c <KDC> -r <Realm> -s <Server> -d <Domain>

      For example:

      mkkrb5clnt -c kdc.example.com -r AREALM.example.com -s AREALM.example.com -d example.com
  5. Verify the connection. Run nslookup from the client system and look up the Active Directory server (the KDC).
  6. Run kinit on the client system to get a ticket granting ticket for your user:
    #kinit <username>
  7. Run klist on the client system to confirm the ticket granting ticket for your user was issued:
    #klist
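
Before running kinit in step 6, the krb5.conf edited in step 4 can be checked for internal consistency. The following is an added example, not Teradata or vendor code: the function names, the sample text and the three checks are assumptions made here, and the 300-second limit is taken from the clockskew value in this page's sample.

```python
# Constructed sample in the layout of this page's krb5.conf; not a real site
# configuration. It contains three deliberate mistakes for the checks below.
# Assumption: realms are listed under [realms], not found only through DNS.
SAMPLE = """\
[libdefaults]
    default_realm = example.com
    clockskew = 600
[realms]
    AREALM.example.com = {
        kdc = kdc.example.com:88
    }
[domain_realm]
    .example.com = AREALM.example.com
    lab.example.com = BREALM.example.com
"""

def parse_krb5(text):
    """Parse the subset of krb5.conf syntax used above into nested dicts."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":         # blank line or comment
            continue
        if line[0] == "[" and line[-1] == "]":  # section header
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":                       # end of a realm stanza
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                    # start of a realm stanza
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def check_krb5(text, max_skew=300):
    """Return consistency findings; an empty list means none were found."""
    conf = parse_krb5(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    findings = []
    default = lib.get("default_realm")
    if default not in realms:
        findings.append(f"default_realm {default!r} has no [realms] stanza")
    if int(lib.get("clockskew", max_skew)) > max_skew:
        findings.append(f"clockskew is above {max_skew} seconds")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"{domain} maps to undefined realm {realm!r}")
    return findings
```

To check a client's own file, call `check_krb5(open("/etc/krb5.conf").read())`; the path is an assumption and varies by platform.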