16.10 - Prerequisites - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

  • The KRB5 and SPNEGO (if used) mechanisms are enabled.
  • The AuthorizationSupported property for the mechanisms is set to:
    • ‘no’ if user privileges are authorized by the database
    • ‘yes’ if user privileges are authorized in a directory
  • External authentication is set up in the database. See About External Authentication Controls and About External Authentication Requirements.
  • Teradata clients and Teradata Database(s) are connected to the network. Teradata clients are already capable of executing Kerberos logons elsewhere in the network, and the Teradata Database is accessible to your client system.
  • For sites that use Unity, complete the configuration of the PROXY connection and related procedures shown in Teradata Unity Installation, Configuration, and Upgrade Guide for Customers, before doing the Kerberos configuration in this chapter.
  • KDCs are set up for Kerberos authentication (except for the specialized Teradata Database requirements shown in the procedures that follow), and are operational.
  • KDCs must run either Windows Kerberos or MIT Kerberos on Linux. Heimdal Kerberos is not supported.
  • Users who plan to access Teradata Database using Kerberos authentication are already fully set up to use Kerberos for other non-Teradata network logons. For Kerberos authentication, the authorized username must match a Teradata Database user that has WITH NULL PASSWORD privileges, but the Teradata Database username does not have to be the same as the user's authenticated username. If there is no authorization, the Kerberos username and the Teradata Database username must match, and the username must be granted WITH NULL PASSWORD. For a description of valid Kerberos username forms, see the topics on “Single Sign-on” and “Sign-on As” in Logging on to Teradata Database.
  • If a Teradata Database (service) in one realm can be accessed by a client situated in a different realm, a cross-realm trust must exist between the realms.