16.10 - Prerequisites - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

  • The KRB5 and SPNEGO (if used) mechanisms are enabled.
  • The AuthorizationSupported property for the mechanisms is set to:
    • ‘no’ if user privileges are authorized by the database
    • ‘yes’ if user privileges are authorized in a directory
  • External authentication is set up in the database. See About External Authentication Controls and About External Authentication Requirements.
  • Teradata clients and Teradata Database(s) are connected to the network. Teradata clients are already capable of executing Kerberos logons elsewhere in the network, and the Teradata Database is accessible to your client system.
  • For sites that use Unity, complete the configuration of the PROXY connection and related procedures shown in Teradata Unity Installation, Configuration, and Upgrade Guide for Customers, before doing the Kerberos configuration in this chapter.
  • KDCs are set up for Kerberos authentication (except for the specialized Teradata Database requirements shown in the procedures that follow), and are operational.
  • KDCs must run either Windows Kerberos or MIT Kerberos on Linux. Heimdal Kerberos is not supported.
  • Users who plan to access Teradata Database using Kerberos authentication are already fully set up to use Kerberos for other non-Teradata network logons. For Kerberos authentication, the authorized username must match a Teradata Database user that has been granted the WITH NULL PASSWORD privilege, but the Teradata Database username does not have to be the same as the user's authenticated username. If there is no authorization, the Kerberos username and the Teradata Database username must match, and that database user must be granted WITH NULL PASSWORD. For a description of valid Kerberos username forms, see the topics on “Single Sign-on” and “Sign-on As” in Logging on to Teradata Database.
  • If a Teradata Database (service) in one realm can be accessed by a client situated in a different realm, a cross-realm trust must exist between the realms.