16.10 - KRB5 Mechanism - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

The KRB5 mechanism supports Kerberos user authentication together with Teradata Database authorization. You can optionally configure the KRB5 mechanism to use directory authorization for users; this option also requires configuration of the directory. See Option 3: Non-LDAP External Authentication with Directory Authorization.

These are the types of KRB5 mechanisms:

  • SSPI Kerberos appears on Windows clients
  • KRB5 for UNIX appears on Linux clients, on supported TTU UNIX clients (except IBM z/OS clients), and on the database system

To use the KRB5 mechanism, complete the setup procedures described in the topics starting with About External Authentication Controls.

For clients running Teradata .Net Data Provider, you must use the SPNEGO mechanism for Kerberos authentication.

Kerberos Multiple LAN Adapter Restriction

When you use Kerberos authentication, for example when users employ single sign-on, each Teradata Database node can have at most one LAN adapter, and the machine name must match the host name (hostid) associated with that adapter. A logon that uses KRB5 to connect to a node with more than one LAN adapter fails.

If you decide to use multiple LAN adapters, you can disable the KRB5 mechanism to avoid these logon failures. See MechanismEnabled. Disabling KRB5 also removes the single sign-on it provides on those nodes, so users must log on with another enabled mechanism.
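A pre-flight check for this restriction, added here as an example (it is not Teradata code): it lists the node's global-scope IPv4 addresses from the iproute2 command ip -o -4 addr show scope global and checks that there is exactly one adapter and that the node's fully qualified host name resolves to that adapter's address. Reading "the machine name must match the host name associated with the target adapter" as "the name resolves to that adapter's address" is this example's interpretation. The interface output and host names in the sample run are constructed.

```python
"""Pre-flight check for the KRB5 single-LAN-adapter restriction.

Added example, not Teradata code. Run with --live to inspect the current
node; without arguments it evaluates a constructed two-adapter sample.
"""
import socket
import subprocess
import sys


def parse_ip_addr(output):
    """Turn `ip -o -4 addr show` one-line-per-address output into (iface, address) pairs."""
    adapters = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or "inet" not in fields:
            continue
        iface = fields[1]                                 # "2: eth0 inet 10.1.20.15/24 ..."
        cidr = fields[fields.index("inet") + 1]
        adapters.append((iface, cidr.split("/")[0]))
    return adapters


def check_node(adapters, hostname, resolved):
    """Return a list of problems; an empty list means the restriction is satisfied."""
    problems = []
    if not adapters:
        problems.append("no global-scope IPv4 address found on any adapter")
    elif len(adapters) > 1:
        names = ", ".join(f"{iface} ({addr})" for iface, addr in adapters)
        problems.append(f"{len(adapters)} LAN adapters carry addresses ({names}); "
                        "KRB5 logons to this node will fail")
    local = {addr for _, addr in adapters}
    if not resolved:
        problems.append(f"host name {hostname!r} does not resolve")
    elif not local & set(resolved):
        problems.append(f"host name {hostname!r} resolves to {sorted(resolved)}, "
                        "none of which belongs to a local adapter")
    return problems


def live_check():
    """Gather the real adapter list and resolver answer for this node."""
    out = subprocess.run(["ip", "-o", "-4", "addr", "show", "scope", "global"],
                         capture_output=True, text=True, check=True).stdout
    hostname = socket.getfqdn()
    try:
        resolved = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)})
    except socket.gaierror:
        resolved = []
    return check_node(parse_ip_addr(out), hostname, resolved)


# Constructed sample: a node with two adapters whose name points at the first one.
SAMPLE_IP_OUTPUT = """2: eth0    inet 10.1.20.15/24 brd 10.1.20.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.50.15/24 brd 192.168.50.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    if "--live" in sys.argv:
        problems = live_check()
    else:
        problems = check_node(parse_ip_addr(SAMPLE_IP_OUTPUT),
                              "tdnode1.example.com", ["10.1.20.15"])
    for problem in problems:
        print("PROBLEM:", problem)
    if not problems:
        print("OK: single adapter and host name agree")
```

Run it on each node before enabling KRB5; a node that reports a problem will either fail KRB5 logons or needs its host name corrected to the address of the adapter that clients connect to.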

Example: KRB5 for Linux Configuration in Teradata Database

On systems set up before Release 14.0, the KRB5 mechanism entry in TdgssUserConfigFile.xml does not include the LDAP or TeradataKeyTab properties. To use KRB5 for Linux on such a system, you may need to copy the KRB5 mechanism from TdgssLibraryConfigFile.xml and substitute it for the KRB5 mechanism in TdgssUserConfigFile.xml.

For new installations of Teradata Database beginning with Release 14.0, KRB5 for Linux appears in the TdgssUserConfigFile.xml by default.

If you decide to use directory authorization with Kerberos authentication, you must also configure the relevant Ldap properties of the MechanismProperties element shown below. See Option 3: Non-LDAP External Authentication with Directory Authorization. Note that the shipped entry leaves LdapClientUseTls="no", LdapClientMechanism="SASL/DIGEST-MD5" and LdapServicePasswordProtected="no"; review these before pointing the mechanism at a directory or storing a service password in the file.

<!-- KRB5 for TDGSS using GSS-API -->
        <Mechanism Name="KRB5"
            ObjectId="1.2.840.113554.1.2.2"
            LibraryName="gssp2gss"
            Prefix="gssp2gss"
            InterfaceType="gss">
            <RequiredLibrary Path="/usr/lib64/libgssapi_krb5.so"/>
            <MechanismProperties
                AuthenticationSupported="yes"
                AuthorizationSupported="no"
                SingleSignOnSupported="yes"
                DefaultMechanism="no"
                MechanismEnabled="yes"
                MechanismRank="40"
                GenerateCredentialFromLogon="yes"
                DelegateCredentials="no"
                MutualAuthentication="yes"
                ReplayDetection="yes"
                OutOfSequenceDetection="yes"
                ConfidentialityDesired="yes"
                IntegrityDesired="yes"
                AnonymousAuthentication="no"
                DesiredContextTime=""
                DesiredCredentialTime=""
                CredentialUsage="0"
                LdapServerName=""
                LdapServerPort="389"
                LdapServerRealm=""
                LdapSystemFQDN=""
                LdapBaseFQDN=""
                LdapGroupBaseFQDN=""
                LdapUserBaseFQDN=""
                LdapClientReferrals="off"
                LdapClientDeref="never"
                LdapClientDebug="0"
                LdapClientRebindAuth="yes"
                LdapClientRandomDevice="/dev/urandom"
                LdapClientMechanism="SASL/DIGEST-MD5"
                LdapClientUseTls="no"
                LdapServiceFQDN=""
                LdapServicePasswordProtected="no"
                LdapServicePassword=""
                LdapClientSaslSecProps=""
                UseLdapConfig="no"
                TeradataKeyTab="/etc/teradata.keytab"
                />
            <MechQop Value="0"> GLOBAL_QOP_0 </MechQop>
        </Mechanism>
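The following audit script is an added example, not Teradata code. It parses the KRB5 Mechanism element above (an abbreviated copy of it is embedded as the sample input, plus a constructed weakened variant) and reports properties that reduce the protection of the mechanism: DelegateCredentials="yes", any of MutualAuthentication, ReplayDetection or IntegrityDesired not set to "yes", and, once an LdapServerName is set so directory authorization is in play, LdapClientUseTls="no", the deprecated SASL/DIGEST-MD5 client mechanism (RFC 6331) and an LdapServicePassword stored with LdapServicePasswordProtected="no". It also checks that the file named by TeradataKeyTab exists and is not readable by group or others. Treating a non-empty LdapServerName as "directory authorization configured", and the severity labels, are this script's own choices, not Teradata's.

```python
"""Audit the KRB5 <Mechanism> entry in a TDGSS configuration file.

Added example, not Teradata code. Run with the path to TdgssUserConfigFile.xml,
or with no argument to audit the constructed weak sample below.
"""
import os
import stat
import sys
import xml.etree.ElementTree as ET

# Abbreviated copy of the page's KRB5 entry, wrapped in a root element so it
# parses on its own (the real file has its own enclosing elements).
SAMPLE_XML = """<Mechanisms>
<Mechanism Name="KRB5" ObjectId="1.2.840.113554.1.2.2" LibraryName="gssp2gss"
           Prefix="gssp2gss" InterfaceType="gss">
  <RequiredLibrary Path="/usr/lib64/libgssapi_krb5.so"/>
  <MechanismProperties
      AuthenticationSupported="yes" AuthorizationSupported="no"
      SingleSignOnSupported="yes" DefaultMechanism="no" MechanismEnabled="yes"
      MechanismRank="40" GenerateCredentialFromLogon="yes"
      DelegateCredentials="no" MutualAuthentication="yes" ReplayDetection="yes"
      OutOfSequenceDetection="yes" ConfidentialityDesired="yes"
      IntegrityDesired="yes" AnonymousAuthentication="no"
      LdapServerName="" LdapServerPort="389" LdapClientUseTls="no"
      LdapClientMechanism="SASL/DIGEST-MD5"
      LdapServicePasswordProtected="no" LdapServicePassword=""
      UseLdapConfig="no" TeradataKeyTab="/etc/teradata.keytab"/>
  <MechQop Value="0"> GLOBAL_QOP_0 </MechQop>
</Mechanism>
</Mechanisms>
"""

# Constructed weak variant: directory authorization switched on without TLS,
# a plaintext service password, and credential delegation enabled.
WEAK_XML = (SAMPLE_XML
            .replace('LdapServerName=""', 'LdapServerName="ldap.example.com"')
            .replace('LdapServicePassword=""', 'LdapServicePassword="s3cret"')
            .replace('DelegateCredentials="no"', 'DelegateCredentials="yes"'))


def krb5_properties(xml_text):
    """Attribute dict of the KRB5 <MechanismProperties> element, or None if absent."""
    root = ET.fromstring(xml_text)
    mech = root if root.tag == "Mechanism" and root.get("Name") == "KRB5" \
        else root.find(".//Mechanism[@Name='KRB5']")
    props = mech.find("MechanismProperties") if mech is not None else None
    return None if props is None else props.attrib


def audit_krb5(xml_text):
    """Return (severity, message) findings for the KRB5 mechanism; [] means clean."""
    p = krb5_properties(xml_text)
    if p is None:
        return [("ERROR", 'no <Mechanism Name="KRB5"> with <MechanismProperties> found')]
    findings = []
    if p.get("MechanismEnabled") != "yes":
        findings.append(("INFO", "KRB5 is disabled; Kerberos single sign-on is not offered"))
    # Context protections: without these a captured or replayed exchange is accepted.
    for attr in ("MutualAuthentication", "ReplayDetection", "IntegrityDesired"):
        if p.get(attr) != "yes":
            findings.append(("WARN", f'{attr} is "{p.get(attr, "")}", expected "yes"'))
    if p.get("DelegateCredentials") == "yes":
        findings.append(("WARN", "DelegateCredentials=yes forwards the user's Kerberos "
                                 "credentials to the database node; keep it \"no\" unless required"))
    # Assumption: a non-empty LdapServerName means directory authorization is configured.
    if p.get("LdapServerName", "").strip():
        if p.get("LdapClientUseTls", "no") == "no":
            findings.append(("WARN", "LdapClientUseTls=no: directory traffic is not protected by TLS"))
        if p.get("LdapClientMechanism", "").upper() == "SASL/DIGEST-MD5":
            findings.append(("WARN", "LdapClientMechanism SASL/DIGEST-MD5 is deprecated (RFC 6331)"))
        if p.get("LdapServicePassword") and p.get("LdapServicePasswordProtected") != "yes":
            findings.append(("HIGH", "LdapServicePassword is stored unprotected in the configuration file"))
    return findings


def keytab_issues(path):
    """The keytab holds the service's long-term key: it must exist and be private to its owner."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [("ERROR", f"keytab {path} does not exist")]
    issues = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append(("HIGH", f"keytab {path} is accessible to group/others "
                               f"(mode {stat.filemode(st.st_mode)})"))
    if st.st_size == 0:
        issues.append(("ERROR", f"keytab {path} is empty"))
    return issues


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_XML
    results = audit_krb5(text)
    props = krb5_properties(text) or {}
    if len(sys.argv) > 1 and props.get("TeradataKeyTab"):   # only meaningful on a real node
        results += keytab_issues(props["TeradataKeyTab"])
    for sev, msg in results:
        print(f"{sev:5} {msg}")
    if not results:
        print("OK    no findings")
```

Against the page's entry as shipped the script reports nothing, because no directory is named; the findings appear as soon as LdapServerName is filled in while the TLS, SASL and password-protection defaults are left untouched, which is exactly the state a half-finished Option 3 configuration ends up in.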