16.10 - Setting Up the krb5.conf Kerberos Configuration File - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

The krb5.conf Kerberos configuration file requires a special setup on each database node, and on the Unity server, if used. The sample krb5.conf file is located by default in the /etc directory.

MIT Kerberos contains several sections and tags that are not required for Teradata Database nodes or the Unity server, and are not shown in the configuration that follows. Teradata recommends that you do not use these options for Kerberos implementation unless it is absolutely necessary and you have fully researched their effects.

For more detailed information on MIT Kerberos sections and tags, go to:

http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.3/doc/krb5-admin/krb5.conf.html

Example: krb5.conf

The example below shows the structure of the sample krb5.conf file. You must modify the example to conform to the requirements of your system, using the guidelines contained in the syntax table that follows the example.

[libdefaults]
    default_realm = default_kerberos_realm
    clockskew = allowable_skew

[realms]
    default_kerberos_realm = {
        kdc = kdchost1_fqdn
        kdc = kdchost2_fqdn
        kdc = kdchost3_fqdn
    }

[domain_realm]
    host_dnsdomain = kerberos_realm
    host_fqdn = kerberos_realm

[logging]
    kdc = FILE:/tmp/krb5kdc.log

[appdefaults]
    pam = {
        ticket_lifetime = ticket_duration
        renew_lifetime = renew_duration
        forwardable = true/false
        proxiable = true/false
        retain_after_close = false
        minimum_uid = 0
        try_first_pass = true
    }

where each Section, TagName, and TagValue is listed below, followed by its Description:

[libdefaults]
    The section that contains default values that the Kerberos library uses to authenticate a logon.

default_realm = default_kerberos_realm
    The realm that contains the Kerberos logon, including both the KDC host (Windows domain controller) and the Teradata Database nodes, for example:

        SUBDOMAIN.DOMAIN.COM

    The realm information must match the Windows domain name exactly, including case.

clockskew = allowable_skew
    The maximum allowable difference, in seconds, for time synchronization between Teradata Database and the client domain. The maximum suggested value is +/- 300 (five minutes).

    You must enter this value as a whole, positive integer.

[realms]
    Subsections keyed by Kerberos realm names. Each subsection describes realm-specific information, including where to find the Kerberos servers for that realm.

default_kerberos_realm = {
    See default_realm = default_kerberos_realm above.

kdc = kdchost1_fqdn
kdc = kdchost2_fqdn
kdc = kdchost3_fqdn
    Required. The KDC host is a domain controller for the Windows domain. The FQDN is similar to:

        hostname.subdomain.domain.com

    Only one KDC host may be required, but if you configured Teradata Database system nodes in multiple domains (see Working with Kerberos Setup on the KDC), you need to define a KDC host for each domain.

additional_kerberos_realm = {
    Required if realms other than the default Kerberos realm contain functioning KDC hosts, for example:

        ALTSUBDOMAIN.DOMAIN.COM

    Specify the realm according to the rules for default_kerberos_realm shown above.

kdc = additional_kdchost_fqdn
    Required if there is an additional KDC host. The FQDN of the additional KDC host, for example:

        additionalhostname.subdomain.domain.com

    The KDC host is an alternate domain controller for the Windows domain.

[domain_realm]
    The section that contains relationships that map domains and subdomains onto Kerberos realm names. This determines the realm of a host from its FQDN.

host_dnsdomain = kerberos_realm
    Required. Maps the DNS domain containing one or more hosts, for example:

        .subdomain.domain.com

    to the Kerberos realm, for example:

        SUBDOMAIN.DOMAIN.COM

    The leading dot in the host_dnsdomain expression indicates that the expression maps all hosts that reside in the domain to the Kerberos realm.

    Specify the DNS domain in lower case. The Kerberos realm is case sensitive, and must exactly match the Windows domain.

host_fqdn = kerberos_realm
    Required. Maps a specific host FQDN (Teradata Database node), for example:

        subdomain.domain.com

    to the Kerberos realm, for example:

        SUBDOMAIN.DOMAIN.COM

    The lack of a leading dot in the host_fqdn expression indicates that the expression maps only the host with the exact specified FQDN to the Kerberos realm.

    The host_fqdn value is case sensitive. The kerberos_realm value is not case sensitive, but must exactly match the Windows domain.

[logging]
    The section that contains instructions for Kerberos logging.

default = FILE:/tmp/krb5lib.log
    Recommended. The location of the default Kerberos log on the Teradata Database node. The file location can be expressed as either:
      • FILE: appends each new log entry to the existing log file.
      • FILE= overwrites the previous log entry.

[appdefaults]
    Each tag in this section specifies an application or option. The tag value defines the behavior of the owning application.

pam = {
    Identifies the start of the list of settings for the PAM application, which defines security policy parameters. Teradata installs PAM when it initially configures the system. Do not change any of the settings in this list:

        ticket_lifetime = ticket_duration
        renew_lifetime = renew_duration
        forwardable = true/false
        proxiable = true/false
        retain_after_close = false
        minimum_uid = 0
        try_first_pass = true
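As an added example, not part of the Teradata documentation or of any Teradata tooling, the following Python script parses a krb5.conf laid out like the sample above and checks it against the rules in the syntax table: upper-case default_realm, a whole positive clockskew of at most 300 seconds, a [realms] subsection for the default realm, lower-case [domain_realm] keys, FILE: rather than FILE= logging, and the fixed pam settings. It assumes the one-level brace layout of the sample file, uses constructed realm and host names (SUB.EXAMPLE.COM, dc1.sub.example.com, tdnode1.sub.example.com), and adds one consistency check of its own that the page does not state: a [domain_realm] mapping to a realm with no [realms] subsection is reported.

```python
"""Lint a krb5.conf against the rules in the syntax table above. Added example, not
Teradata tooling; it assumes the one-level brace layout of the sample file."""

# Settings in the pam block that Teradata installs and that must not be changed
PAM_FIXED = {'retain_after_close': 'false', 'minimum_uid': '0', 'try_first_pass': 'true'}


def parse_krb5_conf(text):
    """Return {section: [(tag, value), ...]}; a '{' value opens a subsection whose
    entries become the tag's value, so repeated tags such as kdc are preserved."""
    sections, current, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()           # '#' starts a comment
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current, stack = sections.setdefault(line[1:-1], []), []
            continue
        if line == '}':
            if not stack:
                raise ValueError("unmatched '}'")
            tag, entries = stack.pop()
            (stack[-1][1] if stack else current).append((tag, entries))
            continue
        tag, sep, value = (part.strip() for part in line.partition('='))
        if current is None or not sep or not tag:
            raise ValueError(f"cannot parse line: {line!r}")
        if value == '{':
            stack.append((tag, []))
        else:
            (stack[-1][1] if stack else current).append((tag, value))
    if stack:
        raise ValueError("unclosed '{'")
    return sections


def lint_krb5_conf(text):
    """Return a list of problems; an empty list means every rule above passed."""
    conf, out = parse_krb5_conf(text), []
    lib = dict(conf.get('libdefaults', []))
    realm, skew = lib.get('default_realm'), lib.get('clockskew')
    if not realm or realm != realm.upper():
        out.append(f"default_realm {realm!r} must match the Windows domain exactly, including case")
    if skew is None or not skew.isdigit() or int(skew) <= 0:
        out.append(f"clockskew {skew!r} must be a whole, positive integer")
    elif int(skew) > 300:
        out.append(f"clockskew {skew} exceeds the suggested maximum of 300 seconds")
    # [realms]: the default realm needs its own subsection
    realms = {t: e for t, e in conf.get('realms', []) if isinstance(e, list)}
    if realm and realm not in realms:
        out.append(f"[realms] has no subsection for default realm {realm}")
    # [domain_realm]: DNS names in lower case; flagging a mapping to a realm without
    # a [realms] subsection is an added consistency check, not a rule from the page
    for key, value in conf.get('domain_realm', []):
        if key != key.lower():
            out.append(f"[domain_realm] {key!r} must be written in lower case")
        if value not in realms:
            out.append(f"[domain_realm] {key} maps to {value!r}, which has no [realms] subsection")
    # [logging]: FILE: appends to the log, FILE= overwrites it
    for tag, value in conf.get('logging', []):
        if not value.startswith('FILE:'):
            out.append(f"[logging] {tag} = {value!r} should use FILE: (FILE= overwrites the log)")
    # [appdefaults] pam: the installed values must stay as delivered
    entries = dict(conf.get('appdefaults', [])).get('pam')
    pam = dict(entries) if isinstance(entries, list) else {}
    for tag, expected in PAM_FIXED.items():
        if pam.get(tag) != expected:
            out.append(f"[appdefaults] pam {tag} must stay {expected}")
    return out


# Constructed sample that follows the table; SUB.EXAMPLE.COM stands in for the Windows domain.
GOOD_CONF = """\
[libdefaults]
    default_realm = SUB.EXAMPLE.COM
    clockskew = 300
[realms]
    SUB.EXAMPLE.COM = {
        kdc = dc1.sub.example.com
    }
[domain_realm]
    .sub.example.com = SUB.EXAMPLE.COM
    tdnode1.sub.example.com = SUB.EXAMPLE.COM
[logging]
    default = FILE:/tmp/krb5lib.log
[appdefaults]
    pam = {
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        try_first_pass = true
    }
"""
# The same file with mistakes the table warns about; each replacement hits exactly one line.
BAD_CONF = (GOOD_CONF
            .replace("default_realm = SUB.EXAMPLE.COM", "default_realm = sub.example.com")
            .replace("clockskew = 300", "clockskew = -300")
            .replace("    .sub.example.com = SUB", "    .SUB.example.com = ALT")
            .replace("FILE:/tmp", "FILE=/tmp")
            .replace("minimum_uid = 0", "minimum_uid = 500"))
```

Calling lint_krb5_conf(GOOD_CONF) returns an empty list, while lint_krb5_conf(BAD_CONF) returns seven findings: the lower-case realm, the negative clockskew, the missing [realms] subsection for that lower-case realm, the upper-case DNS domain and its mapping to the undeclared ALT.EXAMPLE.COM, the FILE= log destination, and the edited minimum_uid. Run it against a node's /etc/krb5.conf before the first kinit, since a realm-case or clockskew mistake otherwise surfaces only as a failed logon.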