Netezza Kerberos authentication setup
February 24, 2016
1:54 pm
Lo0oM
Admin

Hi

 

Description:

Netezza Skimmer 100 appliance, DB version 7.2. Kerberos setup; an RHEL Kerberos domain will be used.

 

Solution:

1. Create kerberos configuration file (as nz user):

$ nzsql -uadmin
Password:
Welcome to nzsql, the IBM Netezza SQL interactive terminal.

Type:  \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

SYSTEM.ADMIN(ADMIN)=> SET AUTHENTICATION KERBEROS;

SYSTEM.ADMIN(ADMIN)=> CREATE USER TESTKERB WITH PASSWORD 'test';   (this user will be used for Kerberos)

SYSTEM.ADMIN(ADMIN)=> \q

$ vi /nz/data.1.0/config/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# DAT.LOCAL is the Kerberos realm name
 default_realm = DAT.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 ignore_acceptor_hostname = true
# default_tkt_enctypes = rc4-hmac
# default_tgs_enctypes = rc4-hmac

[realms]
 DAT.LOCAL = {
# KRB5SRV is the Kerberos server hostname
  kdc = KRB5SRV.DAT.LOCAL:88
  admin_server = KRB5SRV.DAT.LOCAL
  default_domain = DAT.LOCAL
 }

[domain_realm]
 .ndc.local = DAT.LOCAL
 ndc.local = DAT.LOCAL

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

2. Add the following lines to the .bashrc file of the nz user (as the nz user):

$ vi .bashrc

export KRB5_KTNAME=/nz/data.1.0/config/krb5.keytab

export KRB5_CONFIG=/nz/data.1.0/config/krb5.conf

#export NZ_USER=admin        # Default NZ username; comment it out if present
#export NZ_PASSWORD=password # Default NZ password; comment it out if present

 

3. Create the keytab file. I did it on the Kerberos server and then copied it to /nz/data.1.0/config/krb5.keytab

Pay attention that the username in the database and in the Kerberos domain must be the same, and the password too. All names in Netezza are capitalized, so create it in capitals in Kerberos too. In my case the username is TESTKERB

 

# mkdir -p /opt/inst

# kadmin.local -q "ktadd -norandkey -k /opt/inst/krb5.keytab TESTKERB@DAT.LOCAL"        (worked in my case)

 

IBM also suggests adding this principal:

#kadmin.local -q "ktadd -norandkey -k /opt/inst/krb5.keytab TESTKERB/netezza_hostname@DAT.LOCAL"

but in my case it was useless.

 

Now copy the file to the Netezza server as /nz/data.1.0/config/krb5.keytab

$ ls -la /nz/data.1.0/config/krb5.keytab
-rw------- 1 nz nz 1990 Jan 12 10:59 /nz/data.1.0/config/krb5.keytab

 

 

4. Test the Kerberos connection

$ kinit TESTKERB
Password for TESTKERB@DAT.LOCAL:

$ nzsql -u TESTKERB
Password:
Welcome to nzsql, the IBM Netezza SQL interactive terminal.

Type:  \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

SYSTEM.ADMIN(TESTKERB)=>

 

5. Troubleshooting. These steps will help you understand what is not working correctly:

a) krb5.conf (presence in /nz/data/config)
b) krb5.keytab file (presence in /nz/data/config, or, if a custom location is used, the KRB5_KTNAME environment variable set to that location)
c) authentication type (nzsql -c "show authentication") should be kerberos
d) presence of the user in the database (verify the username in the database with select * from _t_user)
e) kinit <username> (for ticket generation from the KDC server)
(the username should be the same as the database username and should also match the username on the KDC server)

f) you can verify the username on the KDC server with kadmin
e.g. kadmin -p KerberosAdmin/admin (use the appropriate KDC admin credentials)
kadmin: listprincs
g) the Kerberos server log for ticket generation for the username can be found at /var/log/krb5kdc.log on the KDC server
h) Linux-based Kerberos is, generally speaking, case-sensitive; please verify your usernames and domain both on NPS and on Kerberos
i) try Kerberos authentication by running nzsql -u <username> or nzsql -h <host> -u <user> -w -d <database>
example:
$ kdestroy -A
$ kinit TESTKERB
$ nzsql -u TESTKERB -w -d test
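A pre-flight script for the file, environment and naming checks in steps 1 to 3 and 5, added here as an example (it is not from the original post or from IBM). It assumes the post's config directory /nz/data.1.0/config, realm DAT.LOCAL and user TESTKERB as defaults, and a GNU or BSD stat:

```shell
# Pre-flight checks for the setup above (added example). Assumes the post's /nz/data.1.0/config.

# check_krb5_files DIR: krb5.conf and krb5.keytab must exist; keytab mode must be 600 or 400.
check_krb5_files() {
  dir="${1:-/nz/data.1.0/config}"; rc=0
  [ -f "$dir/krb5.conf" ] || { echo "missing $dir/krb5.conf"; rc=1; }
  if [ -f "$dir/krb5.keytab" ]; then
    mode=$(stat -c '%a' "$dir/krb5.keytab" 2>/dev/null || stat -f '%Lp' "$dir/krb5.keytab")  # GNU, then BSD stat
    case "$mode" in
      600|400) ;;
      *) echo "keytab mode $mode is too permissive, expected 600"; rc=1 ;;
    esac
  else
    echo "missing $dir/krb5.keytab"; rc=1
  fi
  return $rc
}

# check_realm FILE REALM: default_realm in krb5.conf must equal REALM (step 1).
check_realm() {
  grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1"
}

# check_env: KRB5_KTNAME and KRB5_CONFIG (step 2) must point at existing files.
check_env() {
  [ -n "${KRB5_KTNAME:-}" ] && [ -f "$KRB5_KTNAME" ] &&
  [ -n "${KRB5_CONFIG:-}" ] && [ -f "$KRB5_CONFIG" ]
}

# check_no_nz_defaults: NZ_USER/NZ_PASSWORD must be unset (step 2) so nzsql does not fall back to them.
check_no_nz_defaults() {
  [ -z "${NZ_USER:-}" ] && [ -z "${NZ_PASSWORD:-}" ]
}

# check_principal_case NAME: Netezza user names are upper case, so the principal must be too (step 3).
check_principal_case() {
  [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# preflight [DIR] [REALM] [USER]: run every check; returns 0 only when all pass.
preflight() {
  dir="${1:-/nz/data.1.0/config}"; ok=0
  check_krb5_files "$dir" || ok=1
  check_realm "$dir/krb5.conf" "${2:-DAT.LOCAL}" 2>/dev/null || { echo "default_realm mismatch"; ok=1; }
  check_env || { echo "KRB5_KTNAME/KRB5_CONFIG not set to existing files"; ok=1; }
  check_no_nz_defaults || { echo "NZ_USER/NZ_PASSWORD still set; comment them out"; ok=1; }
  check_principal_case "${3:-TESTKERB}" || { echo "principal must be upper case"; ok=1; }
  return $ok
}
```

Source it as the nz user and run preflight, or pass a different directory, realm and user as arguments.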

Thank you.

 
