

September 30, 2012, 8:44 am

Hi
Description:
I have a TD 16.0 Express VM (one node) and I need to configure Kerberos authentication against a Windows DC (Windows Server 2012).
Solution:
1. Create a new computer in OU=Computers in Active Directory Users and Computers. The computer should have the same name as your Teradata Linux VM. You can check the Linux server name with the "hostname" command (in my case the hostname is tera1).
2. Create new A (host) and PTR records in the DNS management tool for the Linux Teradata VM IP.
3. Create a new user in OU=Users in Active Directory Users and Computers. The username should be the same as the computer hostname (tera1 in my case).
4. Create the SPN and keytab file (on the Windows DC):
C:\> ktpass -princ TERADATA/tera1.dixie.qalocal@DIXIE.QALOCAL -mapuser tera1 -pass Barbapapa1@ -ptype KRB5_NT_PRINCIPAL -out dixie_qalocal.tera1.keytab
Where:
TERADATA: leave this field as it is.
tera1.dixie.qalocal is the full name of my Linux Teradata VM.
DIXIE.QALOCAL is the domain name.
tera1 and Barbapapa1@ are the username and password of the user created for Kerberos authentication in Active Directory.
dixie_qalocal.tera1.keytab is the file name (can be anything) which you need to copy to the Linux Teradata VM.
5. Copy dixie_qalocal.tera1.keytab to the Linux Teradata VM and rename it to /etc/teradata.keytab.
6. Check that your AD server is configured in /etc/resolv.conf on Linux:
# nslookup tera1.dixie.qalocal
7. Configure the Kerberos file /etc/krb5.conf on Linux:
[libdefaults]
default_realm = DIXIE.QALOCAL
clockskew = 300
allow_weak_crypto=true
#dns_lookup_realm = false
#dns_lookup_kdc = false
#ticket_lifetime = 24h
#forwardable = yes
# ignore_acceptor_hostname = true
# default_tkt_enctypes = rc4-hmac
# default_tgs_enctypes = rc4-hmac
[realms]
DIXIE.QALOCAL = {
# ALABAMA.DIXIE.QALOCAL is my Windows DC hostname
kdc = ALABAMA.DIXIE.QALOCAL:88
admin_server = ALABAMA.DIXIE.QALOCAL
default_domain = DIXIE.QALOCAL
}
[domain_realm]
.ndc.local = DIXIE.QALOCAL
ndc.local = DIXIE.QALOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
8. Check Kerberos from Linux:
# kinit tera1
# klist -ke /etc/teradata.keytab
Keytab name: FILE:/etc/dixie_qalocal.tera1.keytab
KVNO Principal
---- --------------------------------------------------
3 TERADATA/tera1.dixie.qalocal@DIXIE.QALOCAL (ArcFour with HMAC/md5)
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tera1@DIXIE.QALOCAL
Valid starting Expires Service principal
07/11/17 03:54:36 07/11/17 13:55:14 krbtgt/DIXIE.QALOCAL@DIXIE.QALOCAL
renew until 07/12/17 03:54:36
07/11/17 10:11:05 07/11/17 13:55:14 TERADATA/tera1.dixie.qalocal@DIXIE.QALOCAL
renew until 07/12/17 03:54:36
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
# cd /opt/teradata/client/16.00/bin
# ./gethost -c -v tera1.dixie.qalocal (SPN checking)
Running on client machine: tera1.dixie.qalocal
Running in DNS Domain: dixie.qalocal
Teradata Host Servers
tera1.dixie.qalocal: tera1.dixie.qalocal
Checking Service Principal Name (SPN) for each Teradata Host Server
TERADATA/tera1.dixie.qalocal ok
Detailed Client Information
Client Hosts File (/etc/hosts)
127.0.0.2 tera1.dixie.qalocal tera1
Domain Information
Default realm = DIXIE.QALOCAL
KDC = false
Realm = DIXIE.QALOCAL
KDC = ALABAMA.DIXIE.QALOCAL
Realm = pam
Detailed Host Information
Host name: tera1.dixie.qalocal
Official name of host: tera1.dixie.qalocal
Aliases for this host: 1
tera1
Address type: 2
Address length: 4
Addresses for this host: 1
127.0.0.2
9. Now log in to the DB:
# bteq
Teradata BTEQ 16.00.00.00 for LINUX. PID: 16304
Copyright 1984-2016, Teradata Corporation. ALL RIGHTS RESERVED.
Enter your logon or BTEQ command:
.logon tera1.dixie.qalocal/,,
.logon tera1.dixie.qalocal/,
UserId: (do not provide any userid it will be taken from the kerberos ticket)
Password: (do not provide any password it will be taken from the kerberos ticket)
*** Logon successfully completed.
*** Teradata Database Release is 16.00.00.00
*** Teradata Database Version is 16.00.00.00
*** Transaction Semantics are BTET.
*** Session Character Set Name is 'ASCII'.
*** Total elapsed time was 1 second.
10. If you want to check if you really used Kerberos to log in, log in as dbc/dbc and issue a query:
select username, event, mechanismname from dbc.logonoff where logdate=date order by 1,2;
UserName Event MechanismName
-------------------------- ---------- --------------------------
DBC Logon TD2
TERA1 Logoff KRB5
TERA1 Logon KRB5
You can also check /var/log/messages for failed login attempts.
Thank you.
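As an added check (not part of the original post or of Teradata), a small POSIX sh audit script for the finished setup: it flags the allow_weak_crypto / RC4 (ArcFour) settings the configuration above relies on, verifies that the keytab is readable only by its owner, and confirms that the SPN is present in the keytab with an AES key. The file paths and the DIXIE.QALOCAL realm come from the post; the script name audit.sh is assumed.

```shell
#!/bin/sh
# Added audit helper (not part of Teradata or the original post): checks the
# setup above for the things that most often go wrong or weaken it.

# Flag weak-crypto settings in a krb5.conf: allow_weak_crypto, RC4/DES enctypes.
# Returns 0 if clean, 1 if anything weak is configured.
audit_krb5_conf() {
    conf="$1"; rc=0
    if grep -Eiq '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*true' "$conf"; then
        echo "WEAK: allow_weak_crypto=true in $conf"; rc=1
    fi
    if grep -Eiq '^[[:space:]]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[[:space:]]*=.*(rc4|arcfour|des)' "$conf"; then
        echo "WEAK: RC4/DES enctype enabled in $conf"; rc=1
    fi
    return $rc
}

# The keytab is equivalent to the service account password: it must exist and
# be readable only by its owner (mode 600 or 400). Returns 1 otherwise.
check_keytab_perms() {
    kt="$1"
    [ -f "$kt" ] || { echo "MISSING: $kt"; return 1; }
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "PERMS: $kt is mode $mode (expected 600)"; return 1 ;;
    esac
}

# Read `klist -ke` output on stdin and look for the expected SPN.
# Returns 0 if present with an AES key, 2 if present but RC4/DES, 1 if absent.
check_keytab_spn() {
    spn="$1"; found=1
    while read -r kvno princ enc; do
        [ "$princ" = "$spn" ] || continue
        found=0
        case "$enc" in
            *[Aa]rc[Ff]our*|*[Rr][Cc]4*|*[Dd][Ee][Ss]*)
                echo "WEAK: $spn key is $enc"; return 2 ;;
        esac
    done
    [ $found -eq 0 ] || echo "MISSING: $spn not in keytab"
    return $found
}

# Run all checks on the VM:  sh audit.sh audit   (paths and realm from the post)
if [ "${1:-}" = "audit" ]; then
    audit_krb5_conf /etc/krb5.conf
    check_keytab_perms /etc/teradata.keytab
    klist -ke /etc/teradata.keytab | check_keytab_spn "TERADATA/$(hostname -f)@DIXIE.QALOCAL"
fi
```

On the setup shown in the post, the third check reports the ArcFour key and returns 2; regenerating the keytab with an AES enctype and dropping allow_weak_crypto clears both findings.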