Please consider registering

Log In

Lost password?
Advanced Search:

— Forum Scope —

— Match —

— Forum Options —

Wildcard usage:
*  matches any number of characters    %  matches exactly one character

Minimum search word length is 4 characters - maximum search word length is 84 characters

Topic RSS
Teradata Kerberos configuration
July 12, 2017
8:44 am
Forum Posts: 217
Member Since:
September 30, 2012



I have TD 16.0 Express VM (one node) and i need to configure Kerberos authentication against Windows DC (2012 server).



1. Create a new computer in OU=Computers in Active Directory Users and Computers. Computer should have the same name as your Teradata Linux VM. You can check Linux server name by "hostname" command. (in my case hostname is tera1)


2. Create new A Host and PRT records in DNS management tool for Linux Teradata VM IP. 

3. Create new user in OU=Users in Active Directory Users and Computers. Username should be the same as computer hostname 

(tera1 in my case)

4. Create SPN with keytab file (on windows DC)

c: ktpass -princ TERADATA/tera1.dixie.qalocal@DIXIE.QALOCAL -mapuser tera1 -pass Barbapapa1@                                -ptype KRB5_NT_PRINCIPAL -out dixie_qalocal.tera1.keytab



TERADATA left this field as it is.

tera1.dixie.qalocal is full name of my Linux Teradata VM.

DIXIE.QALOCAL is domain name

tera1 and Barbapapa1@ are user and password of user created for Kerberos authentication in Active Directory

dixie_qalocal.tera1.keytab is a file name (can be any) which you need to copy to Lunux Teradata VM


5. Rename and copy dixie_qalocal.tera1.keytab and place to /etc/teradata.keytab on Linux Teradata VM

6. Check if your AD server configured on Linux /etc/resolv.conf 

# nslookup tera1.dixie.qalocal


7. Configure kerberos file on Linux /etc/krb5.conf

default_realm = DIXIE.QALOCAL
clockskew = 300

#dns_lookup_realm = false
#dns_lookup_kdc = false
#ticket_lifetime = 24h
#forwardable = yes
# ignore_acceptor_hostname = true
# default_tkt_enctypes = rc4-hmac
# default_tgs_enctypes = rc4-hmac

kdc = ALABAMA.DIXIE.QALOCAL:88                                 (that is my windows DC hostname)
default_domain = DIXIE.QALOCAL

.ndc.local = DIXIE.QALOCAL
ndc.local = DIXIE.QALOCAL

pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log


8. Check kerberos from Linux:

# kinit tera1

# klist -ke /etc/teradata.keytab

Keytab name: FILE:/etc/dixie_qalocal.tera1.keytab
KVNO Principal
—- ————————————————————————--
3 TERADATA/tera1.dixie.qalocal@DIXIE.QALOCAL (ArcFour with HMAC/md5)


# klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tera1@DIXIE.QALOCAL

Valid starting Expires Service principal
07/11/17 03:54:36 07/11/17 13:55:14 krbtgt/DIXIE.QALOCAL@DIXIE.QALOCAL
renew until 07/12/17 03:54:36
07/11/17 10:11:05 07/11/17 13:55:14 TERADATA/tera1.dixie.qalocal@DIXIE.QALOCAL
renew until 07/12/17 03:54:36

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


# cd /opt/teradata/client/16.00/bin

# ./gethost -c -v tera1.dixie.qalocal              (SPN checking)

Running on client machine: tera1.dixie.qalocal
Running in DNS Domain: dixie.qalocal

Teradata Host Servers
tera1.dixie.qalocal: tera1.dixie.qalocal

Checking Service Principal Name (SPN) for each Teradata Host Server
TERADATA/tera1.dixie.qalocal ok

Detailed Client Information

Client Hosts File (/etc/hosts) tera1.dixie.qalocal tera1

Domain Information

Default realm = DIXIE.QALOCAL

KDC = false


Realm = pam

Detailed Host Information

Host name: tera1.dixie.qalocal
Official name of host: tera1.dixie.qalocal
Aliases for this host: 1
Address type: 2
Address length: 4
Addresses for this host: 1


9. Now log in to the DB:

# bteq

Teradata BTEQ for LINUX. PID: 16304
Copyright 1984-2016, Teradata Corporation. ALL RIGHTS RESERVED.
Enter your logon or BTEQ command:
.logon tera1.dixie.qalocal/,,


.logon tera1.dixie.qalocal/,
UserId:                                                    (do not provide any userid it will be taken from the kerberos ticket) 
Password:                                                (do not provide any password it will be taken from the kerberos ticket) 


*** Logon successfully completed.
*** Teradata Database Release is
*** Teradata Database Version is
*** Transaction Semantics are BTET.
*** Session Character Set Name is 'ASCII'.

*** Total elapsed time was 1 second.


10. If you want to check if you really used Kerberos to log in, log in as dbc/dbc and issue a query:

select username, event, mechanismname from dbc.logonoff where logdate=date order by 1,2;


UserName Event MechanismName
—————————— ———— ——————————-
DBC    Logon TD2
TERA1 Logoff KRB5
TERA1 Logon KRB5


Also you can check /var/log/messages for failed log in attempts.


Thank you.


Forum Timezone: UTC 0

Most Users Ever Online: 31

Currently Online:
2 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Member Stats:

Guest Posters: 0

Members: 0

Moderators: 0

Admins: 1

Forum Stats:

Groups: 3

Forums: 20

Topics: 214

Posts: 214

Newest Members: Lo0oM

Administrators: Lo0oM (217)