Enabling and disabling Kerberos users authentication with domain name

Learn how to supply usernames with domain names when you are authenticating users on Netezza Performance Server with Kerberos, and how to disable the feature. By default, the function is turned off.

Enabling Kerberos users authentication with domain name

When you are authenticating users, you provide only usernames, not domain names. To supply usernames with domain names during user authentication, set the enable_username_domain variable to true in postgresql.conf.

Important:

To authenticate users with domains (for example, username@domain), the users must have a short username (for example, username) in the database.

For example, to authenticate a krbuser@abc.com user, you must add database users krbuser and krbuser@abc.com into the database.

  1. Set enable_username_domain in /nz/data/postgresql.conf to true.
    enable_username_domain=true
  2. Add username and username@domain to the Netezza Performance Server database.
    1. create user <short_username> with password <password>;
    2. create user <user_with_domain> with password <password>;
  3. Restart Netezza Performance Server:
    1. nzstop
    2. nzstart

Disabling Kerberos users authentication with domain name

If the enabled_username_domain variable is set to false, Netezza Performance Server removes domain names (@domain) from usernames and checks only for short names in the database catalog.

then it strips off the @domain from user name before looking up into the database. Only the short name account has to be created in the database.

With enabled_username_domain set to false, usernames do not have domain names. When you are authenticating users without domain names, you must add only their short usernames to the database.

x

For example, to authenticate krbuser, add krbuser to the database.

  1. Set enable_username_domain in /nz/data/postgresql.conf to false.
    enable_username_domain=false
  2. Restart Netezza Performance Server:
    1. nzstop
    2. nzstart