Kerberos authentication

If your environment uses Kerberos authentication to validate users, you can use Kerberos instead of local or LDAP authentication to validate your Netezza Performance Server database user accounts.

With Kerberos authentication, users are first validated against the user name and password that is stored on the Kerberos server. After successful Kerberos authentication, the system then confirms that the user account is defined as a Netezza Performance Server database user.

The Kerberos administrator is responsible for adding and managing the user accounts and passwords and deactivating accounts on the Kerberos server. The Netezza Performance Server administrator must ensure that each Netezza Performance Server database user is also defined within the Netezza Performance Server system catalog.

Important: The Kerberos and Netezza Performance Server user names must match. When you configure the system to use Kerberos authentication, you can specify USERCASE=MATCHDB to convert unescaped Kerberos names to the Netezza Performance Server system letter case, which is uppercase by default. If you specify USERCASE=KEEP, the Kerberos names are not converted, and the Kerberos and Netezza Performance Server names must match exactly, including letter casing. If the user names do not match, the Netezza Performance Server administrator can use the ALTER USER command to change the Netezza Performance Server user name to match the Kerberos user name, or contact the Kerberos administrator to change the Kerberos name to match the Netezza Performance Server user name.

If you choose to use Kerberos authentication, then all database user accounts except admin are authenticated by Kerberos. You can configure database user accounts to be locally authenticated as an exception. This implementation does not support mixed Kerberos and LDAP authentication modes; that is, you cannot authenticate some users by LDAP authentication and some by Kerberos.
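
The name-matching rules above can be checked before you switch authentication modes. The following Python audit is an added example, not IBM code: it compares a list of Kerberos principals with a list of database user names under each USERCASE setting and reports accounts that would fail to match. It assumes principals have the form name@REALM with only the name part compared, that no names are escaped, and that the function names and sample data are hypothetical.

```python
# Added example: reconcile Kerberos principals with NPS database users.
# Assumptions (not from the product documentation): principals look like
# "name@REALM", only the name part is compared, and no names are escaped.

def map_principal(principal, usercase="MATCHDB", system_case="upper"):
    """Return the database user name a principal is compared against."""
    name = principal.split("@", 1)[0]
    if usercase == "KEEP":
        return name                      # must match exactly, including case
    if usercase == "MATCHDB":
        return name.upper() if system_case == "upper" else name.lower()
    raise ValueError(f"unknown USERCASE value: {usercase}")

def audit(principals, db_users, usercase="MATCHDB", local_users=("ADMIN",)):
    """Classify accounts as ok, case_mismatch, no_db_user or no_principal."""
    local = {u.upper() for u in local_users}   # admin and local exceptions
    db_exact = set(db_users)
    db_folded = {u.upper(): u for u in db_users}
    report = {"ok": [], "case_mismatch": [], "no_db_user": [], "no_principal": []}
    matched = set()
    for p in principals:
        mapped = map_principal(p, usercase)
        if mapped in db_exact:
            report["ok"].append(p)
            matched.add(mapped)
        elif mapped.upper() in db_folded:
            # Differs only by case: fix with ALTER USER, or rename the principal.
            report["case_mismatch"].append((p, db_folded[mapped.upper()]))
            matched.add(db_folded[mapped.upper()])
        else:
            report["no_db_user"].append(p)     # authenticated, but not a DB user
    for u in db_users:
        if u not in matched and u.upper() not in local:
            report["no_principal"].append(u)   # cannot log in through Kerberos
    return report

# Constructed sample data.
PRINCIPALS = ["alice@EXAMPLE.COM", "Bob@EXAMPLE.COM", "carol@EXAMPLE.COM"]
DB_USERS = ["ADMIN", "ALICE", "BOB", "DAVE", "ETL_LOCAL"]

if __name__ == "__main__":
    for mode in ("MATCHDB", "KEEP"):
        print(mode, audit(PRINCIPALS, DB_USERS, mode, ("ADMIN", "ETL_LOCAL")))
```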

About the Kerberos software

The Netezza Performance Server implementation of Kerberos support uses MIT Kerberos 5 Release 1.12.1. (Kerberos is a trademark of the Massachusetts Institute of Technology (MIT).) The Netezza Performance Server software kit includes all the required libraries and binaries to run Kerberos on the Netezza Performance Server hosts. The NPS client kits include the libraries required to use the NPS clients, ODBC, JDBC, and OLE DB connectors with Kerberos authentication of the database user accounts. Your IT or system administrators are responsible for the setup of the Kerberos environment on your client systems, including the configuration files and the tools for managing tickets.

If your environment is using an earlier or different release of Kerberos, note that Netezza Performance Server requires a minimum of Kerberos 1.10. It is recommended that you upgrade to the latest Kerberos 1.12.1 release for compatibility. The Netezza Performance Server Kerberos support has not been tested with other Kerberos releases and may not function correctly with Kerberos releases before 1.12.1. If your Kerberos environment uses an earlier release, you may not have the support for multi-user/concurrent database connections from the same client (which is used by the ODBC, JDBC, and OLE DB clients, for example), or for the ability to connect to the Netezza Performance Server system using its floating host name and IP address. Both of these features are in release 1.12.1 and later.

The following table lists the supported operating systems and revisions for the Netezza Performance Server CLI clients.

Table 1. Netezza® supported platforms for Kerberos authentication

| Operating system | 32-bit | 64-bit |
|---|---|---|
| Windows | | |
| Windows 2008, Vista, 7, 10 | Intel / AMD | Intel / AMD |
| Windows Server 2012 | N/A | Intel / AMD |
| Linux® | | |
| Red Hat Enterprise Linux 5.3, 5.5, 5.7, 5.9, 6.1, 6.2, 6.4, 6.5 (see note below table) | Intel / AMD | Intel / AMD |
| Red Hat Enterprise Linux 6.2+ | N/A | PowerPC® |
| SUSE Linux Enterprise Server 11 | Intel / AMD | Intel / AMD |
| SUSE Linux Enterprise Server 10 and 11, and Red Hat Enterprise Linux 5.x | IBM® System z® | IBM System z |
| UNIX | | |
| IBM AIX® 6.1 with 5.0.2.1 C++ runtime libraries, 7.1 | N/A | PowerPC |
| HP-UX 11i versions 1.6 and 2 (B.11.22 and B.11.23) | Itanium | Itanium |
| Oracle Solaris 9, 10, 11 | SPARC | SPARC |
| Oracle Solaris 10 | x86 | x86 |

Note: For many client platforms, Kerberos 1.12 support might not be available from the operating system vendor. In these cases, you must download the Kerberos source code from the MIT Kerberos website and build it on your local systems. A minimum of release 1.10 is required for full support of features, but version 1.12 is recommended.

On Windows platforms, you must use MIT Kerberos for Windows 4.0.1 to enable multiple-user support.