Kerberos configuration file
The Netezza Performance Server system requires a Kerberos configuration file to establish Kerberos authentication support. The krb5.conf file specifies configuration parameters that are required for Kerberos authentication.
There are two methods for creating a configuration file:
- Use a site-wide configuration file that is supplied by your Kerberos administrator.
- Obtain specific information and create a basic Kerberos configuration file.
In many Kerberos environments, the krb5.conf file is already available for Kerberos client support. Consult with your Kerberos administrator to find out whether a copy of the krb5.conf file is available that you can store on the Netezza Performance Server system. Optionally, a Netezza Performance Server administrator can generate a minimal version of the file, or update the file, for a simple configuration setup by using the SET AUTHENTICATION command.
Use a site-wide configuration file
If your Kerberos administrator supplies a krb5.conf file for each client that is added into the Kerberos authentication environment, follow these steps to add that configuration file to the Netezza Performance Server system and enable Kerberos authentication.
- Log in to the Netezza Performance Server active host as the nz user.
- Change to the $NZ_DATA/config directory (usually /nz/data/config).
- Save your Kerberos configuration file as krb5.conf in the config directory.
- Connect to the NPS database as the admin user or any database user who has Manage System privileges.
- Type the following command to enable system-wide Kerberos authentication:
    SYSTEM.ADMIN(ADMIN)=> SET AUTHENTICATION KERBEROS;
    NOTICE: Updating /nz/data.1.0/config/krb5.conf and other files.
    NOTICE: Re-log-in or open a new shell for changes to take effect.
    SET VARIABLE
The SET AUTHENTICATION KERBEROS command adds the KRB5_CONFIG environment variable to the nz user's .bashrc file. The variable is set to the location of the krb5.conf file (/nz/data/config/krb5.conf). Log out of the database connection and the nz user account, then log in again as nz to ensure that your session adopts the new Kerberos environment settings. The change does not affect users who are currently logged in to the Performance Server database until they log out and open a new connection to the database.
Create a Kerberos configuration file
If your environment does not have a specific Kerberos configuration file, you can create one for the Netezza Performance Server system with the basic required information. Before you begin, make sure that you obtain the name of the Kerberos realm and KDC from your Kerberos administrator.
- Log in to the Netezza Performance Server system as the nz user.
- Connect to the NPS database as the admin user or any database user who has Manage System privileges.
- Type the following command:
    SYSTEM.ADMIN(ADMIN)=> SET AUTHENTICATION KERBEROS REALM 'myrealm' KDC 'mykdc';
    NOTICE: Updating /nz/data.1.0/config/krb5.conf and other files.
    NOTICE: Re-log-in or open a new shell for changes to take effect.
    SET VARIABLE
In the sample command, the myrealm value is the Kerberos realm for your environment, which is typically the domain name for the Kerberos domain. The mykdc value is the Kerberos authentication server, usually called the Key Distribution Center (KDC).
This command creates a basic /nz/data/config/krb5.conf configuration file with the realm and KDC information, and enables Kerberos authentication for your system.
The SET AUTHENTICATION KERBEROS command adds the KRB5_CONFIG environment variable to the nz user's .bashrc file. The variable is set to the location of the krb5.conf file (/nz/data/config/krb5.conf). Log out of the database connection and the nz user account, then log in again as nz to ensure that your session adopts the new Kerberos environment settings. The change does not affect users who are currently logged in to the Performance Server database until they log out and open a new connection to the database.
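To confirm the result of either procedure from the nz shell, the following script (an added example, not IBM or Netezza code) parses a krb5.conf file and checks that the expected default realm and at least one KDC for it are present, and that the file is not group- or world-writable. It assumes the file uses standard MIT krb5.conf syntax; the function names and the EXAMPLE.COM sample values are hypothetical.

```shell
# Added example, not vendor code; function names are hypothetical.
# Assumes standard MIT krb5.conf syntax ([libdefaults] and [realms]).
krb5_default_realm() {            # print default_realm from [libdefaults]
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

krb5_realm_kdcs() {               # print each kdc for realm $2; master_kdc is skipped
    awk -v realm="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); inrealm = 0; next }
        sec != "realms" { next }
        index($0, "{") { name = $0; sub(/[ \t]*=.*$/, "", name); sub(/^[ \t]+/, "", name); inrealm = (name == realm) }
        inrealm && match(" " $0, /[ \t{]kdc[ \t]*=[ \t]*/) {
            val = substr(" " $0, RSTART + RLENGTH); sub(/[ \t}].*$/, "", val); print val
        }
        index($0, "}") { inrealm = 0 }' "$1"
}

# Pass only if readable, not group/world-writable, realm matches, and a KDC is listed.
check_krb5_conf() {
    conf=$1; want=$2
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    [ -z "$(find "$conf" \( -perm -020 -o -perm -002 \))" ] ||
        { echo "FAIL: $conf is group- or world-writable"; return 1; }
    got=$(krb5_default_realm "$conf")
    [ "$got" = "$want" ] || { echo "FAIL: default_realm '$got', expected '$want'"; return 1; }
    [ -n "$(krb5_realm_kdcs "$conf" "$want")" ] || { echo "FAIL: no kdc for $want"; return 1; }
    echo "OK: $conf uses realm $want"
}

# Constructed sample input; EXAMPLE.COM and the kdc host names are placeholders.
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        master_kdc = kdc0.example.com
    }
EOF
    chmod 644 "$1"
}
demo=$(mktemp); write_sample_conf "$demo"; check_krb5_conf "$demo" EXAMPLE.COM; rm -f "$demo"
```

On the host, after logging in again as nz, call `check_krb5_conf "${KRB5_CONFIG:-/nz/data/config/krb5.conf}" 'myrealm'` with your own realm name.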