Kerberos errors and troubleshooting

This topic describes some common Kerberos-related problems and troubleshooting steps.

If you use Kerberos authentication, note that detailed messages and error conditions are written to the /nz/kit/log/postgres/pg.log file.

Kerberos setup issues

If you encounter login problems after you enable Kerberos authentication, ensure that the krb5.keytab file includes the correct information for both of the Netezza Performance Server hosts and the floating hostname. Use the Kerberos ktutil command to examine the contents of a keytab file.

In addition, make sure that the name of the NPS service machine was added correctly to the KDC server by the Kerberos administrator.
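The keytab check described above can be scripted. The following is an added example, not part of the original documentation or of the product: it reads a keytab listing and reports which expected hostnames have no entry. The hostnames, the realm, the svc service name and the function name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not vendor code. Reads a keytab listing (the table printed by
# the list command in ktutil, or by klist -k) on stdin and prints every
# expected hostname that has no service/host@REALM entry.
# Matching is exact: Kerberos principal names are case-sensitive.
missing_keytab_hosts() {
    listing=$(cat)
    missing=""
    for host in "$@"; do
        if ! printf '%s\n' "$listing" | awk -v h="$host" '
            {
                # A principal is the field shaped service/host@REALM.
                for (i = 1; i <= NF; i++)
                    if (split($i, at, "@") == 2 &&
                        split(at[1], p, "/") == 2 && p[2] == h)
                        ok = 1
            }
            END { exit ok ? 0 : 1 }'; then
            missing="$missing $host"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample listing: both hosts are present, the floating
# hostname is not. All names and the realm are placeholders.
SAMPLE_LISTING='slot KVNO Principal
---- ---- ------------------------------------------
   1    2 svc/nps-host1.example.com@EXAMPLE.COM
   2    2 svc/nps-host2.example.com@EXAMPLE.COM'

# Prints: nps-float.example.com
printf '%s\n' "$SAMPLE_LISTING" | missing_keytab_hosts \
    nps-host1.example.com nps-host2.example.com nps-float.example.com
```

An empty result means every hostname passed as an argument has at least one keytab entry. It does not confirm that the key version or encryption type matches what the KDC holds.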

Kerberos is enabled, but the database user is configured for local authentication

After you enable Kerberos authentication, the database users that you create use Kerberos authentication as well. (You can create locally authenticated users as an exception.) If a Netezza Performance Server administrator creates a local authentication user account without the AUTH "local" exception syntax, and the user attempts to start a database connection, the connection fails with the error Password authentication failed for user 'user_name'. Make sure that your Kerberos users are configured to use DEFAULT authentication when you enable Kerberos as your authentication method for the database system. You must have a matching Kerberos user for every database user except the admin user.

Kerberos names formatting issues

To create usernames with lowercase letters when the system name is provided in uppercase letters, enclose the username in double quotation marks. You must also add single quotation marks around the username because the CREATE USER command connects to the shell terminal.

Example:
SYSTEM.ADMIN(ADMIN)=> create user '"localuser1@NZSQA.IBM.COM"' with password 'password' auth local;
CREATE USER
 
[nz@gt10-app-npshost ~]$ nzsql -u '"localuser1@NZSQA.IBM.COM"' -pw password