Configure ODBC and vsql clients on non-windows platforms

To configure an ODBC or vsql client on Linux or MAC OSX, you must first install the Kerberos 5 client package.

To configure an ODBC or vsql client on Linux or MAC OSX, you must first install the Kerberos 5 client package. See Configuring Kerberos authentication.

After you install the Kerberos 5 client package, you must provide clients with a valid Kerberos configuration file (krb5.conf). To communicate with the KDC, each client participating in Kerberos authentication must have a valid, identically configured krb5.conf file. The default location for the Kerberos configuration file is /etc/krb5.conf.

The Kerberos configuration (krb5.conf) file contains Kerberos-specific information, including:

  • How to reach the KDC

  • Default realm name

  • Domain

  • Path to log files

  • DNS lookup

  • Encryption types to use

  • Ticket lifetime

The default location for the Kerberos configuration file is /etc/krb5.conf.

When configured properly, the client can authenticate with Kerberos and retrieve a ticket through the kinit utility (see Acquire an ODBC Authentication Request and Connection below). Likewise, the server can then use ktutil to store its credentials in a keytab file

Authenticating ODBC and vsql clients requests and connections on non-windows platforms

ODBC and vsql use the client's ticket established by kinit to perform Kerberos authentication. These clients rely on the security library's default mechanisms to find the ticket file and the and Kerberos configuration file.

To authenticate against Kerberos, call the kinit utility to obtain a ticket from the Kerberos KDC server. The following two examples show how to send the ticket request using ODBC and vsql clients.

Acquire an ODBC authentication request and connection

  1. On an ODBC client, acquire a ticket for the kuser user by calling the kinit utility.

    $ kinit kuser@EXAMPLE.COM
    Password for kuser@EXAMPLE.COM:
    
  2. Connect to Vertica, and provide the principals in the connection string:

    char outStr[100];
    SQLLEN len;
    SQLDriverConnect(handle, NULL, "Database=VMart;User=kuser;
    Server=myserver.example.com;Port=5433;KerberosHostname=vcluster.example.com",
    SQL_NTS, outStr, &len);
    

Acquire a vsql authentication request connection

If the vsql client is on the same machine you are connecting to, vsql connects through a UNIX domain socket. This connection bypasses Kerberos authentication. When you authenticate with Kerberos, especially if the client authentication method is configured as 'local', you must include the -h hostname option. See Command Line Options.

  1. On the vsql client, call the kinit utility:

    $ kinit kuser@EXAMPLE.COM
    Password for kuser@EXAMPLE.COM:
    
  2. Connect to Vertica, and provide the host and user principals in the connection string:

    $ ./vsql -K vcluster.example.com -h myserver.example.com -U kuser
    Welcome to vsql, the Vertica Analytic Database
    interactive terminal.
    
    Type:  \h or \? for help with vsql commands
    \g or terminate with semicolon to execute query
    \q to quit
    

In the future, when you log in to vsql as kuser, vsql uses your cached ticket without prompting you for a password.

Verify the authentication method

You can verify the authentication method by querying the SESSIONS system table:

=> SELECT authentication_method FROM sessions;
 authentication_method
-----------------------
GSS-Kerberos
(1 row)

See also