Configure ODBC and vsql clients on non-Windows platforms
To configure an ODBC or vsql client on Linux or Mac OS X, you must first install the Kerberos 5 client package. See Configuring Kerberos authentication.
After you install the Kerberos 5 client package, you must provide clients with a valid Kerberos configuration file (krb5.conf). To communicate with the KDC, each client participating in Kerberos authentication must have a valid, identically configured krb5.conf file. The default location for the Kerberos configuration file is /etc/krb5.conf.
Tip
To enforce consistency among clients, Vertica Analytic Database, and the KDC, copy the /etc/krb5.conf file from the KDC to the client's /etc directory.
The Kerberos configuration (krb5.conf) file contains Kerberos-specific information, including:
- How to reach the KDC
- Default realm name
- Domain
- Path to log files
- DNS lookup
- Encryption types to use
- Ticket lifetime
The default location for the Kerberos configuration file is /etc/krb5.conf.
When configured properly, the client can authenticate with Kerberos and retrieve a ticket through the kinit utility (see Acquire an ODBC authentication request and connection below). Likewise, the server can then use ktutil to store its credentials in a keytab file.
Authenticating ODBC and vsql client requests and connections on non-Windows platforms
ODBC and vsql use the client's ticket established by kinit to perform Kerberos authentication. These clients rely on the security library's default mechanisms to find the ticket file and the Kerberos configuration file.
To authenticate against Kerberos, call the kinit utility to obtain a ticket from the Kerberos KDC server. The following two examples show how to send the ticket request using ODBC and vsql clients.
Acquire an ODBC authentication request and connection
- On an ODBC client, acquire a ticket for the kuser user by calling the kinit utility.
  $ kinit kuser@EXAMPLE.COM
  Password for kuser@EXAMPLE.COM:
- Connect to Vertica, and provide the principals in the connection string:
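  SQLCHAR outStr[100];
  SQLSMALLINT len;
  /* Connect without prompting; the driver uses the ticket that kinit cached. */
  SQLDriverConnect(handle, NULL,
      (SQLCHAR *)"Database=VMart;User=kuser;Server=myserver.example.com;Port=5433;KerberosHostname=vcluster.example.com",
      SQL_NTS, outStr, sizeof(outStr), &len, SQL_DRIVER_NOPROMPT);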
Acquire a vsql authentication request connection
If the vsql client is on the same machine you are connecting to, vsql connects through a UNIX domain socket. This connection bypasses Kerberos authentication. When you authenticate with Kerberos, especially if the client authentication method is configured as 'local', you must include the -h hostname option. See Command Line Options.
- On the vsql client, call the kinit utility:
  $ kinit kuser@EXAMPLE.COM
  Password for kuser@EXAMPLE.COM:
- Connect to Vertica, and provide the host and user principals in the connection string:
  $ ./vsql -K vcluster.example.com -h myserver.example.com -U kuser
  Welcome to vsql, the Vertica Analytic Database interactive terminal.
  Type:  \h or \? for help with vsql commands
         \g or terminate with semicolon to execute query
         \q to quit
In the future, when you log in to vsql as kuser, vsql uses your cached ticket without prompting you for a password.
Verify the authentication method
You can verify the authentication method by querying the SESSIONS system table:
=> SELECT authentication_method FROM sessions;
authentication_method
-----------------------
GSS-Kerberos
(1 row)
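The checks described on this page (a valid ticket from kinit, the -h option so that vsql does not fall back to the UNIX domain socket, and the SESSIONS query) combined into one preflight function. This is an added example, not part of the Vertica documentation; the function names are hypothetical, and it assumes that vsql and an MIT Kerberos klist are on the PATH.

```shell
#!/bin/sh
# Added example (not Vertica code). Function names are hypothetical.

# Succeed only if the vsql arguments name a host, so the connection goes
# over TCP instead of the UNIX domain socket that bypasses Kerberos.
has_host_option() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -h|--host) [ -n "${2:-}" ] && return 0; return 1 ;;
            -h?*|--host=?*) return 0 ;;
        esac
        shift
    done
    return 1
}

# Read authentication_method values, one per line, from stdin. Succeed only
# if there is at least one row and every row is GSS-Kerberos.
all_kerberos() {
    seen=0
    while IFS= read -r method; do
        [ -z "$method" ] && continue
        [ "$method" = "GSS-Kerberos" ] || return 1
        seen=1
    done
    [ "$seen" -eq 1 ]
}

# Usage: kerberos_preflight -K vcluster.example.com -h myserver.example.com -U kuser
# Return codes: 0 ok, 2 no host option, 3 no valid ticket, 4 connect failed,
# 5 session did not authenticate with GSS-Kerberos.
kerberos_preflight() {
    has_host_option "$@" || {
        echo "no -h host: vsql would use the UNIX domain socket and skip Kerberos" >&2
        return 2; }
    # klist -s is silent and reports ticket validity in its exit status.
    klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; return 3; }
    # Same SESSIONS query as the page; -A -t print bare values, one per row.
    # A user who can see other users' sessions gets those rows checked too.
    methods=$(vsql "$@" -A -t -c "SELECT authentication_method FROM sessions;") || {
        echo "vsql connection failed" >&2; return 4; }
    printf '%s\n' "$methods" | all_kerberos || {
        echo "session is not GSS-Kerberos: $methods" >&2; return 5; }
}
```

Source the file and call kerberos_preflight with the same options you pass to vsql; a non-zero return code identifies which check failed.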