  1. #1
    Join Date
    Jan 2010
    Posts
    335

    Unanswered: DB2 with Kerberos

    Hi,

    I want to configure a database for Kerberos authentication. (Requested by application/users)

    The System is DB2 10.1 FP2 on SLES 11 SP2.
    I've set CLNT_KRB_PLUGIN to IBMkrb5 and AUTHENTICATION to KRB_SERVER_ENCRYPT. I've copied the IBMkrb5.so and IBMOSauthserver.so to
    ~/sqllib/security64/plugin/server/.

    I've created a user in Active Directory and created a keytab file with ktpass.
    Copied the keytab to /etc/. kinit works fine with <INST-OWNER>/<HOSTNAME>@<DOMAIN>.

    At this point I got stuck. How can I grant users to connect to the database? I wanted to test connectivity with DataStudio 3.1 and the Driver Kerberos Support, but this fails as well.

    How can I grant users from the domain on the database?
    How can I check connectivity locally on the box, and has someone used DataStudio for that? The InfoCenter didn't help me...

  2. #2
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    Quote Originally Posted by nvk@vhv View Post
    How can I grant users to connect to the database?
    Unless you created the database as RESTRICTIVE, anyone (i.e. PUBLIC) will have CONNECT privileges for that database.

    Quote Originally Posted by nvk@vhv View Post
    How can I grant users from the domain on the database?
    By issuing appropriate GRANT statements.

    Quote Originally Posted by nvk@vhv View Post
    How can I check connectivity locally on the box
    Which "box"? Did you try "db2 connect to <your db>"?
    ---
    "It does not work" is not a valid problem statement.

  3. #3
    Join Date
    Jan 2010
    Posts
    335
    Quote Originally Posted by n_i View Post
    Unless you created the database as RESTRICTIVE, anyone (i.e. PUBLIC) will have CONNECT privileges for that database.
    The database was not created with "RESTRICTIVE" and PUBLIC still has the CONNECT privilege.

    Quote Originally Posted by n_i View Post
    By issuing appropriate GRANT statements.
    And what does an appropriate GRANT statement for users from the domain look like? To be more specific, how do I have to specify the authorization name for users?

    Quote Originally Posted by n_i View Post
    Which "box"? Did you try "db2 connect to <your db>"?
    Yep, I meant the server. Connect works fine for users from the server. Well, there's only the instance owner and the fenced user ...

  4. #4
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    Quote Originally Posted by nvk@vhv View Post
    And what does an appropriate GRANT statement for users from the domain look like? To be more specific, how do I have to specify the authorization name for users?
    Only the username part of the ID is mapped to the DB2 authorization ID, so that's what you need to specify. You will have a problem if you have the same username with different authorization requirements in different domains.
    ---
    "It does not work" is not a valid problem statement.

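The collision risk described in post #4, as an added example that is not part of the original thread: a small audit that derives the DB2 authorization ID from each Kerberos principal and flags usernames that appear in more than one realm before any GRANT is issued. It assumes the username part is the text before the first "/" or "@" and that DB2 folds it to upper case; the principals and realm names are constructed sample data.

```python
from collections import defaultdict


def authid_for(principal: str) -> str:
    """Assumed mapping: name before the first '/' or '@', folded to upper case."""
    name = principal.split("@", 1)[0].split("/", 1)[0]
    if not name:
        raise ValueError(f"no username part in {principal!r}")
    return name.upper()


def realm_of(principal: str) -> str:
    """Realm after the last '@'; principals without one use the default realm."""
    return principal.rsplit("@", 1)[1] if "@" in principal else "<default>"


def audit(principals):
    """Return (grants, collisions).

    grants:     GRANT statements for authorization IDs backed by one realm.
    collisions: authid -> principals from different realms that would share
                the same DB2 privileges, so no GRANT is generated for them.
    """
    by_authid = defaultdict(set)
    for p in principals:
        by_authid[authid_for(p)].add(p)

    grants, collisions = [], {}
    for authid, members in sorted(by_authid.items()):
        if len({realm_of(m) for m in members}) > 1:
            collisions[authid] = sorted(members)
        else:
            grants.append(f"GRANT CONNECT ON DATABASE TO USER {authid}")
    return grants, collisions


# Constructed sample: the same username exists in two realms.
SAMPLE = [
    "jdoe@CORP.EXAMPLE.COM",
    "jdoe@LAB.EXAMPLE.COM",
    "asmith@CORP.EXAMPLE.COM",
]

if __name__ == "__main__":
    grants, collisions = audit(SAMPLE)
    print("\n".join(grants))
    for authid, members in collisions.items():
        print(f"-- review before granting {authid}: {', '.join(members)}")
```
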