#1 (joined Aug 2013, 3 posts)

    DB2 Kerberos Setup on Windows using Windows AD as KDC

    Hello,

    I have done the DB2 Kerberos setup on Windows using Windows AD as KDC. I am able to connect from a Windows client to the Windows server using Kerberos. But when I connect from a Linux client to the Windows server I get the error mentioned below. Please throw some light on this.

    Find the configurations below.

    DB Server:
    OS: Windows 2008 R2
    db2level: DB2 V10.1 FP2

    dbm cfg:
    Client Userid-Password Plugin (CLNT_PW_PLUGIN) =
    Client Kerberos Plugin (CLNT_KRB_PLUGIN) = IBMkrb5
    Group Plugin (GROUP_PLUGIN) =
    GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) =
    Server Plugin Mode (SRV_PLUGIN_MODE) = UNFENCED
    Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) =
    Server Userid-Password Plugin (SRVCON_PW_PLUGIN) =
    Server Connection Authentication (SRVCON_AUTH) = NOT_SPECIFIED
    Cluster manager =

    Database manager authentication (AUTHENTICATION) = KERBEROS
    Alternate authentication (ALTERNATE_AUTH_ENC) = NOT_SPECIFIED
    Cataloging allowed without authority (CATALOG_NOAUTH) = NO
    Trust all clients (TRUST_ALLCLNTS) = YES
    Trusted client authentication (TRUST_CLNTAUTH) = CLIENT
    Bypass federated authentication (FED_NOAUTH) = NO

    DB Clients:
    From the Windows client machine, I am able to connect to the database using Kerberos, but from Linux I am not.

    OS: Linux RHEL 6.4
    I have installed DB2 V10.1 FP2 client and cataloged the database.
    I am able to do kinit for the id that exists in Windows AD, but when I connect to the db it says:

    SQL30082N Security processing failed with reason "36" ("UNEXPECTED CLIENT
    ERROR"). SQLSTATE=08001

    from db2diag.log:
    2013-08-21-17.46.17.155998+330 E563376E524 LEVEL: Severe
    PID : 25544 TID : 139909521442592 PROC : db2bp
    INSTANCE: db10inst NODE : 000
    HOSTNAME: IRL64PPD31
    FUNCTION: DB2 UDB, bsu security, sqlexSlcGssPluginSecchk, probe:200
    MESSAGE : ADM13000E Plug-in "IBMkrb5" received error code "851968" from the
    GSS (Generic Security Service) API "gss_init_sec_context" with the
    error message "Unspecified GSS failure. Minor code may provide more
    information".

    2013-08-21-17.46.17.156150+330 E563901E490 LEVEL: Severe
    PID : 25544 TID : 139909521442592 PROC : db2bp
    INSTANCE: db10inst NODE : 000
    HOSTNAME: IRL64PPD31
    FUNCTION: DB2 UDB, bsu security, sqlexSlcGssPluginSecchk, probe:200
    MESSAGE : ADM13000E Plug-in "IBMkrb5" received error code "-1765328377" from
    the GSS (Generic Security Service) API "gss_init_sec_context" with
    the error message "Server not found in Kerberos database".

    dbm cfg from client:
    Client Userid-Password Plugin (CLNT_PW_PLUGIN) =
    Client Kerberos Plugin (CLNT_KRB_PLUGIN) = IBMkrb5
    Group Plugin (GROUP_PLUGIN) =
    GSS Plugin for Local Authorization (LOCAL_GSSPLUGIN) =
    Server Plugin Mode (SRV_PLUGIN_MODE) = UNFENCED
    Server List of GSS Plugins (SRVCON_GSSPLUGIN_LIST) =
    Server Userid-Password Plugin (SRVCON_PW_PLUGIN) =
    Server Connection Authentication (SRVCON_AUTH) = NOT_SPECIFIED
    Cluster manager =

    Database manager authentication (AUTHENTICATION) = KERBEROS
    Cataloging allowed without authority (CATALOG_NOAUTH) = YES
    Bypass federated authentication (FED_NOAUTH) = NO

    krb5.conf from Linux client machine.

    $ cat /etc/krb5.conf
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = <realm name>
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    [realms]
    Original REALM = {
    kdc = <servername>.<realm name>
    admin_server = <servername>.<realm name>
    }

    [domain_realm]
    .<realm name in small letters> = <realm name>
    <realm name in small letters> = <realm name>

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

    Do we have to do any mapping in Windows AD to the Linux client machine? Please share your thoughts. Thank you.

#2 (Moscow, Russia; joined Jul 2013, 666 posts)
    Hi,

    You have to do the following things:

    Windows:
    - create an SPN (Service Principal Name like db2inst1/linux.full.name) for the DB2 instance owner (db2inst1) using setspn
    - map this user to the SPN using ktpass

    Linux:
    - use capital letters for domain name and pdc in the krb5.conf
    - create a keytab file, add there an entry from the output of the ktpass using ktutil
    - use this keytab file in the KRB5_KTNAME env variable
    - set DB2_KRB5_PRINCIPAL registry to your SPN
    - db2set DB2ENVLIST=KRB5_KTNAME

    Have you done this already?
    Regards,
    Mark.

#3 (joined Aug 2013, 3 posts)
    Hi Mark,

    Thank you for posting on this thread. I have not used setspn. I was using ktpass to map the user. I am using Linux as a client only. How do I create an SPN for the client? I am providing some more details on this, so that you can help me.

    More Details:

    DB Server: Windows 2008 as the DB2 database server, and the Kerberos principal name created by DB2 is db2admin@INFAKRB.INFADEV.COM, where db2admin is the Windows AD account name that has been used to create the database; the DB2 service has been started using this id itself.

    Now I want to connect to the database from a Linux client machine named xyz.infakrb.infadev.com. I have installed the DB2 client using db10inst with a local Linux operating system account.

    After this I would like to know what steps I need to follow in order to connect to the db which is on the Windows server.

    I have been stuck with this for a long time, and if you could help on this, it would be of great help. I really appreciate your time and comments on this.

#4 (Moscow, Russia; joined Jul 2013, 666 posts)
    Hi,

    Sorry, I overlooked that you are configuring a Linux client only, not a DB2 server instance on Linux.

    DB2 doesn't create an SPN for an instance owner.
    You can check it by:
    setspn -l db2admin

    You can create this SPN as follows:
    Code:
    setspn -U -S DB2_INSTANCE_NAME/FULL.DB2.SERVER.NAME db2admin
    On the linux side:
    Code:
    db2 "catalog db my_db at node my_node authentication kerberos target principal DB2_INSTANCE_NAME/FULL.DB2.SERVER.NAME"
    db2 "update dbm cfg using CLNT_KRB_PLUGIN IBMkrb5"
    db2set DB2_KRB5_PRINCIPAL=DB2_INSTANCE_NAME/FULL.DB2.SERVER.NAME
    I'm not sure if we must set the last variable, but I always do this since I have sometimes seen that DB2 was not able to derive this information correctly from the database catalog.

    Finally you run kinit using your db user and you should connect successfully to your windows database.
    Regards,
    Mark.
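The two db2diag.log records in the first post carry the answer to the problem Mark fixes in #4: the first is only the generic GSS major status, the second is the Kerberos minor code for "server principal unknown", i.e. no SPN registered for the DB2 service account. The parser below, an added example that is not from the thread or from IBM, pulls those codes out of ADM13000E records and maps the two this thread hit to the check a DBA would run; the sample log is constructed from the records quoted above, and the hint wording and dictionary names are my own.

```python
import re

# Kerberos library codes are ERROR_TABLE_BASE_krb5 plus the protocol error number
# (7 = S_PRINCIPAL_UNKNOWN); a GSS major status is the routine error shifted by 16.
KRB5_ERROR_BASE = -1765328384
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = KRB5_ERROR_BASE + 7   # -1765328377
GSS_S_FAILURE = 13 << 16                                # 851968

HINTS = {
    KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
        "KDC has no SPN for the DB2 service account: compare 'setspn -L <account>' "
        "on the domain with the TARGET PRINCIPAL in 'db2 list db directory'",
    GSS_S_FAILURE:
        "generic GSS failure; the next record carries the Kerberos minor code",
}

# A db2diag.log record starts with a timestamp such as 2013-08-21-17.46.17.155998+330.
RECORD_START = re.compile(r"^(?=\d{4}-\d{2}-\d{2}-\d{2}\.\d{2}\.\d{2}\.\d+)", re.M)
ADM13000E = re.compile(
    r'ADM13000E Plug-in "(?P<plugin>[^"]+)" received error code "(?P<code>-?\d+)" '
    r'from (?:the )?GSS \(Generic Security Service\) API "(?P<api>[^"]+)"')

def parse_db2diag(text):
    """One dict per ADM13000E record: timestamp, plugin, api, code and a hint."""
    findings = []
    for record in RECORD_START.split(text):
        record = " ".join(record.split())   # unwrap the wrapped MESSAGE lines
        m = ADM13000E.search(record) if record else None
        if m is None:
            continue
        code = int(m.group("code"))
        findings.append({"timestamp": record.split(" ", 1)[0],
                         "plugin": m.group("plugin"), "api": m.group("api"),
                         "code": code,
                         "hint": HINTS.get(code, "unknown code; decode with krb5's error table")})
    return findings

# Constructed sample, modelled on the two records quoted in the first post.
SAMPLE = """\
2013-08-21-17.46.17.155998+330 E563376E524 LEVEL: Severe
MESSAGE : ADM13000E Plug-in "IBMkrb5" received error code "851968" from the
GSS (Generic Security Service) API "gss_init_sec_context" with the
error message "Unspecified GSS failure. Minor code may provide more
information".

2013-08-21-17.46.17.156150+330 E563901E490 LEVEL: Severe
MESSAGE : ADM13000E Plug-in "IBMkrb5" received error code "-1765328377" from
the GSS (Generic Security Service) API "gss_init_sec_context" with
the error message "Server not found in Kerberos database".
"""
```

Run `parse_db2diag(open("/path/to/db2diag.log").read())` against a real log; the Kerberos minor code in the second record is the one to act on, the major status alone says nothing about the cause.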

#5 (joined Aug 2013, 3 posts)
    Hi Mark,

    Thank you so much. It helped me resolve the issue, and I am able to connect from the Linux client to the Windows server.

    Thanks again for your inputs and solution.
