Problem Note 44638: Using Standard AIX Kerberos configuration generates PAG style Kerberos Tickets resulting in tickets not being found
When AIX is configured to use LAM (Loadable Authentication Module) and LAM is configured to use the standard AIX Kerberos configuration, AIX generates a credentials cache file that is not the default expected by Kerberos applications and the Generic Security Services Application Program Interface (GSS API).
AIX Kerberos generates a Process Authentication Group (PAG)-style Kerberos ticket in the credentials cache rather than a Unique Identification (UID)-style Kerberos ticket.
If an application using Kerberos authentication relies on finding the default UID-based cache, that application fails to authenticate unless the application can override this behavior and use the PAG-based cache instead. The SQL Server Driver for AIX from DataDirect can fail to authenticate if the driver is configured to use Kerberos authentication.
To override the defaults, set the following environment variables:
- export ELSPAGCACHE=1
  Setting this variable to 1 enables the code to override the defaults and look for PAG-style Kerberos tickets instead of UID-style tickets.
- export ELSREALMNAME=<Kerberos Realm Name>
  Set this variable to the Kerberos Realm Name only if the auth_domain variable is not already set in the /etc/security/user file.
- export ELSCACHELOC=<Location of the PAG cache files>
  Set this variable to the location of the PAG cache files if they are not in the default location, which is /var/krb5/security/creds.
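The conditions attached to the three variables above can be scripted. The following is an added example, not code from SAS or from this note: the function names are hypothetical, the stanza lookup assumes that a user without its own auth_domain inherits the value from the default stanza, and the stanza file is a parameter so the script can be tried on a copy.

```shell
#!/bin/sh
# Added example: emit only the ELS* exports this note calls for.
DEFAULT_PAG_DIR=/var/krb5/security/creds   # default location stated in the note

# Print auth_domain for stanza $2 in stanza file $1, falling back to the
# "default" stanza (assumption: usual AIX stanza inheritance).
auth_domain_for() {
    awk -v want="$2" '
        /^[^ \t*][^:]*:[ \t]*$/ { sub(/:[ \t]*$/, ""); stanza = $0; next }
        /^[ \t]+auth_domain[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            val[stanza] = v
        }
        END {
            if (want in val) print val[want]
            else if ("default" in val) print val["default"]
        }
    ' "$1"
}

# Args: user, realm, PAG cache dir, stanza file (last two optional).
els_exports() {
    user=$1 realm=$2 cache_dir=${3:-$DEFAULT_PAG_DIR} user_file=${4:-/etc/security/user}
    # Output is meant for eval, so refuse anything outside a conservative set.
    case "$realm$cache_dir" in
        *[!A-Za-z0-9._/-]*) echo "unsafe character in realm or path" >&2; return 2 ;;
    esac
    out="export ELSPAGCACHE=1"
    # ELSREALMNAME is needed only when auth_domain is not already set.
    if [ -z "$(auth_domain_for "$user_file" "$user")" ]; then
        [ -n "$realm" ] || { echo "no auth_domain for $user: realm required" >&2; return 1; }
        out="$out
export ELSREALMNAME=$realm"
    fi
    # ELSCACHELOC is needed only when the cache is not in the default location.
    if [ "${cache_dir%/}" != "$DEFAULT_PAG_DIR" ]; then
        out="$out
export ELSCACHELOC=$cache_dir"
    fi
    printf '%s\n' "$out"
}
# Usage before starting SAS (EXAMPLE.COM is a constructed realm name):
#   eval "$(els_exports "$LOGNAME" EXAMPLE.COM)"
```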
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
SAS System | Base SAS | 64-bit Enabled AIX | 9.21_M3 | 9.3_M1 | 9.2 TS2M3 | 9.3 TS1M2 |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
Type: | Problem Note |
Priority: | high |
Topic: | Data Management ==> Data Sources ==> External Databases ==> MS SQL Server; System Administration ==> Security ==> Authentication |
Date Modified: | 2011-10-21 08:59:07 |
Date Created: | 2011-10-12 17:40:41 |