Problem: Some user accounts newly created in LDAP/AD and in the database fail to log on to the database with their LDAP/AD password, although the same users can log on with their database password. Strangely, these new users can connect to Viewpoint with their LDAP/AD password, just not to the database. Previously created users can still connect to the database with their LDAP/AD password; only some of the newly created users are affected, failing to connect with their LDAP/AD password and receiving error 244. In this example the user “JAMES007” fails to log on to the database with the LDAP/AD password.
Solution: First, check the logon rules in the database; they look fine for this user.

# bteq
>sel * from dbc.logonrules where username in('JAMES007');

Now let’s check the tdsbind trace for the user. The relevant lines of the output are shown here:

# tdsbind -u JAMES007 -V2 > /tmp/tdsbind_JAMES007.out 2>&1
# cat /tmp/tdsbind_JAMES007.out
tdgss_configure warning: JWT Mechanism Disabled:(Error in setting verification key.)
LdapGroupBaseFQDN: OU=CP Users,DC=samba,DC=net
LdapUserBaseFQDN: OU=CP Users,DC=samba,DC=net
LdapSystemFQDN:
LdapServerName: ad001.samba.net
LdapServerPort: 389
LdapServerRealm: samba.net
LdapClientUseTls: no
LdapClientTlsReqCert: never
LdapClientMechanism: SASL/DIGEST-MD5
LdapServiceBindRequired: no
LdapClientTlsCRLCheck: none
LdapAllowUnsafeServerConnect: yes
UseLdapConfig: no
AuthorizationSupported: no
tds_authenticate_authorize_user failed!
tdssasl_bind: Directory error - Invalid credentials
additional info: 8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1
LDAP/AD supports two bind methods: “DIGEST-MD5” binds (the default) and “simple” binds. Our theory is that the password of the users that fail is stored encrypted in AD, whereas it is not encrypted in AD for the users that work. Whether or not the password is encrypted in AD does not matter for simple binds, but encrypted passwords cause DIGEST-MD5 binds to fail. Viewpoint uses simple binds, which is why the affected users can log on to Viewpoint with their AD password. Simple binds are the recommended method, and DIGEST-MD5 binds are to be deprecated in the relatively near future. We therefore changed the bind method from DIGEST-MD5 binds to simple binds, which resolved the issue.
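As an added example (not code from the original article), a small Python triage helper that pulls the configured bind mechanism and the AD AcceptSecurityContext data code out of a tdsbind -V2 trace like the one above and flags the DIGEST-MD5-plus-52e combination described here. The sample output is constructed from the trace lines shown above, and the code-to-meaning table is the standard list of AD bind failure sub-codes.

```python
import re

# Constructed sample: the relevant lines of the tdsbind -V2 trace shown above.
SAMPLE_TDSBIND_OUTPUT = """\
tdgss_configure warning: JWT Mechanism Disabled:(Error in setting verification key.)
LdapServerName: ad001.samba.net
LdapClientUseTls: no
LdapClientMechanism: SASL/DIGEST-MD5
LdapServiceBindRequired: no
tds_authenticate_authorize_user failed!
tdssasl_bind: Directory error - Invalid credentials
additional info: 8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1
"""

# AD "data" sub-codes reported in AcceptSecurityContext bind failures.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (password rejected for this bind type)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

SETTING_RE = re.compile(r"^(Ldap\w+):\s*(.*)$", re.M)
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)")


def triage_tdsbind(output: str) -> dict:
    """Return the LDAP settings tdsbind reports plus a reading of the AD error code."""
    settings = dict(SETTING_RE.findall(output))
    match = AD_DATA_RE.search(output)
    code = match.group(1) if match else None
    result = {
        "mechanism": settings.get("LdapClientMechanism"),
        "tls": settings.get("LdapClientUseTls"),
        "ad_data": code,
        "meaning": AD_BIND_DATA_CODES.get(code, "unknown") if code else None,
    }
    # The case on this page: a SASL/DIGEST-MD5 bind rejected with 52e while the
    # same password works for a simple bind (Viewpoint), so suspect the bind type
    # before suspecting the password itself.
    result["suspect_bind_type"] = (
        code == "52e" and "DIGEST-MD5" in (result["mechanism"] or "")
    )
    return result
```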
Example of changing the bind method to “simple bind”
The following configuration needs to be set in the file /opt/teradata/tdat/tdgss/site/TdgssUserConfigFile.xml:
<MechanismProperties
    LdapServerName="ad001.samba.net"
    LdapServerPort="389"
    LdapServerRealm="samba.net"
    LdapSystemFQDN=""
    LdapBaseFQDN="OU=CP Users,DC=samba,DC=net"
    LdapClientMechanism="simple"
    LdapServiceBindRequired="yes"
    LdapServiceFQDN="CN=Teradata Service,OU=Service accounts,OU=Administration,DC=samba,DC=net"
    LdapServicePassword="********"
    LdapServicePasswordProtected="no" />
<IdentitySearch Match="(.*)" Base="OU=CP Users,DC=samba,DC=net" Scope="subtree" Filter="(sAMAccountName=${1})"/>
You will need to put the service account password in the “LdapServicePassword” attribute. It can also be stored encrypted if needed.
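An added Python check (not part of this page or of TDGSS) that parses a MechanismProperties fragment like the one above and reports whether the bind mechanism is still DIGEST-MD5, whether simple bind is configured without a service bind or without TLS, and whether the service password is still a placeholder. The sample fragment is constructed from the values above with a placeholder password and an assumed surrounding <Mechanism Name="ldap"> element.

```python
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the simple-bind configuration above; the
# service password is a placeholder and LdapClientUseTls="no" is assumed.
SAMPLE_CONFIG = """\
<Mechanism Name="ldap">
  <MechanismProperties
    LdapServerName="ad001.samba.net"
    LdapServerPort="389"
    LdapServerRealm="samba.net"
    LdapBaseFQDN="OU=CP Users,DC=samba,DC=net"
    LdapClientMechanism="simple"
    LdapClientUseTls="no"
    LdapServiceBindRequired="yes"
    LdapServiceFQDN="CN=Teradata Service,OU=Service accounts,OU=Administration,DC=samba,DC=net"
    LdapServicePassword="PLACEHOLDER"
    LdapServicePasswordProtected="no" />
  <IdentitySearch Match="(.*)" Base="OU=CP Users,DC=samba,DC=net" Scope="subtree" Filter="(sAMAccountName=${1})"/>
</Mechanism>
"""


def check_ldap_mechanism(xml_text: str) -> list:
    """Return (key, message) findings for the ldap MechanismProperties element."""
    props = ET.fromstring(xml_text).find("MechanismProperties")
    if props is None:
        return [("structure", "no MechanismProperties element found")]
    findings = []
    mech = props.get("LdapClientMechanism", "")
    if mech.lower() != "simple":
        findings.append(("mechanism", f"bind mechanism is {mech!r}, not simple; "
                         "DIGEST-MD5 binds fail for the affected accounts"))
    else:
        # The simple-bind example above pairs the mechanism with a service bind
        # so the IdentitySearch can look up the user's DN.
        if props.get("LdapServiceBindRequired", "no").lower() != "yes":
            findings.append(("service_bind", "simple bind relies on the service "
                             "account for the identity search; set LdapServiceBindRequired=\"yes\""))
        # A simple bind sends the user's password in clear text unless TLS is on.
        if props.get("LdapClientUseTls", "no").lower() != "yes":
            findings.append(("tls_off", "simple bind without TLS exposes the "
                             "password on port 389; set LdapClientUseTls=\"yes\""))
    pw = props.get("LdapServicePassword", "")
    if pw in ("", "********", "PLACEHOLDER"):
        findings.append(("password_placeholder", "LdapServicePassword still holds a placeholder"))
    elif props.get("LdapServicePasswordProtected", "no").lower() != "yes":
        findings.append(("password_clear", "service password is stored unprotected in the file"))
    return findings
```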
Then test the bind for the affected user again:

# /opt/teradata/tdat/tdgss/16.20.24.01/bin/tdsbind -u JAMES007

If the output looks OK, the next step is to schedule a DBS restart.