CLI error: MTDP: EM_SSOLOGONFAIL(244): SSO logon failed by gateway in Teradata

Problem:

Some user accounts newly created in LDAP/AD and in the database fail to log on to the database with their LDAP/AD password, although the same users can log on with their database password. Strangely, these new users can connect to Viewpoint with their LDAP/AD password, just not to the database. Previously created users can still connect to the database with their LDAP/AD password; only some of the newly created users are affected, and they fail with error 244. In the example below, user "JAMES007" fails to log on to the database with the LDAP/AD password.

# bteq

Teradata BTEQ 16.20.00.04 for LINUX. PID: 5079
Copyright 1984-2018, Teradata Corporation. ALL RIGHTS RESERVED.
Enter your logon or BTEQ command:
.logmech ldap

.logmech ldap
Teradata BTEQ 16.20.00.04 for LINUX. Enter your logon or BTEQ command:
.logon JAMES007

.logon JAMES007
Password:

* CLI error: MTDP: EM_SSOLOGONFAIL(244): SSO logon failed by gateway.
* Return code from CLI is: 244
* Error: Logon failed!


* Total elapsed time was 15 seconds.


# psh "grep 'May 22' /var/log/messages | grep -i ' JAMES007'"

byn001-11 (1):
May 22 10:08:32 prtd09 gtwgateway[28728]: ldap_sasl_bind_s: server ldap://ad001.samba.net:389, authcid JAMES007, error 49 (Invalid credentials), info (8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1)

# /opt/teradata/tdat/tdgss/16.20.24.01/bin/tdsbind -u JAMES007
Enter LDAP password:
tdgss_configure warning:

JWT Mechanism Disabled:(Error in setting verification key.)
LdapGroupBaseFQDN: OU=CP Users,DC=samba,DC=net
LdapUserBaseFQDN: OU=CP Users,DC=samba,DC=net
LdapSystemFQDN:
LdapServerName: ad001.samba.net
LdapServerPort: 389
LdapServerRealm: samba.net
LdapClientUseTls: no
LdapClientTlsReqCert: never
LdapClientMechanism: SASL/DIGEST-MD5
LdapServiceBindRequired: no
LdapClientTlsCRLCheck: none
LdapAllowUnsafeServerConnect: yes
UseLdapConfig: no
AuthorizationSupported: no

tds_authenticate_authorize_user failed!
tdssasl_bind: Directory error - Invalid credentials

additional info: 8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1
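Both the gateway log entry and the tdsbind output carry the same AD-specific detail: LDAP result 49 (invalid credentials) followed by a "data 52e" sub-code. As an added example, not part of the original post, here is a small Python parser for the gtwgateway bind-failure lines shown above. It extracts the authcid and the "data" sub-code, maps the sub-code to its documented Active Directory meaning, and counts failures per user so that a lockout or a burst of failures is distinguishable from a single mistyped password. The sample lines are constructed: the first is the page's own gateway entry, the others are made up (EXAMPLEUSER is a placeholder name).

```python
import re
from collections import Counter

# Sub-codes that Active Directory appends as "data NNN" to an LDAP result 49
# (invalidCredentials) bind failure.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (the directory could not verify the supplied credential)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the gtwgateway line in /var/log/messages shown on the page.
GATEWAY_BIND_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) gtwgateway\[(?P<pid>\d+)\]: "
    r"ldap_sasl_bind_s: server (?P<server>[^,\s]+), authcid (?P<user>[^,\s]+), "
    r"error (?P<code>\d+) \((?P<msg>[^)]*)\), info \((?P<info>.*)\)$"
)
AD_DATA_RE = re.compile(r"\bdata (?P<data>[0-9a-f]+)\b")

# Constructed sample: the first line is the gateway entry from the page, the rest are made up.
SAMPLE_LINES = [
    "May 22 10:08:32 prtd09 gtwgateway[28728]: ldap_sasl_bind_s: server ldap://ad001.samba.net:389, "
    "authcid JAMES007, error 49 (Invalid credentials), info (8009030C: LdapErr: DSID-0C09053E, "
    "comment: AcceptSecurityContext error, data 52e, v1db1)",
    "May 22 10:09:05 prtd09 gtwgateway[28728]: ldap_sasl_bind_s: server ldap://ad001.samba.net:389, "
    "authcid JAMES007, error 49 (Invalid credentials), info (8009030C: LdapErr: DSID-0C09053E, "
    "comment: AcceptSecurityContext error, data 52e, v1db1)",
    "May 22 10:11:40 prtd09 gtwgateway[28728]: ldap_sasl_bind_s: server ldap://ad001.samba.net:389, "
    "authcid EXAMPLEUSER, error 49 (Invalid credentials), info (8009030C: LdapErr: DSID-0C09053E, "
    "comment: AcceptSecurityContext error, data 775, v1db1)",
    "May 22 10:12:01 prtd09 gtwgateway[28728]: unrelated gateway message (constructed)",
]


def parse_gateway_bind_failure(line):
    """Return a dict describing a gtwgateway bind-failure line, or None if the line is something else."""
    m = GATEWAY_BIND_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    d = AD_DATA_RE.search(rec["info"])
    rec["data"] = d.group("data") if d else None
    rec["reason"] = AD_BIND_SUBCODES.get(rec["data"], "unknown sub-code")
    return rec


def summarize_failures(lines):
    """Count LDAP result-49 failures per (user, AD sub-code) so a burst or a lockout stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_gateway_bind_failure(line)
        if rec is None or rec["code"] != "49":
            continue
        counts[(rec["user"], rec["data"])] += 1
    return counts


if __name__ == "__main__":
    for (user, data), n in summarize_failures(SAMPLE_LINES).items():
        print(f"{user}: {n} failure(s), data {data} = {AD_BIND_SUBCODES.get(data, 'unknown')}")
```

The sub-code is worth parsing rather than just the result code: 52e is a genuine credential-verification failure (a wrong password, or a bind method the directory cannot verify against the stored credential, as in this case), while 775 or 533 point to the account state rather than the password and need a different response.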


Solution:

First, check the logon rules in the database; they look fine for this user.

>sel * from dbc.logonrules where username in('JAMES007');

UserName  LogicalHostID  LogonStatus  NullPassword  CreatorName  CreateTimeStamp
--------  -------------  -----------  ------------  -----------  -------------------
JAMES007  1024           G            T             USERAdmin    2019-05-24 08:31:51

Now let's run tdsbind for the user with verbose output and check the log.

#tdsbind -u JAMES007 -V2 > /tmp/tdsbind_JAMES007.out 2>&1

# cat /tmp/tdsbind_JAMES007.out

tdgss_configure warning:

JWT Mechanism Disabled:(Error in setting verification key.)

ldap_write: want=165, written=165
  0000:  30 81 a2 02 01 01 63 81  9c 04 00 0a 01 00 0a 01   0.....c.........
  0010:  00 02 01 00 02 01 00 01  01 00 87 0b 6f 62 6a 65   ............obje
  0020:  63 74 43 6c 61 73 73 30  7c 04 0b 6f 62 6a 65 63   ctClass0|..objec
  0030:  74 43 6c 61 73 73 04 15  73 75 70 70 6f 72 74 65   tClass..supporte
  0040:  64 43 61 70 61 62 69 6c  69 74 69 65 73 04 14 64   dCapabilities..d
  0050:  65 66 61 75 6c 74 4e 61  6d 69 6e 67 43 6f 6e 74   efaultNamingCont
  0060:  65 78 74 04 10 6e 65 74  73 63 61 70 65 6d 64 73   ext..netscapemds
  0070:  75 66 66 69 78 04 12 73  75 70 70 6f 72 74 65 64   uffix..supported
  0080:  45 78 74 65 6e 73 69 6f  6e 04 1a 63 6f 6e 66 69   Extension..confi
  0090:  67 75 72 61 74 69 6f 6e  4e 61 6d 69 6e 67 43 6f   gurationNamingCo
  00a0:  6e 74 65 78 74                                     ntext
ldap_read: want=8, got=8
  0000:  30 84 00 00 01 b3 02 01                            0.......
ldap_read: want=433, got=433
  0000:  01 64 84 00 00 01 aa 04  00 30 84 00 00 01 a2 30   .d.......0.....0
  0010:  84 00 00 00 2d 04 14 64  65 66 61 75 6c 74 4e 61   ....-..defaultNa
  0020:  6d 69 6e 67 43 6f 6e 74  65 78 74 31 84 00 00 00   mingContext1....
  0030:  11 04 0f 44 43 3d 73 61  6d 62 61 2c 44 43 3d 6e   ...DC=samba,DC=n
  0040:  65 74 30 84 00 00 00 44  04 1a 63 6f 6e 66 69 67   et0....D..config
  0050:  75 72 61 74 69 6f 6e 4e  61 6d 69 6e 67 43 6f 6e   urationNamingCon
  0060:  74 65 78 74 31 84 00 00  00 22 04 20 43 4e 3d 43   text1....". CN=C
  0070:  6f 6e 66 69 67 75 72 61  74 69 6f 6e 2c 44 43 3d   onfiguration,DC=
  0080:  73 61 6d 62 61 2c 44 43  3d 6e 65 74 30 84 00 00   samba,DC=net0...
  0090:  00 99 04 15 73 75 70 70  6f 72 74 65 64 43 61 70   ....supportedCap
  00a0:  61 62 69 6c 69 74 69 65  73 31 84 00 00 00 7c 04   abilities1....|.
  00b0:  16 31 2e 32 2e 38 34 30  2e 31 31 33 35 35 36 2e   .1.2.840.113556.
  00c0:  31 2e 34 2e 38 30 30 04  17 31 2e 32 2e 38 34 30   1.4.800..1.2.840
  00d0:  2e 31 31 33 35 35 36 2e  31 2e 34 2e 31 36 37 30   .113556.1.4.1670
  00e0:  04 17 31 2e 32 2e 38 34  30 2e 31 31 33 35 35 36   ..1.2.840.113556
  00f0:  2e 31 2e 34 2e 31 37 39  31 04 17 31 2e 32 2e 38   .1.4.1791..1.2.8
  0100:  34 30 2e 31 31 33 35 35  36 2e 31 2e 34 2e 31 39   40.113556.1.4.19
  0110:  33 35 04 17 31 2e 32 2e  38 34 30 2e 31 31 33 35   35..1.2.840.1135
  0120:  35 36 2e 31 2e 34 2e 32  30 38 30 30 84 00 00 00   56.1.4.20800....
  0130:  80 04 12 73 75 70 70 6f  72 74 65 64 45 78 74 65   ...supportedExte
  0140:  6e 73 69 6f 6e 31 84 00  00 00 66 04 16 31 2e 33   nsion1....f..1.3
  0150:  2e 36 2e 31 2e 34 2e 31  2e 31 34 36 36 2e 32 30   .6.1.4.1.1466.20
  0160:  30 33 37 04 1a 31 2e 33  2e 36 2e 31 2e 34 2e 31   037..1.3.6.1.4.1
  0170:  2e 31 34 36 36 2e 31 30  31 2e 31 31 39 2e 31 04   .1466.101.119.1.
  0180:  17 31 2e 32 2e 38 34 30  2e 31 31 33 35 35 36 2e   .1.2.840.113556.
  0190:  31 2e 34 2e 31 37 38 31  04 17 31 2e 33 2e 36 2e   1.4.1781..1.3.6.
  01a0:  31 2e 34 2e 31 2e 34 32  30 33 2e 31 2e 31 31 2e   1.4.1.4203.1.11.
  01b0:  33                                                 3
ldap_read: want=8, got=8
  0000:  30 84 00 00 00 10 02 01                            0.......
ldap_read: want=14, got=14
  0000:  01 65 84 00 00 00 07 0a  01 00 04 00 04 00         .e............
ldap_write: want=26, written=26
  0000:  30 18 02 01 02 60 13 02  01 03 04 00 a3 0c 04 0a   0....`..........
  0010:  44 49 47 45 53 54 2d 4d  44 35                     DIGEST-MD5
ldap_read: want=8, got=8
  0000:  30 84 00 00 00 fb 02 01                            0.......
ldap_read: want=249, got=249
  0000:  02 61 84 00 00 00 f2 0a  01 0e 04 00 04 00 87 82   .a..............
  0010:  00 e7 71 6f 70 3d 22 61  75 74 68 2c 61 75 74 68   ..qop="auth,auth
  0020:  2d 69 6e 74 2c 61 75 74  68 2d 63 6f 6e 66 22 2c   -int,auth-conf",
  0030:  63 69 70 68 65 72 3d 22  33 64 65 73 2c 72 63 34   cipher="3des,rc4
  0040:  22 2c 61 6c 67 6f 72 69  74 68 6d 3d 6d 64 35 2d   ",algorithm=md5-
  0050:  73 65 73 73 2c 6e 6f 6e  63 65 3d 22 2b 55 70 67   sess,nonce="+Upg
  0060:  72 61 64 65 64 2b 76 31  36 32 31 33 63 31 37 64   raded+v16213c17d
  0070:  32 35 37 66 35 34 63 37  64 38 32 30 37 35 34 37   257f54c7d8207547
  0080:  63 34 30 63 32 61 35 64  33 37 36 36 63 63 35 30   c40c2a5d3766cc50
  0090:  36 34 31 34 64 35 30 31  64 35 65 37 38 34 37 35   6414d501d5e78475
  00a0:  33 66 61 38 64 66 39 63  34 64 65 64 31 39 37 63   3fa8df9c4ded197c
  00b0:  33 63 30 38 65 31 63 65  36 39 62 36 61 36 39 30   3c08e1ce69b6a690
  00c0:  66 64 35 66 30 35 63 63  61 36 63 37 32 36 62 37   fd5f05cca6c726b7
  00d0:  31 37 32 36 32 37 34 63  22 2c 63 68 61 72 73 65   1726274c",charse
  00e0:  74 3d 75 74 66 2d 38 2c  72 65 61 6c 6d 3d 22 73   t=utf-8,realm="s
  00f0:  61 6d 62 61 2e 6e 65 74  22                        amba.net"
ldap_write: want=389, written=389
  0000:  30 82 01 81 02 01 03 60  82 01 7a 02 01 03 04 00   0......`..z.....
  0010:  a3 82 01 71 04 0a 44 49  47 45 53 54 2d 4d 44 35   ...q..DIGEST-MD5
  0020:  04 82 01 61 75 73 65 72  6e 61 6d 65 3d 22 41 39   ...ausername="A9
  0030:  34 34 37 36 22 2c 72 65  61 6c 6d 3d 22 73 61 6d   4476",realm="sam
  0040:  62 61 2e 6e 65 74 22 2c  6e 6f 6e 63 65 3d 22 2b   ba.net",nonce="+
  0050:  55 70 67 72 61 64 65 64  2b 76 31 36 32 31 33 63   Upgraded+v16213c
  0060:  31 37 64 32 35 37 66 35  34 63 37 64 38 32 30 37   17d257f54c7d8207
  0070:  35 34 37 63 34 30 63 32  61 35 64 33 37 36 36 63   547c40c2a5d3766c
  0080:  63 35 30 36 34 31 34 64  35 30 31 64 35 65 37 38   c506414d501d5e78
  0090:  34 37 35 33 66 61 38 64  66 39 63 34 64 65 64 31   4753fa8df9c4ded1
  00a0:  39 37 63 33 63 30 38 65  31 63 65 36 39 62 36 61   97c3c08e1ce69b6a
  00b0:  36 39 30 66 64 35 66 30  35 63 63 61 36 63 37 32   690fd5f05cca6c72
  00c0:  36 62 37 31 37 32 36 32  37 34 63 22 2c 63 6e 6f   6b71726274c",cno
  00d0:  6e 63 65 3d 22 57 66 59  46 70 2b 4b 59 39 6c 4f   nce="WfYFp+KY9lO
  00e0:  41 4e 50 49 52 2f 59 4f  6b 71 56 35 69 62 78 44   ANPIR/YOkqV5ibxD
  00f0:  62 62 44 6c 77 54 33 6b  36 33 30 52 4d 69 68 4d   bbDlwT3k630RMihM
  0100:  3d 22 2c 6e 63 3d 30 30  30 30 30 30 30 31 2c 71   =",nc=00000001,q
  0110:  6f 70 3d 61 75 74 68 2d  63 6f 6e 66 2c 63 69 70   op=auth-conf,cip
  0120:  68 65 72 3d 72 63 34 2c  6d 61 78 62 75 66 3d 31   her=rc4,maxbuf=1
  0130:  36 37 37 37 32 31 35 2c  64 69 67 65 73 74 2d 75   6777215,digest-u
  0140:  72 69 3d 22 6c 64 61 70  2f 61 64 73 72 76 30 31   ri="ldap/adsrv01
  0150:  2e 73 61 6d 62 61 2e 6e  65 74 22 2c 72 65 73 70   .samba.net",resp
  0160:  6f 6e 73 65 3d 37 39 33  31 31 64 34 65 64 33 35   onse=79311d4ed35
  0170:  32 63 32 31 39 64 37 38  61 66 63 38 64 63 38 65   2c219d78afc8dc8e
  0180:  66 62 34 39 61                                     fb49a
ldap_read: want=8, got=8
  0000:  30 84 00 00 00 68 02 01                            0....h..
ldap_read: want=102, got=102
  0000:  03 61 84 00 00 00 5f 0a  01 31 04 00 04 58 38 30   .a...._..1...X80
  0010:  30 39 30 33 30 43 3a 20  4c 64 61 70 45 72 72 3a   09030C: LdapErr:
  0020:  20 44 53 49 44 2d 30 43  30 39 30 35 33 45 2c 20    DSID-0C09053E,
  0030:  63 6f 6d 6d 65 6e 74 3a  20 41 63 63 65 70 74 53   comment: AcceptS
  0040:  65 63 75 72 69 74 79 43  6f 6e 74 65 78 74 20 65   ecurityContext e
  0050:  72 72 6f 72 2c 20 64 61  74 61 20 35 32 65 2c 20   rror, data 52e,
  0060:  76 31 64 62 31 00                                  v1db1.
ldap_write: want=7, written=7
  0000:  30 05 02 01 04 42 00                               0....B.

            LdapGroupBaseFQDN: OU=CP Users,DC=samba,DC=net
             LdapUserBaseFQDN: OU=CP Users,DC=samba,DC=net
               LdapSystemFQDN:
               LdapServerName: ad001.samba.net
               LdapServerPort: 389
              LdapServerRealm: samba.net
             LdapClientUseTls: no
         LdapClientTlsReqCert: never
          LdapClientMechanism: SASL/DIGEST-MD5
      LdapServiceBindRequired: no
        LdapClientTlsCRLCheck: none
 LdapAllowUnsafeServerConnect: yes
                UseLdapConfig: no
       AuthorizationSupported: no

tds_authenticate_authorize_user failed!
tdssasl_bind: Directory error - Invalid credentials
   additional info: 8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1


LDAP/AD supports two binding methods: DIGEST-MD5 binds (the default) and simple binds. Our theory is that the password of the users that fail is stored encrypted in AD, whereas it is not for the users that work. Whether or not the password is encrypted in AD does not matter for simple binds, but encrypted passwords cause DIGEST-MD5 binds to fail. Viewpoint uses simple binds, which is why the affected users can log in to Viewpoint with their AD password. Simple binds are the recommended method, and DIGEST-MD5 binds are to be deprecated in the relatively near future. We therefore changed the binding method from DIGEST-MD5 to simple bind, which solved the issue.

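The trace above shows what a DIGEST-MD5 bind actually sends: the server's challenge (nonce, realm, qop, algorithm=md5-sess) and the client's answer (username, cnonce, nc, qop, digest-uri and a 32-hex-digit response). The password itself never crosses the wire, which is exactly why the directory must be able to compute H(username:realm:password) on its side; if the only credential form it can use for the account does not allow that, the bind ends in "Invalid credentials" even though a simple bind, which delivers the password, would succeed. The following Python is an added worked example, not code from the original post or from Teradata: it implements the RFC 2831 md5-sess response computation, verifies it the way a server would from the stored H(username:realm:password), and contrasts it with how a simple bind is verified. The nonce, cnonce, realm and digest-uri are taken from the trace above; the password and the salt are constructed, so the response value will not match the one in the trace.

```python
import hashlib
import hmac

# Challenge and response parameters as they appear in the tdsbind trace above.
NONCE = ("+Upgraded+v16213c17d257f54c7d8207547c40c2a5d3766cc506414d501d5e78475"
         "3fa8df9c4ded197c3c08e1ce69b6a690fd5f05cca6c726b71726274c")
CNONCE = "WfYFp+KY9lOANPIR/YOkqV5ibxDbbDlwT3k630RMihM="
REALM = "samba.net"
DIGEST_URI = "ldap/adsrv01.samba.net"
QOP = "auth-conf"
NC = "00000001"


def md5_raw(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ha1_from_password(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password) as 16 raw bytes.

    This is the only password-derived value a DIGEST-MD5 verifier needs, and also the
    only form in which it can use the credential: a directory holding just a one-way
    hash of a different shape cannot complete the check.
    """
    return md5_raw(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_response(ha1: bytes, nonce: str, cnonce: str, nc: str, qop: str, digest_uri: str) -> str:
    """RFC 2831 response-value for algorithm=md5-sess, without an authzid."""
    a1 = ha1 + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32          # 32 zero hex digits for integrity/confidentiality qop
    kd = f"{md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5_hex(a2.encode('utf-8'))}"
    return md5_hex(kd.encode("utf-8"))


def server_verify(stored_ha1: bytes, client_response: str, nonce: str, cnonce: str,
                  nc: str, qop: str, digest_uri: str) -> bool:
    """What the directory does: recompute the response from its stored HA1 and compare."""
    expected = digest_response(stored_ha1, nonce, cnonce, nc, qop, digest_uri)
    return hmac.compare_digest(expected, client_response)


def simple_bind_verify(stored_one_way_hash: bytes, salt: bytes, password: str) -> bool:
    """Contrast: a simple bind delivers the password, so the directory can check it against
    any one-way form it stores (a salted SHA-256 here, constructed for the example)."""
    candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, stored_one_way_hash)


def demo():
    password = "constructed-example-password"   # constructed; the real password is not on the page
    ha1 = ha1_from_password("JAMES007", REALM, password)
    response = digest_response(ha1, NONCE, CNONCE, NC, QOP, DIGEST_URI)
    digest_ok = server_verify(ha1, response, NONCE, CNONCE, NC, QOP, DIGEST_URI)
    salt = b"constructed-salt"
    stored = hashlib.sha256(salt + password.encode("utf-8")).digest()
    simple_ok = simple_bind_verify(stored, salt, password)
    return response, digest_ok, simple_ok


if __name__ == "__main__":
    response, digest_ok, simple_ok = demo()
    print(f"response={response} digest_verified={digest_ok} simple_verified={simple_ok}")
```

The two verifiers make the page's theory concrete: `server_verify` can only ever be given `ha1`, so an account whose credential is not available to the directory in that exact form fails every DIGEST-MD5 bind, while `simple_bind_verify` works with whatever one-way form the directory keeps because the cleartext password arrives with the bind.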
Example of changing the binding method to simple bind:

The following configuration needs to be set in the file /opt/teradata/tdat/tdgss/site/TdgssUserConfigFile.xml:

                LdapServerName="ad001.samba.net"
                LdapServerPort="389"
                LdapServerRealm="samba.net"
                LdapSystemFQDN=""
                LdapBaseFQDN="OU=CP Users,DC=samba,DC=net"
                LdapClientMechanism="simple"
                LdapServiceBindRequired="yes"
                LdapServiceFQDN="CN= Teradata Service,OU=Service accounts,OU=Administration,DC=samba,DC=net"
                LdapServicePassword="********"
                LdapServicePasswordProtected="no"
               />

<IdentitySearch
    Match="(.*)"
    Base="OU=CP Users,DC=samba,DC=net"
    Scope="subtree"
    Filter="(sAMAccountName=${1})"/>

You will need to put the service account password in the LdapServicePassword attribute; it can also be stored encrypted if needed.

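Switching from DIGEST-MD5 to a simple bind moves the risk from the directory to the network: with DIGEST-MD5 the password never left the client, but a simple bind sends the user's password, and the service account's password, to the directory in cleartext unless the connection is protected by TLS. The tdsbind output earlier on this page shows LdapClientUseTls: no, LdapClientTlsReqCert: never and LdapAllowUnsafeServerConnect: yes against port 389, so the bind change should go together with a review of those properties. As an added example, not code from the original post or from Teradata, the following Python audits a mechanism-properties fragment for those settings and shows the weak configuration beside a corrected one. Assumptions: the enclosing element name MechanismProperties is assumed (the page shows only the attributes); "demand" for LdapClientTlsReqCert is assumed to mirror the OpenLDAP TLS_REQCERT values; and LdapAllowUnsafeServerConnect is read as its name suggests.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the simple-bind settings shown above.
# The element name MechanismProperties is assumed; the page shows only the attributes.
WEAK_CONFIG = """<MechanismProperties
    LdapServerName="ad001.samba.net"
    LdapServerPort="389"
    LdapServerRealm="samba.net"
    LdapClientMechanism="simple"
    LdapClientUseTls="no"
    LdapClientTlsReqCert="never"
    LdapAllowUnsafeServerConnect="yes"
    LdapServiceBindRequired="yes"
    LdapServicePassword="********"
    LdapServicePasswordProtected="no"
/>"""

# The same fragment with the transport and secret-storage settings corrected.
HARDENED_CONFIG = """<MechanismProperties
    LdapServerName="ad001.samba.net"
    LdapServerPort="389"
    LdapServerRealm="samba.net"
    LdapClientMechanism="simple"
    LdapClientUseTls="yes"
    LdapClientTlsReqCert="demand"
    LdapAllowUnsafeServerConnect="no"
    LdapServiceBindRequired="yes"
    LdapServicePassword="********"
    LdapServicePasswordProtected="yes"
/>"""


def audit_ldap_properties(xml_text: str) -> list:
    """Return a list of findings for one LDAP mechanism-properties element."""
    attrs = {k: v.strip().lower() for k, v in ET.fromstring(xml_text).attrib.items()}
    findings = []

    mechanism = attrs.get("LdapClientMechanism", "")
    use_tls = attrs.get("LdapClientUseTls", "no") == "yes"
    if mechanism == "simple" and not use_tls:
        findings.append("LdapClientMechanism=simple with LdapClientUseTls=no: "
                        "user and service-account passwords are sent to the directory in cleartext")

    if attrs.get("LdapClientTlsReqCert", "") == "never":
        findings.append("LdapClientTlsReqCert=never: the directory server's certificate is not verified")

    if attrs.get("LdapAllowUnsafeServerConnect", "no") == "yes":
        findings.append("LdapAllowUnsafeServerConnect=yes: connections without TLS protection are permitted")

    if (attrs.get("LdapServiceBindRequired", "no") == "yes"
            and attrs.get("LdapServicePasswordProtected", "no") != "yes"):
        findings.append("LdapServicePasswordProtected=no: the service-account password is stored "
                        "in clear text in the configuration file")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_ldap_properties(cfg) or "no findings")
```

Run it against the real TdgssUserConfigFile.xml by reading the mechanism element's text into `audit_ldap_properties`; the four checks correspond one-to-one to the properties visible in the tdsbind output, so an empty result means the simple bind is at least not exposing the password on the wire or in the file.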
Run tdsbind for the user again to confirm that the bind now succeeds with the new settings:

# /opt/teradata/tdat/tdgss/16.20.24.01/bin/tdsbind -u JAMES007

If it looks OK, the next step is to schedule a DBS RESTART.
