CLI error: MTDP: EM_SSOLOGONFAIL(244): SSO logon failed by gateway in Teradata

Problem:

Some newly created user accounts, created in both LDAP/AD and the database, fail to log on to the database with their LDAP/AD password, although the same users can log on with their database password. Strangely, these new users can connect to Viewpoint with their LDAP/AD password, just not to the database. Previously created users can still connect to the database with their LDAP/AD password; only some of the newly created users are affected, failing to connect with their LDAP/AD password and receiving error 244. In the example below, user “JAMES007” fails to log on to the database with the LDAP/AD password.

# bteq

Teradata BTEQ 16.20.00.04 for LINUX. PID: 5079

Copyright 1984-2018, Teradata Corporation. ALL RIGHTS RESERVED.

Enter your logon or BTEQ command:

.logmech ldap

.logmech ldap

Teradata BTEQ 16.20.00.04 for LINUX. Enter your logon or BTEQ command:

.logon JAMES007

.logon JAMES007

Password:

* CLI error: MTDP: EM_SSOLOGONFAIL(244): SSO logon failed by gateway.

* Return code from CLI is: 244

* Error: Logon failed!

* Total elapsed time was 15 seconds.

# psh "grep 'May 22' /var/log/messages | grep -i ' JAMES007'"

byn001-11 (1):

May 22 10:08:32 prtd09 gtwgateway[28728]: ldap_sasl_bind_s: server ldap://ad001.samba.net:389, authcid JAMES007, error 49 (Invalid credentials), info (8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1)

# /opt/teradata/tdat/tdgss/16.20.24.01/bin/tdsbind -u JAMES007

Enter LDAP password:

tdgss_configure warning:

JWT Mechanism Disabled:(Error in setting verification key.)

LdapGroupBaseFQDN: OU=CP Users,DC=samba,DC=net

LdapUserBaseFQDN: OU=CP Users,DC=samba,DC=net

LdapSystemFQDN:

LdapServerName: ad001.samba.net

LdapServerPort: 389

LdapServerRealm: samba.net

LdapClientUseTls: no

LdapClientTlsReqCert: never

LdapClientMechanism: SASL/DIGEST-MD5

LdapServiceBindRequired: no

LdapClientTlsCRLCheck: none

LdapAllowUnsafeServerConnect: yes

UseLdapConfig: no

AuthorizationSupported: no

tds_authenticate_authorize_user failed!

tdssasl_bind: Directory error - Invalid credentials

additional info: 8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1
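As an added example (not part of the original page), here is a small Python triage of gtwgateway bind-failure lines like the one grepped from /var/log/messages above. It uses the AD "data" sub-code to separate a wrong password (52e) from account-state problems that also surface as LDAP error 49; the log lines it contains are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of the gtwgateway entries grepped from
# /var/log/messages above; hosts, users and timestamps are made up here.
SAMPLE_LOG = """\
May 22 10:08:32 prtd09 gtwgateway[28728]: ldap_sasl_bind_s: server ldap://ad001.samba.net:389, authcid JAMES007, error 49 (Invalid credentials), info (8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1)
May 22 10:09:01 prtd09 gtwgateway[28728]: ldap_sasl_bind_s: server ldap://ad001.samba.net:389, authcid JAMES007, error 49 (Invalid credentials), info (8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1)
May 22 10:11:45 prtd09 gtwgateway[28728]: ldap_sasl_bind_s: server ldap://ad001.samba.net:389, authcid ALICE42, error 49 (Invalid credentials), info (8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 775, v1db1)
May 22 10:12:03 prtd09 sshd[1200]: Accepted publickey for tdatuser from 10.0.0.5 port 51234 ssh2
"""

# Sub-codes Active Directory puts in the "data" field of an AcceptSecurityContext
# error; all of them are reported to the client as the same LDAP error 49.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_FAIL = re.compile(
    r"gtwgateway\[\d+\]: ldap_sasl_bind_s: server (?P<server>[^,]+), "
    r"authcid (?P<user>[^,]+), error (?P<err>\d+) \((?P<msg>[^)]*)\)"
    r"(?:.*?\bdata (?P<data>[0-9a-f]+),)?"
)

def triage_bind_failures(log_text):
    """Map each user to a Counter of failure reasons seen in gateway log lines."""
    per_user = defaultdict(Counter)
    for line in log_text.splitlines():
        m = BIND_FAIL.search(line)
        if not m:
            continue                      # not a gateway bind failure
        if m["data"]:
            reason = AD_DATA_CODES.get(m["data"], "AD data " + m["data"])
        else:
            reason = m["msg"]             # no AD sub-code in the line
        per_user[m["user"]][reason] += 1
    return dict(per_user)

if __name__ == "__main__":
    for user, reasons in triage_bind_failures(SAMPLE_LOG).items():
        print(user, dict(reasons))
```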

Solution:

First, check the logon rules in the database; they look fine for this user (LogonStatus G means logon is granted, and NullPassword T means the user may log on without a database password, i.e. through an external mechanism such as LDAP).

>sel * from dbc.logonrules where username in('JAMES007');

UserName   LogicalHostID  LogonStatus  NullPassword  CreatorName  CreateTimeStamp
---------  -------------  -----------  ------------  -----------  -------------------
JAMES007   1024           G            T             USERAdmin    2019-05-24 08:31:51

Now let's trace the bind for the user by running tdsbind in verbose mode and capturing its output.

# tdsbind -u JAMES007 -V2 > /tmp/tdsbind_JAMES007.out 2>&1

# cat /tmp/tdsbind_JAMES007.out

tdgss_configure warning:

JWT Mechanism Disabled:(Error in setting verification key.)

LdapGroupBaseFQDN: OU=CP Users,DC=samba,DC=net

LdapUserBaseFQDN: OU=CP Users,DC=samba,DC=net

LdapSystemFQDN:

LdapServerName: ad001.samba.net

LdapServerPort: 389

LdapServerRealm: samba.net

LdapClientUseTls: no

LdapClientTlsReqCert: never

LdapClientMechanism: SASL/DIGEST-MD5

LdapServiceBindRequired: no

LdapClientTlsCRLCheck: none

LdapAllowUnsafeServerConnect: yes

UseLdapConfig: no

AuthorizationSupported: no

tds_authenticate_authorize_user failed!

tdssasl_bind: Directory error - Invalid credentials

additional info: 8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1

LDAP/AD supports two bind methods: “DIGEST-MD5” binds (the default) and “simple” binds. Our theory here is that the password for the failing users is stored encrypted in AD, whereas it is not for the users that work. Whether or not the password is encrypted in AD does not matter for simple binds, but encrypted passwords cause DIGEST-MD5 binds to fail. Viewpoint uses simple binds, which is why the affected users can log in to Viewpoint with their AD password. Simple binds are the recommended method, and DIGEST-MD5 binds are to be deprecated in the relatively near future. We therefore changed the binding method from DIGEST-MD5 to simple bind, which resolved the issue.

Example of changing the binding method to “Simple bind”

The following configuration needs to be set in the file /opt/teradata/tdat/tdgss/site/TdgssUserConfigFile.xml (these attributes belong to the MechanismProperties element of the ldap Mechanism, followed by its IdentitySearch element):

  <MechanismProperties
      LdapServerName="ad001.samba.net"
      LdapServerPort="389"
      LdapServerRealm="samba.net"
      LdapSystemFQDN=""
      LdapBaseFQDN="OU=CP Users,DC=samba,DC=net"
      LdapClientMechanism="simple"
      LdapServiceBindRequired="yes"
      LdapServiceFQDN="CN=Teradata Service,OU=Service accounts,OU=Administration,DC=samba,DC=net"
      LdapServicePassword="********"
      LdapServicePasswordProtected="no"
  />

  <IdentitySearch
      Match="(.*)"
      Base="OU=CP Users,DC=samba,DC=net"
      Scope="subtree"
      Filter="(sAMAccountName=${1})"/>

You will need to put the service account's password in the “LdapServicePassword” attribute. It can also be stored in encrypted form if needed; the “LdapServicePasswordProtected” attribute states whether the value is the encrypted form. Then re-run tdsbind to confirm that the bind now succeeds:
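Switching from DIGEST-MD5 to simple bind means the user's AD password itself is sent in the bind request, so TLS to the directory becomes the control that protects it in transit. The following Python check, added here and not part of the original page or of TDGSS, reads a MechanismProperties fragment like the one above and flags that and two related settings; the XML element nesting is assumed for this example, and a missing LdapClientUseTls is assumed to behave like "no" (which is what tdsbind reported above).

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the ldap <Mechanism> block of
# TdgssUserConfigFile.xml; attribute values follow the page's example and the
# element nesting is assumed for this example.
WEAK_XML = """<Mechanism Name="ldap">
  <MechanismProperties
      LdapServerName="ad001.samba.net"
      LdapServerPort="389"
      LdapClientMechanism="simple"
      LdapClientUseTls="no"
      LdapClientTlsReqCert="never"
      LdapServiceBindRequired="yes"
      LdapServicePasswordProtected="no"
  />
</Mechanism>"""

def audit_ldap_properties(xml_text):
    """Return a list of findings about how this mechanism authenticates to AD."""
    props = ET.fromstring(xml_text).find("MechanismProperties")
    if props is None:
        return ["no MechanismProperties element found"]
    p = {k: v.strip().lower() for k, v in props.attrib.items()}
    findings = []
    # Assumption: a missing LdapClientUseTls behaves like "no", as tdsbind
    # reported for the page's configuration.
    tls = p.get("LdapClientUseTls", "no") == "yes"
    if p.get("LdapClientMechanism") == "simple" and not tls:
        findings.append("simple bind over a non-TLS connection: each user's AD "
                        "password crosses the network in cleartext")
    if p.get("LdapClientTlsReqCert") == "never":
        findings.append("LdapClientTlsReqCert=never: the directory server's "
                        "certificate is not verified, so TLS cannot detect an impostor")
    if (p.get("LdapServiceBindRequired") == "yes"
            and p.get("LdapServicePasswordProtected") != "yes"):
        findings.append("service account password is stored in cleartext "
                        "in TdgssUserConfigFile.xml")
    return findings

if __name__ == "__main__":
    for finding in audit_ldap_properties(WEAK_XML):
        print("-", finding)
```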

# /opt/teradata/tdat/tdgss/16.20.24.01/bin/tdsbind -u JAMES007

If the bind succeeds, the next step is to schedule a DBS restart so that the database picks up the new TDGSS configuration.