CLI error: MTDP: EM_SSOLOGONFAIL(244): SSO logon failed by gateway in Teradata
Problem:
Some user accounts were newly created in LDAP/AD and in the database. These new users fail to log on to the database with their LDAP/AD password, although they can log on with their database password. Strangely, the same new users can connect to Viewpoint with their LDAP/AD password, just not to the database. Previously created users can still connect to the database with their LDAP/AD password; only some of the newly created users are affected, failing to connect with the LDAP/AD password and receiving error 244. In the example below, user “JAMES007” fails to log on to the database with the LDAP/AD password.
# bteq
Teradata BTEQ 16.20.00.04 for LINUX. PID: 5079
Copyright 1984-2018, Teradata Corporation. ALL RIGHTS RESERVED.
Enter your logon or BTEQ command:
.logmech ldap
.logmech ldap
Teradata BTEQ 16.20.00.04 for LINUX. Enter your logon or BTEQ command:
.logon JAMES007
.logon JAMES007
Password:
* CLI error: MTDP: EM_SSOLOGONFAIL(244): SSO logon failed by gateway.
* Return code from CLI is: 244
* Error: Logon failed!
* Total elapsed time was 15 seconds.
# psh "grep 'May 22' /var/log/messages | grep -i ' JAMES007'"
byn001-11 (1):
May 22 10:08:32 prtd09 gtwgateway[28728]: ldap_sasl_bind_s: server ldap://ad001.samba.net:389, authcid JAMES007, error 49 (Invalid credentials), info (8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1)
# /opt/teradata/tdat/tdgss/16.20.24.01/bin/tdsbind -u JAMES007
Enter LDAP password:
tdgss_configure warning:
JWT Mechanism Disabled:(Error in setting verification key.)
LdapGroupBaseFQDN: OU=CP Users,DC=samba,DC=net
LdapUserBaseFQDN: OU=CP Users,DC=samba,DC=net
LdapSystemFQDN:
LdapServerName: ad001.samba.net
LdapServerPort: 389
LdapServerRealm: samba.net
LdapClientUseTls: no
LdapClientTlsReqCert: never
LdapClientMechanism: SASL/DIGEST-MD5
LdapServiceBindRequired: no
LdapClientTlsCRLCheck: none
LdapAllowUnsafeServerConnect: yes
UseLdapConfig: no
AuthorizationSupported: no
tds_authenticate_authorize_user failed!
tdssasl_bind: Directory error - Invalid credentials
additional info: 8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1
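All three outputs above end in the same Active Directory sub-code, “data 52e”, inside the 8009030C AcceptSecurityContext error. The following Python helper is an added example (not part of the original page or of Teradata's tools) that pulls the user, server and sub-code out of gtwgateway syslog lines and tdsbind output and maps the sub-code to its meaning, so a burst of failures for one new account, or a lockout (775), is visible at a glance. The first sample line is the gateway message from this page; the other sample lines are constructed.

```python
import re
from collections import Counter

# Sub-codes AD places after "data" in its AcceptSecurityContext error
# (LDAP result 49, reported as "error 49" in the gateway log).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-f]+)", re.IGNORECASE)
AUTHCID_RE = re.compile(r"authcid (?P<user>[^,\s]+)")
SERVER_RE = re.compile(r"server (?P<server>ldaps?://[^,\s]+)")


def triage_bind_line(line: str):
    """Describe one failed bind from a gtwgateway syslog line or tdsbind output.
    Returns None when the line carries no AcceptSecurityContext error."""
    m = DATA_RE.search(line)
    if not m:
        return None
    code = m.group("code").lower()
    user = AUTHCID_RE.search(line)
    server = SERVER_RE.search(line)
    return {
        "user": user.group("user") if user else None,      # tdsbind lines carry no authcid
        "server": server.group("server") if server else None,
        "ad_code": code,
        "reason": AD_BIND_SUBCODES.get(code, "unknown sub-code"),
    }


def summarize(lines):
    """Count failures per (user, reason) so one account failing repeatedly, or a
    lockout, stands out from ordinary noise."""
    counts = Counter()
    for line in lines:
        info = triage_bind_line(line)
        if info is not None:
            counts[(info["user"], info["reason"])] += 1
    return counts


# Sample input: line 0 is the gateway message from this page; the rest are constructed.
SAMPLE_LINES = [
    "May 22 10:08:32 prtd09 gtwgateway[28728]: ldap_sasl_bind_s: server ldap://ad001.samba.net:389, authcid JAMES007, error 49 (Invalid credentials), info (8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1)",
    "May 22 10:09:05 prtd09 gtwgateway[28728]: ldap_sasl_bind_s: server ldap://ad001.samba.net:389, authcid JAMES007, error 49 (Invalid credentials), info (8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1)",
    "May 22 10:11:47 prtd09 gtwgateway[28728]: ldap_sasl_bind_s: server ldap://ad001.samba.net:389, authcid JSMITH, error 49 (Invalid credentials), info (8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 775, v1db1)",
    "May 22 10:12:00 prtd09 systemd[1]: Started Session 42 of user root.",
]

if __name__ == "__main__":
    for (user, reason), n in sorted(summarize(SAMPLE_LINES).items(), key=str):
        print(f"{user}: {reason} x{n}")
```

Run it against `grep gtwgateway /var/log/messages` output (or the tdsbind output file) instead of the sample list; the 52e code alone says only “invalid credentials”, which is why the page goes on to look at the bind mechanism rather than the password.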
Solution:
First, check the logon rules in the database; they look fine for the user.
>sel * from dbc.logonrules where username in('JAMES007');
UserName LogicalHostID LogonStatus NullPassword CreatorName CreateTimeStamp
------------------------------ ------------- ----------- ------------ ------------------------------ -------------
JAMES007 1024 G T USERAdmin 2019-05-24 08:31:51
Now let's capture a verbose tdsbind trace for the user and look at it.
#tdsbind -u JAMES007 -V2 > /tmp/tdsbind_JAMES007.out 2>&1
# cat /tmp/tdsbind_JAMES007.out
tdgss_configure warning:
JWT Mechanism Disabled:(Error in setting verification key.)
ldap_write: want=165, written=165
0000: 30 81 a2 02 01 01 63 81 9c 04 00 0a 01 00 0a 01 0.....c.........
0010: 00 02 01 00 02 01 00 01 01 00 87 0b 6f 62 6a 65 ............obje
0020: 63 74 43 6c 61 73 73 30 7c 04 0b 6f 62 6a 65 63 ctClass0|..objec
0030: 74 43 6c 61 73 73 04 15 73 75 70 70 6f 72 74 65 tClass..supporte
0040: 64 43 61 70 61 62 69 6c 69 74 69 65 73 04 14 64 dCapabilities..d
0050: 65 66 61 75 6c 74 4e 61 6d 69 6e 67 43 6f 6e 74 efaultNamingCont
0060: 65 78 74 04 10 6e 65 74 73 63 61 70 65 6d 64 73 ext..netscapemds
0070: 75 66 66 69 78 04 12 73 75 70 70 6f 72 74 65 64 uffix..supported
0080: 45 78 74 65 6e 73 69 6f 6e 04 1a 63 6f 6e 66 69 Extension..confi
0090: 67 75 72 61 74 69 6f 6e 4e 61 6d 69 6e 67 43 6f gurationNamingCo
00a0: 6e 74 65 78 74 ntext
ldap_read: want=8, got=8
0000: 30 84 00 00 01 b3 02 01 0.......
ldap_read: want=433, got=433
0000: 01 64 84 00 00 01 aa 04 00 30 84 00 00 01 a2 30 .d.......0.....0
0010: 84 00 00 00 2d 04 14 64 65 66 61 75 6c 74 4e 61 ....-..defaultNa
0020: 6d 69 6e 67 43 6f 6e 74 65 78 74 31 84 00 00 00 mingContext1....
0030: 11 04 0f 44 43 3d 73 61 6d 62 61 2c 44 43 3d 6e ...DC=samba,DC=n
0040: 65 74 30 84 00 00 00 44 04 1a 63 6f 6e 66 69 67 et0....D..config
0050: 75 72 61 74 69 6f 6e 4e 61 6d 69 6e 67 43 6f 6e urationNamingCon
0060: 74 65 78 74 31 84 00 00 00 22 04 20 43 4e 3d 43 text1....". CN=C
0070: 6f 6e 66 69 67 75 72 61 74 69 6f 6e 2c 44 43 3d onfiguration,DC=
0080: 73 61 6d 62 61 2c 44 43 3d 6e 65 74 30 84 00 00 samba,DC=net0...
0090: 00 99 04 15 73 75 70 70 6f 72 74 65 64 43 61 70 ....supportedCap
00a0: 61 62 69 6c 69 74 69 65 73 31 84 00 00 00 7c 04 abilities1....|.
00b0: 16 31 2e 32 2e 38 34 30 2e 31 31 33 35 35 36 2e .1.2.840.113556.
00c0: 31 2e 34 2e 38 30 30 04 17 31 2e 32 2e 38 34 30 1.4.800..1.2.840
00d0: 2e 31 31 33 35 35 36 2e 31 2e 34 2e 31 36 37 30 .113556.1.4.1670
00e0: 04 17 31 2e 32 2e 38 34 30 2e 31 31 33 35 35 36 ..1.2.840.113556
00f0: 2e 31 2e 34 2e 31 37 39 31 04 17 31 2e 32 2e 38 .1.4.1791..1.2.8
0100: 34 30 2e 31 31 33 35 35 36 2e 31 2e 34 2e 31 39 40.113556.1.4.19
0110: 33 35 04 17 31 2e 32 2e 38 34 30 2e 31 31 33 35 35..1.2.840.1135
0120: 35 36 2e 31 2e 34 2e 32 30 38 30 30 84 00 00 00 56.1.4.20800....
0130: 80 04 12 73 75 70 70 6f 72 74 65 64 45 78 74 65 ...supportedExte
0140: 6e 73 69 6f 6e 31 84 00 00 00 66 04 16 31 2e 33 nsion1....f..1.3
0150: 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 36 2e 32 30 .6.1.4.1.1466.20
0160: 30 33 37 04 1a 31 2e 33 2e 36 2e 31 2e 34 2e 31 037..1.3.6.1.4.1
0170: 2e 31 34 36 36 2e 31 30 31 2e 31 31 39 2e 31 04 .1466.101.119.1.
0180: 17 31 2e 32 2e 38 34 30 2e 31 31 33 35 35 36 2e .1.2.840.113556.
0190: 31 2e 34 2e 31 37 38 31 04 17 31 2e 33 2e 36 2e 1.4.1781..1.3.6.
01a0: 31 2e 34 2e 31 2e 34 32 30 33 2e 31 2e 31 31 2e 1.4.1.4203.1.11.
01b0: 33 3
ldap_read: want=8, got=8
0000: 30 84 00 00 00 10 02 01 0.......
ldap_read: want=14, got=14
0000: 01 65 84 00 00 00 07 0a 01 00 04 00 04 00 .e............
ldap_write: want=26, written=26
0000: 30 18 02 01 02 60 13 02 01 03 04 00 a3 0c 04 0a 0....`..........
0010: 44 49 47 45 53 54 2d 4d 44 35 DIGEST-MD5
ldap_read: want=8, got=8
0000: 30 84 00 00 00 fb 02 01 0.......
ldap_read: want=249, got=249
0000: 02 61 84 00 00 00 f2 0a 01 0e 04 00 04 00 87 82 .a..............
0010: 00 e7 71 6f 70 3d 22 61 75 74 68 2c 61 75 74 68 ..qop="auth,auth
0020: 2d 69 6e 74 2c 61 75 74 68 2d 63 6f 6e 66 22 2c -int,auth-conf",
0030: 63 69 70 68 65 72 3d 22 33 64 65 73 2c 72 63 34 cipher="3des,rc4
0040: 22 2c 61 6c 67 6f 72 69 74 68 6d 3d 6d 64 35 2d ",algorithm=md5-
0050: 73 65 73 73 2c 6e 6f 6e 63 65 3d 22 2b 55 70 67 sess,nonce="+Upg
0060: 72 61 64 65 64 2b 76 31 36 32 31 33 63 31 37 64 raded+v16213c17d
0070: 32 35 37 66 35 34 63 37 64 38 32 30 37 35 34 37 257f54c7d8207547
0080: 63 34 30 63 32 61 35 64 33 37 36 36 63 63 35 30 c40c2a5d3766cc50
0090: 36 34 31 34 64 35 30 31 64 35 65 37 38 34 37 35 6414d501d5e78475
00a0: 33 66 61 38 64 66 39 63 34 64 65 64 31 39 37 63 3fa8df9c4ded197c
00b0: 33 63 30 38 65 31 63 65 36 39 62 36 61 36 39 30 3c08e1ce69b6a690
00c0: 66 64 35 66 30 35 63 63 61 36 63 37 32 36 62 37 fd5f05cca6c726b7
00d0: 31 37 32 36 32 37 34 63 22 2c 63 68 61 72 73 65 1726274c",charse
00e0: 74 3d 75 74 66 2d 38 2c 72 65 61 6c 6d 3d 22 73 t=utf-8,realm="s
00f0: 61 6d 62 61 2e 6e 65 74 22 amba.net"
ldap_write: want=389, written=389
0000: 30 82 01 81 02 01 03 60 82 01 7a 02 01 03 04 00 0......`..z.....
0010: a3 82 01 71 04 0a 44 49 47 45 53 54 2d 4d 44 35 ...q..DIGEST-MD5
0020: 04 82 01 61 75 73 65 72 6e 61 6d 65 3d 22 41 39 ...ausername="A9
0030: 34 34 37 36 22 2c 72 65 61 6c 6d 3d 22 73 61 6d 4476",realm="sam
0040: 62 61 2e 6e 65 74 22 2c 6e 6f 6e 63 65 3d 22 2b ba.net",nonce="+
0050: 55 70 67 72 61 64 65 64 2b 76 31 36 32 31 33 63 Upgraded+v16213c
0060: 31 37 64 32 35 37 66 35 34 63 37 64 38 32 30 37 17d257f54c7d8207
0070: 35 34 37 63 34 30 63 32 61 35 64 33 37 36 36 63 547c40c2a5d3766c
0080: 63 35 30 36 34 31 34 64 35 30 31 64 35 65 37 38 c506414d501d5e78
0090: 34 37 35 33 66 61 38 64 66 39 63 34 64 65 64 31 4753fa8df9c4ded1
00a0: 39 37 63 33 63 30 38 65 31 63 65 36 39 62 36 61 97c3c08e1ce69b6a
00b0: 36 39 30 66 64 35 66 30 35 63 63 61 36 63 37 32 690fd5f05cca6c72
00c0: 36 62 37 31 37 32 36 32 37 34 63 22 2c 63 6e 6f 6b71726274c",cno
00d0: 6e 63 65 3d 22 57 66 59 46 70 2b 4b 59 39 6c 4f nce="WfYFp+KY9lO
00e0: 41 4e 50 49 52 2f 59 4f 6b 71 56 35 69 62 78 44 ANPIR/YOkqV5ibxD
00f0: 62 62 44 6c 77 54 33 6b 36 33 30 52 4d 69 68 4d bbDlwT3k630RMihM
0100: 3d 22 2c 6e 63 3d 30 30 30 30 30 30 30 31 2c 71 =",nc=00000001,q
0110: 6f 70 3d 61 75 74 68 2d 63 6f 6e 66 2c 63 69 70 op=auth-conf,cip
0120: 68 65 72 3d 72 63 34 2c 6d 61 78 62 75 66 3d 31 her=rc4,maxbuf=1
0130: 36 37 37 37 32 31 35 2c 64 69 67 65 73 74 2d 75 6777215,digest-u
0140: 72 69 3d 22 6c 64 61 70 2f 61 64 73 72 76 30 31 ri="ldap/adsrv01
0150: 2e 73 61 6d 62 61 2e 6e 65 74 22 2c 72 65 73 70 .samba.net",resp
0160: 6f 6e 73 65 3d 37 39 33 31 31 64 34 65 64 33 35 onse=79311d4ed35
0170: 32 63 32 31 39 64 37 38 61 66 63 38 64 63 38 65 2c219d78afc8dc8e
0180: 66 62 34 39 61 fb49a
ldap_read: want=8, got=8
0000: 30 84 00 00 00 68 02 01 0....h..
ldap_read: want=102, got=102
0000: 03 61 84 00 00 00 5f 0a 01 31 04 00 04 58 38 30 .a...._..1...X80
0010: 30 39 30 33 30 43 3a 20 4c 64 61 70 45 72 72 3a 09030C: LdapErr:
0020: 20 44 53 49 44 2d 30 43 30 39 30 35 33 45 2c 20 DSID-0C09053E,
0030: 63 6f 6d 6d 65 6e 74 3a 20 41 63 63 65 70 74 53 comment: AcceptS
0040: 65 63 75 72 69 74 79 43 6f 6e 74 65 78 74 20 65 ecurityContext e
0050: 72 72 6f 72 2c 20 64 61 74 61 20 35 32 65 2c 20 rror, data 52e,
0060: 76 31 64 62 31 00 v1db1.
ldap_write: want=7, written=7
0000: 30 05 02 01 04 42 00 0....B.
LdapGroupBaseFQDN: OU=CP Users,DC=samba,DC=net
LdapUserBaseFQDN: OU=CP Users,DC=samba,DC=net
LdapSystemFQDN:
LdapServerName: ad001.samba.net
LdapServerPort: 389
LdapServerRealm: samba.net
LdapClientUseTls: no
LdapClientTlsReqCert: never
LdapClientMechanism: SASL/DIGEST-MD5
LdapServiceBindRequired: no
LdapClientTlsCRLCheck: none
LdapAllowUnsafeServerConnect: yes
UseLdapConfig: no
AuthorizationSupported: no
tds_authenticate_authorize_user failed!
tdssasl_bind: Directory error - Invalid credentials
additional info: 8009030C: LdapErr: DSID-0C09053E, comment: AcceptSecurityContext error, data 52e, v1db1
LDAP/AD supports two bind methods, “DIGEST-MD5” binds (the default) and “simple” binds. Our theory here is that the password of the failing users is encrypted in AD, whereas it is not encrypted in AD for the users that work. Whether or not the password is encrypted in AD does not matter for “simple” binds, but encrypted passwords will cause “DIGEST-MD5” binds to fail. Viewpoint uses “simple” binds, which is why the affected users can log in to Viewpoint with their AD password. “Simple” binds are recommended; “DIGEST-MD5” binds are to be deprecated in the relatively near future. We therefore changed the bind method from “DIGEST-MD5” to “simple”, which solved the issue.
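Why the bind method matters can be seen in the DIGEST-MD5 exchange captured in the tdsbind trace above (the server challenge with qop, nonce and realm, then the client's username, cnonce, digest-uri and response). RFC 2831 has both sides compute H(username:realm:password), so the server can only verify the response if it can recover the password; with a simple bind the password itself arrives and any stored form can be checked. The Python below is an added example, not the page's or Teradata's code: it implements the RFC 2831 response computation, replays it with the challenge, cnonce and digest-uri taken from the trace, and models a constructed credential store in which one user's password is recoverable and the new user's is stored only as a one-way hash. The passwords, the user OLDUSER and the store layout are assumptions for the illustration.

```python
import hashlib
import hmac
import re


def parse_digest_challenge(challenge: str) -> dict:
    """Split the DIGEST-MD5 server challenge (RFC 2831 section 2.1.1) into fields.
    Quoted values may contain commas, e.g. qop="auth,auth-int,auth-conf"."""
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|[^,]*)', challenge)}


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri) -> str:
    """response-value of RFC 2831 section 2.1.2.1. The first step needs the password
    (or H(username:realm:password) kept in recoverable form) on BOTH sides."""
    a1 = _h(f"{username}:{realm}:{password}".encode("utf-8")) + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd = ":".join([_h(a1).hex(), nonce, nc, cnonce, qop, _h(a2.encode("utf-8")).hex()])
    return _h(kd.encode("utf-8")).hex()


def client_digest_response(username, password, challenge, cnonce, digest_uri, qop="auth-conf") -> dict:
    """Fields the client sends back (compare username=, realm=, nonce=, cnonce=, response= in the trace)."""
    if qop not in challenge["qop"].split(","):
        raise ValueError(f"server did not offer qop={qop}")
    fields = {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
              "cnonce": cnonce, "nc": "00000001", "qop": qop, "digest-uri": digest_uri}
    fields["response"] = digest_md5_response(username, fields["realm"], password, fields["nonce"],
                                             cnonce, fields["nc"], qop, digest_uri)
    return fields


# Constructed credential store standing in for the directory: OLDUSER's password is recoverable,
# JAMES007 (the new account) has only a one-way hash.
DIRECTORY = {
    "OLDUSER": {"cleartext": "Winter2019!"},
    "JAMES007": {"sha256": hashlib.sha256(b"Spring2019!").hexdigest()},
}


def server_verify_digest(fields: dict, store: dict) -> str:
    """Server side of a DIGEST-MD5 bind, returning an AD-style sub-code."""
    entry = store.get(fields["username"])
    if entry is None:
        return "525 user not found"
    if "cleartext" not in entry:
        # H(username:realm:password) cannot be recomputed from a one-way hash; a real
        # directory reports plain 52e here, which is exactly what the gateway log shows.
        return "52e invalid credentials (no recoverable password to compute A1)"
    expected = digest_md5_response(fields["username"], fields["realm"], entry["cleartext"],
                                   fields["nonce"], fields["cnonce"], fields["nc"],
                                   fields["qop"], fields["digest-uri"])
    return "ok" if hmac.compare_digest(expected, fields["response"]) else "52e invalid credentials"


def server_verify_simple(username: str, password: str, store: dict) -> str:
    """Server side of a simple bind: the password itself arrives, so any stored form can be checked."""
    entry = store.get(username)
    if entry is None:
        return "525 user not found"
    if "cleartext" in entry:
        ok = hmac.compare_digest(entry["cleartext"].encode("utf-8"), password.encode("utf-8"))
    else:
        ok = hmac.compare_digest(entry["sha256"], hashlib.sha256(password.encode("utf-8")).hexdigest())
    return "ok" if ok else "52e invalid credentials"


# Challenge, cnonce and digest-uri as decoded from the tdsbind trace on this page.
SERVER_CHALLENGE = ('qop="auth,auth-int,auth-conf",cipher="3des,rc4",algorithm=md5-sess,'
                    'nonce="+Upgraded+v16213c17d257f54c7d8207547c40c2a5d3766cc506414d501d5e7847'
                    '53fa8df9c4ded197c3c08e1ce69b6a690fd5f05cca6c726b71726274c",'
                    'charset=utf-8,realm="samba.net"')
CNONCE = "WfYFp+KY9lOANPIR/YOkqV5ibxDbbDlwT3k630RMihM="
DIGEST_URI = "ldap/adsrv01.samba.net"

if __name__ == "__main__":
    ch = parse_digest_challenge(SERVER_CHALLENGE)
    for user, pw in (("OLDUSER", "Winter2019!"), ("JAMES007", "Spring2019!")):
        print(user, "digest:", server_verify_digest(client_digest_response(user, pw, ch, CNONCE, DIGEST_URI), DIRECTORY),
              "| simple:", server_verify_simple(user, pw, DIRECTORY))
```

The trade-off the model makes visible: DIGEST-MD5 never puts the password on the wire but forces the directory to keep it recoverable, while a simple bind sends the password itself, so with the configuration shown on this page (LdapClientUseTls: no, port 389) it travels in clear text unless TLS is enabled on the connection.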
Example of changing the bind method to “simple bind”
The following settings need to be configured on the ldap mechanism in /opt/teradata/tdat/tdgss/site/TdgssUserConfigFile.xml (the enclosing Mechanism and MechanismProperties elements are shown for context; the attributes below are the ones that change):
<Mechanism Name="ldap">
    <MechanismProperties
        LdapServerName="ad001.samba.net"
        LdapServerPort="389"
        LdapServerRealm="samba.net"
        LdapSystemFQDN=""
        LdapBaseFQDN="OU=CP Users,DC=samba,DC=net"
        LdapClientMechanism="simple"
        LdapServiceBindRequired="yes"
        LdapServiceFQDN="CN=Teradata Service,OU=Service accounts,OU=Administration,DC=samba,DC=net"
        LdapServicePassword="********"
        LdapServicePasswordProtected="no"
    />
    <IdentitySearch
        Match="(.*)"
        Base="OU=CP Users,DC=samba,DC=net"
        Scope="subtree"
        Filter="(sAMAccountName=${1})"/>
</Mechanism>
You will need to put the service account password in the “LdapServicePassword” attribute; it can also be stored encrypted if needed.
Then test the bind for the affected user again:
# /opt/teradata/tdat/tdgss/16.20.24.01/bin/tdsbind -u JAMES007
If it looks OK, the next step is to schedule a DBS restart so the new configuration takes effect.