GSSAPI plug-in

The GSSAPI plug-in, centrifydc_db2gsskrb5, supports single sign on to a DB2 instance using the user’s Active Directory account. This plug-in assumes that the user requesting access to the database is already logged in to the client computer and has been authenticated through the Kerberos mechanism.

The GSSAPI plug-in allows users to run the connect and attach commands without specifying a user name and password even if the user is connecting from a remote DB2 client. It requires the user to have a valid Kerberos ticket. Generally, users obtain a Kerberos ticket automatically when they log in as an Active Directory user. However, in the following situations the user does not obtain a ticket automatically:

  • The user logs in to the DB2 server as a local, non-Active Directory user.
  • The user enters the UNIX command su - user as root to get a shell owned by another Active Directory user or local user.
  • The user logs in as a user who has both an Active Directory account and a local user account. However, the Active Directory account is not in the same zone as the machine you logged in to.

In each of these cases, the user needs to obtain Kerberos tickets before single sign-on support is provided.

To obtain tickets for an Active Directory user, type kinit user. The user is prompted for a password. To avoid being prompted, you can create a keytab file in advance using the adkeytab command, set the environment variable KRB5_KTNAME to the full path of your keytab file, and then run kinit -k user@DOMAIN to obtain the tickets.

Note:   If a user name is explicitly provided when only the GSSAPI plug-in is installed (for example, by entering the DB2 command connect to testdb user username using password), the plug-in first authenticates the given user to the Kerberos Key Distribution Center (KDC), and then obtains a ticket-granting ticket (TGT) upon success. The plug-in next uses the TGT to get a service ticket for the DB2 server.