The example shows how to use tdgssauth to debug a Kerberos configuration:
$ kinit jdoe Password for jdoe@EXAMPLE.COM: $ tdgssauth -m KRB5 -n TERADATA/dbc1.example.com -i 10.0.1.195 Status: authenticated, not authorized Database user: jdoe [permanent user] Authenticating domain: EXAMPLE.COM Actual mechanism employed: KRB5 [OID 1.2.840.113554.1.2.2] Security context capabilities: mutual authentication confidentiality integrity protection ready exportable security context Minimum quality of protection: none Options: none
The example first uses kinit to establish a credential for user jdoe in the default domain (example.com in this case).
The next command is the tdgssauth command specifying the KRB5 mechanism (with the -m option), the service principal name consisting of the string TERADATA/ followed by the fully qualified primary DNS name of the node being tested (-n option) and the IP address of the client (the –i option).
If you omit the –i option, you get the following output:
$ kinit jdoe Password for jdoe@EXAMPLE.COM: $ tdgssauth -m KRB5 -n TERADATA/dbc1.example.com Status: authenticated, not authorized Database user: jdoe [permanent user] Authenticating domain: EXAMPLE.COM Actual mechanism employed: KRB5 [OID 1.2.840.113554.1.2.2] Security context capabilities: mutual authentication confidentiality integrity protection ready exportable security context *** WARNING: Policy checks will not be made; IP address and/or user name was not specified. *** Please include -i and -u options if policy checks are to be made.