Example: Using tdgssauth to Debug Kerberos - Analytics Database - Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2024-02-29

The example shows how to use tdgssauth to debug a Kerberos configuration:

$ kinit jdoe
Password for jdoe@EXAMPLE.COM: 

$ tdgssauth -m KRB5 -n TERADATA/dbc1.example.com -i 10.0.1.195
                        Status: authenticated, not authorized
                 Database user: jdoe [permanent user]
         Authenticating domain: EXAMPLE.COM
     Actual mechanism employed: KRB5 [OID 1.2.840.113554.1.2.2]

 Security context capabilities: mutual authentication
                                confidentiality
                                integrity
                                protection ready
                                exportable security context

 Minimum quality of protection: none
                       Options: none

The example first uses kinit to establish a credential for user jdoe in the default domain (example.com in this case).

The next command is tdgssauth, which specifies the KRB5 mechanism (the -m option), the service principal name, consisting of the string TERADATA/ followed by the fully qualified primary DNS name of the node being tested (the -n option), and the IP address of the client (the -i option).

If you omit the -i option, you get the following output:

$ kinit jdoe
Password for jdoe@EXAMPLE.COM: 

$ tdgssauth -m KRB5 -n TERADATA/dbc1.example.com
                        Status: authenticated, not authorized
                 Database user: jdoe [permanent user]
         Authenticating domain: EXAMPLE.COM
     Actual mechanism employed: KRB5 [OID 1.2.840.113554.1.2.2]

 Security context capabilities: mutual authentication
                                confidentiality
                                integrity
                                protection ready
                                exportable security context

*** WARNING: Policy checks will not be made; IP address and/or user name was not specified.
***          Please include -i and -u options if policy checks are to be made.
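
The two runs above differ only in the trailing warning, so a script that wraps tdgssauth needs to check for that warning and not rely on the Status line alone. The following is an added example, not Teradata code: it parses captured tdgssauth output in the format shown on this page. The function names are hypothetical and the sample text is constructed from the page's two runs.

```shell
#!/bin/sh
# Added example: parse captured tdgssauth output (layout as shown on this page).
# Function names are hypothetical; the sample text is built from the page's runs.

# Print the value of a "Label: value" line read from stdin.
tdgss_field() {
    awk -v want="$1" '{
        pos = index($0, ": "); if (pos == 0) next
        label = substr($0, 1, pos - 1); gsub(/^[ \t]+|[ \t]+$/, "", label)
        if (label != want) next
        value = substr($0, pos + 2); gsub(/^[ \t]+|[ \t]+$/, "", value)
        print value; exit
    }'
}

# Succeed if the output carries the "policy checks will not be made" warning.
tdgss_policy_skipped() {
    grep -q 'WARNING: Policy checks will not be made'
}

# One-line summary suitable for a log or a health check.
tdgss_summary() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | tdgss_field "Status")
    mech=$(printf '%s\n' "$out" | tdgss_field "Actual mechanism employed")
    user=$(printf '%s\n' "$out" | tdgss_field "Database user")
    if printf '%s\n' "$out" | tdgss_policy_skipped; then
        policy=skipped
    else
        policy=no-warning
    fi
    printf 'user=%s mech=%s status=%s policy_checks=%s\n' \
        "${user%% *}" "${mech%% *}" "$status" "$policy"
}

# Constructed sample: pass "no-ip" to append the warning seen when -i is omitted.
sample_output() {
    cat <<'EOF'
                        Status: authenticated, not authorized
                 Database user: jdoe [permanent user]
         Authenticating domain: EXAMPLE.COM
     Actual mechanism employed: KRB5 [OID 1.2.840.113554.1.2.2]
EOF
    [ "${1:-}" = "no-ip" ] && cat <<'EOF'
*** WARNING: Policy checks will not be made; IP address and/or user name was not specified.
EOF
    return 0
}

sample_output | tdgss_summary
sample_output no-ip | tdgss_summary
```

In real use, pipe the output of the tdgssauth command into tdgss_summary in place of sample_output.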