   Authentication against MIT Kerberos on RHEL clone
bona.ondrej
Authentication against MIT Kerberos on RHEL clone
« on: May 26th, 2008, 9:07pm »

Hello,
 
Does anybody know how to configure ASO to authenticate against MIT Kerberos?

I successfully installed MIT Kerberos and LDAP on localhost (CentOS 5). Kerberos and LDAP are working.

I followed the Oracle instructions at http://download.oracle.com/docs/cd/B19306_01/network.102/b14268/asokerb.htm#ASOAG060

I'm able to use all of Oracle's Kerberos tools such as okinit, oklist, etc. But I'm not able to use sqlplus (sqlplus /@SID). The connection ends with:

ORA-12638: Credential retrieval failed
    Cause: The authentication service failed to retrieve the credentials of a user.
    Action: Enable tracing to determine the exact error.

I think that the problem is in the sqlnet.ora configuration.

Here is the sqlnet.ora:
 
SQLNET.KERBEROS5_REALMS = /etc/krb5.conf
SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc_501
SQLNET.AUTHENTICATION_SERVICES= (BEQ, KERBEROS5)
TRACE_LEVEL_CLIENT = SUPPORT
TRACE_UNIQUE_CLIENT = on
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
TRACE_LEVEL_SERVER = SUPPORT
SQLNET.KERBEROS5_CONF = /etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT = TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = Kservice
 
Thanks in advance.
Ondrej
Re: Authentication against MIT Kerberos on RHEL cl
« Reply #1 on: May 30th, 2008, 1:36pm »

No help needed anymore, I solved it finally.
Pete Finnigan
Re: Authentication against MIT Kerberos on RHEL cl
« Reply #2 on: May 31st, 2008, 7:46pm »

Great, can you tell us the solution so that anyone in the future looking to solve the same issue will also get some help?
 
cheers and thanks
 
Pete
Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Ondrej
Re: Authentication against MIT Kerberos on RHEL cl
« Reply #3 on: Jun 1st, 2008, 9:00am »

Yes, of course.

There were two problems.
1. Service name - I was not sure which value was correct, so I got the name for the service from the KDC log. I have a case-sensitive host name and in the KDC log it was lowercase. Therefore I re-created the principal with the correct host name.

2. Encryption key compatibility - Oracle supports only the DES-CBC-CRC. So I re-created the principal for the service with this key, and when exporting the keytab for the service I also specified DES-CBC-CRC.
« Last Edit: Jun 1st, 2008, 9:01am by bona.ondrej »
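
An added example, not part of the original posts and not Oracle's or MIT's code: a shell filter over `klist -k -e` output that reports the two things reply #3 had to fix, a service principal whose host part differs from the requested name only by letter case, and the enctype of each matching key. `Kservice` comes from the sqlnet.ora in the first post; the host name, realm, keytab path and listing are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `klist -k -e <keytab>` output on
# stdin and checks entries for SERVICE/HOST, where HOST is the name the client
# will request (per the thread: the lower-case host name seen in the KDC log).
audit_keytab() {
    awk -v svc="$1" -v host="$2" '
        # Data rows: "<kvno> <service>/<host>@<REALM> (<enctype>)"
        $1 ~ /^[0-9]+$/ && index($2, "/") {
            split($2, p, "[/@]")        # p[1]=service, p[2]=host, p[3]=realm
            if (tolower(p[1]) != tolower(svc) || tolower(p[2]) != tolower(host))
                next                    # some other principal
            found = 1
            enc = $0
            sub(/^[^(]*\(/, "", enc)    # keep the text inside the parentheses
            sub(/\).*$/, "", enc)
            tag = (p[1] == svc && p[2] == host) ? "MATCH" : "CASE_MISMATCH"
            print tag " " $2 " enctype=" enc
        }
        END { if (!found) print "MISSING " svc "/" host }
    '
}

# Constructed sample listing (hypothetical host, realm and keytab path).
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/path/to/service.keytab
KVNO Principal
---- --------------------------------------------------------------------
   1 Kservice/DBHost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 Kservice/dbhost.example.com@EXAMPLE.COM (des-cbc-crc)
   2 host/dbhost.example.com@EXAMPLE.COM (des-cbc-crc)
EOF
}

sample_klist_output | audit_keytab Kservice dbhost.example.com
```

On a real host the listing would come from `klist -k -e` on the service keytab, and the reported enctype can then be compared with what the database release in use accepts.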
Pete Finnigan
Re: Authentication against MIT Kerberos on RHEL cl
« Reply #4 on: Jun 1st, 2008, 4:30pm »

Thank you
Ondrej
Re: Authentication against MIT Kerberos on RHEL cl
« Reply #5 on: Jun 2nd, 2008, 8:27am »

Hi,
 
I have a comment regarding the version used. The problem mentioned here was in 10g.

When I try the same with 11g there is also a problem. I set up the configuration in the same way as for 10g, but the connection ends with another interesting error:

ORA-01637: Packet receive failed.

In the 11g docs there is a comment regarding this error, but in another context.
 
After upgrading from a 32-bit version of Oracle Database, the first use of the Kerberos authentication adapter causes an error message: ORA-01637: Packet receive failed.
 
Workaround: After upgrading to the 64-bit version of the database and before using Kerberos external authentication method, check for a file named /usr/tmp/oracle_service_name.RC on your computer, and remove it.
Ondrej
Re: Authentication against MIT Kerberos on RHEL cl
« Reply #6 on: Jun 2nd, 2008, 11:14pm »

The problem was with the FQDN of the host in the /etc/hosts