Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security tools >> Authentication against MIT Kerberos on RHEL clone
(Message started by: Pete Finnigan on May 26th, 2008, 9:07pm)

Title: Authentication against MIT Kerberos on RHEL clone
Post by Pete Finnigan on May 26th, 2008, 9:07pm
Hello,

Does anybody know how to configure ASO to authenticate against MIT Kerberos.

I successfully install MIT Kerberos and LDAP on localhost (CentOS 5). The Kerberos and LDAP is working.

I follow up the Oracle instructions on (http://download.oracle.com/docs/cd/B19306_01/network.102/b14268/asokerb.htm#ASOAG060)

I'am able to use all Oracle's Kerberos tools such as okinit, oklist, etc. But I'm not able to use sqlplus (sqlplus /@SID). The connect ends up with the : ORA-12638: Credential retrieval failed
   Cause: The authentication service failed to retrieve the credentials of a user.
   Action: Enable tracing to determine the exact error.

I think that problem is in the sqlnet.ora configuration.

Here is the sqlnet.ora.

SQLNET.KERBEROS5_REALMS = /etc/krb5.conf

SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc_501

SQLNET.AUTHENTICATION_SERVICES= (BEQ, KERBEROS5)

TRACE_LEVEL_CLIENT = SUPPORT

TRACE_UNIQUE_CLIENT = on

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

TRACE_LEVEL_SERVER = SUPPORT

SQLNET.KERBEROS5_CONF = /etc/krb5.conf

SQLNET.KERBEROS5_CONF_MIT = TRUE

SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = Kservice

Thanks in advance.

Title: Re: Authentication against MIT Kerberos on RHEL cl
Post by Pete Finnigan on May 30th, 2008, 1:36pm
No help needed anymore, i solved it finally  ;D

Title: Re: Authentication against MIT Kerberos on RHEL cl
Post by Pete Finnigan on May 31st, 2008, 7:46pm
Great, can you tell us the solution so that anyone in the future looking to solve the same issue will also get some help?

cheers and thanks

Pete

Title: Re: Authentication against MIT Kerberos on RHEL cl
Post by Pete Finnigan on Jun 1st, 2008, 9:00am
Yes of course,

There were two problems.  
1. Service name - i was not sure which value is correct, so from the KDC log i get the name for service. I have case sensitive host name and in the KDC log was lowercase. Therefore i re-create the principal with the correct host name

2. Encryption key compatibility - Oracle supports only the DES-CBC-CRC. So I re-create the principal for service with this key and also when exporting keytab for service I specify the DES-CBC-CRC.

Title: Re: Authentication against MIT Kerberos on RHEL cl
Post by Pete Finnigan on Jun 1st, 2008, 4:30pm
Thank you

Title: Re: Authentication against MIT Kerberos on RHEL cl
Post by Pete Finnigan on Jun 2nd, 2008, 8:27am
Hi,

I have comment regarding the used version. The problem mention here was in 10g.

When I try the same with 11g there is also some problem. I set up the configuration in the same way as for 10g, but the connection end with another interesting error :)

ORA-01637: Packet receive failed.

In 11g docs there is some comment regarding this error but in another context.

After upgrading from a 32-bit version of Oracle Database, the first use of the Kerberos authentication adapter causes an error message: ORA-01637: Packet receive failed.

Workaround: After upgrading to the 64-bit version of the database and before using Kerberos external authentication method, check for a file named /usr/tmp/oracle_service_name.RC on your computer, and remove it.

Title: Re: Authentication against MIT Kerberos on RHEL cl
Post by Pete Finnigan on Jun 2nd, 2008, 11:14pm
The problem was with the FQDN of the host in the /etc/hosts



Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright 2000-2004 Yet another Bulletin Board