Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on May 26th, 2008, 9:07pm)

Title: Authentication against MIT Kerberos on RHEL clone
Post by Pete Finnigan on May 26th, 2008, 9:07pm
Hello,

Does anybody know how to configure ASO to authenticate against MIT Kerberos?

I successfully installed MIT Kerberos and LDAP on localhost (CentOS 5). Kerberos and LDAP are working.

I followed the Oracle instructions at (http://download.oracle.com/docs/cd/B19306_01/network.102/b14268/asokerb.htm#ASOAG060)

I am able to use all of Oracle's Kerberos tools such as okinit, oklist, etc., but I am not able to use sqlplus (sqlplus /@SID). The connection ends with: ORA-12638: Credential retrieval failed
   Cause: The authentication service failed to retrieve the credentials of a user.
   Action: Enable tracing to determine the exact error.

I think the problem is in the sqlnet.ora configuration.

Here is the sqlnet.ora:

SQLNET.KERBEROS5_REALMS = /etc/krb5.conf
SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc_501
SQLNET.AUTHENTICATION_SERVICES= (BEQ, KERBEROS5)
TRACE_LEVEL_CLIENT = SUPPORT
TRACE_UNIQUE_CLIENT = on
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
TRACE_LEVEL_SERVER = SUPPORT
SQLNET.KERBEROS5_CONF = /etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT = TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = Kservice

Thanks in advance.

Title: Re: Authentication against MIT Kerberos on RHEL cl
Post by Pete Finnigan on May 30th, 2008, 1:36pm
No help needed anymore, I solved it finally ;D

Title: Re: Authentication against MIT Kerberos on RHEL cl
Post by Pete Finnigan on May 31st, 2008, 7:46pm
Great, can you tell us the solution so that anyone in the future looking to solve the same issue will also get some help?

cheers and thanks

Pete

Title: Re: Authentication against MIT Kerberos on RHEL cl
Post by Pete Finnigan on Jun 1st, 2008, 9:00am
Yes of course,

There were two problems.
1. Service name - I was not sure which value was correct, so I got the service name from the KDC log. I have a case-sensitive host name, and in the KDC log it was lowercase. Therefore I re-created the principal with the correct host name.

2. Encryption key compatibility - Oracle supports only DES-CBC-CRC. So I re-created the principal for the service with this key, and when exporting the keytab for the service I also specified DES-CBC-CRC.
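
An added example, not part of the original post and not Oracle's tooling: a Python check for the two problems described in the post above, run over a sqlnet.ora fragment and a keytab listing in the layout printed by MIT `klist -k -e`. The sample inputs, host names, realm and function names are constructed for illustration.

```python
import re

# Constructed inputs (not from the thread): a sqlnet.ora fragment and a keytab
# listing in the layout printed by MIT `klist -k -e`.
SQLNET_ORA = """\
SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = Kservice
"""
KEYTAB_LISTING = """\
Keytab name: FILE:/tmp/example.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 Kservice/DBHost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 Kservice/dbhost.example.com@EXAMPLE.COM (des-cbc-crc)
"""
# Enctype the thread says 10g needed; the second spelling is the descriptive
# name older MIT klist releases print. DES was later deprecated (RFC 6649).
DES_CBC_CRC = ("des-cbc-crc", "des cbc mode with crc-32")
ENTRY = re.compile(r"^\s*(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)\s+\((.+)\)\s*$")

def sqlnet_param(text, name):
    """Value of one sqlnet.ora parameter (names compared case-insensitively)."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().upper() == name.upper():
            return value.strip()
    return None

def keytab_entries(listing):
    """(service, host, enctype) for each 'KVNO svc/host@REALM (enctype)' line."""
    hits = (ENTRY.match(line) for line in listing.splitlines())
    return [(m.group(2), m.group(3), m.group(5)) for m in hits if m]

def check_keytab(sqlnet_text, listing, kdc_host, enctypes=DES_CBC_CRC):
    """Findings for the two problems in the thread; kdc_host is the host name
    exactly as the KDC log shows it."""
    service = sqlnet_param(sqlnet_text, "SQLNET.AUTHENTICATION_KERBEROS5_SERVICE")
    mine = [e for e in keytab_entries(listing) if e[0] == service]
    if not mine:
        return [("no-service-entry", service)]
    findings = [("host-case", host) for _, host, _ in mine
                if host != kdc_host and host.lower() == kdc_host.lower()]
    exact = [enc for _, host, enc in mine if host == kdc_host]
    if not exact:
        findings.append(("no-host-entry", kdc_host))
    elif not any(enc.lower() in enctypes for enc in exact):
        findings.append(("enctype", ", ".join(exact)))
    return findings

if __name__ == "__main__":
    for finding in check_keytab(SQLNET_ORA, KEYTAB_LISTING, "dbhost.example.com"):
        print(*finding)
```

An empty result means the keytab holds an entry for the configured service whose host part matches the KDC log exactly and whose enctype is one of the expected names.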

Title: Re: Authentication against MIT Kerberos on RHEL cl
Post by Pete Finnigan on Jun 1st, 2008, 4:30pm
Thank you

Title: Re: Authentication against MIT Kerberos on RHEL cl
Post by Pete Finnigan on Jun 2nd, 2008, 8:27am
Hi,

I have a comment regarding the version used. The problem mentioned here was in 10g.

When I try the same with 11g there is also a problem. I set up the configuration in the same way as for 10g, but the connection ends with another interesting error :)

ORA-01637: Packet receive failed.

In 11g docs there is some comment regarding this error but in another context.

After upgrading from a 32-bit version of Oracle Database, the first use of the Kerberos authentication adapter causes an error message: ORA-01637: Packet receive failed.

Workaround: After upgrading to the 64-bit version of the database and before using Kerberos external authentication method, check for a file named /usr/tmp/oracle_service_name.RC on your computer, and remove it.

Title: Re: Authentication against MIT Kerberos on RHEL cl
Post by Pete Finnigan on Jun 2nd, 2008, 11:14pm
The problem was with the FQDN of the host in /etc/hosts.


