Oracle Advanced Security Option and Kerberos
Rodney M Dyer
rmdyer at uncc.edu
Wed Mar 1 10:11:51 EST 2006
At 03:57 PM 2/24/2006, Douglas E. Engert wrote:
>Rodney M Dyer wrote:
>>We've been using Kerberized Oracle for over a year now without problems,
>>although we did have some initial problems getting everything working,
>>specifically the KRB5CCNAME issue you mentioned,
>
>How did you get around it? As a test, converting from FILE:/tmp/...
>to FILE://tmp/... worked, as it would strip FILE:/ from the variable to
>get the file name. Unix will treat //tmp/... and /tmp/... as the same.
Well I can't speak for UNIX since I'm a Windows systems programmer. My
Solaris/Linux coworker says remove the "FILE:" and just use
"/path/to/cache/file".
On Windows we use "API:" in the KRB5CCNAME. Oracle doesn't. So that was
out. So we configured Oracle to use the Microsoft SSPI. Our Sqlnet.ora
file looks something like this...
# krb5.ini is in MIT krb5.conf format
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.KERBEROS5_CONF=C:\WINNT\krb5.ini
# try the local bequeath adapter first, then Kerberos
SQLNET.AUTHENTICATION_SERVICES=(BEQ, KERBEROS5)
# use the Windows (SSPI/LSA) credential cache instead of a FILE: or API: cache
SQLNET.KERBEROS5_CC_NAME=OSMSFT://
>It appeared to work for me using 10g. And forward tickets via ssh
>with gssapi worked too.
We are using Oracle 9i (9.2.0.6) on both client and server.
>What about having to use principal names as the database users, did you do
>anything about this?
We create full principal names in Oracle such as: "RMDYER at UNCC.EDU"
>>As for improvements it would be nice if it was fully MIT compatible as
>>well as Microsoft's SSPI.
Oops, it is compatible with Microsoft's SSPI. In fact that is how we are
using it now. The Oracle client requests its service tickets through the
Microsoft API. The service principals are on our trusted MIT kdc.
>Have you talked to your Oracle rep?
About that specific issue...no, not since we got everything working. But I
remember 2 years ago we had a rather lengthy conference call with them over
Kerberos connectivity issues.
Rodney
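The KRB5CCNAME exchange above, as an added example that is not part of the original thread and not Oracle's or MIT's code: a small model of how a credential-cache name is split into type and residual (MIT style), beside the simpler "strip the literal FILE:/" behaviour Douglas attributes to the Oracle client. It shows why FILE:/tmp/... loses its leading slash and becomes a relative path, while FILE://tmp/... and a bare /tmp/... both survive. The naive parser is an assumption about the client written only to reproduce the symptom, and all paths are constructed sample values.

```python
# Added example, not code from the original thread or from Oracle/MIT.
# Models MIT-style ccache-name parsing next to the "strip FILE:/" behaviour the
# thread attributes to the Oracle 9i/10g client.  All paths are constructed.
import re

DEFAULT_TYPE = "FILE"  # a ccache name with no "TYPE:" prefix is a FILE cache


def parse_ccache_name(name: str) -> tuple[str, str]:
    """Split a credential-cache name into (type, residual), MIT style.

    Everything before the first ':' is the type when it is an alphabetic
    token of two or more characters; the residual keeps its leading slash.
    A bare path has no type and defaults to FILE.  (Requiring two letters is a
    simplification of this model so a Windows 'C:\\...' path is not read as a
    cache type.)
    """
    head, sep, tail = name.partition(":")
    if sep and len(head) > 1 and head.isalpha():
        return head.upper(), tail
    return DEFAULT_TYPE, name


def naive_strip_file_prefix(name: str) -> str:
    """The behaviour described in the thread (an assumption about the client):
    remove the literal 'FILE:/' and use whatever is left as the file name."""
    prefix = "FILE:/"
    return name[len(prefix):] if name.startswith(prefix) else name


def same_unix_path(a: str, b: str) -> bool:
    """On Unix '//tmp/x' and '/tmp/x' name the same file: runs of '/' collapse."""
    def squash(p: str) -> str:
        return re.sub(r"/+", "/", p)
    return squash(a) == squash(b)


def diagnose(name: str) -> dict:
    """Compare the two interpretations of one KRB5CCNAME value.

    'naive_ok' is True only when the naive parser yields an absolute path that
    is the same file the MIT-style parser would open.  A relative residual such
    as 'tmp/krb5cc_1000' would be opened relative to the client's current
    directory, which is the failure the thread describes.
    """
    cc_type, residual = parse_ccache_name(name)
    naive = naive_strip_file_prefix(name)
    naive_ok = (
        cc_type == "FILE"
        and naive.startswith("/")
        and same_unix_path(naive, residual)
    )
    return {
        "type": cc_type,
        "mit_residual": residual,
        "naive_path": naive,
        "naive_ok": naive_ok,
    }


if __name__ == "__main__":
    for value in (
        "FILE:/tmp/krb5cc_1000",   # constructed: the form that failed
        "FILE://tmp/krb5cc_1000",  # constructed: Douglas's workaround
        "/tmp/krb5cc_1000",        # constructed: bare path, as the coworker suggests
        "API:",                    # Kerberos for Windows in-memory cache; not a file
    ):
        print(f"{value:26} -> {diagnose(value)}")
```

Run it and the "API:" row shows the Windows side of the problem too: there is no file path to recover, so a client that only understands FILE caches has nothing to open, which is why the post falls back to OSMSFT:// (the SSPI cache) on Windows.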