Oracle Advanced Security Option and Kerberos

Rodney M Dyer rmdyer at
Wed Mar 1 10:11:51 EST 2006

At 03:57 PM 2/24/2006, Douglas E. Engert wrote:
>Rodney M Dyer wrote:
>>We've been using Kerberized Oracle for over a year now without problems, 
>>although we did have some initial problems getting everything working, 
>>specifically the KRB5CCNAME issue you mentioned,
>How did you get around it? As a test, converting from  FILE:/tmp/...
>to FILE://tmp/... worked, as it would strip FILE:/ from the variable to
>get the file name. Unix will treat //tmp/... and /tmp/... as the same.

Well I can't speak for UNIX since I'm a Windows systems programmer.  My 
Solaris/Linux coworker says remove the "FILE:" and just use 

On Windows we use "API:" in the KRB5CCNAME.  Oracle doesn't.  So that was 
out.  So we configured Oracle to use the Microsoft SSPI.  Our Sqlnet.ora 
file looks something like this...


>It appeared to work for me using 10g. And forward tickets via ssh
>with gssapi worked too.

We are using Oracle 9i ( on both client and server.

>What about having to use principal names as the database users, did you do 
>anything about this?

We create full principle names in Oracle such as:  "RMDYER at UNCC.EDU"

>>As for improvements it would be nice if it was fully MIT compatible as 
>>well as Microsoft's SSPI.

Oops, it is compatible with Microsoft's SSPI.  In fact that is how we are 
using it now.  The Oracle client requests its service tickets through the 
Microsoft API.  The service principles are on our trusted MIT kdc.

>Have you talked to your Oracle rep?

About that specific, not since we got everything working.  But I 
remember 2 years ago we had a rather lengthy conference call with them over 
Kerberos connectivity issues.


More information about the Kerberos mailing list