Oracle Advanced Services with Kerberos

smelt jotones at gmail.com
Thu Oct 18 06:10:58 EDT 2007


On 17 oct, 22:10, "Markus Moeller" <hua... at moeller.plus.com> wrote:
> Has anybody experience using Oracle Advanced Services with Kerberos?
>
> Markus

Hi Markus,

We want to start using it in the next months. We have made some
tests and reported errors to Oracle.

Some of them are typical errors already reported by other people in
the group. Also the Oracle implementation of Kerberos is very old.

They told me that in the 12 release they will solve some problems and
will add new functionality (more encryption algorithms, etc.).

We have tested it with an Oracle 9.2 version and an AIX MIT-based
Kerberos server. The problems reported were:

Typical KRB5CCNAME parsing problem.

If you use the Oracle implementation you could have problems if you
use aliases in network interfaces, as this implementation includes the
addresses in the requests to the KDC. In our case the addresses were
duplicated and the aliases of the NICs don't appear in the requests.
As our clusters use the alias of the NIC like a service address we
can't get tickets.

If we decide to get the initial credentials with the OS Kerberos
software we must use the ccache_type = 3 parameter in the krb5.conf
file. Then we get initial tickets with kinit and we can see them with
oklist after exporting the correct KRB5CCNAME variable.

The last problem is that only the des-cbc-crc encryption method is
supported.

This is a quick review; if you want details about some of the
problems tell me and I will try to give you more details.

Otto
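
Added example, not part of Otto's message and not Oracle or MIT code: a small check of a krb5.conf against the constraints the message reports (ccache_type = 3, des-cbc-crc only, KRB5CCNAME exported). The function names, the sample file, and the choice of default_tkt_enctypes / default_tgs_enctypes as the settings to inspect are assumptions.

```python
import re

# Constructed sample krb5.conf; realm, host and values are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    ccache_type = 4
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")  # assumed keys


def parse_libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def check_oracle_kerberos_setup(text, env):
    """List where the config departs from the constraints given in the post."""
    conf, findings = parse_libdefaults(text), []
    if conf.get("ccache_type") != "3":
        findings.append("ccache_type should be 3, found %r" % conf.get("ccache_type"))
    for key in ENCTYPE_KEYS:
        if "des-cbc-crc" not in re.split(r"[\s,]+", conf.get(key, "")):
            findings.append("%s does not list des-cbc-crc" % key)
    if not env.get("KRB5CCNAME"):
        findings.append("KRB5CCNAME is not exported")
    return findings


if __name__ == "__main__":
    for finding in check_oracle_kerberos_setup(SAMPLE_KRB5_CONF, {}):
        print(finding)
```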
