Oracle Advanced Services with Kerberos

Markus Moeller huaraz at moeller.plus.com
Thu Oct 18 15:06:32 EDT 2007


So it sounds Oracle uses a very old MIT 1.2.x release. It seems the best is 
to wait for Oracle 12 which is hopefully based on a newer MIT release or 
uses independant GSSAPI libraries (e.g. Solaris 10). When will release 12 
with ASO be available ?

Thank you
Markus

"smelt" <jotones at gmail.com> wrote in message 
news:1192702258.818566.314770 at v29g2000prd.googlegroups.com...
On 17 oct, 22:10, "Markus Moeller" <hua... at moeller.plus.com> wrote:
> Has anybody experience using Oracle Advances Services with Kerberos ?
>
> Markus

Hi Markus,

We want to start to using it in the next months. We have made some
tests and reported errors to Oracle.

Some of them are typical errors already reported by other people in
the group. Also the Oracle impletantion of Kerberos is very old.

They told me that in the 12 release they will solve some problems and
will add new functionality (more encryption algorithms, etc..).

We have tested it with an Oracle 9.2 versión and AIX MIT based
kerberos server. The problems reported were:

Typical KRB5CCNAME parsing problem.

If you user the Oracle implementation you could have problems if you
use aliases in network interfaces as this implementation include the
addresses in the requests to the KDC. In our case the addresses were
duplicated and the aliases of the NIC's don't appear in the requests.
As our clusters uses the alias of the NIC like a service address we
can't get tickets.

If we decide to get the initial credentials with the OS Kerberos
software we must use the ccache_type = 3 parameter in the krb5.conf
file. Then we get initial tickets with kinit and we can see them with
oklist after exporting the correct KRB5CCNAME variable.

The last problem is that only des-cbc-crc encryption methods is
supported.

This is a quick review , if you want details about some of the
problems tell me and I will try to give you more details.

Otto





--------------------------------------------------------------------------------


> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 






More information about the Kerberos mailing list