Oracle Advanced Services with Kerberos
preetam R
rpreetam2001 at yahoo.com
Fri Oct 19 04:25:48 EDT 2007
Hi,
Oracle has most of these kerberos issues fixed in
11g which was recently released.
Thanks,
Preetam
--- Markus Moeller <huaraz at moeller.plus.com> wrote:
> So it sounds Oracle uses a very old MIT 1.2.x
> release. It seems the best is
> to wait for Oracle 12 which is hopefully based on a
> newer MIT release or
> uses independant GSSAPI libraries (e.g. Solaris 10).
> When will release 12
> with ASO be available ?
>
> Thank you
> Markus
>
> "smelt" <jotones at gmail.com> wrote in message
>
news:1192702258.818566.314770 at v29g2000prd.googlegroups.com...
> On 17 oct, 22:10, "Markus Moeller"
> <hua... at moeller.plus.com> wrote:
> > Has anybody experience using Oracle Advances
> Services with Kerberos ?
> >
> > Markus
>
> Hi Markus,
>
> We want to start to using it in the next months. We
> have made some
> tests and reported errors to Oracle.
>
> Some of them are typical errors already reported by
> other people in
> the group. Also the Oracle impletantion of Kerberos
> is very old.
>
> They told me that in the 12 release they will solve
> some problems and
> will add new functionality (more encryption
> algorithms, etc..).
>
> We have tested it with an Oracle 9.2 versión and AIX
> MIT based
> kerberos server. The problems reported were:
>
> Typical KRB5CCNAME parsing problem.
>
> If you user the Oracle implementation you could have
> problems if you
> use aliases in network interfaces as this
> implementation include the
> addresses in the requests to the KDC. In our case
> the addresses were
> duplicated and the aliases of the NIC's don't appear
> in the requests.
> As our clusters uses the alias of the NIC like a
> service address we
> can't get tickets.
>
> If we decide to get the initial credentials with the
> OS Kerberos
> software we must use the ccache_type = 3 parameter
> in the krb5.conf
> file. Then we get initial tickets with kinit and we
> can see them with
> oklist after exporting the correct KRB5CCNAME
> variable.
>
> The last problem is that only des-cbc-crc encryption
> methods is
> supported.
>
> This is a quick review , if you want details about
> some of the
> problems tell me and I will try to give you more
> details.
>
> Otto
>
>
>
>
>
>
--------------------------------------------------------------------------------
>
>
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
>
>
>
> > ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
More information about the Kerberos
mailing list