Oracle Advanced Services with Kerberos

preetam R rpreetam2001 at yahoo.com
Fri Oct 19 04:25:48 EDT 2007 

Hi,

   Oracle has most of these kerberos issues fixed in
11g which was recently released.

Thanks,
Preetam

--- Markus Moeller <huaraz at moeller.plus.com> wrote:

> So it sounds Oracle uses a very old MIT 1.2.x
> release. It seems the best is 
> to wait for Oracle 12 which is hopefully based on a
> newer MIT release or 
> uses independant GSSAPI libraries (e.g. Solaris 10).
> When will release 12 
> with ASO be available ?
> 
> Thank you
> Markus
> 
> "smelt" <jotones at gmail.com> wrote in message 
>
news:1192702258.818566.314770 at v29g2000prd.googlegroups.com...
> On 17 oct, 22:10, "Markus Moeller"
> <hua... at moeller.plus.com> wrote:
> > Has anybody experience using Oracle Advances
> Services with Kerberos ?
> >
> > Markus
> 
> Hi Markus,
> 
> We want to start to using it in the next months. We
> have made some
> tests and reported errors to Oracle.
> 
> Some of them are typical errors already reported by
> other people in
> the group. Also the Oracle impletantion of Kerberos
> is very old.
> 
> They told me that in the 12 release they will solve
> some problems and
> will add new functionality (more encryption
> algorithms, etc..).
> 
> We have tested it with an Oracle 9.2 versión and AIX
> MIT based
> kerberos server. The problems reported were:
> 
> Typical KRB5CCNAME parsing problem.
> 
> If you user the Oracle implementation you could have
> problems if you
> use aliases in network interfaces as this
> implementation include the
> addresses in the requests to the KDC. In our case
> the addresses were
> duplicated and the aliases of the NIC's don't appear
> in the requests.
> As our clusters uses the alias of the NIC like a
> service address we
> can't get tickets.
> 
> If we decide to get the initial credentials with the
> OS Kerberos
> software we must use the ccache_type = 3 parameter
> in the krb5.conf
> file. Then we get initial tickets with kinit and we
> can see them with
> oklist after exporting the correct KRB5CCNAME
> variable.
> 
> The last problem is that only des-cbc-crc encryption
> methods is
> supported.
> 
> This is a quick review , if you want details about
> some of the
> problems tell me and I will try to give you more
> details.
> 
> Otto
> 
> 
> 
> 
> 
>
--------------------------------------------------------------------------------
> 
> 
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> > 
> 
> 
> 
> > ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

More information about the Kerberos mailing list