Oracle Database 12c and Kerberos

DanielCastellani, Apr 1 2014 — edited Jun 3 2014

Hi guys, I have Kerberos authentication on Linux working well, but I can't configure the database to authenticate the users with Kerberos 5.

I followed the official instructions on Configuring Kerberos Authentication. However, I'm stuck with an error.

The okinit and oklist work. But when I try to connect with "sqlplus /@orcl" it gives me this error:

ERROR:

ORA-12638: Credential retrieval failed

Can anyone help me?

Thanks in advance

Environment information:

Oracle Database 12c: with multitenant support.

Red Hat Enterprise Linux Server release 6.4 (Santiago) - Kernel: 2.6.32-358.18.1.el6.x86_64

     the log in is made with Kerberos.

The contents of the relevant files are here:

sql.ora

# sqlnet.ora Network Configuration File: ../network/admin/sqlnet.ora
# Generated by Oracle configuration tools.
SQLNET.AUTHENTICATION_SERVICES= (BEQ, KERBEROS5)
SQLNET.KERBEROS5_KEYTAB = /etc/oracle.keytab.03.27.14
SQLNET.KERBEROS5_REALMS = /etc/krb5.realms
SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc
SQLNET.KERBEROS5_CONF = /etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT = TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = orcl.my-machine.my-domain
SQLNET.KERBEROS5_CLOCKSKEW=6000
NAMES.DIRECTORY_PATH= (TNSNAMES,EZCONNECT)
TRACE_LEVEL_SERVER = ADMIN
TRACE_LEVEL_CLIENT = ADMIN
TRACE_LEVEL_LISTENER = ADMIN

krb5.conf

#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = MY-DOMAIN
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
[realms]
  MY.DOMAIN = {
    kdc = kdc-server.my-domain:88
    master_kdc = kdc-server.my-domain:88
    admin_server = kdc-server.my-domain:749
    default_domain = my-domain
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
[domain_realm]
  .my-domain = MY-DOMAIN
  my-domain = MY-DOMAIN

krb5.realms

my-domain MY-DOMAIN

tnsnames.ora

# tnsnames.ora Network Configuration File: ../network/admin/tnsnames.ora
# Generated by Oracle configuration tools.
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = my-machine.my-domain)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = orcl.my-domain)
    )
  )

In addition, I saw in the Kerberos KDC log that the request of "sqlplus /@orcl" was very strange:

Mar 27 15:15:43 kdc-server.my-domain krb5kdc[2715](info): TGS_REQ (4 etypes {18 17 16 23}) 128.122.72.166: PROCESS_TGS: authtime 0,  <unknown client> for <unknown server>, Incorrect net address

Mar 27 15:15:43 kdc-server.my-domain krb5kdc[2714](info): TGS_REQ (4 etypes {18 17 16 23}) 128.122.72.166: PROCESS_TGS: authtime 0,  <unknown client> for <unknown server>, Incorrect net address

This post has been answered by iehf on May 14 2014
Post Details
Locked on Jul 1 2014
Added on Apr 1 2014
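
An added example, not part of the original post and not Oracle's or MIT's tooling: a Python check that cross-references the realm names used in a krb5.conf against its [realms] stanzas and compares SQLNET.KERBEROS5_CLOCKSKEW with the 300-second default. The function names are hypothetical, the input is reconstructed from the files posted above, included files are not followed, and the realm names on the page may have been altered when the poster redacted them.

```python
import re

# Constructed input: the realm-related lines of the krb5.conf and sqlnet.ora posted above.
KRB5_CONF = """\
[libdefaults]
  default_realm = MY-DOMAIN
[realms]
  MY.DOMAIN = {
    kdc = kdc-server.my-domain:88
  }
[domain_realm]
  .my-domain = MY-DOMAIN
  my-domain = MY-DOMAIN
"""
SQLNET_ORA = "SQLNET.KERBEROS5_CLOCKSKEW=6000\n"

def parse_krb5(text):
    """Return {section: {key: value}} for top-level keys; a realm stanza has value '{'."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("includedir"):
            continue  # comments and include directives are not followed (assumption)
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            current = sections.setdefault(header.group(1), {})
        elif line == "}":
            depth -= 1
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if depth == 0:
                current[key] = value
            if value == "{":
                depth += 1
    return sections

def check(krb5_text, sqlnet_text):
    """List realm names that are referenced but never defined, plus an oversized clock skew."""
    conf = parse_krb5(krb5_text)
    defined = set(conf.get("realms", {}))
    refs = {"default_realm": conf.get("libdefaults", {}).get("default_realm")}
    refs.update({f"domain_realm {d}": r for d, r in conf.get("domain_realm", {}).items()})
    findings = [f"{src}: realm {realm} has no [realms] stanza"
                for src, realm in refs.items() if realm not in defined]
    skew = re.search(r"^\s*SQLNET\.KERBEROS5_CLOCKSKEW\s*=\s*(\d+)", sqlnet_text, re.M | re.I)
    if skew and int(skew.group(1)) > 300:  # 300 seconds is Oracle's documented default
        findings.append(f"KERBEROS5_CLOCKSKEW={skew.group(1)}s exceeds the 300s default")
    return findings

if __name__ == "__main__":
    for finding in check(KRB5_CONF, SQLNET_ORA):
        print(finding)
```

The clock-skew value bounds how stale a Kerberos credential may be and still be accepted, so a setting far above the default is worth reviewing once the connection works.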