A fast question about Kerberos and Oracle



  • I'm configuring Kerberos on Oracle. I have 2 machines: one is a server with Oracle DB, the other is a client with the Oracle client (basic+sqlplus). My sqlnet.ora looks like this (on the server):

    SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, KERBEROS5, NONE)
    SQLNET.FALLBACK_AUTHENTICATION=TRUE
    SQLNET.KERBEROS5_CONF_MIT = TRUE
    ADR_BASE = /var/oracle/app
    SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc_
    SQLNET.KERBEROS5_KEYTAB = /etc/oracle.keytab
    SQLNET.KERBEROS5_CLOCKSKEW = 1200
    SQLNET.KERBEROS5_CONF=/etc/krb5.conf
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=myservice
    

    The keytab is OK, the configuration works and the oracle user can access it:

    sqlplus /@myserver.domain/myservice
    

    SQL*Plus: Release 21.0.0.0.0 - Production on Tue Apr 12 05:41:58 2022
    Version 21.3.0.0.0

    Copyright (c) 1982, 2021, Oracle. All rights reserved.

    Last Successful login time: Tue Apr 12 2022 05:26:22 +02:00

    Connected to:
    Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
    Version 21.3.0.0.0

    SQL> select sys_context('userenv','authentication_method') from dual;
    

    SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD')

    KERBEROS

    The problem is on the client. I have copied the sqlnet.ora (it is identical to the server's) to the right place, I did kinit (I don't have okinit on the client) and...

    sqlplus /@myserver.domain/myservice
    

    SQL*Plus: Release 21.0.0.0.0 - Production on Tue Apr 12 05:43:44 2022
    Version 21.5.0.0.0

    Copyright (c) 1982, 2021, Oracle. All rights reserved.

    ERROR:
    ORA-01017: invalid username/password; logon denied

    Enter user-name:

    I have configured the user correctly (on the server the Kerberos user can log in without problems). What am I missing on the client?



  • I found the solution: the client needs the https://www.oracle.com/us/products/database/ds-security-advanced-security-11gr2-1-129479.pdf option to connect using Kerberos auth. It is included in Enterprise Edition (server) but must be bought separately for clients (if you want to use Kerberos).



