3 Replies Latest reply on May 11, 2013 10:56 PM by 992784

    Can a single Kerberos Keytab file hold multiple principals?

      I have a situation where I have multiple keytab files (different principal accounts) and my application is going to use these different service
      principal accounts and connect to one or more Oracle databases (all Kerberos enabled). Can I maintain only one keytab (merging all into one) in my application environment?
      If I merge all keytabs into one using ktutil and issue kinit (or okinit) using the keytab and service principal, I can see the command run successfully and see
      the credential cache getting updated. But I am not sure if the single cache file is actually storing tickets for all the principals. When I issue klist (or oklist),
      I can only see the last issued service principal's ticket.

      Do we ever put more than one principal in a single keytab file and maintain it in an application env? If not, why is there an option to merge keytab files? Only to be used in the KDC, maybe?
      The reason why I want to maintain one keytab is that my applications rely on the Oracle OCI thick driver (sqlnet.ora) and I can't maintain multiple keytab files and multiple sqlnet.ora files,
      as sqlnet.ora cannot be switched or changed at runtime.

      I know I am missing something here, perhaps a flaw in my application design using more than one service account in the first place?

      Please give me some directions; I don't find the right forum where I can get my queries answered. Thanks in advance.

      -Srivatsan Nallazhagappan

      Edited by: 989781 on Apr 8, 2013 7:43 PM

      Edited by: 989781 on Apr 8, 2013 8:05 PM
        • 1. Re: Can a single Kerberos Keytab file hold multiple principals?
          I find that there is a "DIR cache" feature available in the MIT libraries (env variable KRB5CCNAME and kswitch) where the cache context switch can be done. I am also told by someone that this is rarely used as it's a relatively new feature and most of the existing Kerberos products/APIs have the notion of treating the cache file as a single default principal.

          It's not mentioned anywhere in the Oracle documentation about the "DIR cache" feature, which I doubt is implemented in OCI looking at the parameters exposed in sqlnet.ora. So my solution now is to maintain one principal service account configured as an external user across all databases and use it in my application.

          Srivatsan Nallazhagappan
          • 2. Re: Can a single Kerberos Keytab file hold multiple principals?
            You can always put keys for multiple principals in a single keytab file, but Java's kinit command only recognizes the FILE format and it always overwrites the whole ccache file.

            I am not sure what you want to achieve. If you just want to get initial TGTs for multiple principals and want each to use its own, you can call "kinit -c" to save the TGTs to different files, and then in your JAAS login config file, use 'ticketCache=' to assign the files to different principals on their own Krb5LoginModule lines.
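            The reply above says a keytab can hold keys for several principals; the following is an added example (not code from this thread, Oracle or MIT) that builds an MIT v2 keytab with two constructed principals and then enumerates its entries, which is the check you would run on a ktutil-merged keytab to see which principals it actually contains. Principal names, kvnos and key bytes are constructed test values, and an audit like this also shows how many long-term keys a merged keytab exposes if it leaks.

            ```python
            import struct

            KEYTAB_V2 = b"\x05\x02"  # MIT keytab header; all integers are big-endian


            def _counted(b: bytes) -> bytes:
                """counted_octet_string: uint16 length prefix followed by the bytes."""
                return struct.pack(">H", len(b)) + b


            def build_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
                """Serialize one keytab entry. Keys here are constructed test data, not real keys."""
                name, realm = principal.rsplit("@", 1)
                comps = name.split("/")
                body = struct.pack(">H", len(comps)) + _counted(realm.encode())  # v2: realm not counted
                body += b"".join(_counted(c.encode()) for c in comps)
                body += struct.pack(">IIB", 1, ts, kvno & 0xFF)     # name_type=NT_PRINCIPAL, timestamp, 8-bit vno
                body += struct.pack(">H", enctype) + _counted(key)  # keyblock: enctype + counted key
                body += struct.pack(">I", kvno)                     # optional 32-bit vno written by newer tools
                return struct.pack(">i", len(body)) + body


            def build_keytab(entries) -> bytes:
                """Concatenate entries under one header, the layout a ktutil rkt/wkt merge produces."""
                return KEYTAB_V2 + b"".join(build_entry(*e) for e in entries)


            def list_principals(data: bytes) -> list:
                """Return (principal, kvno, enctype) for every live entry in a v2 keytab."""
                if data[:2] != KEYTAB_V2:
                    raise ValueError("not a v2 keytab")
                pos, out = 2, []
                while pos + 4 <= len(data):
                    (size,) = struct.unpack_from(">i", data, pos)
                    pos += 4
                    if size <= 0:                  # negative size marks a deleted slot; skip its bytes
                        pos += -size
                        continue
                    end, p = pos + size, pos
                    (ncomp,) = struct.unpack_from(">H", data, p); p += 2
                    parts = []
                    for _ in range(ncomp + 1):     # realm string first, then the name components
                        (n,) = struct.unpack_from(">H", data, p); p += 2
                        parts.append(data[p:p + n].decode()); p += n
                    _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, p); p += 9
                    (enctype,) = struct.unpack_from(">H", data, p); p += 2
                    (klen,) = struct.unpack_from(">H", data, p); p += 2 + klen
                    kvno = vno8
                    if end - p >= 4:               # 32-bit vno present: use it when non-zero
                        kvno = struct.unpack_from(">I", data, p)[0] or vno8
                    out.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
                    pos = end
                return out
            ```
            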
            • 3. Re: Can a single Kerberos Keytab file hold multiple principals?
              The application is not written in Java, but in C++, which uses the Oracle OCI thick driver and not JAAS like the thin driver. With the Oracle OCI thick driver within a running process, you can connect to an Oracle database with only one Kerberos principal, and switching between principals is not supported.

              For example, once you log in to sqlplus /@<TNS-Service> using a Kerberos principal, you cannot connect with another principal within that same sqlplus session. (sqlplus uses Oracle's sqlnet, which is an OCI thick driver.)

              I know JAAS does support it because it's thin, but not the OCI thick driver, which loads the Oracle parameters during process boot-up and can never refresh (at least the sqlnet parameters).

              I have changed my application to use only one service principal (providing all the required privileges for that principal to use the resources).