7 Replies Latest reply: Jun 3, 2014 11:43 AM by DanielCastellani

    Oracle Database 12c and Kerberos

    DanielCastellani

      Hi guys, I have Kerberos authentication on Linux working well, but I can't configure the database to authenticate the users with Kerberos 5.

      I followed the official instructions on Configuring Kerberos Authentication. However, I'm stuck with an error.

      The okinit and oklist work. But when I try to connect with "sqlplus /@orcl" it gives me this error:

      ERROR:

      ORA-12638: Credential retrieval failed

      Can anyone help me?

      Thanks in advance

      Environment information:

      Oracle Database 12c: with multitenant support.

      Red Hat Enterprise Linux Server release 6.4 (Santiago) - Kernel: 2.6.32-358.18.1.el6.x86_64
           the login is made with Kerberos.

      The contents of the relevant files are here:

      sqlnet.ora

      # sqlnet.ora Network Configuration File: ../network/admin/sqlnet.ora
      # Generated by Oracle configuration tools.

      SQLNET.AUTHENTICATION_SERVICES= (BEQ, KERBEROS5)

      SQLNET.KERBEROS5_KEYTAB = /etc/oracle.keytab.03.27.14
      SQLNET.KERBEROS5_REALMS = /etc/krb5.realms
      SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc
      SQLNET.KERBEROS5_CONF = /etc/krb5.conf
      SQLNET.KERBEROS5_CONF_MIT = TRUE
      SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = orcl.my-machine.my-domain
      SQLNET.KERBEROS5_CLOCKSKEW=6000

      NAMES.DIRECTORY_PATH= (TNSNAMES,EZCONNECT)

      TRACE_LEVEL_SERVER = ADMIN
      TRACE_LEVEL_CLIENT = ADMIN
      TRACE_LEVEL_LISTENER = ADMIN

      krb5.conf

      #File modified by ipa-client-install

      includedir /var/lib/sss/pubconf/krb5.include.d/

      [libdefaults]
        default_realm = MY-DOMAIN
        dns_lookup_realm = false
        dns_lookup_kdc = false
        rdns = false
        ticket_lifetime = 24h
        forwardable = yes

      [realms]
        MY.DOMAIN = {
          kdc = kdc-server.my-domain:88
          master_kdc = kdc-server.my-domain:88
          admin_server = kdc-server.my-domain:749
          default_domain = my-domain
          pkinit_anchors = FILE:/etc/ipa/ca.crt
        }

      [domain_realm]
        .my-domain = MY-DOMAIN
        my-domain = MY-DOMAIN

      krb5.realms

      my-domain MY-DOMAIN

      tnsnames.ora

      # tnsnames.ora Network Configuration File: ../network/admin/tnsnames.ora
      # Generated by Oracle configuration tools.
      ORCL =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = my-machine.my-domain)(PORT = 1521))
          (CONNECT_DATA =
            (SERVER = DEDICATED)
            (SERVICE_NAME = orcl.my-domain)
          )
        )

      In addition, I saw in the Kerberos KDC log that the request from "sqlplus /@orcl" was very strange:

      Mar 27 15:15:43 kdc-server.my-domain krb5kdc[2715](info): TGS_REQ (4 etypes {18 17 16 23}) 128.122.72.166: PROCESS_TGS: authtime 0,  <unknown client> for <unknown server>, Incorrect net address

      Mar 27 15:15:43 kdc-server.my-domain krb5kdc[2714](info): TGS_REQ (4 etypes {18 17 16 23}) 128.122.72.166: PROCESS_TGS: authtime 0,  <unknown client> for <unknown server>, Incorrect net address

        • 1. Re: Oracle Database 12c and Kerberos
          iehf

          Hi,

          What OS do you use on the client? I spent much time with Kerberos and 12c, but it hasn't worked. Inside the trace log I found an "Internal encryption error" message, which spawns ORA-12638.

          11.2.0.4 (both on client and server) worked fine with the same configuration. I tried MOS, but with no effect. Note 1611643.1 says "We will have to wait for a fix for the RDBMS client 12.1.0.1.0 as the bugs are under investigation." as the cause and "Check the Bugs Evolution using My Oracle Support" as the solution.

          • 2. Re: Oracle Database 12c and Kerberos
            DanielCastellani

            Actually the client is on the same machine. This Oracle instance is kind of a front-end access to our data warehouse. But all users that have access to the lab infrastructure are already in Kerberos, and it will be easier to audit with a login for each one.

            Thanks for the info about versions, Iehf.

            So, you put Kerberos to work with Oracle Database on 11.2.0.4, right?

            I will give it a try.

            • 3. Re: Oracle Database 12c and Kerberos
              iehf

              Yep, with 11.2.0.4 it works. Even on the same machine, but I have created a separate user as the client on the database machine.

              • 4. Re: Oracle Database 12c and Kerberos
                DanielCastellani

                Iehf, can you give me links to the instructions you followed to configure it? And whether you needed to do something else. With 11.2.0.4, did it work following the Oracle guide?

                Thanks again

                • 5. Re: Oracle Database 12c and Kerberos
                  iehf

                  Hi,

                  Which OS do you use on the client/server? I had to do some additional steps depending on the OS. And I have some instructions, but only in Russian. I'll have to do some workaround.

                  • 6. Re: Oracle Database 12c and Kerberos
                    iehf

                    Hi again, below are my steps. I apologize for my English.

                    And I don't know how to remove the email links, i.e. krbuser@somedomain.ru should be just krbuser at somedomain.ru.


                    Test configuration:

                    Kerberos Server (Microsoft KDC):

                    • Host: dc1.somedomain.ru (10.0.2.11)
                    • Windows 2008/2012 server tested
                    • Active Directory (KDC)
                    • Realm: SOMEDOMAIN.RU

                    Kerberos client (Oracle DB server):

                    • Host: dboraclen1.somedomain.ru (10.0.2.76)
                    • RedHat Linux
                    • Oracle 11.2.0.4 Server Standard Edition (** patched)

                    Oracle client:

                    • Host: dbclient.somedomain.ru (10.0.2.7)
                    • RedHat Linux
                    • Oracle 11.2.0.4 Client

                    P1: Kerberos client configuration to interoperate with Windows Server 2008/2012 KDC

                    On dboraclen1.somedomain.ru.

                    1.1 Check Kerberos software

                    [root@ /]$ cd /etc
                    [root@ /etc]$ rpm -qa | grep -i krb5
                    krb5-workstation-1.2.7-44
                    pam_krb5-1.73-1
                    krb5-libs-1.2.7-44

                    1.2 Configure Kerberos

                    Check/edit:

                    /etc/krb5.conf
                    /etc/krb5.realms
                    /etc/krb.realms
                    /etc/hosts
                    /etc/services

                    # /etc/krb5.conf:
                    [logging]
                    default=FILE:/var/log/krb5libs.log
                    kdc=FILE:/var/log/krb5kdc.log
                    admin_server=FILE:/var/log/kadmind.log

                    [libdefaults]
                    default_realm = SOMEDOMAIN.RU
                    dns_lookup_realm = false
                    dns_lookup_kdc = false
                    ticket_lifetime = 24h
                    renew_lifetime = 7d
                    forwardable = true

                    [realms]
                    SOMEDOMAIN.RU = {
                    kdc = dc1.somedomain.ru:88
                    }

                    [domain_realm]
                    .somedomain.ru = SOMEDOMAIN.RU
                    somedomain.ru = SOMEDOMAIN.RU

                    [kdc]
                    profile = /var/kerberos/krb5kdc/kdc.conf

                    # /etc/krb5.realms:
                    .somedomain.ru = SOMEDOMAIN.RU

                    # /etc/krb.realms:
                    .somedomain.ru = SOMEDOMAIN.RU

                    # /etc/hosts:
                    127.0.0.1 localhost.localdomain    localhost
                    10.0.2.76      dboraclen1.somedomain.ru dboraclen1
                    10.0.2.11      dc1.somedomain.ru dc1

                    # /etc/services:
                    kerberos 88/tcp          kerberos5 krb5  # Kerberos v5
                    kerberos 88/udp          kerberos5 krb5  # Kerberos v5

                    !!! Use only uppercase with the realm name, only lowercase with usernames/hostnames. It's important.

                    1.3 Check Kerberos software on database server
                    (oracle owner = oracle, ORACLE_HOME= /Oracle/u01/oracle/database/11r2)

                    [oracle@ /home/oracle]$ cd $ORACLE_HOME/bin
                    [oracle@ /Oracle/u01/oracle/database/11r2/bin]$ ./adapters

                    Installed Oracle Advanced Security options are:
                    ...
                    Kerberos v5 authentication
                    RADIUS authentication
                    or

                    [oracle@ /Oracle/u01/oracle/database/11r2/bin]$ ./adapters ./oracle
                    ...
                    Kerberos v5 authentication
                    RADIUS authentication

                    P2: Windows 2008/2012 KDC configuration

                    On dc1.somedomain.ru.

                    2.1 Create user in Microsoft Active Directory


                    In 'Administration/Active Directory Users and Computers' menu:

                    [General]
                    First Name: krbuser
                    Last Name: welcome1
                    Display Name: kerberos user 1

                    [Account]
                    User logon name: krbuser@somedomain.ru

                    2.2 Create principal for Oracle Database in Microsoft AD

                    Create a user whose name is exactly the database hostname, i.e. dboraclen1.somedomain.ru, and a password, i.e. oracle:

                    [General]
                    First Name: dboraclen1.somedomain.ru
                    Display Name: dboraclen1.somedomain.ru

                    [Account]
                    User logon name: dboraclen1.somedomain.ru@somedomain.ru

                    [Account Options]
                    Password never expires.

                    !!! Select option: Do not use Kerberos pre-authentication

                    !!! Unselect option 'User must change password on next logon'.

                    To finish creation use ktpass.exe.

                    Execute:

                    C:\Program Files\Support Tools>ktpass -princ oracle/dboraclen1.somedomain.ru@SOMEDOMAIN.RU -mapuser dboraclen1 -pass oracle -crypto RC4-HMAC-NT -out c:\temp\keytab.dboraclen1
                    Targeting domain controller: dc1.somedomain.ru
                    Using legacy password setting method
                    Successfully mapped oracle/dboraclen1.somedomain.ru to dboraclen1.somedomain.ru.
                    WARNING: pType and account type do not match. This might cause problems.
                    Key created.
                    Output keytab to c:\temp\keytab.dboraclen1:
                    Keytab version: 0x502
                    keysize 81 oracle/dboraclen1.somedomain.ru@SOMEDOMAIN.RU ptype 0

                    Copy c:\temp\keytab.dboraclen1 to the /etc directory on the Oracle DB machine (dboraclen1.somedomain.ru).


                    P3: Oracle DB configuration to interoperate with KDC

                    On dboraclen1.somedomain.ru.

                    3.1 sqlnet.ora

                    #/Oracle/u01/oracle/database/11r2/network/admin/sqlnet.ora
                    NAMES.DIRECTORY_PATH= (TNSNAMES)
                    SQLNET.KERBEROS5_REALMS = /etc/krb5.realms
                    SQLNET.KERBEROS5_CONF=/etc/krb5.conf
                    SQLNET.KERBEROS5_KEYTAB=/etc/keytab.dboraclen1
                    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
                    SQLNET.KERBEROS5_CONF_MIT=true
                    SQLNET.AUTHENTICATION_SERVICES=(beq,kerberos5)
                    SQLNET.KERBEROS5_CLOCKSKEW = 6000


                    3.2 Check/edit parameters on Oracle DB Server

                    OS_AUTHENT_PREFIX=""
                    REMOTE_OS_AUTHENT=FALSE

                    3.3 Create database user in Oracle DB

                    From the sys (system) user:

                    SQL> create user "KRBUSER@SOMEDOMAIN.RU" identified externally;
                    User created.


                    SQL> grant create session, resource to "KRBUSER@SOMEDOMAIN.RU";
                    Grant succeeded.

                    or

                    SQL> create user KERBUSER identified externally as 'krbuser@SOMEDOMAIN.RU';
                    User created.

                    SQL> grant create session, resource to KERBUSER;
                    Grant succeeded.

                    P4: Oracle clients configuration

                    On each client machine.

                    4.1 Oracle configuration (for Linux)

                    Kerberos configuration files (krb5.conf, krb5.realms, krb.realms) and hosts, services may be the same as above.

                    Create a Linux user, i.e. krbuser.

                    # /home/krbuser/sqlnet.ora
                    NAMES.DIRECTORY_PATH = (TNSNAMES)
                    SQLNET.KERBEROS5_CC_NAME=/tmp/krb5cc_502
                    SQLNET.KERBEROS5_CONF = /etc/krb5.conf
                    SQLNET.KERBEROS5_CONF_MIT = true
                    SQLNET.AUTHENTICATION_SERVICES = (kerberos5)
                    SQLNET.KERBEROS5_CLOCKSKEW = 6000

                    # /home/krbuser/tnsnames.ora
                    DB_test_auth =
                      (DESCRIPTION =
                        (ADDRESS = (PROTOCOL = TCP)(HOST = dboraclen1.somedomain.ru)(PORT = 1521))
                        (CONNECT_DATA =
                          (SERVER = DEDICATED)
                          (SERVICE_NAME = GlobalDB)
                        )
                      )

                    4.2 Get initial Kerberos ticket (TGT):

                    Execute $ORACLE_HOME/bin/okinit:

                    [krbuser@ /home/krbuser]$ okinit -e 23
                    Kerberos Utilities for Linux: Version 11.2.0.4.0 - Production on 16-AUG-2011 15:44:11

                    Copyright (c) 1996, 2011 Oracle.  All rights reserved.

                    Password for krbuser@SOMEDOMAIN.RU: <-- AD user password
                    [krbuser@ /home/krbuser]$

                    Check TGT with $ORACLE_HOME/bin/oklist:

                    [krbuser@ /home/krbuser]$ oklist
                    Kerberos Utilities for Linux: Version 11.2.0.4.0 - Production on 16-AUG-2011 15:45:46

                    Copyright (c) 1996, 2011 Oracle.  All rights reserved.

                    Ticket cache: /tmp/krb5cc_502
                    Default principal: krbuser@SOMEDOMAIN.RU

                    Valid Starting Expires Principal
                    16-Nov-2013 15:41:52  16-Nov-2013 23:44:11  krbtgt/SOMEDOMAIN.RU@SOMEDOMAIN.RU
                    [krbuser@ /home/krbuser]$

                    and

                    [krbuser@ /home/krbuser]$ ls -l /tmp/krb5cc_502
                    -rw-------    1 krbuser dba          527 Nov 16 15:41 /tmp/krb5cc_502

                    4.3 Test

                    Check the time synchronization between clients and DB server.

                    [krbuser@ /home/krbuser]$ sqlplus /@DB_test_auth
                    SQL*Plus: Release 11.2.0.4.0 - Production on Tue Nov 16 15:56:53 2013
                    Copyright (c) 1982, 2013, Oracle.  All rights reserved.
                    Connected to:
                    Oracle Database 11g Release 11.2.0.4.0 - 64bit Production

                    SQL>
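
Post 6 above amounts to keeping sqlnet.ora and krb5.conf consistent with each other, so here is an added example (not code from the thread or from Oracle): a small Python checker that parses both files and reports the mismatches a practitioner would look for first. Among other things it flags a default_realm with no matching [realms] block, which is the situation visible in the first post's krb5.conf (default_realm = MY-DOMAIN, but the block is named MY.DOMAIN), though the thread does not say whether that mattered there. The SQLNET_SAMPLE and KRB5_SAMPLE strings are constructed inputs modelled on that post, not the files themselves.

```python
SQLNET_SAMPLE = """# constructed sample, modelled on the first post's sqlnet.ora
SQLNET.AUTHENTICATION_SERVICES= (BEQ, KERBEROS5)
SQLNET.KERBEROS5_CONF = /etc/krb5.conf
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = orcl.my-machine.my-domain
"""
KRB5_SAMPLE = """# constructed sample, modelled on the first post's krb5.conf
[libdefaults]
  default_realm = MY-DOMAIN
[realms]
  MY.DOMAIN = {
    kdc = kdc-server.my-domain:88
  }
[domain_realm]
  .my-domain = MY-DOMAIN
"""
# sqlnet.ora parameters a Kerberos client cannot do without
REQUIRED = ("SQLNET.KERBEROS5_CONF", "SQLNET.AUTHENTICATION_KERBEROS5_SERVICE")
def parse_sqlnet(text):
    """Return {NAME: value} for 'NAME = value' lines; '#' starts a comment."""
    pairs = [ln.split("#", 1)[0].split("=", 1) for ln in text.splitlines()]
    return {k.strip().upper(): v.strip() for k, v in (p for p in pairs if len(p) == 2)}
def parse_krb5(text):
    """Return (default_realm, set of [realms] names, {domain: realm}) from krb5.conf text."""
    section, default_realm, realms, domains = None, None, set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "realms" and value == "{":  # 'REALM = {' opens a realm block
                realms.add(key)
            elif section == "domain_realm":
                domains[key] = value
    return default_realm, realms, domains
def check_config(sqlnet_text, krb5_text):
    """Cross-check sqlnet.ora against krb5.conf; returns findings (empty list = consistent)."""
    params, (default_realm, realms, domains) = parse_sqlnet(sqlnet_text), parse_krb5(krb5_text)
    findings = [f"{k} is not set" for k in REQUIRED if k not in params]
    if "KERBEROS5" not in params.get("SQLNET.AUTHENTICATION_SERVICES", "").upper():
        findings.append("SQLNET.AUTHENTICATION_SERVICES does not list KERBEROS5")
    if default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] block (defined: {sorted(realms)})")
    for domain, realm in domains.items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain} to undefined realm {realm}")
    return findings
```

Run check_config on the real files' contents (read from the paths in sqlnet.ora) before chasing ORA-12638 in the trace; an empty list means the two files at least agree with each other.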

                    • 7. Re: Oracle Database 12c and Kerberos
                      DanielCastellani

                      Hi Iehf,

                      It is working now. Thank you so much for the help.