7 Replies Latest reply on Jun 3, 2014 4:43 PM by DanielCastellani

    Oracle Database 12c and Kerberos


      Hi guys, I have the Kerberos authentication on Linux working well but I can't configure the database to authenticate the users with Kerberos 5.

      I followed the official instructions on Configuring Kerberos Authentication. However, I'm stuck with an error.


      The okinit and oklist work. But when I try to connect with "sqlplus /@orcl" it gives me this error:


      ORA-12638: Credential retrieval failed


      Can anyone help me?

      Thanks in advance


      Environment information:

      Oracle Database 12c: with multitenant support.

      Red Hat Enterprise Linux Server release 6.4 (Santiago) - Kernel: 2.6.32-358.18.1.el6.x86_64

           The login is made with Kerberos.


      The contents of the relevant files are here:


      # sqlnet.ora Network Configuration File: ../network/admin/sqlnet.ora

      # Generated by Oracle configuration tools.




      SQLNET.KERBEROS5_KEYTAB = /etc/oracle.keytab.03.27.14

      SQLNET.KERBEROS5_REALMS = /etc/krb5.realms

      SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc

      SQLNET.KERBEROS5_CONF = /etc/krb5.conf


      SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = orcl.my-machine.my-domain










      #File modified by ipa-client-install


      includedir /var/lib/sss/pubconf/krb5.include.d/

      [libdefaults]
        default_realm = MY-DOMAIN
        dns_lookup_realm = false
        dns_lookup_kdc = false
        rdns = false
        ticket_lifetime = 24h
        forwardable = yes

      [realms]
        MY.DOMAIN = {
          kdc = kdc-server.my-domain:88
          master_kdc = kdc-server.my-domain:88
          admin_server = kdc-server.my-domain:749
          default_domain = my-domain
          pkinit_anchors = FILE:/etc/ipa/ca.crt
        }

      [domain_realm]
        .my-domain = MY-DOMAIN
        my-domain = MY-DOMAIN



      my-domain MY-DOMAIN



      # tnsnames.ora Network Configuration File: ../network/admin/tnsnames.ora

      # Generated by Oracle configuration tools.

      ORCL =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = my-machine.my-domain)(PORT = 1521))
          (CONNECT_DATA =
            (SERVER = DEDICATED)
            (SERVICE_NAME = orcl.my-domain)
          )
        )




      In addition, I saw in the Kerberos KDC log that the request of "sqlplus /@orcl" was very strange:

      Mar 27 15:15:43 kdc-server.my-domain krb5kdc[2715](info): TGS_REQ (4 etypes {18 17 16 23}) PROCESS_TGS: authtime 0,  <unknown client> for <unknown server>, Incorrect net address

      Mar 27 15:15:43 kdc-server.my-domain krb5kdc[2714](info): TGS_REQ (4 etypes {18 17 16 23}) PROCESS_TGS: authtime 0,  <unknown client> for <unknown server>, Incorrect net address

        • 1. Re: Oracle Database 12c and Kerberos


          What OS do you use on the client? I spent much time with Kerberos and 12c. But it hasn't worked. Inside the trace log I found an "Internal encryption error" message, that spawns ORA-12638.

 (both on client and server) worked fine with the same configuration. I tried MOS, but with no effect. Note 1611643.1 says "We will have to wait for a fix for the RDBMS client as the bugs are under investigation." as cause and "Check the Bugs Evolution using My Oracle Support" as solution.

          1 person found this helpful
          • 2. Re: Oracle Database 12c and Kerberos

            Actually the client is on the same machine. This Oracle is kind of a front-end access to our data warehouse. But all users that have access to the lab infrastructure are already in Kerberos, and it will be easier to audit with a login for each one.


            Thanks for the info about versions Iehf.

            So, you put Kerberos to work with Oracle Database on, right?

            I will give it a try.

            • 3. Re: Oracle Database 12c and Kerberos

              Yep, with it works. Even on the same machine, but I have created a separate user as client on the database machine.

              • 4. Re: Oracle Database 12c and Kerberos

                Iehf, can you give me links to the instructions you followed to config it? And if you needed to do something else. With it worked following the Oracle guide?


                Thanks again

                • 5. Re: Oracle Database 12c and Kerberos


                  Which OS do you use on client/server? I had to do some additional steps according to the OS. And I have some instructions but only in Russian. Have to do some workaround.

                  • 6. Re: Oracle Database 12c and Kerberos

                    Hi again, below are my steps. I apologize for my English.

                    And i don't know how to remove email-links. I.e. krbuser@somedomain.ru should be just krbuser at somedomain.ru.

                    Test configuration:


                    Kerberos Server (Microsoft KDC):

                    • Host: dc1.somedomain.ru (
                    • Windows 2008/2012 server tested
                    • Active Directory (KDC)
                    • Realm: SOMEDOMAIN.RU

                    Kerberos client (Oracle DB server):

                    • Host: dboraclen1.somedomain.ru (
                    • RedHat Linux
                    • Oracle Server Standard Edition (** patched)

                    Oracle client:

                    • Host: dbclient.somedomain.ru (
                    • RedHat Linux
                    • Oracle Client

                    P1: Kerberos client configuration to interoperate with Windows Server 2008/2012 KDC

                    On dboraclen1.somedomain.ru.

                    1.1 Check Kerberos software

                    [root@ /]$ cd /etc
                    [root@ /etc]$ rpm -qa | grep -i krb5

                    1.2 Configure Kerberos







                    # /etc/krb5.conf:
                    [libdefaults]
                    default_realm = SOMEDOMAIN.RU
                    dns_lookup_realm = false
                    dns_lookup_kdc = false
                    ticket_lifetime = 24h
                    renew_lifetime = 7d
                    forwardable = true

                    [realms]
                    SOMEDOMAIN.RU = {
                    kdc = dc1.somedomain.ru:88
                    }

                    [domain_realm]
                    .somedomain.ru = SOMEDOMAIN.RU
                    somedomain.ru = SOMEDOMAIN.RU

                    [kdc]
                    profile = /var/kerberos/krb5kdc/kdc.conf


                    # /etc/krb5.realms:

                    .somedomain.ru = SOMEDOMAIN.RU


                    # /etc/krb.realms:
                    .somedomain.ru = SOMEDOMAIN.RU


                    # /etc/hosts:
           localhost.localdomain    localhost

                dboraclen1.somedomain.ru dboraclen1
                dc1.somedomain.ru dc1

                    # /etc/services:
                    kerberos 88/tcp          kerberos5 krb5  # Kerberos v5
                    kerberos 88/udp          kerberos5 krb5  # Kerberos v5


                    !!! Use only uppercase for the realm name, only lowercase for usernames/hostnames. It's important.

                    1.3 Check Kerberos software on database server
                    (oracle owner = oracle, ORACLE_HOME= /Oracle/u01/oracle/database/11r2)
                    [oracle@ /home/oracle]$ cd $ORACLE_HOME/bin
                    [oracle@ /Oracle/u01/oracle/database/11r2/bin]$ ./adapters

                    Installed Oracle Advanced Security options are:
                    Kerberos v5 authentication
                    RADIUS authentication

                    [oracle@ /Oracle/u01/oracle/database/11r2/bin]$ ./adapters ./oracle
                    Kerberos v5 authentication
                    RADIUS authentication

                    P2: Windows 2008/2012 KDC configuration

                    On dc1.somedomain.ru.

                    2.1 Create user in Microsoft Active Directory

                    In 'Administration/Active Directory Users and Computers' menu:

                    First Name: krbuser
                    Last Name: welcome1
                    Display Name: kerberos user 1

                    User logon name: krbuser@somedomain.ru

                    2.2 Create principal for Oracle Database in Microsoft AD

                    Create a user with a name exactly the same as the database hostname, i.e. dboraclen1.somedomain.ru, and a password, i.e. oracle:


                    First Name: dboraclen1.somedomain.ru
                    Display Name: dboraclen1.somedomain.ru

                    User logon name: dboraclen1.somedomain.ru@somedomain.ru

                    [Account Options]
                    Password never expires.

                    !!! Select option: Do not use Kerberos pre-authentication

                    !!! Unselect option 'User must change password on next logon'.

                    To finish creation use ktpass.exe.



                    C:\Program Files\Support Tools>ktpass -princ oracle/dboraclen1.somedomain.ru@SOMEDOMAIN.RU -mapuser dboraclen1 -pass oracle -crypto RC4-HMAC-NT -out c:\temp\keytab.dboraclen1
                    Targeting domain controller: dc1.somedomain.ru
                    Using legacy password setting method
                    Successfully mapped oracle/dboraclen1.somedomain.ru to dboraclen1.somedomain.ru.
                    WARNING: pType and account type do not match. This might cause problems.
                    Key created.
                    Output keytab to c:\temp\keytab.dboraclen1:
                    Keytab version: 0x502
                    keysize 81 oracle/dboraclen1.somedomain.ru@SOMEDOMAIN.RU ptype 0


                    Copy c:\temp\keytab.dboraclen1 to directory /etc on Oracle DB machine (dboraclen1.somedomain.ru).

                    P3: Oracle DB configuration to interoperate with KDC

                    On dboraclen1.somedomain.ru.

                    3.1 sqlnet.ora


                    NAMES.DIRECTORY_PATH= (TNSNAMES)
                    SQLNET.KERBEROS5_REALMS = /etc/krb5.realms

                    SQLNET.KERBEROS5_CLOCKSKEW = 6000

                    3.2 Check/edit parameters on Oracle DB Server


                    3.3 Create database user in Oracle DB

                    From sys (system) user:

                    SQL> create user "KRBUSER@SOMEDOMAIN.RU" identified externally;
                    User created.

                    SQL> grant create session, resource to "KRBUSER@SOMEDOMAIN.RU";
                    Grant succeeded.


                    SQL> create user KERBUSER identified externally as 'krbuser@SOMEDOMAIN.RU';
                    User created.

                    SQL> grant create session, resource to KERBUSER;
                    Grant succeeded.


                    P4 - Oracle clients configuration

                    On each client machine.

                    4.1 Oracle configuration (for Linux)

                    Kerberos configuration files (krb5.conf, krb5.realms, krb.realms) and hosts, services may be the same as above.

                    Create a Linux user, i.e. krbuser.

                    # /home/krbuser/sqlnet.ora
                    NAMES.DIRECTORY_PATH = (TNSNAMES)


                    SQLNET.KERBEROS5_CONF = /etc/krb5.conf

                    SQLNET.KERBEROS5_CONF_MIT = true

                    SQLNET.AUTHENTICATION_SERVICES = (kerberos5)

                    SQLNET.KERBEROS5_CLOCKSKEW = 6000

                    # /home/krbuser/tnsnames.ora
                    DB_test_auth =
                      (DESCRIPTION =
                        (ADDRESS = (PROTOCOL = TCP)(HOST = dboraclen1.somedomain.ru)(PORT = 1521))
                        (CONNECT_DATA =
                          (SERVER = DEDICATED)
                          (SERVICE_NAME = GlobalDB)
                        )
                      )



                    4.2 Get initial kerberos ticket (TGT):

                    Execute $ORACLE_HOME/bin/okinit:

                    [krbuser@ /home/krbuser]$ okinit -e 23
                    Kerberos Utilities for Linux: Version - Production on 16-AUG-2011 15:44:11

                    Copyright (c) 1996, 2011 Oracle.  All rights reserved.

                    Password for krbuser@SOMEDOMAIN.RU: <-- AD user password
                    [krbuser@ /home/krbuser]$

                    Check TGT with $ORACLE_HOME/bin/oklist:

                    [krbuser@ /home/krbuser]$ oklist
                    Kerberos Utilities for Linux: Version - Production on 16-AUG-2011 15:45:46

                    Copyright (c) 1996, 2011 Oracle.  All rights reserved.

                    Ticket cache: /tmp/krb5cc_502
                    Default principal: krbuser@SOMEDOMAIN.RU

                    Valid Starting Expires Principal
                    16-Nov-2013 15:41:52  16-Nov-2013 23:44:11  krbtgt/SOMEDOMAIN.RU@SOMEDOMAIN.RU
                    [krbuser@ /home/krbuser]$


                    [krbuser@ /home/krbuser]$ ls -l /tmp/krb5cc_502
                    -rw-------    1 krbuser dba          527 Nov 16 15:41 /tmp/krb5cc_502


                    Check the time synchronization between clients and DB server.

                    [krbuser@ /home/krbuser]$ sqlplus /@DB_test_auth
                    SQL*Plus: Release - Production on Tue Nov 16 15:56:53 2013
                    Copyright (c) 1982, 2013, Oracle.  All rights reserved.
                    Connected to:
                    Oracle Database 11g Release - 64bit Production
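
The script below is an added example, not code from this thread, from Oracle or from Red Hat. It turns two pieces of the discussion into an offline check: the sqlnet.ora pointers from the original post (SQLNET.KERBEROS5_CONF, SQLNET.KERBEROS5_REALMS, SQLNET.KERBEROS5_KEYTAB) and reply 6's rule that realm names are uppercase and host names lowercase. It reads a sqlnet.ora and a krb5.conf and reports files that are missing or unreadable, KERBEROS5 absent from SQLNET.AUTHENTICATION_SERVICES, a default_realm that is not uppercase or has no matching realm section, and KDC host names that are not lowercase; it goes beyond the posts by also flagging a keytab that every local user can read. The realm EXAMPLE.TEST, the host dc1.example.test and the temporary files it writes are constructed for the demonstration; on a real installation, point check_sqlnet at $ORACLE_HOME/network/admin/sqlnet.ora and check_krb5 at /etc/krb5.conf.

```shell
#!/bin/sh
# Offline sanity check for the Oracle Kerberos settings discussed in this
# thread. Added example: not code from the thread, from Oracle or from Red Hat.
# It reads a sqlnet.ora and a krb5.conf and reports:
#   - files named in sqlnet.ora that are missing or unreadable
#   - a keytab readable by every local user
#   - KERBEROS5 absent from SQLNET.AUTHENTICATION_SERVICES
#   - a default_realm that is not uppercase or has no matching realm section
#   - kdc/master_kdc/admin_server host names that are not lowercase
# All sample paths, realm and host names below are constructed.

note() { echo "  $*" >&2; }   # findings go to stderr, counts to stdout

# Print the value of the first "KEY = VALUE" line whose key matches
# (case-insensitive). Works for *.ora and krb5.conf style files alike.
conf_value() {                # $1 file, $2 key
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($0) ~ ("^[ \t]*" k "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, ""); print; exit }' "$1" 2>/dev/null || :
}

# sqlnet.ora checks; prints the number of problems found.
check_sqlnet() {              # $1 sqlnet.ora
    n=0
    for key in SQLNET.KERBEROS5_CONF SQLNET.KERBEROS5_REALMS SQLNET.KERBEROS5_KEYTAB; do
        f=$(conf_value "$1" "$key")
        # only the krb5.conf pointer is mandatory; REALMS and KEYTAB are optional
        if [ -z "$f" ] && [ "$key" = SQLNET.KERBEROS5_CONF ]; then
            note "MISSING: $key not set"; n=$((n+1))
        elif [ -n "$f" ] && [ ! -r "$f" ]; then
            note "UNREADABLE: $key -> $f"; n=$((n+1))
        fi
    done
    kt=$(conf_value "$1" SQLNET.KERBEROS5_KEYTAB)
    if [ -n "$kt" ] && [ -r "$kt" ] && [ -n "$(find "$kt" -perm -004 -print 2>/dev/null)" ]; then
        note "WORLD-READABLE: keytab $kt (chmod 600, owned by the Oracle software owner)"; n=$((n+1))
    fi
    case "$(conf_value "$1" SQLNET.AUTHENTICATION_SERVICES | tr 'a-z' 'A-Z')" in
        *KERBEROS5*) ;;
        *) note "MISSING: SQLNET.AUTHENTICATION_SERVICES does not list KERBEROS5"; n=$((n+1)) ;;
    esac
    echo "$n"
}

# krb5.conf checks; prints the number of problems found.
check_krb5() {                # $1 krb5.conf
    n=0
    realm=$(conf_value "$1" default_realm)
    if [ -z "$realm" ]; then
        note "MISSING: default_realm"; n=$((n+1))
    elif [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        note "CASE: default_realm '$realm' is not uppercase"; n=$((n+1))
    fi
    # the [realms] section must carry an entry "<default_realm> = {"
    esc=$(printf '%s' "$realm" | sed 's/[.]/\\./g')
    if ! grep -q "^[[:space:]]*$esc[[:space:]]*=[[:space:]]*[{]" "$1" 2>/dev/null; then
        note "MISMATCH: no realm section named '$realm'"; n=$((n+1))
    fi
    # kdc / master_kdc / admin_server hosts must be lowercase (port stripped)
    for h in $(awk 'tolower($0) ~ /^[ \t]*(kdc|master_kdc|admin_server)[ \t]*=/ {
                    sub(/^[^=]*=[ \t]*/, ""); sub(/:.*/, ""); print }' "$1" 2>/dev/null); do
        if [ "$h" != "$(printf '%s' "$h" | tr 'A-Z' 'a-z')" ]; then
            note "CASE: KDC host '$h' is not lowercase"; n=$((n+1))
        fi
    done
    echo "$n"
}

# Constructed sample files so the checks run offline: one correct pair and
# one pair carrying the classic mistakes.
write_samples() {             # $1 directory to create the files in
    d=$1; mkdir -p "$d"
    : > "$d/ok.keytab";  chmod 600 "$d/ok.keytab"
    : > "$d/bad.keytab"; chmod 644 "$d/bad.keytab"     # readable by everyone
    cat > "$d/ok.sqlnet.ora" <<EOF
SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)
SQLNET.KERBEROS5_CONF = $d/ok.krb5.conf
SQLNET.KERBEROS5_CONF_MIT = true
SQLNET.KERBEROS5_KEYTAB = $d/ok.keytab
EOF
    cat > "$d/bad.sqlnet.ora" <<EOF
SQLNET.AUTHENTICATION_SERVICES = (BEQ)
SQLNET.KERBEROS5_CONF = $d/missing.krb5.conf
SQLNET.KERBEROS5_KEYTAB = $d/bad.keytab
EOF
    cat > "$d/ok.krb5.conf" <<EOF
[libdefaults]
 default_realm = EXAMPLE.TEST
[realms]
 EXAMPLE.TEST = {
  kdc = dc1.example.test:88
 }
EOF
    cat > "$d/bad.krb5.conf" <<EOF
[libdefaults]
 default_realm = example.test
[realms]
 EXAMPLE.TEST = {
  kdc = DC1.example.test:88
 }
EOF
}

main() {
    d=${TMPDIR:-/tmp}/krbcheck.$$
    write_samples "$d"
    for name in ok bad; do
        echo "== $name.sqlnet.ora / $name.krb5.conf"
        s=$(check_sqlnet "$d/$name.sqlnet.ora")
        k=$(check_krb5 "$d/$name.krb5.conf")
        echo "   $((s + k)) problem(s)"
    done
    rm -rf "$d"
}
main "$@"
```

Findings go to stderr and each function prints only its problem count, so the checks can be chained from a login script or a monitoring job. The script does not contact the KDC: clock skew and the "Incorrect net address" message from the KDC log still have to be looked at with okinit, oklist and the KDC's own log, as the posts above do.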


                    • 7. Re: Oracle Database 12c and Kerberos

                      Hi Iehf,


                      It is working now. Thank you so much for the help.