Oracle Advanced Services with Kerberos

smelt jotones at
Fri Oct 19 07:23:56 EDT 2007


I am very sorry, Preetam is right.

In theory (I couldn't test it) Oracle solves the problems in 11gR1
versión. Also some of them are solved with patches in previous

These were my question (I have eliminated detailed information):

1.- We configure the environment variable

krb5cc_oratest at AIXPRU.BDE.ES_201

but Oracle doesn't parse correctly this variable using like the
credentials cache the following value:

file:var/krb5/security/creds/krb5cc_oratest at AIXPRU.BDE.ES_201

producing and error because sqlplus is not able to locate the file. We
know this error has already been reported to Oracle and we would like
to know when we can expect to have this error (it seems very easy to
solve) fixed.

2.- Oracle uses internaly addresses in the Kerberos tickets. We use
MIT style configuration style but Oracle doesn't undestand the option

noaddresses = true

That means that we can't disable the use of the address in the TGT
tickets so if we use the okinit command to get the initial ticket in
an IBM HACMP cluster environment the command is not working correctly.
In this environment there are several network interfaces with IP's and
aliases. The problem is that Oracle is not able to construct the list
of addresses correctly.

3.- Oracle is not supporting other encription and checksuming methods
apart of DES-CBC-CRC. Is
that right? We have tried to configure other methods and the Oracle
Kerberos libraries always use DES-CBC-CRC.

When we can expect to have more security encription and checksuming

4.- When willl Oracle use external MIT or Kerberos software to avoid
the dependency we have in Oracle Kerberos software and his

5.- In general we would like to complain about the old implementation
that Oracle uses, we are not sure if it is MIT or not compliant, it
uses credentials cache format = 3 , instead we use now in our clients
(ccache_type=4), it is not support the most of the configuration
options in a MIT style software. When Oracle will move forward with

And here attach a LAB answer about the following points:

1. This has been fixed in 11gR1. Patches are also available for
certain previous versions (bug#5031220)
2. Oracle's version of kerberos is based on an old version of MIT
kerberos and is a
reduced functionality version.
Hence, doesn't support all options that are available in the latest
MIT version.
3. 11gR1 has support for other algorithms
4. you can create a ticket with kinit and use with oracle 11gr1, but
it will not support all the newer MIT additions.
5. This has been fixed in 11gR1. Please check bug#5095984

Sorry again for the mistake....


On 19 oct, 10:25, preetam R <rpreetam2... at> wrote:
> Hi,
>    Oracle has most of these kerberos issues fixed in
> 11g which was recently released.
> Thanks,
> Preetam
> --- Markus Moeller <hua... at> wrote:
> > So it sounds Oracle uses a very old MIT 1.2.x
> > release. It seems the best is
> > to wait for Oracle 12 which is hopefully based on a
> > newer MIT release or
> > uses independant GSSAPI libraries (e.g. Solaris 10).
> > When will release 12
> > with ASO be available ?
> > Thank you
> > Markus
> > "smelt" <joto... at> wrote in message
> news:1192702258.818566.314770 at
> > On 17 oct, 22:10, "Markus Moeller"
> > <hua... at> wrote:
> > > Has anybody experience using Oracle Advances
> > Services with Kerberos ?
> > > Markus
> > Hi Markus,
> > We want to start to using it in the next months. We
> > have made some
> > tests and reported errors to Oracle.
> > Some of them are typical errors already reported by
> > other people in
> > the group. Also the Oracle impletantion of Kerberos
> > is very old.
> > They told me that in the 12 release they will solve
> > some problems and
> > will add new functionality (more encryption
> > algorithms, etc..).
> > We have tested it with an Oracle 9.2 versión and AIX
> > MIT based
> > kerberos server. The problems reported were:
> > Typical KRB5CCNAME parsing problem.
> > If you user the Oracle implementation you could have
> > problems if you
> > use aliases in network interfaces as this
> > implementation include the
> > addresses in the requests to the KDC. In our case
> > the addresses were
> > duplicated and the aliases of the NIC's don't appear
> > in the requests.
> > As our clusters uses the alias of the NIC like a
> > service address we
> > can't get tickets.
> > If we decide to get the initial credentials with the
> > OS Kerberos
> > software we must use the ccache_type = 3 parameter
> > in the krb5.conf
> > file. Then we get initial tickets with kinit and we
> > can see them with
> > oklist after exporting the correct KRB5CCNAME
> > variable.
> > The last problem is that only des-cbc-crc encryption
> > methods is
> > supported.
> > This is a quick review , if you want details about
> > some of the
> > problems tell me and I will try to give you more
> > details.
> > Otto
> ---------------------------------------------------------------------------­-----
> > > ________________________________________________
> > > Kerberos mailing list           Kerbe... at
> > >
> > > ________________________________________________
> > Kerberos mailing list           Kerbe... at
> >
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around Ocultar texto de la cita -
> - Mostrar texto de la cita -

More information about the Kerberos mailing list