Oracle Advanced Services with Kerberos - Kerberos

This is a discussion on Oracle Advanced Services with Kerberos - Kerberos ; Has anybody experience using Oracle Advances Services with Kerberos ? Markus...

+ Reply to Thread
Results 1 to 3 of 3

Thread: Oracle Advanced Services with Kerberos

  1. Oracle Advanced Services with Kerberos

    Has anybody experience using Oracle Advances Services with Kerberos ?

    Markus





  2. Re: Oracle Advanced Services with Kerberos

    On 17 oct, 22:10, "Markus Moeller" wrote:
    > Has anybody experience using Oracle Advances Services with Kerberos ?
    >
    > Markus


    Hi Markus,

    We want to start to using it in the next months. We have made some
    tests and reported errors to Oracle.

    Some of them are typical errors already reported by other people in
    the group. Also the Oracle impletantion of Kerberos is very old.

    They told me that in the 12 release they will solve some problems and
    will add new functionality (more encryption algorithms, etc..).

    We have tested it with an Oracle 9.2 versión and AIX MIT based
    kerberos server. The problems reported were:

    Typical KRB5CCNAME parsing problem.

    If you user the Oracle implementation you could have problems if you
    use aliases in network interfaces as this implementation include the
    addresses in the requests to the KDC. In our case the addresses were
    duplicated and the aliases of the NIC's don't appear in the requests.
    As our clusters uses the alias of the NIC like a service address we
    can't get tickets.

    If we decide to get the initial credentials with the OS Kerberos
    software we must use the ccache_type = 3 parameter in the krb5.conf
    file. Then we get initial tickets with kinit and we can see them with
    oklist after exporting the correct KRB5CCNAME variable.

    The last problem is that only des-cbc-crc encryption methods is
    supported.

    This is a quick review , if you want details about some of the
    problems tell me and I will try to give you more details.

    Otto



  3. Re: Oracle Advanced Services with Kerberos

    So it sounds Oracle uses a very old MIT 1.2.x release. It seems the best is
    to wait for Oracle 12 which is hopefully based on a newer MIT release or
    uses independant GSSAPI libraries (e.g. Solaris 10). When will release 12
    with ASO be available ?

    Thank you
    Markus

    "smelt" wrote in message
    news:1192702258.818566.314770@v29g2000prd.googlegr oups.com...
    On 17 oct, 22:10, "Markus Moeller" wrote:
    > Has anybody experience using Oracle Advances Services with Kerberos ?
    >
    > Markus


    Hi Markus,

    We want to start to using it in the next months. We have made some
    tests and reported errors to Oracle.

    Some of them are typical errors already reported by other people in
    the group. Also the Oracle impletantion of Kerberos is very old.

    They told me that in the 12 release they will solve some problems and
    will add new functionality (more encryption algorithms, etc..).

    We have tested it with an Oracle 9.2 versión and AIX MIT based
    kerberos server. The problems reported were:

    Typical KRB5CCNAME parsing problem.

    If you user the Oracle implementation you could have problems if you
    use aliases in network interfaces as this implementation include the
    addresses in the requests to the KDC. In our case the addresses were
    duplicated and the aliases of the NIC's don't appear in the requests.
    As our clusters uses the alias of the NIC like a service address we
    can't get tickets.

    If we decide to get the initial credentials with the OS Kerberos
    software we must use the ccache_type = 3 parameter in the krb5.conf
    file. Then we get initial tickets with kinit and we can see them with
    oklist after exporting the correct KRB5CCNAME variable.

    The last problem is that only des-cbc-crc encryption methods is
    supported.

    This is a quick review , if you want details about some of the
    problems tell me and I will try to give you more details.

    Otto





    --------------------------------------------------------------------------------


    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >





+ Reply to Thread