[28580] in Kerberos


Re: Oracle Advanced Services with Kerberos

daemon@ATHENA.MIT.EDU (Markus Moeller)
Thu Oct 18 15:07:25 2007

To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Thu, 18 Oct 2007 20:06:32 +0100
Message-ID: <ff8as0$uvp$1@ger.gmane.org>
X-Complaints-To: usenet@ger.gmane.org
Content-Type: multipart/mixed; boundary="===============0623545098=="
Errors-To: kerberos-bounces@mit.edu


So it sounds like Oracle uses a very old MIT 1.2.x release. It seems the best is 
to wait for Oracle 12, which is hopefully based on a newer MIT release or 
uses independent GSSAPI libraries (e.g. Solaris 10). When will release 12 
with ASO be available?

Thank you
Markus

"smelt" <jotones@gmail.com> wrote in message 
news:1192702258.818566.314770@v29g2000prd.googlegroups.com...
On 17 oct, 22:10, "Markus Moeller" <hua...@moeller.plus.com> wrote:
> Has anybody experience using Oracle Advanced Services with Kerberos?
>
> Markus

Hi Markus,

We want to start using it in the next months. We have made some
tests and reported errors to Oracle.

Some of them are typical errors already reported by other people in
the group. Also the Oracle implementation of Kerberos is very old.

They told me that in the 12 release they will solve some problems and
will add new functionality (more encryption algorithms, etc.).

We have tested it with an Oracle 9.2 version and an AIX MIT-based
Kerberos server. The problems reported were:

Typical KRB5CCNAME parsing problem.

If you use the Oracle implementation you could have problems if you
use aliases in network interfaces, as this implementation includes the
addresses in the requests to the KDC. In our case the addresses were
duplicated and the aliases of the NICs don't appear in the requests.
As our clusters use the alias of the NIC as a service address, we
can't get tickets.

If we decide to get the initial credentials with the OS Kerberos
software we must use the ccache_type = 3 parameter in the krb5.conf
file. Then we get initial tickets with kinit and we can see them with
oklist after exporting the correct KRB5CCNAME variable.

The last problem is that only the des-cbc-crc encryption method is
supported.

This is a quick review; if you want details about some of the
problems, tell me and I will try to give you more details.

Otto





--------------------------------------------------------------------------------


> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 



