In an effort to simplify Oracle database authentication, Kerberos will be installed and configured to authenticate users' passwords against Microsoft AD. This allows users to maintain only one password for both AD and the Oracle databases.
There are several parts to the configuration: MS AD, Unix and the Oracle Database. This document consolidates all of the parts into one place so the installation is consistent across all of the database servers.
Create a user whose sAMAccountName matches the short name. The cn, displayName, givenName and name attributes must match the FQDN.
The following was run from the PDC emulator (any DC should work). The password was a generated, complex password.
ktpass.exe -princ <userPrincipalName> -mapuser <cn> -crypto all -pass $pass -out C:\temp\krb5.keypass
The pertinent user attributes are listed below. Some are entered by the admin; the rest are populated by the ktpass command when it creates the keytab file. Of the original attribute listing only the following survives:
userAccountControl: User
The resultant file was transferred to the *nix admin for installation and config.
Make the Kerberos components available:
1. Revise the AD server exports to make /export/71 available to the target server(s).
2. mount AD Server:/export/71 /mnt
3. smitty install from the current directory
Check/install these Kerberos filesets (the version numbers in the original listing did not survive extraction):
krb5.client.rte       Network Authentication Servi…
krb5.client.samples   Network Authentication Servi…
krb5.doc.en_US.html   Network Auth Service HTML Do…
krb5.doc.en_US.pdf    Network Auth Service PDF Doc…
krb5.lic              Network Authentication Servi…
Revise the Kerberos entries in /etc/services:
kerberos    88/tcp    kerberos5 krb5    # Kerberos v5
kerberos    88/udp    kerberos5 krb5    # Kerberos v5
Oracle Database Servers
Create or add the following to the sqlnet.ora file ($ORACLE_HOME/network/admin):
SQLNET.AUTHENTICATION_SERVICES = (BEQ,KERBEROS5PRE,KERBEROS5)
Update each user with the following:
alter user <username> identified externally as '<username>@CORP.<COMPANY.COM>';
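As an added example (not part of the original post), the POSIX shell functions below check the *nix and Oracle pieces configured above and generate the ALTER USER statements for a list of users. Kerberos realm names are case-sensitive and conventionally upper case, so the external name in ALTER USER must match the principal's realm exactly; the generator refuses a lower-case realm for that reason. The sample_* functions write constructed /etc/services and sqlnet.ora contents to temporary files so the checks can be exercised offline; the realm CORP.EXAMPLE.COM and user scott are constructed values. Assumed tools: a POSIX sh with grep, printf, tr and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checks for the
# Kerberos settings this page applies on the database server.

# check_services FILE
# Returns 0 only when both Kerberos v5 lines from the page (88/tcp and
# 88/udp) are present at the start of a line, i.e. not commented out.
check_services() {
    grep -Eq '^kerberos[[:space:]]+88/tcp' "$1" &&
    grep -Eq '^kerberos[[:space:]]+88/udp' "$1"
}

# check_sqlnet FILE
# Returns 0 only when an uncommented SQLNET.AUTHENTICATION_SERVICES line
# lists KERBEROS5 as one of its values (KERBEROS5PRE alone does not count).
check_sqlnet() {
    grep -Ei '^[[:space:]]*SQLNET\.AUTHENTICATION_SERVICES[[:space:]]*=' "$1" |
    grep -Eiq '(\(|,|[[:space:]])KERBEROS5(\)|,|[[:space:]])'
}

# check_realm REALM
# Returns 0 when REALM is non-empty and entirely upper case.
check_realm() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# alter_user_sql USERNAME REALM
# Prints the ALTER USER statement from the page for one user; fails without
# printing anything if the realm is not upper case.
alter_user_sql() {
    check_realm "$2" || return 1
    printf "alter user %s identified externally as '%s@%s';\n" "$1" "$1" "$2"
}

# sample_services OK|MISSING_UDP
# Writes a constructed /etc/services fragment to a temp file, prints its path.
sample_services() {
    f=$(mktemp) || return 1
    printf 'ftp             21/tcp\n' > "$f"
    printf 'kerberos        88/tcp    kerberos5 krb5    # Kerberos v5\n' >> "$f"
    if [ "$1" != "MISSING_UDP" ]; then
        printf 'kerberos        88/udp    kerberos5 krb5    # Kerberos v5\n' >> "$f"
    fi
    echo "$f"
}

# sample_sqlnet OK|COMMENTED
# Writes a constructed sqlnet.ora to a temp file, prints its path.
sample_sqlnet() {
    f=$(mktemp) || return 1
    if [ "$1" = "COMMENTED" ]; then
        printf '# SQLNET.AUTHENTICATION_SERVICES = (BEQ,KERBEROS5PRE,KERBEROS5)\n' > "$f"
    else
        printf 'SQLNET.AUTHENTICATION_SERVICES = (BEQ,KERBEROS5PRE,KERBEROS5)\n' > "$f"
    fi
    echo "$f"
}

# run_checks: exercise everything against the constructed samples.
# On a real host call check_services /etc/services and
# check_sqlnet "$ORACLE_HOME/network/admin/sqlnet.ora" directly.
run_checks() {
    s=$(sample_services OK) && n=$(sample_sqlnet OK) || return 1
    check_services "$s" && check_sqlnet "$n" &&
        alter_user_sql scott CORP.EXAMPLE.COM
    rc=$?
    rm -f "$s" "$n"
    return $rc
}

run_checks
```

On a live server replace the sample paths with /etc/services and $ORACLE_HOME/network/admin/sqlnet.ora, and feed the real user list and realm to alter_user_sql; pipe its output to sqlplus only after reviewing it.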
I hope this blog helps provide you with a one-stop shop to simplify your Oracle database authentication. If you're looking for support for your Oracle databases, please reach out.