
Kerberos Authentication with Oracle Databases

Author: Cindy Putnam | September 8, 2020

In an effort to simplify Oracle database authentication, Kerberos will be installed and configured so that the database authenticates users against Microsoft Active Directory (AD). Users then maintain a single password, their AD password, for AD and the Oracle databases, and the database itself never stores or checks that password.

There are three parts to the configuration: MS AD, Unix and the Oracle database. This document consolidates them into one place so the installation is consistent across all the database servers.

Microsoft AD

Create a user whose sAMAccountName matches the database server's short host name. The cn, displayName, givenName and name attributes must match the server's FQDN.

The following was run from the PDC emulator (any DC should work). The password was a generated, complex password; it only seeds the key written into the keytab and never needs to be typed again. Note that -crypto all writes DES and RC4 keys into the keytab alongside AES; restrict it to AES256-SHA1 when the Oracle client supports it, and treat the resulting file as a secret equivalent to the account password.

$Pass="......."

ktpass.exe -princ <userPrincipalName> -mapuser <cn> -crypto all -pass $Pass -out C:\temp\krb5.keypass

The pertinent user attributes are below. In the original, values entered by the admin were shown in red and values populated by the ktpass command were shown in bold; that distinction does not survive here. ktpass -mapuser resets the account password to the value given with -pass and sets userPrincipalName to the principal given with -princ, so any later password change on the account invalidates the keytab. Check the SPNs with setspn -L <servername> and confirm they are unique with setspn -X: a duplicate SPN anywhere in the forest stops the KDC from issuing service tickets for it.

cn                       <servername>.<company.com>
displayName              <servername>.<company.com>
distinguishedName        CN=<servername>.<company.com>,OU=AIX,DC=corp,DC=<company>,DC=com
givenName                <servername>.<company.com>
name                     <servername>.<company.com>
sAMAccountName           <servername>
servicePrincipalName     oracle/<servername>.<company.com>
                         oracle/<servername>.corp.<company.com>
userAccountControl       [512] User
userPrincipalName        oracle/<servername>.<company.com>@CORP.<COMPANY.COM>

The resulting file was transferred to the *nix admin for installation and configuration. Because the keytab holds the long-term key of the service principal, transfer it over an authenticated, encrypted channel (scp or sftp) and delete the copy on the DC afterwards.
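The AD steps above, worked through end to end as an added example; this is not code from the original post. It creates the account with the naming attributes from the table, restricts it to AES so the keytab and the KDC agree on encryption types, generates the keytab and then verifies the object. The host name db01.example.com, its second name db01.corp.example.com, the domain corp.example.com, the realm CORP.EXAMPLE.COM and the OU are all assumptions for illustration.

```powershell
# Added example, not code from the original post: create the Oracle service
# account for one database host, produce an AES-only keytab and verify the
# resulting AD object. Every name below is an assumption for illustration.
# Run in an elevated PowerShell on a DC (or an RSAT host) as a domain admin;
# needs the ActiveDirectory module, ktpass.exe and setspn.exe.
Import-Module ActiveDirectory

$Short   = 'db01'                                   # sAMAccountName = host short name
$Fqdn    = 'db01.example.com'                       # host DNS name (cn/displayName/givenName/name)
$AltFqdn = 'db01.corp.example.com'                  # second name clients may connect with
$Domain  = 'corp.example.com'                       # AD domain
$Realm   = 'CORP.EXAMPLE.COM'                       # Kerberos realm = AD domain, upper case
$OU      = 'OU=AIX,DC=corp,DC=example,DC=com'
$Princ   = "oracle/$Fqdn@$Realm"                    # becomes userPrincipalName
$Keytab  = "C:\temp\$Short.keytab"

# 0. An SPN must be unique in the forest; stop if another object already claims it.
$existing = & setspn.exe -Q "oracle/$Fqdn"
if ($existing -match 'Existing SPN found') { throw "oracle/$Fqdn is already registered" }

# 1. Random password; it only seeds the keytab key and is never used interactively.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$Pass  = [Convert]::ToBase64String($bytes)

# 2. Create the account with the naming attributes used in the post.
New-ADUser -Name $Fqdn -SamAccountName $Short -DisplayName $Fqdn -GivenName $Fqdn `
    -Path $OU -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -AccountPassword (ConvertTo-SecureString $Pass -AsPlainText -Force)

# 3. Limit the account to AES so the KDC never issues RC4 tickets for it
#    (the post's -crypto all also writes RC4 and DES keys into the keytab).
Set-ADUser -Identity $Short -KerberosEncryptionType AES256

# 4. Generate the keytab. -mapuser resets the password to -pass and rewrites
#    userPrincipalName to $Princ, as the attribute table above shows.
& ktpass.exe -princ $Princ -mapuser "$Short@$Domain" -crypto AES256-SHA1 `
    -ptype KRB5_NT_PRINCIPAL -pass $Pass -out $Keytab
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }
Remove-Variable Pass, bytes                         # nothing else needs the secret

# 5. Add the second SPN (-S refuses duplicates) and run the forest-wide duplicate check.
& setspn.exe -S "oracle/$AltFqdn" $Short
& setspn.exe -X

# 6. Compare the object with the attribute table above.
Get-ADUser -Identity $Short -Properties userPrincipalName, servicePrincipalName, 'msDS-SupportedEncryptionTypes' |
    Format-List SamAccountName, UserPrincipalName, ServicePrincipalName, 'msDS-SupportedEncryptionTypes'
```

Copy the keytab to the database server with scp or sftp, install it as /etc/krb5/krb5.keytab owned by the Oracle software owner with mode 0600, and delete the C:\temp copy. If an older Oracle client cannot negotiate AES, use -crypto RC4-HMAC-NT together with -KerberosEncryptionType RC4 rather than falling back to all, which also enables DES.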

Unix

Make the Kerberos client components available (AIX 7.1 here, installing from an NFS-mounted lppsource):

revise the AD server exports to make /export/71 available to the target server(s);
mount AD Server:/export/71 /mnt
cd /mnt/lppsource_71TL3SP6_full/installp/ppc
smitty install from the current directory

Check for, and install if missing, these Kerberos client filesets:

krb5.client.rte 1.5.0.3      Network Authentication Servi…
krb5.client.samples 1.5.0.3  Network Authentication Servi…
krb5.doc.en_US.html 1.5.0.3  Network Auth Service HTML Do…
krb5.doc.en_US.pdf 1.5.0.3   Network Auth Service PDF Doc…
krb5.lic 1.5.0.3             Network Authentication Servi…

Revise the Kerberos entries in /etc/services so that the client talks to the KDC on port 88:

kerberos                88/tcp  kerberos5 krb5  # Kerberos v5
kerberos                88/udp  kerberos5 krb5  # Kerberos v5

Oracle Database Servers

Create or add the following to the sqlnet.ora file ($ORACLE_HOME/network/admin) on each database server. KERBEROS5PRE keeps older clients working alongside KERBEROS5. SQLNET.AUTHENTICATION_REQUIRED=TRUE makes the listed authentication services mandatory, so connections that do not authenticate through one of them are rejected; set it only after a Kerberos login has been verified.

SQLNET.KERBEROS5_KEYTAB=/etc/krb5/krb5.keytab
SQLNET.AUTHENTICATION_SERVICES = (BEQ,KERBEROS5PRE,KERBEROS5)
SQLNET.AUTHENTICATION_REQUIRED=TRUE
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.KERBEROS5_CONF=$ORACLE_HOME/network/admin/krb5.conf
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=oracle
SQLNET.INBOUND_CONNECT_TIMEOUT=180
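The sqlnet.ora above points at $ORACLE_HOME/network/admin/krb5.conf, but the post does not show that file. The following is an added example of an MIT-format krb5.conf that fits the attribute table in the AD section; it is not from the original post, and the realm, DNS domains and KDC host names are assumptions.

```ini
# Added example krb5.conf (MIT format, as SQLNET.KERBEROS5_CONF_MIT=TRUE expects).
# Realm, domains and KDC names are assumptions; substitute your own.
[libdefaults]
    default_realm = CORP.EXAMPLE.COM

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc01.corp.example.com:88
        kdc = dc02.corp.example.com:88
        admin_server = dc01.corp.example.com
    }

[domain_realm]
    # The database host is db01.example.com while the AD domain is
    # corp.example.com, so both DNS suffixes must map to the realm.
    .example.com      = CORP.EXAMPLE.COM
    example.com       = CORP.EXAMPLE.COM
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com  = CORP.EXAMPLE.COM
```

Install the same content as /etc/krb5/krb5.conf so the AIX Kerberos client and Oracle agree on realm and KDCs. Checks worth running on the server before touching any database user: klist -k /etc/krb5/krb5.keytab lists the principal and key version number in the keytab, and kinit -kt /etc/krb5/krb5.keytab oracle/db01.example.com@CORP.EXAMPLE.COM obtains a ticket with it, which proves the keytab key still matches the account (a preauthentication failure here usually means the account password changed after ktpass ran). Keep the keytab mode 0600 and owned by the Oracle software owner. Server and DC clocks must agree within SQLNET.KERBEROS5_CLOCKSKEW (default 300 seconds). From a client, okinit <user> followed by sqlplus /@<service> exercises the whole chain.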

Update each user that should authenticate through Kerberos. The external name is the user's full Kerberos principal; Oracle compares it with the principal in the ticket, so case matters and the realm is upper case. Once set, the database keeps no password for that account. Afterwards, confirm in DBA_USERS that AUTHENTICATION_TYPE is EXTERNAL and EXTERNAL_NAME holds the principal.

alter user <username> identified externally as '<username>@CORP.<COMPANY.COM>';

I hope this blog helps provide you with a one-stop shop to simplify your Oracle database authentication. If you're looking for support for your Oracle databases, please reach out.
