Markus, I am very sorry, Preetam is right.
In theory (I couldn't test it) Oracle solves the problems in the 11gR1 version. Also, some of them are solved with patches in previous versions.

These were my questions (I have eliminated detailed information):

1.- We configure the environment variable KRB5CCNAME=FILE:/var/krb5/security/creds/ [EMAIL PROTECTED] but Oracle doesn't parse this variable correctly, using as the credentials cache the following value: file:var/krb5/security/creds/[EMAIL PROTECTED] producing an error because sqlplus is not able to locate the file. We know this error has already been reported to Oracle and we would like to know when we can expect to have this error (it seems very easy to solve) fixed.

2.- Oracle internally uses addresses in the Kerberos tickets. We use MIT-style configuration but Oracle doesn't understand the option (VERY IMPORTANT):

    noaddresses = true

That means that we can't disable the use of the addresses in the TGT tickets, so if we use the okinit command to get the initial ticket in an IBM HACMP cluster environment the command does not work correctly. In this environment there are several network interfaces with IPs and aliases. The problem is that Oracle is not able to construct the list of addresses correctly.

3.- Oracle does not support other encryption and checksumming methods apart from DES-CBC-CRC. Is that right? We have tried to configure other methods and the Oracle Kerberos libraries always use DES-CBC-CRC. When can we expect to have more secure encryption and checksumming algorithms?

4.- When will Oracle use external MIT or Kerberos software to avoid the dependency we have on Oracle Kerberos software and its development?

5.- In general we would like to complain about the old implementation that Oracle uses. We are not sure if it is MIT compliant or not; it uses credentials cache format = 3, whereas we now use (ccache_type=4) in our clients, and it does not support most of the configuration options of MIT-style software.
When will Oracle move forward with Kerberos authentication?

And here I attach a LAB answer about the following points:

1. This has been fixed in 11gR1. Patches are also available for certain previous versions (bug#5031220)
2. Oracle's version of kerberos is based on an old version of MIT kerberos and is a reduced functionality version. Hence, doesn't support all options that are available in the latest MIT version.
3. 11gR1 has support for other algorithms
4. you can create a ticket with kinit and use with oracle 11gr1, but it will not support all the newer MIT additions.
5. This has been fixed in 11gR1. Please check bug#5095984

Sorry again for the mistake....

Otto

On 19 oct, 10:25, preetam R <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Oracle has most of these kerberos issues fixed in
> 11g which was recently released.
>
> Thanks,
> Preetam
>
> --- Markus Moeller <[EMAIL PROTECTED]> wrote:
>
> > So it sounds Oracle uses a very old MIT 1.2.x release. It seems the best is
> > to wait for Oracle 12 which is hopefully based on a newer MIT release or
> > uses independent GSSAPI libraries (e.g. Solaris 10). When will release 12
> > with ASO be available ?
> >
> > Thank you
> > Markus
> >
> > "smelt" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> >
> > On 17 oct, 22:10, "Markus Moeller" <[EMAIL PROTECTED]> wrote:
> > Has anybody experience using Oracle Advances Services with Kerberos ?
> >
> > Markus
> >
> > Hi Markus,
> >
> > We want to start using it in the next months. We have made some
> > tests and reported errors to Oracle.
> >
> > Some of them are typical errors already reported by other people in
> > the group. Also the Oracle implementation of Kerberos is very old.
> >
> > They told me that in the 12 release they will solve some problems and
> > will add new functionality (more encryption algorithms, etc..).
> >
> > We have tested it with an Oracle 9.2 version and AIX MIT based
> > kerberos server.
> > The problems reported were:
> >
> > Typical KRB5CCNAME parsing problem.
> >
> > If you use the Oracle implementation you could have problems if you
> > use aliases in network interfaces as this implementation includes the
> > addresses in the requests to the KDC. In our case the addresses were
> > duplicated and the aliases of the NICs don't appear in the requests.
> > As our clusters use the alias of the NIC like a service address we
> > can't get tickets.
> >
> > If we decide to get the initial credentials with the OS Kerberos
> > software we must use the ccache_type = 3 parameter in the krb5.conf
> > file. Then we get initial tickets with kinit and we can see them with
> > oklist after exporting the correct KRB5CCNAME variable.
> >
> > The last problem is that only the des-cbc-crc encryption method is
> > supported.
> >
> > This is a quick review, if you want details about some of the
> > problems tell me and I will try to give you more details.
> >
> > Otto
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
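
Added example, not part of the original thread and not Oracle's or MIT's code: a pre-flight check for the two cache problems discussed above, the KRB5CCNAME value losing the leading "/" of its path and a client that only reads credentials cache format 3 being handed a format 4 file. It assumes the standard FILE ccache layout (first byte 5, second byte the format version); the function names and the sample file name are made up for the illustration.

```python
import os
import struct
import tempfile

# Cache type prefixes used by MIT krb5; anything else is treated as a bare path.
CC_TYPES = {"FILE", "DIR", "MEMORY", "KEYRING", "KCM", "API", "MSLSA"}

def parse_ccname(value):
    """Split KRB5CCNAME into (type, residual) at the first ':' only.

    The residual is returned untouched, so an absolute path keeps its
    leading '/'. A value without a known type prefix is a FILE path.
    """
    prefix, sep, residual = value.partition(":")
    if sep and prefix in CC_TYPES:
        return prefix, residual
    return "FILE", value

def ccache_file_version(path):
    """Return the FILE ccache format version (1-4) from its 2-byte magic."""
    with open(path, "rb") as fh:
        magic = fh.read(2)
    if len(magic) != 2 or magic[0] != 5 or not 1 <= magic[1] <= 4:
        raise ValueError("not a krb5 FILE ccache: %r" % magic)
    return magic[1]

def check_ccache(ccname, max_version):
    """Say whether a client limited to max_version can read this cache."""
    ctype, residual = parse_ccname(ccname)
    if ctype != "FILE":
        return "unsupported cache type " + ctype
    if not os.path.isabs(residual):
        return "cache path is not absolute: " + residual
    if not os.path.isfile(residual):
        return "cache file not found: " + residual
    version = ccache_file_version(residual)
    if version > max_version:
        return "cache is format %d, client reads up to %d" % (version, max_version)
    return "ok"

def make_sample_ccache(version):
    """Write a constructed, header-only cache file (no credentials); return its path."""
    fd, path = tempfile.mkstemp(prefix="krb5cc_sample_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(bytes([5, version]))
        if version == 4:
            fh.write(struct.pack(">H", 0))  # v4 adds a header-length field; 0 = no tags
    return path
```

Calling check_ccache(os.environ["KRB5CCNAME"], 3) before starting a client that is limited to format 3 reports a mangled path or a newer cache format before the client fails on it.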
