Reputation: 201
I have Windows Server 2008 R2 with the myora.local
domain and AD. There is an Oracle server. And I have a client on Win7.
On server:
-C:\krb\krb.conf
MYORA.LOCAL
MYORA.LOCAL myora.local admin server
-C:\krb\krb5.realms
[libdefaults]
default_realm=MYORA.LOCAL
[realms]
MYORA.LOCAL= {
kdc=DomainController.myora.local:88
}
[domain_realm]
.local.myora=MYORA.LOCAL
-sqlnet.ora
SQLNET.KERBEROS5_CONF= c:\krb\krb.conf
SQLNET.KERBEROS5_REALMS = c:\krb\krb5.realms
SQLNET.KERBEROS5_CC_NAME = C:\krb\v5srvtab
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS, KERBEROS5)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.KERBEROS5_CONF_MIT = TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = krbtgt
okinit works for [email protected] (user name on the server computer)
I do all the same steps on the client (except sqlnet.ora), but okinit throws an error:
From the local name user1 it can't find it, from the computer name it has credential problems.
What should I change or add?
Upvotes: 2
Views: 3039
Reputation: 156
The error may be telling you that for your database service principal (the account you issued the keytab from) you haven't selected "pre-authentication not required" in account properties.
For your client you should remove BEQ from the list of authentication services in sqlnet.ora. If you aren't using them, also remove NTS (Windows native) and TCPS (certificate).
In your krb5.conf file add upper-case to your domain realm, as well as an alias not prefixed by a period - like this:
[domain_realm]
.local.myora=MYORA.LOCAL
local.myora=MYORA.LOCAL
.MYORA.LOCAL=MYORA.LOCAL
MYORA.LOCAL=MYORA.LOCAL
You might want to take a look at this video - there's a chance it will answer other questions you are likely to run into https://www.youtube.com/watch?v=d_d0j9ssQys&ab_channel=OracleDevelopers
Upvotes: 1
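
A small check for the two changes suggested in the answer above, as an added example that is not part of the original posts: it reports which of the four [domain_realm] keys from the answer are missing from a krb5.realms file, and which adapters other than KERBEROS5 are listed in sqlnet.ora. The sample inputs are constructed from the question's server-side files, and the function names are hypothetical.

```python
import re

# Constructed sample inputs, copied from the files shown in the question.
KRB5_REALMS = """\
[libdefaults]
default_realm=MYORA.LOCAL
[realms]
MYORA.LOCAL= {
kdc=DomainController.myora.local:88
}
[domain_realm]
.local.myora=MYORA.LOCAL
"""
SQLNET_ORA = """\
SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS, NTS, KERBEROS5)
"""
# The four [domain_realm] keys listed in the answer.
WANTED_KEYS = [".local.myora", "local.myora", ".MYORA.LOCAL", "MYORA.LOCAL"]

def domain_realm_map(text):
    """Return {key: realm} from the [domain_realm] section (keys kept case-sensitive)."""
    section, mapping = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "domain_realm" and "=" in line:
            key, realm = (p.strip() for p in line.split("=", 1))
            mapping[key] = realm
    return mapping

def missing_keys(text, realm, wanted=WANTED_KEYS):
    """Keys from `wanted` that are absent or mapped to a different realm."""
    found = domain_realm_map(text)
    return [k for k in wanted if found.get(k) != realm]

def extra_auth_services(sqlnet_text, keep=("KERBEROS5",)):
    """Adapters in SQLNET.AUTHENTICATION_SERVICES besides `keep` (drop NTS/TCPS only if unused)."""
    m = re.search(r"^\s*SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(([^)]*)\)",
                  sqlnet_text, re.I | re.M)
    listed = [s.strip().upper() for s in m.group(1).split(",")] if m else []
    return [s for s in listed if s and s not in keep]

if __name__ == "__main__":
    print("missing [domain_realm] keys:", missing_keys(KRB5_REALMS, "MYORA.LOCAL"))
    print("non-Kerberos adapters:", extra_auth_services(SQLNET_ORA))
```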