Connection to Oracle with Kerberos

  authentication, docker, external, kerberos, oracle

I use Docker images for the Oracle server and the Oracle client, but I can't connect to the database, even from the server.
/etc/hosts

172.17.0.2 kdc.h4vms.com h4vms.com

/etc/krb5.conf

includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = H4VMS.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 1000000
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 kdc_timesync = 1
 ccache_type = 4

[realms]
 H4VMS.COM = {
  kdc = kdc.h4vms.com:88
  admin_server = kdc.h4vms.com:749
  default_domain = h4vms.com
 }

[domain_realm]
 .h4vms.com = H4VMS.COM
 h4vms.com = H4VMS.COM

/var/kerberos/krbkdc/kdc.conf

default_realm = H4VMS.COM

[kdcdefaults]
 v4_mode = nopreauth
 kdc_ports = 0

[realms]
 H4VMS.COM = {
  kdc_ports = 88
  database_name = /var/kerberos/krb5kdc/principal
  key_stash_file = /var/kerberos/krb5kdc/stash
  max_life = 10h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
  master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
  default_principal_flags = +preauth
 }

sqlnet.ora

names.directory_path=(tnsnames, ezconnect, hostname)
sqlnet.authentication_services=(beq, kerberos5, KERBEROS5PRE)
sqlnet.kerberos5_conf_mit=true
sqlnet.kerberos5_conf=/etc/krb5.conf
sqlnet.kerberos5_keytab=/var/kerberos/krb5kdc/kadm5.keytab
sqlnet.authentication_kerberos5_service=KRB

I successfully create the KDC database with the command kdb5_util create -r H4VMS.COM -s, and I successfully add the principal with the commands:

bash-4.2# kadmin.local
kadmin.local:  addprinc -randkey KRB/kdc.h4vms.com
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab KRB/kdc.h4vms.com

I successfully receive a ticket on both the server and the client:

bash-4.2# okinit -k KRB/kdc.h4vms.com                                              

Kerberos Utilities for Linux: Version 18.0.0.0.0 - Production on 07-DEC-2020 20:05:09

Copyright (c) 1996, 2018 Oracle.  All rights reserved.

Configuration file : /etc/krb5.conf.
bash-4.2# oklist

Kerberos Utilities for Linux: Version 18.0.0.0.0 - Production on 07-DEC-2020 20:05:18

Copyright (c) 1996, 2018 Oracle.  All rights reserved.

Configuration file : /etc/krb5.conf.
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: KRB/kdc.h4vms.com@H4VMS.COM

Valid starting     Expires            Service principal
12/07/20 20:05:09  12/08/20 06:05:09  krbtgt/H4VMS.COM@H4VMS.COM
    renew until 12/08/20 20:05:09

Create the externally identified user in the database:

CREATE USER "KRB/kdc.h4vms.com@H4VMS.COM" IDENTIFIED EXTERNALLY

Trying to configure the connection SID.

tnsnames.ora

KRB =
 (DESCRIPTION =
   (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = kdc.h4vms.com)(PORT = 1521))
   )
   (CONNECT_DATA =
        (SERVICE_NAME = KRB.H4VMS.COM)
   )
 )

listener.ora

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS = (PROTOCOL = TCP)(HOST = kdc.h4vms.com)(PORT = 1521))
    )
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (GLOBAL_DBNAME = KRB.H4VMS.COM)
      (ORACLE_HOME = /opt/oracle/product/18c/dbhomeXE)
      (SID_NAME = KRB)
    )
  )

ADR_BASE_LISTENER = /opt/oracle

Restart the listener:

bash-4.2# lsnrctl stop

LSNRCTL for Linux: Version 18.0.0.0.0 - Production on 07-DEC-2020 20:18:06

Copyright (c) 1991, 2018, Oracle.  All rights reserved.

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
The command completed successfully
bash-4.2# lsnrctl start 

LSNRCTL for Linux: Version 18.0.0.0.0 - Production on 07-DEC-2020 20:18:10

Copyright (c) 1991, 2018, Oracle.  All rights reserved.

Starting /opt/oracle/product/18c/dbhomeXE/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 18.0.0.0.0 - Production
System parameter file is /opt/oracle/product/18c/dbhomeXE/network/admin/listener.ora
Log messages written to /opt/oracle/diag/tnslsnr/f4243ba6e3f1/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=f4243ba6e3f1)(PORT=1521)))

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 18.0.0.0.0 - Production
Start Date                07-DEC-2020 20:18:10
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /opt/oracle/product/18c/dbhomeXE/network/admin/listener.ora
Listener Log File         /opt/oracle/diag/tnslsnr/f4243ba6e3f1/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=f4243ba6e3f1)(PORT=1521)))
The listener supports no services
The command completed successfully

The connection attempt fails:

[[email protected] /]$ sqlplus /@KRB

SQL*Plus: Release 18.0.0.0.0 - Production on Mon Dec 7 20:14:35 2020
Version 18.4.0.0.0

Copyright (c) 1982, 2018, Oracle.  All rights reserved.

ERROR:
ORA-12514: TNS:listener does not currently know of service requested in connect
descriptor
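The files quoted in the question carry two configuration points worth checking mechanically before touching the listener: the krb5.conf enctype lists pin the realm to single DES (broken) and 3DES (deprecated), and sqlnet.kerberos5_keytab points at the KDC's own kadm5.keytab rather than a keytab issued for the Oracle service principal. The script below is an added example, not code from the question or from Oracle; it parses trimmed copies of the question's krb5.conf, kdc.conf, sqlnet.ora, tnsnames.ora and lsnrctl output (the inputs are constructed from the post) and reports weak enctypes, the shared admin keytab, and a tnsnames SERVICE_NAME that the listener does not list, which is the condition behind ORA-12514. The enctype classification is this example's own assumption (single DES per RFC 6649, 3DES and RC4 per RFC 8429); the parsers are deliberately minimal.

```python
"""Added example: static checks over Kerberos and Oracle Net files (not from the question)."""
import re

# Assumption: classification follows RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
BROKEN = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des"}
DEPRECATED = {"des3-cbc-sha1", "des3-hmac-sha1", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes",
                "supported_enctypes", "master_key_type"}


def parse_krb5_conf(text):
    """Minimal krb5.conf/kdc.conf parser: [sections], key = value, one level of { } nesting.
    Keys that appear before any section header (as in the question's kdc.conf) go under ''."""
    conf = {"": {}}
    stack = [conf[""]]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def enctype_findings(conf, path=()):
    """Yield (location, enctype, severity) for every broken/deprecated enctype in conf."""
    for key, value in conf.items():
        if isinstance(value, dict):
            yield from enctype_findings(value, path + (key,))
        elif key in ENCTYPE_KEYS:
            for token in value.split():
                et = token.split(":", 1)[0]  # kdc.conf writes enctype:salttype
                if et in BROKEN:
                    yield ("/".join(path + (key,)), et, "broken")
                elif et in DEPRECATED:
                    yield ("/".join(path + (key,)), et, "deprecated")


def parse_sqlnet(text):
    """sqlnet.ora is a flat key=value file; keys are case-insensitive."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            k, _, v = line.partition("=")
            out[k.strip().lower()] = v.strip()
    return out


def keytab_findings(sqlnet, kdc_conf):
    """Flag an Oracle service keytab that is really the KDC admin keytab (least privilege)."""
    svc = sqlnet.get("sqlnet.kerberos5_keytab")
    admin = {r.get("admin_keytab") for r in kdc_conf.get("realms", {}).values() if isinstance(r, dict)}
    if svc and svc in admin:
        return [f"sqlnet.kerberos5_keytab={svc} is the kadmin keytab; export a keytab for the service principal only"]
    return []


def listener_services(status_output):
    """Service names reported by `lsnrctl status` / `lsnrctl services`."""
    return set(re.findall(r'Service "([^"]+)" has \d+ instance', status_output))


def tns_service_name(tnsnames, alias):
    """SERVICE_NAME of the tnsnames.ora entry for alias (first SERVICE_NAME after the alias)."""
    entry = re.search(r"^\s*" + re.escape(alias) + r"\s*=", tnsnames, re.M)
    if not entry:
        return None
    m = re.search(r"SERVICE_NAME\s*=\s*([^)\s]+)", tnsnames[entry.end():])
    return m.group(1) if m else None


def service_findings(tnsnames, alias, status_output):
    """Compare the alias's SERVICE_NAME with what the listener actually registered."""
    wanted = tns_service_name(tnsnames, alias)
    known = listener_services(status_output)
    if wanted is None:
        return [f"alias {alias} has no SERVICE_NAME"]
    if wanted.upper() not in {s.upper() for s in known}:
        return [f"listener does not know service {wanted} (registered: {sorted(known) or 'none'}); expect ORA-12514"]
    return []


def run_checks(krb5_text, kdc_text, sqlnet_text, tnsnames_text, alias, lsnrctl_text):
    krb5, kdc = parse_krb5_conf(krb5_text), parse_krb5_conf(kdc_text)
    return {"enctypes": list(enctype_findings(krb5)) + list(enctype_findings(kdc)),
            "keytab": keytab_findings(parse_sqlnet(sqlnet_text), kdc),
            "service": service_findings(tnsnames_text, alias, lsnrctl_text)}


# Constructed sample inputs, trimmed from the files in the question.
KRB5_SAMPLE = """[libdefaults]
 default_realm = H4VMS.COM
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1

[realms]
 H4VMS.COM = {
  kdc = kdc.h4vms.com:88
  admin_server = kdc.h4vms.com:749
 }
"""
KDC_SAMPLE = """default_realm = H4VMS.COM

[kdcdefaults]
 kdc_ports = 0

[realms]
 H4VMS.COM = {
  master_key_type = des3-hmac-sha1
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
  default_principal_flags = +preauth
 }
"""
SQLNET_SAMPLE = """sqlnet.authentication_services=(beq, kerberos5, KERBEROS5PRE)
sqlnet.kerberos5_keytab=/var/kerberos/krb5kdc/kadm5.keytab
sqlnet.authentication_kerberos5_service=KRB
"""
TNSNAMES_SAMPLE = """KRB =
 (DESCRIPTION =
   (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = kdc.h4vms.com)(PORT = 1521))
   )
   (CONNECT_DATA =
        (SERVICE_NAME = KRB.H4VMS.COM)
   )
 )
"""
LSNRCTL_NO_SERVICES = """Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=f4243ba6e3f1)(PORT=1521)))
The listener supports no services
The command completed successfully
"""
# Constructed: what the same status block looks like once the instance has registered.
LSNRCTL_REGISTERED = """Services Summary...
Service "KRB.H4VMS.COM" has 1 instance(s).
  Instance "KRB", status READY, has 1 handler(s) for this service...
The command completed successfully
"""

if __name__ == "__main__":
    for group, items in run_checks(KRB5_SAMPLE, KDC_SAMPLE, SQLNET_SAMPLE,
                                   TNSNAMES_SAMPLE, "KRB", LSNRCTL_NO_SERVICES).items():
        print(group)
        for item in items:
            print("  ", item)
```

Run it and the enctype group lists every DES and 3DES/RC4 token by location (for example libdefaults/default_tkt_enctypes), the keytab group reports the shared kadm5.keytab, and the service group reports that the listener registered nothing for KRB.H4VMS.COM; feeding it the registered-listener sample instead empties the service group. The ORA-12514 in the question is the listener-side symptom, so the service check is the one to re-run after each change to listener.ora or the database's service registration, while the enctype and keytab findings stand on their own regardless of whether the connection works.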

Source: Docker Questions
