Wednesday, January 5, 2011

Installation of Kerberos 5 on Linux and Oracle authentication on 11gR2

For background on Kerberos and the terminology used here, see the MIT documentation. For Oracle authentication, see the Oracle Advanced Security Administrator's Guide.


First of all, as the oracle user, check that your Oracle Database Server was installed with the Oracle Advanced Security option. Type

[oracle@plutone ~]$ adapters


and you should see something like

...
Installed Oracle Advanced Security options are:
...
Kerberos v5 authentication
...


Go to the MIT website and download the latest available stable release of Kerberos.
http://mit.edu/kerberos/

For me it was krb5-1.9.
I've copied the krb5-1.9-signed.tar file into my directory /u04/kerberos5 and then typed the following commands:

[root@plutone /root]# cd /u04/kerberos5
[root@plutone kerberos5]# tar xvf krb5-1.9-signed.tar
[root@plutone kerberos5]# tar xvfz krb5-1.9.tar.gz
[root@plutone kerberos5]# cd krb5-1.9/src
[root@plutone src]# pwd
/u04/kerberos5/krb5-1.9/src


Then compile and install Kerberos with the usual commands:

[root@plutone src]# ./configure
[root@plutone src]# make
[root@plutone src]# make install


Now it's time to configure the first of the two Kerberos configuration files. In the default conf file I've changed only the hostname (plutone):

[root@plutone src]# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
EXAMPLE.COM = {
kdc = plutone:88
admin_server = plutone:749
default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


Then modify (or create) the second Kerberos configuration file, kdc.conf:

[root@plutone src]# cd /usr/local/var/krb5kdc/
[root@plutone krb5kdc]# ll
total 0
[root@plutone krb5kdc]# vi kdc.conf
[kdcdefaults]
kdc_ports = 750,88

[realms]
EXAMPLE.COM = {
kdc_ports = 750,88
database_name = /usr/local/var/krb5kdc/principal
admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
acl_file = /usr/local/var/krb5kdc/kadm5.acl
key_stash_file = /usr/local/var/krb5kdc/.k5.KERB.IT
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}


Let's create the Kerberos database for the Key Distribution Center (KDC). The following command created five files; the -s option also stores the master key in the stash file named by key_stash_file in kdc.conf, which is why .k5.KERB.IT appears in the listing.

[root@plutone krb5kdc]# /usr/local/sbin/kdb5_util create -r EXAMPLE.COM -s
Loading random data
Initializing database '/usr/local/var/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
[root@plutone krb5kdc]# ls -la
total 32
drwxr-xr-x 2 root root 4096 Jan 5 14:30 .
drwxr-xr-x 3 root root 4096 Jan 5 13:06 ..
-rw------- 1 root root 72 Jan 5 14:30 .k5.KERB.IT
-rw-r--r-- 1 root root 386 Jan 5 14:28 kdc.conf
-rw------- 1 root root 8192 Jan 5 14:30 principal
-rw------- 1 root root 8192 Jan 5 14:30 principal.kadm5
-rw------- 1 root root 0 Jan 5 14:30 principal.kadm5.lock
-rw------- 1 root root 0 Jan 5 14:30 principal.ok


Now let's create the ACL file (kadm5.acl, the path set by acl_file in kdc.conf):

[root@plutone krb5kdc]# echo "*/plutone@EXAMPLE.COM * *" > kadm5.acl
[root@plutone krb5kdc]# more kadm5.acl
*/plutone@EXAMPLE.COM * *
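
The pattern */plutone@EXAMPLE.COM matches every principal whose instance is plutone, so this line grants full administrative privileges not only to admin/plutone but to any service principal with that instance as well, such as the DB11G/plutone principal created further down, whose key ends up in a keytab readable by the oracle user. The following is an added example, not code from the post: a small evaluator for kadm5.acl lines (first matching line wins, wildcards apply within a single component) that shows which principals end up with admin rights under the post's ACL and under a hypothetical tighter one naming only admin/plutone. The privilege letters in ALL_PRIVS follow the kadm5.acl codes; upper-case denial letters are not modelled, and a bare "*" target is treated as matching anything.

```python
import fnmatch
from dataclasses import dataclass

# Constructed copy of the one-line ACL the post writes into kadm5.acl.
POST_ACL = "*/plutone@EXAMPLE.COM * *\n"

# Hypothetical tighter alternative: only the admin principal gets privileges.
TIGHT_ACL = "admin/plutone@EXAMPLE.COM *\n"

# kadm5.acl privilege letters: a add, c change password, d delete, e extract
# keys, i inquire, l list, m modify, p propagate database, s set key.
# "x" or "*" in the permissions field stands for all of them.
ALL_PRIVS = frozenset("acdeilmps")


@dataclass
class AclEntry:
    who: str              # principal pattern, e.g. */plutone@EXAMPLE.COM
    privs: frozenset      # granted privilege letters
    target: str = "*"     # target principal pattern; "*" means any


def split_principal(name):
    """Split 'primary/instance@REALM' into (components, realm)."""
    if "@" in name:
        base, realm = name.rsplit("@", 1)
    else:
        base, realm = name, ""
    return base.split("/"), realm


def principal_matches(pattern, name):
    """Same number of components required; '*' and '?' act inside one
    component only. A bare '*' pattern matches anything (simplification)."""
    if pattern == "*":
        return True
    p_comps, p_realm = split_principal(pattern)
    n_comps, n_realm = split_principal(name)
    if len(p_comps) != len(n_comps):
        return False
    return fnmatch.fnmatchcase(n_realm, p_realm) and all(
        fnmatch.fnmatchcase(c, pc) for c, pc in zip(n_comps, p_comps))


def expand_privs(spec):
    """Lower-case letters grant; 'x' or '*' grants everything."""
    if spec in ("x", "*"):
        return ALL_PRIVS
    return frozenset(ch for ch in spec if ch in ALL_PRIVS)


def parse_acl(text):
    """Parse kadm5.acl text: 'principal permissions [target]' per line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        target = fields[2] if len(fields) > 2 else "*"
        entries.append(AclEntry(fields[0], expand_privs(fields[1]), target))
    return entries


def privileges_for(entries, principal, target=None):
    """Privileges `principal` holds (over `target`, if given); first match wins."""
    for e in entries:
        if principal_matches(e.who, principal) and (
                target is None or principal_matches(e.target, target)):
            return set(e.privs)
    return set()


def audit(entries, principals):
    """Map each principal to its privilege letters, flagging full admin rights."""
    report = {}
    for p in principals:
        privs = privileges_for(entries, p)
        report[p] = ("FULL ADMIN" if privs == set(ALL_PRIVS)
                     else "".join(sorted(privs)) or "none")
    return report


if __name__ == "__main__":
    # The principals the post creates on this KDC (the last two further down).
    principals = ["admin/plutone@EXAMPLE.COM", "DB11G/plutone@EXAMPLE.COM",
                  "marco@EXAMPLE.COM"]
    for label, text in (("post ACL", POST_ACL), ("tight ACL", TIGHT_ACL)):
        print(label)
        for p, rights in audit(parse_acl(text), principals).items():
            print("  %-28s %s" % (p, rights))
```

Under the post's ACL both admin/plutone and DB11G/plutone come out as FULL ADMIN while marco (one component, so it never matches a two-component pattern) gets nothing; under the tighter line only admin/plutone keeps its rights.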


and create the administrator principal for the Kerberos database:

[root@plutone krb5kdc]# /usr/local/sbin/kadmin.local
Authenticating as principal root/plutone@EXAMPLE.COM with password.
kadmin.local: addprinc admin/plutone@EXAMPLE.COM
WARNING: no policy specified for admin/plutone@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/plutone@EXAMPLE.COM":
Re-enter password for principal "admin/plutone@EXAMPLE.COM":
Principal "admin/plutone@EXAMPLE.COM" created.
kadmin.local: quit


Now let's start the Kerberos daemons:

[root@plutone krb5kdc]# /usr/local/sbin/krb5kdc
[root@plutone krb5kdc]# /usr/local/sbin/kadmind


and check the log files for errors:

[root@plutone ~]# tail -f /var/log/kadmind.log
Jan 05 14:42:36 plutone kadmind[22621](info): listening on fd 7: udp ::.464 (pktinfo)
kadmind: setsockopt(8,IPV6_V6ONLY,1) worked
Jan 05 14:42:37 plutone kadmind[22621](info): listening on fd 9: tcp 0.0.0.0.464
Jan 05 14:42:37 plutone kadmind[22621](info): listening on fd 8: tcp ::.464
Jan 05 14:42:37 plutone kadmind[22621](info): listening on fd 10: rpc 0.0.0.0.749
kadmind: setsockopt(11,IPV6_V6ONLY,1) worked
Jan 05 14:42:37 plutone kadmind[22621](info): listening on fd 11: rpc ::.749
Jan 05 14:42:37 plutone kadmind[22621](info): set up 6 sockets
Jan 05 14:42:37 plutone kadmind[22622](info): Seeding random number generator
Jan 05 14:42:37 plutone kadmind[22622](info): starting

[root@plutone ~]# tail -f /var/log/krb5kdc.log
Jan 05 14:42:30 plutone krb5kdc[22619](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Jan 05 14:42:30 plutone krb5kdc[22619](info): setting up network...
Jan 05 14:42:30 plutone krb5kdc[22619](info): listening on fd 6: udp 0.0.0.0.88 (pktinfo)
Jan 05 14:42:30 plutone krb5kdc[22619](info): listening on fd 7: udp 0.0.0.0.750 (pktinfo)
krb5kdc: setsockopt(8,IPV6_V6ONLY,1) worked
Jan 05 14:42:30 plutone krb5kdc[22619](info): listening on fd 8: udp ::.88 (pktinfo)
krb5kdc: setsockopt(9,IPV6_V6ONLY,1) worked
Jan 05 14:42:30 plutone krb5kdc[22619](info): listening on fd 9: udp ::.750 (pktinfo)
Jan 05 14:42:30 plutone krb5kdc[22619](info): set up 4 sockets
Jan 05 14:42:31 plutone krb5kdc[22620](info): commencing operation


Now add a service principal for our Oracle Database Server:

[root@plutone krb5kdc]# /usr/local/sbin/kadmin.local
Authenticating as principal root/plutone@EXAMPLE.COM with password.
kadmin.local: DB11G/plutone@EXAMPLE.COM
kadmin.local: Unknown request "DB11G/plutone@EXAMPLE.COM". Type "?" for a request list.
kadmin.local: addprinc -randkey DB11G/plutone@EXAMPLE.COM
WARNING: no policy specified for DB11G/plutone@EXAMPLE.COM; defaulting to no policy
Principal "DB11G/plutone@EXAMPLE.COM" created.


Next, create the principal for the Oracle user, named marco:

[root@plutone krb5kdc]# /usr/local/sbin/kadmin.local
Authenticating as principal root/plutone@EXAMPLE.COM with password.
kadmin.local: addprinc marco
WARNING: no policy specified for marco@EXAMPLE.COM; defaulting to no policy
Enter password for principal "marco@EXAMPLE.COM":
Re-enter password for principal "marco@EXAMPLE.COM":
Principal "marco@EXAMPLE.COM" created.


Extract the service table (keytab) from Kerberos. This file will be referenced in the sqlnet.ora configuration:

kadmin.local: ktadd -k /tmp/keytab DB11G/plutone
Entry for principal DB11G/plutone with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/keytab.
Entry for principal DB11G/plutone with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/keytab.
Entry for principal DB11G/plutone with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/keytab.
Entry for principal DB11G/plutone with kvno 4, encryption type arcfour-hmac added to keytab WRFILE:/tmp/keytab.


Create the Oracle user on the Oracle Database Server. According to the Oracle documentation (Oracle Advanced Security Administrator's Guide), "This username must be created in uppercase and must have the realm specified."


idle> startup
ORACLE instance started.

Total System Global Area 626327552 bytes
Fixed Size 2215944 bytes
Variable Size 427823096 bytes
Database Buffers 188743680 bytes
Redo Buffers 7544832 bytes
Database mounted.
Database opened.
idle> create user "MARCO@EXAMPLE.COM" identified externally;

User created.

idle> grant create session to "MARCO@EXAMPLE.COM";

Grant succeeded.


Check the authentication parameters: os_authent_prefix must be empty so that the externally identified user name matches the Kerberos principal exactly, and since the change is made with scope=spfile it takes effect at the next restart:

idle> show parameter authent

NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
os_authent_prefix string ops$
remote_os_authent boolean FALSE

idle> alter system set os_authent_prefix='' scope=spfile;

System altered.



Copy the service table file from the /tmp directory to its permanent location and make the oracle user its owner:

[root@plutone krb5kdc]# cp /tmp/keytab /etc/
[root@plutone krb5kdc]# chown oracle.oinstall /etc/keytab
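
The keytab just copied to /etc/keytab holds the long-term keys for DB11G/plutone, so two things are worth checking after the copy: what it contains (as klist -kt would list it, without the key bytes) and who can read it. The following is an added example, not part of the post: a builder and a parser for the MIT keytab file format (version 0x0502), exercised on a constructed keytab with dummy key bytes that mirrors the ktadd output above, plus a permission check run on a temporary file. The function names are my own.

```python
import os
import stat
import struct
import tempfile

# enctype numbers behind the names in the ktadd output above
ENCTYPE_NAMES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
                 16: "des3-cbc-sha1", 23: "arcfour-hmac"}
KEY_LENGTHS = {18: 32, 17: 16, 16: 24, 23: 16}

# Constructed entries mirroring that output: same principal, kvno 4, same four
# enctypes. The key bytes are dummy filler, not real keys.
SAMPLE_ENTRIES = [("DB11G/plutone@EXAMPLE.COM", 4, et, bytes([0x5A]) * KEY_LENGTHS[et])
                  for et in (18, 17, 16, 23)]


def _octets(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a format 0x0502 keytab
    (big-endian throughout). The timestamp field is left at 0 here."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        base, realm = principal.rsplit("@", 1)
        comps = base.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", etype) + _octets(key)  # keyblock
        body += struct.pack(">I", kvno)                   # 32-bit kvno (format 0x0502)
        out += struct.pack(">i", len(body)) + body       # entry size excludes itself
    return bytes(out)


class _Reader:
    """Cursor over one keytab entry."""
    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def unpack(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals

    def octets(self):
        (n,) = self.unpack(">H")
        b = self.data[self.pos:self.pos + n]
        self.pos += n
        return b


def parse_keytab(data):
    """List the entries the way `klist -kt` would, reporting key length only."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # free slot (e.g. left behind by ktremove)
            pos += -size
            continue
        r = _Reader(data, pos)
        (ncomp,) = r.unpack(">H")
        realm = r.octets().decode()
        comps = [r.octets().decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = r.unpack(">IIB")
        (etype,) = r.unpack(">H")
        key = r.octets()
        kvno = vno8
        if pos + size - r.pos >= 4:        # 32-bit kvno present when room remains
            (kvno,) = r.unpack(">I")
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "key_len": len(key),
                        "enctype": ENCTYPE_NAMES.get(etype, "etype %d" % etype)})
        pos += size
    return entries


def check_keytab_file(path):
    """Parse a keytab on disk and report permission problems: it holds
    long-term keys, so nothing but its owner should be able to read it."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o allows group/other access; expected 0600" % mode)
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    return entries, problems


def demo():
    """Write the constructed keytab to a temp file and check it at 0600 and 0644."""
    fd, path = tempfile.mkstemp(prefix="keytab-demo-")
    try:
        os.write(fd, build_keytab(SAMPLE_ENTRIES))
        os.close(fd)
        os.chmod(path, 0o600)
        entries, strict = check_keytab_file(path)
        os.chmod(path, 0o644)
        _, loose = check_keytab_file(path)
    finally:
        os.unlink(path)
    return entries, strict, loose
```

Run check_keytab_file("/etc/keytab") as root after the cp and chown above to confirm the four DB11G/plutone entries are present with kvno 4 and that the file is not group- or world-readable.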


Now it's time to configure the sqlnet.ora file to point to Kerberos. The following parameters were added to sqlnet.ora:

[oracle@plutone admin]$ pwd
/u01/app/oracle/product/11.2.0/db_1/network/admin
[oracle@plutone admin]$ vi sqlnet.ora
SQLNET.KERBEROS5_KEYTAB=/etc/keytab
SQLNET.KERBEROS5_CONF=/etc/krb5.conf
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=DB11G
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)


Let's get a ticket from the Kerberos server:

[oracle@plutone admin]$ okinit marco

Kerberos Utilities for Linux: Version 11.2.0.1.0 - Production on 05-JAN-2011 16:02:02

Copyright (c) 1996, 2009 Oracle. All rights reserved.

Password for marco@EXAMPLE.COM:
[oracle@plutone admin]$ oklist

Kerberos Utilities for Linux: Version 11.2.0.1.0 - Production on 05-JAN-2011 16:02:15

Copyright (c) 1996, 2009 Oracle. All rights reserved.

Ticket cache: /tmp/krb5cc_500
Default principal: marco@EXAMPLE.COM

Valid Starting Expires Principal
05-Jan-2011 16:02:06 06-Jan-2011 00:02:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM


And now it's time to log in:

[oracle@plutone admin]$ sqlplus /@DB11G

SQL*Plus: Release 11.2.0.1.0 Production on Wed Jan 5 16:10:11 2011

Copyright (c) 1982, 2009, Oracle. All rights reserved.


Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

marco@example.com@DB11G>


What happens if I remove the ticket?

[root@plutone krb5kdc]# rm /tmp/krb5cc_500
rm: remove regular file `/tmp/krb5cc_500'? y


Of course I'm not able to authenticate the user.

[oracle@plutone admin]$ sqlplus /@DB11G

SQL*Plus: Release 11.2.0.1.0 Production on Wed Jan 5 16:19:52 2011

Copyright (c) 1982, 2009, Oracle. All rights reserved.

ERROR:
ORA-12638: Credential retrieval failed


Enter user-name:

3 comments:

Ramesh said...

The document is very good. I had followed the same , but had issue in loggin into oracle. The error it shows : Aug 18 10:36:31 plutone.example.com krb5kdc[17063](info): listening on fd 9: udp ::.750 (pktinfo)
Aug 18 10:36:31 plutone.example.com krb5kdc[17063](info): set up 4 sockets
Aug 18 10:36:31 plutone.example.com krb5kdc[17064](info): commencing operation
Aug 18 10:49:45 plutone.example.com krb5kdc[17064](info): AS_REQ (5 etypes {18 16 23 1 3}) 10.74.0.95: ISSUE: authtime 1313644785, etypes {rep=18 tkt=18 ses=18}, marco@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Aug 18 10:50:38 plutone.example.com krb5kdc[17064](info): TGS_REQ (5 etypes {18 16 23 1 3}) 10.74.0.95: UNKNOWN_SERVER: authtime 0, marco@EXAMPLE.COM for DB11G/plutone.example.com@EXAMPLE.COM, Server not found in Kerberos database
Aug 18 10:51:54 plutone.example.com krb5kdc[17064](info): TGS_REQ (5 etypes {18 16 23 1 3}) 10.74.0.95: UNKNOWN_SERVER: authtime 0, marco@EXAMPLE.COM for DB11G/plutone.example.com@EXAMPLE.COM, Server not found in Kerberos database
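
The KDC log Ramesh quotes shows an AS_REQ being issued and then two TGS_REQs failing with UNKNOWN_SERVER for DB11G/plutone.example.com@EXAMPLE.COM, while the post registered the service principal as DB11G/plutone@EXAMPLE.COM. The following is an added example, not code from the post or its commenters: it parses krb5kdc.log request lines of the layout shown above (the regex is written against that layout and the sample lines are copied from the comment), counts UNKNOWN_SERVER failures per client and requested service, points out when the requested principal differs from a known one only by short versus fully qualified host name, and flags requests whose clients still offer single-DES enctypes (the 1 and 3 inside the etype lists above). The function names and the known-principal list are my own.

```python
import re
from collections import Counter

# Lines taken from the comment above; the two non-request lines are kept to
# show that the parser skips them.
SAMPLE_LOG = """\
Aug 18 10:36:31 plutone.example.com krb5kdc[17063](info): set up 4 sockets
Aug 18 10:36:31 plutone.example.com krb5kdc[17064](info): commencing operation
Aug 18 10:49:45 plutone.example.com krb5kdc[17064](info): AS_REQ (5 etypes {18 16 23 1 3}) 10.74.0.95: ISSUE: authtime 1313644785, etypes {rep=18 tkt=18 ses=18}, marco@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Aug 18 10:50:38 plutone.example.com krb5kdc[17064](info): TGS_REQ (5 etypes {18 16 23 1 3}) 10.74.0.95: UNKNOWN_SERVER: authtime 0, marco@EXAMPLE.COM for DB11G/plutone.example.com@EXAMPLE.COM, Server not found in Kerberos database
Aug 18 10:51:54 plutone.example.com krb5kdc[17064](info): TGS_REQ (5 etypes {18 16 23 1 3}) 10.74.0.95: UNKNOWN_SERVER: authtime 0, marco@EXAMPLE.COM for DB11G/plutone.example.com@EXAMPLE.COM, Server not found in Kerberos database
"""

# Regex written against the krb5kdc.log line layout shown above.
REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<client_ip>[0-9a-fA-F.:]+): "
    r"(?P<status>[A-Z_]+): authtime (?P<authtime>\d+), (?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<message>.*))?$")

# Single-DES enctype numbers: a client still offering these is worth a look.
SINGLE_DES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}


def parse_kdc_log(text):
    """Return one dict per AS_REQ/TGS_REQ line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["etypes"] = [int(x) for x in rec["etypes"].split()]
        rec["authtime"] = int(rec["authtime"])
        records.append(rec)
    return records


def unknown_server_summary(records):
    """Count UNKNOWN_SERVER failures per (client, requested service) pair."""
    return Counter((r["client"], r["server"]) for r in records
                   if r["status"] == "UNKNOWN_SERVER")


def explain_unknown_server(requested, known_principals):
    """If the requested service principal differs from a known one only in the
    host part (short name vs. fully qualified), say so; otherwise None."""
    req_base, req_realm = requested.rsplit("@", 1)
    req_primary, _, req_host = req_base.partition("/")
    for known in known_principals:
        base, realm = known.rsplit("@", 1)
        primary, _, host = base.partition("/")
        if realm != req_realm or primary != req_primary:
            continue
        if req_host.split(".")[0] == host.split(".")[0] and req_host != host:
            return ("client asked for %s but the KDC has %s: the instance must be "
                    "the host name the client resolves for the server" % (requested, known))
    return None


def weak_etypes_offered(record):
    """Set of single-DES enctype numbers the client offered in this request."""
    return {et for et in record["etypes"] if et in SINGLE_DES}


if __name__ == "__main__":
    recs = parse_kdc_log(SAMPLE_LOG)
    # Known service principals on the KDC: the one the post created.
    known = ["DB11G/plutone@EXAMPLE.COM"]
    for (client, server), n in unknown_server_summary(recs).items():
        print("%d x UNKNOWN_SERVER: %s -> %s" % (n, client, server))
        hint = explain_unknown_server(server, known)
        if hint:
            print("  hint:", hint)
    for r in recs:
        weak = weak_etypes_offered(r)
        if weak:
            print("%s from %s offered single-DES etypes %s"
                  % (r["req"], r["client_ip"], sorted(weak)))
```

On the sample lines the summary reports two UNKNOWN_SERVER failures for marco requesting DB11G/plutone.example.com, the hint names DB11G/plutone@EXAMPLE.COM as the principal that actually exists, and every request is flagged for offering enctypes 1 and 3.
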

Unknown said...

Nice and good article. It is very useful for me to learn and understand easily. Thanks for sharing your valuable information and time. Please keep updating Hadoop Administration Online Training
