ORA-12641: Authentication service failed to initalize
eric
and setup krb5.conf, krb.conf, and tnsnames.ora.
when i obtain my ticket (it appears to work -- no errors produced).
however, when i go to connect: sqlplus /@kb_oracle i get the following
error: ERROR: ORA-12641: Authentication service failed to initalize,
and get prompted to enter my password? anyone have any ideas??
thanks,
eric
joel garry
Note:185897.1 on metalink is a troubleshooting guide, it notes the
usual answer (enable tracing), as well as
"Problem: Typographical error in the sqlnet.ora file.
Most of the setting for Kerberos authentication in the sqlnet.ora file
have the string '.KERBEROS5_' within them. The 'S5' often gets entered
incorrectly. "
There's also a possible NTS issue if you are using windows, but since
you don't say, I won't.
jg
--
@home.com is bogus.
http://blogs.zdnet.com/projectfailures/
eric
thanks. i had tracing enabled, but didn't see anything helpful. i'll
go back and check over my stuff again. we are using windows (server
2003). if i had my config here right now, i'd post it (but i'm mobile
right now). i do remember this line though...
SQLNET.AUTHENTICATION_SERVICES=(KERBEROS5, BEQ)
Frank van Bortel
uses CRC by default, not MD5. MS Windows 2003 seems to use MD5
by default, but better make sure. Oracle wants MD5.
More options on http://vanbortel.blogspot.com, the "Kerberos errors"
entry.
If the encryption type is the cause, it should become visible
when tracing.
Just curious - why kerberos on Windows when OS authetication
will work? Even AD for LDAP is supported on MS.
--
Regards,
Frank van Bortel
Top-posting in UseNet newsgroups is one way to shut me up
eric
wrote:
> eric wrote:
> > i've already gone through the steps to obtain my ticket with ktpass,
> > and setup krb5.conf, krb.conf, and tnsnames.ora.
>
> > when i obtain my ticket (it appears to work -- no errors produced).
> > however, when i go to connect: sqlplus /@kb_oracle i get the following
> > error: ERROR: ORA-12641: Authentication service failed to initalize,
> > and get prompted to enter my password? anyone have any ideas??
>
> > thanks,
>
> > eric
>
> Check if you have the correct encryption mechanism; MS Windows 2000
> uses CRC by default, not MD5. MS Windows 2003 seems to use MD5
> by default, but better make sure. Oracle wants MD5.
> entry.
>
> If the encryption type is the cause, it should become visible
> when tracing.
>
> Just curious - why kerberos on Windows when OS authetication
> will work? Even AD for LDAP is supported on MS.
>
> --
>
> Regards,
> Frank van Bortel
>
> Top-posting in UseNet newsgroups is one way to shut me up
thanks. i'll have a look at that. here's what i was using for ktpass:
ktpass -princ oraclesrv/oracle11gtest...@MYDOMAIN.COM -
DesOnly -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -mapuser
svcoracle.mydomain.com -pass {my password omitted} -out C:
\keytab.svcoracle
we wanted to test out something secure (i'm very light-skilled in dba-
stuff), and our "team" wanted to use kerberos. i'll ask them why we're
not using os authentication. do you have an article, or best practices
to point me in the right direction? (i'd check out your website), but
i'm at work -- and can't get to it.
eric
Frank van Bortel
You can do:
klist -k -e -K -t FILE:/<keytab>
to inspect what you actually got from the AD server
(what ktpass produced).
Get a ticket, using kinit -k -t <keytab>, and see
what gives, using klist.
klist -e will give you the encryption types.
eric
> > DesOnly -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -mapuser
> > svcoracle.mydomain.com -pass {my password omitted} -out C:
> > \keytab.svcoracle
>
> > we wanted to test out something secure (i'm very light-skilled in dba-
> > stuff), and our "team" wanted to use kerberos. i'll ask them why we're
> > not using os authentication. do you have an article, or best practices
> > to point me in the right direction? (i'd check out your website), but
> > i'm at work -- and can't get to it.
>
> > eric
>
> You can do:
> klist -k -e -K -t FILE:/<keytab>
> to inspect what you actually got from the AD server
> (what ktpass produced).
>
> Get a ticket, using kinit -k -t <keytab>, and see
> what gives, using klist.
> klist -e will give you the encryption types.
>
> --
>
> Regards,
> Frank van Bortel
>
>
> - Show quoted text -
i tried klist with the syntax you described above, and it didn't work
(i get -- Usage: klist <tickets | tgt | purge>)
also, i'm still stuck on okinit oraclesrv/oracle11gtest.mydomain.com.
it returns the error: okinit: client not found in kerberos database.
i'm going to try and set it up in a test lab today and see if i get a
different result.
Frank van Bortel
>
> i tried klist with the syntax you described above, and it didn't work
> (i get -- Usage: klist <tickets | tgt | purge>)
>
Oops - MicroSoft Windows?
There's a kerberos ticket viewer somewhere; used it once
@work - not @work now, so can't help you
vdeol...@ncf.edu
I know that this was many, many moons ago, but I am now where you were then. Did you get these problems resolve, and if so, do you recall what the roadblocks were?
Many thanks.
Peter Schneider
So don't hold your breath waiting for an answer.
Regards
Peter
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
vdeoliveira
I have seriously been scouring so much of the internet that I came across this post again and forget that I had left a comment.
Noons
> Attempting to set up oracle 12c with kerberos authentication for a class next semester has been hands down the most frustrating task I have ever been given in IT.
>
> I have seriously been scouring so much of the internet that I came across this post again and forget that I had left a comment.
>
>
authentication is nothing but a load of CRAP!