Re: ORA-12641: Authentication service failed to initalize
From: Frank van Bortel <frank.van.bortel_at_gmail.com>
Date: Fri, 14 Mar 2008 20:14:58 +0100
Message-ID: <64439$47daceb2$524b5c40$10909@cache2.tilbu1.nb.home.nl>
>
> thanks. i'll have a look at that. here's what i was using for ktpass:
>
> ktpass -princ oraclesrv/oracle11gtest.mydomain.com_at_MYDOMAIN.COM -
> DesOnly -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -mapuser
> svcoracle.mydomain.com -pass {my password omitted} -out C:
> \keytab.svcoracle
>
> we wanted to test out something secure (i'm very light-skilled in dba-
> stuff), and our "team" wanted to use kerberos. i'll ask them why we're
> not using os authentication. do you have an article, or best practices
> to point me in the right direction? (i'd check out your website), but
> i'm at work -- and can't get to it.
>
> eric
>
Date: Fri, 14 Mar 2008 20:14:58 +0100
Message-ID: <64439$47daceb2$524b5c40$10909@cache2.tilbu1.nb.home.nl>
eric wrote:
> On Mar 7, 3:07 pm, Frank van Bortel <frank.van.bor..._at_gmail.com>
> wrote:
>> eric wrote: >>> i've already gone through the steps to obtain my ticket with ktpass, >>> and setup krb5.conf, krb.conf, and tnsnames.ora. >>> when i obtain my ticket (it appears to work -- no errors produced). >>> however, when i go to connect: sqlplus /@kb_oracle i get the following >>> error: ERROR: ORA-12641: Authentication service failed to initalize, >>> and get prompted to enter my password? anyone have any ideas?? >>> thanks, >>> eric >> Check if you have the correct encryption mechanism; MS Windows 2000 >> uses CRC by default, not MD5. MS Windows 2003 seems to use MD5 >> by default, but better make sure. Oracle wants MD5. >> More options onhttp://vanbortel.blogspot.com, the "Kerberos errors" >> entry. >> >> If the encryption type is the cause, it should become visible >> when tracing. >> >> Just curious - why kerberos on Windows when OS authetication >> will work? Even AD for LDAP is supported on MS. >> >> -- >> >> Regards, >> Frank van Bortel >> >> Top-posting in UseNet newsgroups is one way to shut me up
>
> thanks. i'll have a look at that. here's what i was using for ktpass:
>
> ktpass -princ oraclesrv/oracle11gtest.mydomain.com_at_MYDOMAIN.COM -
> DesOnly -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -mapuser
> svcoracle.mydomain.com -pass {my password omitted} -out C:
> \keytab.svcoracle
>
> we wanted to test out something secure (i'm very light-skilled in dba-
> stuff), and our "team" wanted to use kerberos. i'll ask them why we're
> not using os authentication. do you have an article, or best practices
> to point me in the right direction? (i'd check out your website), but
> i'm at work -- and can't get to it.
>
> eric
>
You can do:
klist -k -e -K -t FILE:/<keytab>
to inspect what you actually got from the AD server
(what ktpass produced).
Get a ticket, using kinit -k -t <keytab>, and see
what gives, using klist.
klist -e will give you the encryption types.
-- Regards, Frank van Bortel Top-posting in UseNet newsgroups is one way to shut me upReceived on Fri Mar 14 2008 - 14:14:58 CDT