Re: Oracle 9i2 & Kerberos Login: TNS-12641

From: Rick Wessman <Rick.WessmanNO_SPAM_at_NoOrSaPcAlMe.com>
Date: 19 Jun 2004 07:47:44 -0700
Message-ID: <cb1jmg01v1o_at_drn.newsguy.com>

In article <87n0394zww.fsf_at_stargate.de.goenninger.com>, Frank Goenninger DG1SBG says...
>
>Hi all:
>
>I consistently get a
>
>ORA-12641 / TNS-12641
>
>error saying "Authentication service failed to initialize".
>
>I double checked (well, more like a dozen times ;-) my config.
>
>Here are the data:
>
>SYSTEM INFO:
>============
>Debian/Linux Kernel 2.4.20
>1GB RAM, SHMEN etc set as required.
>
>IPCS output:
>------ Shared Memory Segments --------
>key shmid owner perms bytes nattch status
>0x2e209fe4 28835840 oracle 640 255852544 30
>
>------ Semaphore Arrays --------
>key semid owner perms nsems
>0x04617750 2031616 oracle 640 77
>0x04617751 2064385 oracle 640 77
>0x04617752 2097154 oracle 640 77
>
>ORACLE INFO:
>============
>
>ORACLE 9i2 (9.2.0.1.0) running with JServer and Spatial options.
>
>TNSNAMES.ORA (partly):
>--------------------
>
>EXTPROC_CONNECTION_DATA.DE.GOENNINGER.COM =
> (DESCRIPTION =
> (ADDRESS_LIST =
> (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
> )
> (CONNECT_DATA =
> (SID = PLSExtProc)
> (PRESENTATION = RO)
> )
> )
>
>K =
> (DESCRIPTION =
> (ADDRESS_LIST =
>(ADDRESS = (PROTOCOL = TCPS)(HOST = kerberos.de.goenninger.com)(PORT = 1521))
> )
> (CONNECT_DATA =
> (SERVER = DEDICATED)
> (SERVICE_NAME = ORAKRB5)
> )
> )
>
>DEGT001T =
> (DESCRIPTION =
> (ADDRESS_LIST =
>(ADDRESS = (COMMUNITY = DEGT)(PROTOCOL = tcp)(HOST =
>stargate.de.goenninger.com)(PORT = 1521))
> (ADDRESS = (PROTOCOL = ipc)(KEY = PNPKEY))
> )
> (SDU = 2048)
> (CONNECT_DATA =
> (SID = DEGT001T)
> (GLOBAL_NAME = DEGT001T.GOENNINGER.COM)
> )
> )
>
>SQLNET.ORA:
>-----------
>
>SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = k
>
>SQLNET.KERBEROS5_CONF = /etc/krb5.conf
>
>SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA1, MD5)
>
>SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA1)
>
>SQLNET.AUTHENTICATION_SERVICES= (BEQ, KERBEROS5)
>
>SQLNET.KERBEROS5_CC_NAME = /tmp/.krbcache_k
>
>SQLNET.ENCRYPTION_TYPES_SERVER= (3DES168, 3DES112, AES256, RC4_256, AES128,
>AES192, DES, RC4_128)
>
>SQLNET.KERBEROS5_CLOCKSKEW = 1500
>
>SQLNET.KERBEROS5_KEYTAB = /etc/krb5.keytab
>
>SQLNET.KERBEROS5_CONF_MIT = true
>
>
>
>KERBEROS CONFIG:
>================
>Keytab file: /etc/krb5.keytab
>
>Kerberos5 running and used as general login mechanism on that
>server without problems.
>
>REALM: STARGATE.DE.GOENNINGER.COM
>host: stargate.de.goenninger.com
>
>The following principals have been created:
>
>k/stargate.de.goenninger.com_at_STARGATE.DE.GOENNINGER.COM
>(used also as the service for Kerberos5 in Oracle9i2)
>
>f_at_STARGATE.DE.GOENNINGER.COM
>(used as the user to login to Oracle)
>
>
>
>ERROR SCENARIO:
>===============
>
>First, I obtain a ticket for f_at_STARGATE.DE.GOENNINGER.COM with okinit -f.
>That is going ok as oklist shows:
>
>Kerberos Utilities for Linux: Version 9.2.0.1.0 - Production on 11-JUN-2004
>22:04:09
>
>Copyright (c) 1996, 2002 Oracle Corporation. All rights reserved.
>
>Ticket cache: /tmp/.krbcache_k
>Default principal: f_at_STARGATE.DE.GOENNINGER.COM
>
> Valid Starting Expires Principal
>11-Jun-2004 21:38:00 12-Jun-2004 05:37:57
>krbtgt/STARGATE.DE.GOENNINGER.COM_at_STARGATE.DE.GOENNINGER.COM
>
>
>When I issue the sqlplus command as published in Oracle literature,
>
>sqlplus /_at_DEGT001T
>
>I get the error
>
>ERROR:
>ORA-12641: Authentication service failed to initialize
>
>
>LOG FILES:
>==========
>
>Listener log file shows:
>
>11-JUN-2004 22:05:08 *
>(CONNECT_DATA=(SID=DEGT001T)(GLOBAL_NAME=DEGT001T.GOENNINGER.COM)(CID=(PROGRAM=)(HOST=stargate)(USER=oracle)))
>* (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.102)(PORT=40567)) * establish *
>DEGT001T * 0
>11-JUN-2004 22:05:45 * service_update * DEGT001T * 0
>
>Hmm - Why USER=oracle ??? and why "* establish *" ???
>
>Sqlnet.ora log file shows:
>
>***********************************************************************
>Fatal NI connect error 12641, connecting to:
> (LOCAL=NO)
>
> VERSION INFORMATION:
> TNS for Linux: Version 9.2.0.1.0 - Production
>Oracle Bequeath NT Protocol Adapter for Linux: Version 9.2.0.1.0 - Production
> TCP/IP NT Protocol Adapter for Linux: Version 9.2.0.1.0 - Production
> Time: 11-JUN-2004 22:05:08
> Tracing not turned on.
> Tns error struct:
> nr err code: 0
> ns main err code: 12641
> TNS-12641: Authentication service failed to initialize
> ns secondary err code: 0
> nt main err code: 0
> nt secondary err code: 0
> nt OS err code: 0
>
>
>
>This is all I have.
>
>Any idea and support appreciated!
>
>Thx!
>
>Cheers,
> Frank

Turn on sqlnet tracing to level 16 and try the connection again. The trace file should give you some clues as to what is going on. Look for lines starting with "nau". It's too bad that the error thrown isn't more informative, but for architectural reasons, it wasn't possible.

                                         Rick

                                Rick Wessman
                                Oracle Corporation
     The opinions expressed above are mine and do not necessarily reflect
                         those of Oracle Corporation.

Received on Sat Jun 19 2004 - 16:47:44 CEST

This message: [ Message body ]
Next message: alena123_at_mail15.com: "wanna do a good thing?"
Previous message: .: "comp.bbs.waffle,comp.graphics.apps.paint-shop-pro,comp.soft-sys.app-builder.dynasty,comp.databases.oracle.tools,biz.tadpole.sparcbook"
In reply to: Frank Goenninger DG1SBG: "Oracle 9i2 & Kerberos Login: TNS-12641"
In reply to Frank Goenninger DG1SBG: "Oracle 9i2 & Kerberos Login: TNS-12641"
Next in thread: Cambridgeways: "Re: multiple queries in toad"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message