Oracle 9i2 & Kerberos Login: TNS-12641

From: Frank Goenninger DG1SBG <frank_goenninger_at_t-online.de>
Date: Fri, 11 Jun 2004 22:12:31 +0200
Message-ID: <87n0394zww.fsf_at_stargate.de.goenninger.com>



Hi all:

I consistently get a

ORA-12641 / TNS-12641 error saying "Authentication service failed to initialize".

I double checked (well, more like a dozen times ;-) my config.

Here are the data:

SYSTEM INFO:



Debian/Linux Kernel 2.4.20
1GB RAM, SHMEN etc set as required.

IPCS output:
------ Shared Memory Segments --------

key        shmid      owner      perms      bytes      nattch     status
0x2e209fe4 28835840   oracle    640        255852544  30

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x04617750 2031616    oracle    640        77
0x04617751 2064385    oracle    640        77
0x04617752 2097154    oracle    640        77

ORACLE INFO:


ORACLE 9i2 (9.2.0.1.0) running with JServer and Spatial options.

TNSNAMES.ORA (partly):


EXTPROC_CONNECTION_DATA.DE.GOENNINGER.COM =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
    )
    (CONNECT_DATA =
      (SID = PLSExtProc)
      (PRESENTATION = RO)
    )
  )

K =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = kerberos.de.goenninger.com)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = ORAKRB5)
    )
  )

DEGT001T =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (COMMUNITY = DEGT)(PROTOCOL = tcp)(HOST = stargate.de.goenninger.com)(PORT = 1521))
      (ADDRESS = (PROTOCOL = ipc)(KEY = PNPKEY))
    )
    (SDU = 2048)
    (CONNECT_DATA =
      (SID = DEGT001T)
      (GLOBAL_NAME = DEGT001T.GOENNINGER.COM)
    )
  )

SQLNET.ORA:


SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = k
SQLNET.KERBEROS5_CONF = /etc/krb5.conf
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA1, MD5)
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA1)
SQLNET.AUTHENTICATION_SERVICES= (BEQ, KERBEROS5)
SQLNET.KERBEROS5_CC_NAME = /tmp/.krbcache_k
SQLNET.ENCRYPTION_TYPES_SERVER= (3DES168, 3DES112, AES256, RC4_256, AES128, AES192, DES, RC4_128)
SQLNET.KERBEROS5_CLOCKSKEW = 1500
SQLNET.KERBEROS5_KEYTAB = /etc/krb5.keytab
SQLNET.KERBEROS5_CONF_MIT = true

KERBEROS CONFIG:



Keytab file: /etc/krb5.keytab

Kerberos5 running and used as general login mechanism on that server without problems.

REALM: STARGATE.DE.GOENNINGER.COM
host: stargate.de.goenninger.com

The following principals have been created:

k/stargate.de.goenninger.com@STARGATE.DE.GOENNINGER.COM
(used also as the service for Kerberos5 in Oracle9i2)

f@STARGATE.DE.GOENNINGER.COM
(used as the user to login to Oracle)

ERROR SCENARIO:


First, I obtain a ticket for f@STARGATE.DE.GOENNINGER.COM with okinit -f. That is going ok as oklist shows:

Kerberos Utilities for Linux: Version 9.2.0.1.0 - Production on 11-JUN-2004 22:04:09

Copyright (c) 1996, 2002 Oracle Corporation. All rights reserved.

Ticket cache: /tmp/.krbcache_k
Default principal: f@STARGATE.DE.GOENNINGER.COM

   Valid Starting           Expires            Principal
11-Jun-2004 21:38:00 12-Jun-2004 05:37:57 krbtgt/STARGATE.DE.GOENNINGER.COM@STARGATE.DE.GOENNINGER.COM

When I issue the sqlplus command as published in Oracle literature,

sqlplus /@DEGT001T

I get the error

ERROR:
ORA-12641: Authentication service failed to initialize

LOG FILES:


Listener log file shows:

11-JUN-2004 22:05:08 * (CONNECT_DATA=(SID=DEGT001T)(GLOBAL_NAME=DEGT001T.GOENNINGER.COM)(CID=(PROGRAM=)(HOST=stargate)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.102)(PORT=40567)) * establish * DEGT001T * 0
11-JUN-2004 22:05:45 * service_update * DEGT001T * 0

Hmm - Why USER=oracle ??? and why "* establish *" ???

Sqlnet.ora log file shows:



Fatal NI connect error 12641, connecting to:
 (LOCAL=NO)

  VERSION INFORMATION:
        TNS for Linux: Version 9.2.0.1.0 - Production
        Oracle Bequeath NT Protocol Adapter for Linux: Version 9.2.0.1.0 - Production
        TCP/IP NT Protocol Adapter for Linux: Version 9.2.0.1.0 - Production
  Time: 11-JUN-2004 22:05:08
  Tracing not turned on.
  Tns error struct:
    nr err code: 0
    ns main err code: 12641
    TNS-12641: Authentication service failed to initialize
    ns secondary err code: 0
    nt main err code: 0
    nt secondary err code: 0
    nt OS err code: 0

This is all I have.

Any idea and support appreciated!

Thx!

Cheers,

   Frank

Received on Fri Jun 11 2004 - 22:12:31 CEST
