Oracle 9i2 & Kerberos Login: TNS-12641
Date: Fri, 11 Jun 2004 22:12:31 +0200
Message-ID: <87n0394zww.fsf_at_stargate.de.goenninger.com>
Hi all:
I consistently get a
ORA-12641 / TNS-12641 [Quoted] error saying "Authentication service failed to initialize".
I double checked (well, more like a dozen times ;-) my config.
Here are the data:
SYSTEM INFO:
Debian/Linux Kernel 2.4.20
1GB RAM, SHMEN etc set as required.
IPCS output:
------ Shared Memory Segments --------
key shmid owner perms bytes nattch status 0x2e209fe4 28835840 oracle 640 255852544 30 ------ Semaphore Arrays -------- key semid owner perms nsems 0x04617750 2031616 oracle 640 77 0x04617751 2064385 oracle 640 77 0x04617752 2097154 oracle 640 77
ORACLE INFO:
ORACLE 9i2 (9.2.0.1.0) running with JServer and Spatial options.
TNSNAMES.ORA (partly):
EXTPROC_CONNECTION_DATA.DE.GOENNINGER.COM =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
)
(CONNECT_DATA =
(SID = PLSExtProc)
(PRESENTATION = RO)
)
)
K =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCPS)(HOST = kerberos.de.goenninger.com)(PORT = 1521))
)
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = ORAKRB5)
)
)
DEGT001T =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (COMMUNITY = DEGT)(PROTOCOL = tcp)(HOST = stargate.de.goenninger.com)(PORT = 1521))
(ADDRESS = (PROTOCOL = ipc)(KEY = PNPKEY))
)
(SDU = 2048)
(CONNECT_DATA =
(SID = DEGT001T)
(GLOBAL_NAME = DEGT001T.GOENNINGER.COM)
)
)
SQLNET.ORA:
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = k
SQLNET.KERBEROS5_CONF = /etc/krb5.conf
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER= (SHA1, MD5) SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT= (SHA1) SQLNET.AUTHENTICATION_SERVICES= (BEQ, KERBEROS5) SQLNET.KERBEROS5_CC_NAME = /tmp/.krbcache_k
SQLNET.ENCRYPTION_TYPES_SERVER= (3DES168, 3DES112, AES256, RC4_256, AES128, AES192, DES, RC4_128) SQLNET.KERBEROS5_CLOCKSKEW = 1500 SQLNET.KERBEROS5_KEYTAB = /etc/krb5.keytab
SQLNET.KERBEROS5_CONF_MIT = true
KERBEROS CONFIG:
Keytab file: /etc/krb5.keytab
Kerberos5 running and used as general login mechanism on that server without problems.
REALM: STARGATE.DE.GOENNINGER.COM
host: stargate.de.goenninger.com
The following principals have been created:
k/stargate.de.goenninger.com_at_STARGATE.DE.GOENNINGER.COM (used also as the service for Kerberos5 in Oracle9i2)
f_at_STARGATE.DE.GOENNINGER.COM
(used as the user to login to Oracle)
ERROR SCENARIO:
First, I obtain a ticket for f_at_STARGATE.DE.GOENNINGER.COM with okinit -f. That is going ok as oklist shows:
Kerberos Utilities for Linux: Version 9.2.0.1.0 - Production on 11-JUN-2004 22:04:09
Copyright (c) 1996, 2002 Oracle Corporation. All rights reserved.
Ticket cache: /tmp/.krbcache_k
Default principal: f_at_STARGATE.DE.GOENNINGER.COM
Valid Starting Expires Principal11-Jun-2004 21:38:00 12-Jun-2004 05:37:57 krbtgt/STARGATE.DE.GOENNINGER.COM_at_STARGATE.DE.GOENNINGER.COM
When I issue the sqlplus command as published in Oracle literature,
sqlplus /_at_DEGT001T
I get the error
ERROR:
ORA-12641: Authentication service failed to initialize
LOG FILES:
Listener log file shows:
[Quoted] 11-JUN-2004 22:05:08 * (CONNECT_DATA=(SID=DEGT001T)(GLOBAL_NAME=DEGT001T.GOENNINGER.COM)(CID=(PROGRAM=)(HOST=stargate)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.2.102)(PORT=40567)) * establish * DEGT001T * 0 11-JUN-2004 22:05:45 * service_update * DEGT001T * 0
Hmm - Why USER=oracle ??? and why "* establish *" ???
Sqlnet.ora log file shows:
Fatal NI connect error 12641, connecting to: (LOCAL=NO) VERSION INFORMATION:
TNS for Linux: Version 9.2.0.1.0 - Production Oracle Bequeath NT Protocol Adapter for Linux: Version 9.2.0.1.0 - Production TCP/IP NT Protocol Adapter for Linux: Version 9.2.0.1.0 - ProductionTime: 11-JUN-2004 22:05:08
Tracing not turned on.
Tns error struct:
nr err code: 0
ns main err code: 12641
TNS-12641: Authentication service failed to initialize ns secondary err code: 0
nt main err code: 0
nt secondary err code: 0
nt OS err code: 0
This is all I have.
Any idea and support appreciated!
Thx!
Cheers,
Frank Received on Fri Jun 11 2004 - 22:12:31 CEST