<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: samba, kerberos, Oracle ASO and Win2k3 AD in Operating System - HP-UX</title>
    <link>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032272#M738034</link>
    <description>Forgot to mention: after "net ads join", "net ads keytab create", "net ads keytab add", I did comment out "WRFILE" in /etc/krb5.conf, and everything worked fine except Oracle ASO.</description>
    <pubDate>Thu, 19 Jul 2007 14:57:46 GMT</pubDate>
    <dc:creator>darrel chen</dc:creator>
    <dc:date>2007-07-19T14:57:46Z</dc:date>
    <item>
      <title>samba, kerberos, Oracle ASO and Win2k3 AD</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032268#M738030</link>
      <description>They are killing me, please help me out!&lt;BR /&gt;&lt;BR /&gt;Our environment: &lt;BR /&gt;platform: hpux 11.23&lt;BR /&gt;software: KRB5CLIENT C.1.3.5.03, CIFS server  A.02.03, oracle 9.2.0.8&lt;BR /&gt;KDC: win2k3 service pack 1&lt;BR /&gt;&lt;BR /&gt;Before I configured Samba, Kerberos on Unix worked perfectly with Win AD: we could kinit with the host keytab, and we could also use okinit in Oracle to get the Oracle service key. But after Samba joined ("net ads join" and "net ads keytab create"), all the Kerberos stuff broke. I did put #default_keytab_name = "WRFILE:/etc/krb5.keytab" in the krb5.conf, and I can do "kinit -k" in Unix, but I cannot add the Oracle service keytab into the host keytab created by Samba. I'm thinking, correct me if I'm wrong, that when using net join, Samba creates a computer account instead of a user account; there is no password for a computer account, so I cannot use ktpass to map the user. And even with tools like css_adkadmin and ktutil, I can add the Oracle service keytab into the host keytab, but in Oracle, when I did okinit, I got the error message "program lack support  for encryption type". We use CRC in krb5.conf.&lt;BR /&gt;&lt;BR /&gt;So my question is how to map a Kerberos service to a computer account created by Samba.&lt;BR /&gt;&lt;BR /&gt;Thanks &lt;BR /&gt;</description>
      <pubDate>Wed, 04 Jul 2007 08:15:42 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032268#M738030</guid>
      <dc:creator>darrel chen</dc:creator>
      <dc:date>2007-07-04T08:15:42Z</dc:date>
    </item>
    <item>
      <title>Re: samba, kerberos, Oracle ASO and Win2k3 AD</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032269#M738031</link>
      <description>Hello Darrel,&lt;BR /&gt;&lt;BR /&gt;I don't know much about Kerberos, but you wrote:&lt;BR /&gt;"there is no password for computer account".&lt;BR /&gt;&lt;BR /&gt;Did you try to set a password? I think configuring some scripts or tools which have to use those accounts should be far less effort than having Kerberos accept any account without a password.&lt;BR /&gt;&lt;BR /&gt;I hope this will help you out somehow.&lt;BR /&gt;&lt;BR /&gt;Bye&lt;BR /&gt;Ralf</description>
      <pubDate>Wed, 18 Jul 2007 08:43:10 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032269#M738031</guid>
      <dc:creator>Ralf Seefeldt</dc:creator>
      <dc:date>2007-07-18T08:43:10Z</dc:date>
    </item>
    <item>
      <title>Re: samba, kerberos, Oracle ASO and Win2k3 AD</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032270#M738032</link>
      <description>Hi Darrel,&lt;BR /&gt;&lt;BR /&gt;Take a look at this whitepaper for tips on configuring CIFS/Samba and Kerberos, and for keytab generation.  I need to update it with some new stuff, but it's still accurate for what it contains:&lt;BR /&gt;&lt;A href="http://docs.hp.com/en/7213/HPCIFSKerberosV103.pdf" target="_blank"&gt;http://docs.hp.com/en/7213/HPCIFSKerberosV103.pdf&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;I am not sure about what you mean by "all the kerberos stuff broke", but you may need to remove "WRFILE" from krb5.conf *after* the "net ads keytab create".  You definitely must do this for HP inet services to work.  Not sure about Oracle.&lt;BR /&gt;&lt;BR /&gt;Also, you can add your Oracle Service Principals to krb5.keytab using "net ads keytab add &amp;lt;PRINCIPAL&amp;gt;".  The net command will add the same principal 7 times - each with a different enc type, including CRC.  You might need to update to HP CIFS Server A.02.03.02 - I am not sure when keytab add came in.&lt;BR /&gt;&lt;BR /&gt;Using the whitepaper, set your log level to 10 and then look for the keytab events to see what's happening.&lt;BR /&gt;&lt;BR /&gt;Eric Roseme &lt;BR /&gt;HP</description>
      <pubDate>Thu, 19 Jul 2007 12:13:17 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032270#M738032</guid>
      <dc:creator>eric roseme</dc:creator>
      <dc:date>2007-07-19T12:13:17Z</dc:date>
    </item>
    <item>
      <title>Re: samba, kerberos, Oracle ASO and Win2k3 AD</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032271#M738033</link>
      <description>Hello Eric,&lt;BR /&gt;&lt;BR /&gt;"net ads keytab add" is a good point, but  still I'm getting some trouble. &lt;BR /&gt;&lt;BR /&gt;After doing "net ads keytab add", it did add 7 entries in /etc/krb5.keytab, and also, in AD, there are two entries for oracle services in host attribute, "serviceprincipalname", which are exactly what I want to see, however, when  login oracle and doing "okinit", kerberos utility bound with oracle ASO, I got the fellowing error message "okinit: Program lacks support for encryption type". If I removed the computer account created by SAMBA and used "ktpass" to generate a keytab encrypted with CRC, I can pass "okinit", seemed okinit did not know the encryption type of the keytab created by SAMBA, so any idea about this?&lt;BR /&gt;&lt;BR /&gt;Thanks&lt;BR /&gt;&lt;BR /&gt;Darrel</description>
      <pubDate>Thu, 19 Jul 2007 14:05:29 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032271#M738033</guid>
      <dc:creator>darrel chen</dc:creator>
      <dc:date>2007-07-19T14:05:29Z</dc:date>
    </item>
    <item>
      <title>Re: samba, kerberos, Oracle ASO and Win2k3 AD</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032272#M738034</link>
      <description>Forgot to mention: after "net ads join", "net ads keytab create", "net ads keytab add", I did comment out "WRFILE" in /etc/krb5.conf, and everything worked fine except Oracle ASO.</description>
      <pubDate>Thu, 19 Jul 2007 14:57:46 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032272#M738034</guid>
      <dc:creator>darrel chen</dc:creator>
      <dc:date>2007-07-19T14:57:46Z</dc:date>
    </item>
    <item>
      <title>Re: samba, kerberos, Oracle ASO and Win2k3 AD</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032273#M738035</link>
      <description>Hi Darrel,&lt;BR /&gt;&lt;BR /&gt;Just to confirm:  you used ktutil to merge a working "net ads keytab create" krb5.keytab file, with a working Oracle keytab that you created with ktpass.  Like this:  &lt;A href="http://docs.hp.com/en/J4269-90037/ch04s11.html" target="_blank"&gt;http://docs.hp.com/en/J4269-90037/ch04s11.html&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;And the result was a merged krb5.keytab, except now Oracle gives the error message?  And with a "klist -k -e" you see your Oracle service principal with CRC enc type, along with the 182 or so CIFS and Host keys?&lt;BR /&gt;&lt;BR /&gt;Is that right?</description>
      <pubDate>Thu, 19 Jul 2007 17:18:35 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032273#M738035</guid>
      <dc:creator>eric roseme</dc:creator>
      <dc:date>2007-07-19T17:18:35Z</dc:date>
    </item>
    <item>
      <title>Re: samba, kerberos, Oracle ASO and Win2k3 AD</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032274#M738036</link>
      <description>Hello Eric,&lt;BR /&gt;&lt;BR /&gt;When I used "net ads keytab add", it added the Oracle service key in krb5.keytab, so when I did "klist -k -e", I can see the Oracle service key there encrypted with "HMAC", "DES cbc with MD5" and "CRC-32"; it seemed we were fine here. On the Oracle part, I don't know how Oracle works with Kerberos. I already sent my question to Oracle support, but haven't got any positive response yet.&lt;BR /&gt;&lt;BR /&gt;I don't think we need to do ktpass and ktutil, because we cannot "map" a service principal to the host account created by Samba in AD, because there is no password for a "computer" account. "net ads keytab add" seems to be the only way to do this. If I'm wrong, please correct me.&lt;BR /&gt;&lt;BR /&gt;Thanks</description>
      <pubDate>Fri, 20 Jul 2007 08:14:34 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032274#M738036</guid>
      <dc:creator>darrel chen</dc:creator>
      <dc:date>2007-07-20T08:14:34Z</dc:date>
    </item>
    <item>
      <title>Re: samba, kerberos, Oracle ASO and Win2k3 AD</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032275#M738037</link>
      <description>Hi Darrel,&lt;BR /&gt;&lt;BR /&gt;I am unclear about how and where the Oracle SP gets created.  Let me know what Oracle says.  You can email me directly - just look at my profile.  I'll be out of the office until Tuesday.</description>
      <pubDate>Fri, 20 Jul 2007 16:49:52 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032275#M738037</guid>
      <dc:creator>eric roseme</dc:creator>
      <dc:date>2007-07-20T16:49:52Z</dc:date>
    </item>
    <item>
      <title>Re: samba, kerberos, Oracle ASO and Win2k3 AD</title>
      <link>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032276#M738038</link>
      <description>Hi Eric,&lt;BR /&gt;&lt;BR /&gt;To generate the Oracle SP, I used "net ads keytab add oracle", keeping "WRFILE" in krb5.conf; then I got "oracle/hostname.domainname@DOMAINNAME" in krb5.keytab, and also, in AD, when I used ADSI Editor to check the computer account, I can see two Oracle service entries, "oracle/hostname" and "oracle/hostname.domainname", in service principal account. I assume these are all we need; please correct me if I'm wrong. So now the only problem is that Oracle cannot recognize the keytab created by "net". I already sent all the trace files and log files to Oracle, but haven't got a response yet.&lt;BR /&gt;&lt;BR /&gt;I can't find your email from your profile; you can send me email at "dchen@claimsecure.com" if there's anything you need to know from me. Have a good day.&lt;BR /&gt;&lt;BR /&gt;Darrel</description>
      <pubDate>Fri, 27 Jul 2007 07:39:28 GMT</pubDate>
      <guid>https://community.hpe.com/t5/operating-system-hp-ux/samba-kerberos-oracle-aso-and-win2k3-ad/m-p/4032276#M738038</guid>
      <dc:creator>darrel chen</dc:creator>
      <dc:date>2007-07-27T07:39:28Z</dc:date>
    </item>
  </channel>
</rss>

