Server used Oracle Linux 7 for Kerberos (yum -y install krb5-server krb5-libs)
and Oracle Database
Clients used Oracle Linux 7 and Windows both SQLDeveloper 18.1
MIT Kerberos / oracle thick driver went OK once I used global c## user.
use c## user:
SQL> create user c##user1 identified externally as 'user1@...'
(non c## user did not work for me.)
Used sqldeveloper with jre included (on windows).
SQLdeveloper jdbc thick:
'just like sqlplus' requires Oracle Client or Instant Client (not sure (which/if both) has Kerberos).
Sqldeveloper thin kerberos configuration:
tools->preferences->database->advanced:
  config file (krb5.conf) - e.g. (on my Linux client) /etc/krb5.conf
  Credential cache file - e.g. (on my Linux client) /home/oracle/mycache (not (Microsoft Windows) MSLSA or OSMSFT)
- sqldeveloper thin driver does not read sqlnet.ora
- or currently recognize non file based cache.
On connection either:
1/Give principal (no ticket/cache required) give / get prompted for password - went OK.
2/Leave principal blank (and get it from cache):
Use kinit (from sqldeveloper on windows - from yum -y install krb5-workstation on Oracle Linux) to set up existing ticket:
needed "kinit -A" (for addressless ticket on windows) (used kinit default cache location and pointed to default from sqldev) (i.e. -A to get around: incorrect net address)
(Also tried at the same time kinit -p -f (proxiable and forwardable, and setting non proxy java -D setting) after -A it worked.)
klist -f
Issues - customers might not be using MIT Kerberos.
Workarounds: Often thick jdbc works 'just like sqlplus' to work around thin jdbc issues.
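A pre-flight check for the credential cache setting described above, as an added example that is not part of the original notes: it classifies a cache name as MIT Kerberos writes it (`TYPE:residual`) and, relying on the notes' statement that the thin driver only recognizes file-based caches, prints the path to enter in the SQL Developer preference. The function names and sample cache names are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a Kerberos credential cache name is file-based.

# Print the cache type of a name written as TYPE:residual.
ccache_type() {
    case "$1" in
        "")          echo NONE ;;
        /*)          echo FILE ;;          # absolute path, no type prefix
        FILE:*)      echo FILE ;;
        [A-Za-z]:*)  echo FILE ;;          # one-letter prefix is a Windows drive letter
        *:*)         echo "${1%%:*}" ;;    # any other prefix: KEYRING, KCM, MSLSA, ...
        *)           echo FILE ;;          # bare relative path defaults to FILE
    esac
}

# Print the file path to give the thin driver, or return 1 when the
# cache is not a file (per the notes, the thin driver cannot use it).
thin_cache_path() {
    case "$(ccache_type "$1")" in
        FILE) printf '%s\n' "${1#FILE:}" ;;
        *)    return 1 ;;
    esac
}

# Report on one cache name; suggest a file cache when it is not usable.
check_ccache() {
    if path=$(thin_cache_path "$1"); then
        printf 'OK    %-28s -> use %s\n' "$1" "$path"
    else
        printf 'SKIP  %-28s -> type %s, try: kinit -c /path/to/cachefile\n' \
            "$1" "$(ccache_type "$1")"
    fi
}

# Constructed sample names, followed by the current environment's setting.
for name in 'FILE:/tmp/krb5cc_1000' '/home/oracle/mycache' \
            'KEYRING:persistent:1000' 'MSLSA:' "${KRB5CCNAME:-}"; do
    check_ccache "$name"
done
```
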