Friday 4 May 2018

Things I worked around when setting up MIT kerberos and sqldeveloper over thin jdbc against 12.2.0.1 Oracle Database:

Server used Oracle Linux 7 for Kerberos (yum -y install krb5-server krb5-libs)
and Oracle Database 12.2.0.1
Clients used Oracle Linux 7 and Windows both SQLDeveloper 18.1

MIT Kerberos / oracle thick driver went OK once I used global c## user.

use c## user:
SQL>  create user c##user1 identified externally as 'user1@...'

(non c## user did not work for me.).

Used sqldeveloper with jre included (on windows).

SQLdeveloper jdbc thick:
'just like sqlplus' requires Oracle Client or Instant Client (not sure (which/if both) has Kerberos).

Sqldeveloper thin kerberos configuration:

tools->preferences->database->advanced:  config file (krb5.conf) - eg (on my
linux client) /etc/krb5.conf   Credential cache file (on my linux client) eg
/home/oracle/mycache (not (Microft Windows) MSLSA or OSMFT)
- sqldeveloper thin driver does not read sqlnet.ora
- or currently recognize non file based cache.

On connection either:
1/Give principal (no ticket/cache required) give / get prompted for password - went OK.
2/Leave principal blank (and get it from cache):
Use kinit (from sqldeveloper on windows - from yum -y install krb5-workstation on Oracle Linux) to set up existing ticket:
 needed "kinit -A" (for addressless ticket on windows) (used kinit default cache location and pointed to default from sqldev) (i.e. -A to get around: incorrect net address)

(Also tried at the same time kinit -p -f (proxiable and forwardable, and setting non proxy java -D setting) after -A it worked.)

klist -f
showed:
Flags: FORWARDABLE;PROXIABLE;PRE-AUTHENT

Issues  - customers might not be using MIT Kerberos.
Workarounds: Often thick jdbc works 'just like sqlplus' to workaround thin jdbc issues.