Re: ORA-12641: Authentication service failed to initalize
Date: Mon, 17 Mar 2008 06:20:41 -0700 (PDT)
Message-ID: <be403743-0bbf-4254-b130-2cf527fcb32c@m44g2000hsc.googlegroups.com>
On Mar 14, 3:14 pm, Frank van Bortel <frank.van.bor..._at_gmail.com>
wrote:
> eric wrote:
> > On Mar 7, 3:07 pm, Frank van Bortel <frank.van.bor..._at_gmail.com>
> > wrote:
> >> eric wrote:
> >>> i've already gone through the steps to obtain my ticket with ktpass,
> >>> and setup krb5.conf, krb.conf, and tnsnames.ora.
> >>> when i obtain my ticket (it appears to work -- no errors produced).
> >>> however, when i go to connect: sqlplus /@kb_oracle i get the following
> >>> error: ERROR: ORA-12641: Authentication service failed to initalize,
> >>> and get prompted to enter my password? anyone have any ideas??
> >>> thanks,
> >>> eric
> >> Check if you have the correct encryption mechanism; MS Windows 2000
> >> uses CRC by default, not MD5. MS Windows 2003 seems to use MD5
> >> by default, but better make sure. Oracle wants MD5.
> >> More options on http://vanbortel.blogspot.com, the "Kerberos errors"
> >> entry.
>
> >> If the encryption type is the cause, it should become visible
> >> when tracing.
>
> >> Just curious - why kerberos on Windows when OS authentication
> >> will work? Even AD for LDAP is supported on MS.
>
> >> --
>
> >> Regards,
> >> Frank van Bortel
>
> >> Top-posting in UseNet newsgroups is one way to shut me up
>
> > thanks. i'll have a look at that. here's what i was using for ktpass:
>
> > ktpass -princ oraclesrv/oracle11gtest.mydomain...._at_MYDOMAIN.COM -DesOnly -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -mapuser svcoracle.mydomain.com -pass {my password omitted} -out C:\keytab.svcoracle
>
> > we wanted to test out something secure (i'm very light-skilled in dba-
> > stuff), and our "team" wanted to use kerberos. i'll ask them why we're
> > not using os authentication. do you have an article, or best practices
> > to point me in the right direction? (i'd check out your website), but
> > i'm at work -- and can't get to it.
>
> > eric
>
> You can do:
> klist -k -e -K -t FILE:/<keytab>
> to inspect what you actually got from the AD server
> (what ktpass produced).
>
> Get a ticket, using kinit -k -t <keytab>, and see
> what gives, using klist.
> klist -e will give you the encryption types.
>
> --
>
> Regards,
> Frank van Bortel
>
> Top-posting in UseNet newsgroups is one way to shut me up

i tried klist with the syntax you described above, and it didn't work (i get -- Usage: klist <tickets | tgt | purge>)
also, i'm still stuck on okinit oraclesrv/oracle11gtest.mydomain.com. it returns the error: okinit: client not found in kerberos database.
i'm going to try and set it up in a test lab today and see if i get a different result.

Received on Mon Mar 17 2008 - 08:20:41 CDT