Oracle Database B10772-01 - Task 8: Create a Kerberos User; Task 9: Create an Externally Authenticated Oracle User

518 pages
Enabling Kerberos Authentication
6-10 Oracle Database Advanced Security Administrator's Guide
Task 8: Create a Kerberos User
To create Oracle users that Kerberos can authenticate, perform this task on the
Kerberos authentication server where the administration tools are installed. The
realm must already exist.
Run /krb5/admin/kadmin.local as root to create a new Kerberos user, such as
krbuser.
The following example is UNIX-specific:
# ./kadmin.local
kadmin.local: addprinc krbuser
Enter password for principal: "krbuser@SOMECO.COM": (password does not display)
Re-enter password for principal: "krbuser@SOMECO.COM": (password does not display)
kadmin.local: exit
Task 9: Create an Externally Authenticated Oracle User
Run SQL*Plus on the Oracle database server to create the Oracle user that
corresponds to the Kerberos user. In the following example, OS_AUTHENT_PREFIX
is set to null (""). The Oracle user name is in uppercase and enclosed in
double quotation marks:
SQL> CONNECT / AS SYSDBA;
SQL> CREATE USER "KRBUSER@SOMECO.COM" IDENTIFIED EXTERNALLY;
SQL> GRANT CREATE SESSION TO "KRBUSER@SOMECO.COM";
Description: This parameter specifies the complete path name to the
Kerberos realm translation file. The translation file provides a
mapping from a host name or domain name to a realm. The
default is operating system-dependent. For UNIX, it is
/etc/krb.realms.
Example: SQLNET.KERBEROS5_REALMS=/krb5/krb.realms
Note: The utility names in this section are executable programs.
However, the Kerberos user name krbuser and realm
SOMECO.COM are examples only; they can vary among systems.
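
The naming rule from Task 9 (OS_AUTHENT_PREFIX plus the Kerberos principal, in uppercase, inside double quotation marks), as an added example that is not part of the Oracle guide: a shell helper that validates a principal before it is placed in the generated SQL. The function names, the allowed character set and the 30-byte length check are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the Oracle guide). Function names are hypothetical.
LC_ALL=C; export LC_ALL   # keep the A-Z / a-z ranges below ASCII-only

# oracle_name_for PRINCIPAL [PREFIX]
# Prints PREFIX + PRINCIPAL in uppercase, or returns non-zero when the result
# is not safe to place inside a double-quoted Oracle identifier.
oracle_name_for() {
    principal=$1
    prefix=${2-}    # OS_AUTHENT_PREFIX value; empty matches the page's example

    # Accept only user@REALM in a conservative character set. Rejecting
    # double quotes, whitespace and semicolons keeps input from closing the
    # quoted identifier in the generated SQL.
    case $principal in
        *[!A-Za-z0-9._@-]*) return 1 ;;   # unexpected character
        *@*@*)              return 1 ;;   # more than one realm separator
        ?*@?*)              ;;            # non-empty user and realm
        *)                  return 1 ;;
    esac
    case $prefix in
        *[!A-Za-z0-9_\$]*) return 1 ;;
    esac

    name=$(printf '%s%s' "$prefix" "$principal" | tr '[:lower:]' '[:upper:]')

    # Assumption: identifiers are limited to 30 bytes in the database release
    # this guide covers. The name is ASCII here, so characters equal bytes.
    [ "${#name}" -le 30 ] || return 1
    printf '%s\n' "$name"
}

# task9_sql PRINCIPAL [PREFIX]
# Prints the Task 9 CREATE USER and GRANT statements for the principal.
task9_sql() {
    name=$(oracle_name_for "$@") || return 1
    printf 'CREATE USER "%s" IDENTIFIED EXTERNALLY;\n' "$name"
    printf 'GRANT CREATE SESSION TO "%s";\n' "$name"
}

# Constructed sample input, using the page's example principal.
task9_sql 'krbuser@SOMECO.COM'
```

A principal that fails validation produces no SQL and a non-zero exit status, so a provisioning script can stop before anything reaches SQL*Plus.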
