{"id":451,"date":"2019-02-24T20:22:23","date_gmt":"2019-02-24T20:22:23","guid":{"rendered":"https:\/\/www.spotonoracle.com\/?p=451"},"modified":"2019-06-08T13:56:25","modified_gmt":"2019-06-08T13:56:25","slug":"bugs-are-annoying-kerberos-ticket-issue","status":"publish","type":"post","link":"https:\/\/www.spotonoracle.com\/?p=451","title":{"rendered":"Bugs are annoying &#8211; Kerberos ticket issue"},"content":{"rendered":"<p><i><strong>Update 08-JUN-2018<\/strong><\/i><br \/>\n<i>This bug has been fixed with the Oracle 19.3 client release for Windows. The workaround below should no longer be necessary.<\/i><\/p>\n<p>One cool feature of Kerberos authentication is that when you have a TGT (Ticket Granting Ticket) in the ticket cache, the Oracle client software can use it to obtain a service ticket and log you into the database without asking for any further credentials (single sign-on).<\/p>\n<p>Here&#8217;s what it looks like with a Kerberos-authenticated SSH session on Linux:<br \/>\n<a href=\"https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/forwardable-linux.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/forwardable-linux.png\" alt=\"\" width=\"722\" height=\"546\" class=\"alignnone size-full wp-image-452\" srcset=\"https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/forwardable-linux.png 722w, https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/forwardable-linux-300x227.png 300w, https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/forwardable-linux-624x472.png 624w\" sizes=\"auto, (max-width: 722px) 100vw, 722px\" \/><\/a><br \/>\nAs you can see from the screenshot, the &#8220;orasrv&#8221; service ticket is flagged &#8220;forwardable&#8221; and the database login succeeds (&#8220;-f&#8221; tells &#8220;oklist&#8221; to show the ticket flags).<\/p>\n<p>On Windows, on the other hand, the same login fails with &#8220;ORA-12638: Credential retrieval 
failed&#8221;:<br \/>\n<a href=\"https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/forwardable-windows.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/forwardable-windows.png\" alt=\"\" width=\"840\" height=\"378\" class=\"alignnone size-full wp-image-454\" srcset=\"https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/forwardable-windows.png 840w, https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/forwardable-windows-300x135.png 300w, https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/forwardable-windows-768x346.png 768w, https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/forwardable-windows-624x281.png 624w\" sizes=\"auto, (max-width: 840px) 100vw, 840px\" \/><\/a><\/p>\n<p>If we change to &#8220;non-forwardable&#8221; service tickets, it works on both Linux and Windows:<br \/>\n<a href=\"https:\/\/www.spotonoracle.com\/?attachment_id=456\" rel=\"attachment wp-att-456\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/non-forwardable-windows.png\" alt=\"\" width=\"842\" height=\"438\" class=\"alignnone size-full wp-image-456\" srcset=\"https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/non-forwardable-windows.png 842w, https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/non-forwardable-windows-300x156.png 300w, https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/non-forwardable-windows-768x400.png 768w, https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/non-forwardable-windows-624x325.png 624w\" sizes=\"auto, (max-width: 842px) 100vw, 842px\" \/><\/a><\/p>\n<p><strong>How do you change to &#8220;non-forwardable&#8221; service tickets?<\/strong><br \/>\n1) Use &#8220;okinit&#8221; to manually re-initialize your ticket cache. 
By default it will get &#8220;non-forwardable&#8221; tickets (or use &#8220;-F&#8221; to be explicit).<\/p>\n<p>2) You can configure the service principal in Active Directory so that only &#8220;non-forwardable&#8221; tickets will be issued (even when you use &#8220;okinit -f&#8221; to explicitly ask for &#8220;forwardable&#8221; tickets).<br \/>\n<a href=\"https:\/\/www.spotonoracle.com\/?attachment_id=458\" rel=\"attachment wp-att-458\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.spotonoracle.com\/wp-content\/uploads\/2019\/02\/kerberos-account-check-box-150x150.png\" alt=\"\" width=\"150\" height=\"150\" class=\"alignnone size-thumbnail wp-image-458\" \/><\/a><\/p>\n<p>Both workarounds do the trick, but I don&#8217;t like either of them because of their obvious drawbacks. After a few weeks of trying to convince the Oracle Support Engineer of the issue, bug 28734494 was filed on Oct 8, 2018, with no notable progress to date \ud83d\ude41<br \/>Despite what the bug description says, the issue is not MSLSA vs. file ticket cache; it is the ticket flags that make or break it.<\/p>\n<p>Btw. I&#8217;ve tested client versions 12.2.0.1, 18.3 and 18.5, and they all exhibit the same behaviour.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update 08-JUN-2018 This bug has been fixed with the Oracle 19.3 client release for Windows. The workaround below should no longer be necessary. 
One cool feature of using Kerberos authentication is that when you have a TGT (Ticket Granting Ticket) in the ticket cache the Oracle client software can use that to get a service ticket [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,12],"tags":[],"class_list":["post-451","post","type-post","status-publish","format-standard","hentry","category-internals","category-security"],"_links":{"self":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts\/451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=451"}],"version-history":[{"count":14,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts\/451\/revisions"}],"predecessor-version":[{"id":466,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=\/wp\/v2\/posts\/451\/revisions\/466"}],"wp:attachment":[{"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.spotonoracle.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}