User's Manual
Troubleshooting
6-18 Oracle Database Advanced Security Administrator's Guide
This section lists some common configuration problems and explains how to
resolve them.
■ If you cannot get your ticket-granting ticket using OKINIT:
– Ensure that the default realm is correct by examining the krb.conf file.
– Ensure that the KDC is running on the host specified for the realm.
– Ensure that the KDC has an entry for the user principal and that the
passwords match.
– Ensure that the krb.conf and krb.realms files are readable by Oracle.
■ If you have an initial ticket, but still cannot connect:
– After trying to connect, check for a service ticket.
– Check that the sqlnet.ora file on the database server side has a service
name that corresponds to a service known by Kerberos.
– Check that the clocks on all systems involved are set to times that are
within a few minutes of each other (or change the SQLNET.KERBEROS5_CLOCKSKEW
parameter in the sqlnet.ora file).
■ If you have a service ticket and you still cannot connect:
– Check the clocks on the client and database server.
– Check that the v5srvtab file exists in the correct location and is readable by
Oracle (remember to set the sqlnet.ora parameters).
– Check that the v5srvtab file has been generated for the service named in
the sqlnet.ora file on the database server side.
■ If everything seems to work fine, but then you issue another query and it fails:
– Check that the initial ticket is forwardable. (You must have obtained the
initial ticket by running the okinit utility.)
– Check the expiration date on the credentials. If the credentials have expired,
then close the connection and run okinit to get a new initial ticket.
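The file and parameter checks in the list above can be scripted. The following is an added example, not part of Oracle's guide: it reads a sqlnet.ora file and reports whether the files named by its Kerberos parameters are readable, along with the configured service name and clock skew. Only SQLNET.KERBEROS5_CLOCKSKEW appears on this page; the other parameter names are Oracle Net parameters assumed here, and the sample file and its values are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check of the Kerberos settings in sqlnet.ora.
# Run as the Oracle software owner so -r reflects what Oracle can read.

# Print the value of parameter $2 in sqlnet.ora file $1 (case-insensitive
# name, '#' comment lines skipped). Prints nothing when the parameter is unset.
sqlnet_param() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        { eq = index($0, "="); if (eq == 0) next
          name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
          gsub(/[ \t\r]/, "", name); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
          if (toupper(name) == toupper(want)) found = val }
        END { if (found != "") print found }' "$1"
}

# Print one line per finding; return non-zero if any check failed.
check_kerberos_config() {
    ora=$1; bad=0
    for p in SQLNET.KERBEROS5_CONF SQLNET.KERBEROS5_REALMS SQLNET.KERBEROS5_KEYTAB; do
        file=$(sqlnet_param "$ora" "$p")
        if [ -z "$file" ]; then echo "UNSET $p"; bad=1
        elif [ ! -r "$file" ]; then echo "UNREADABLE $p=$file"; bad=1
        fi
    done
    svc=$(sqlnet_param "$ora" SQLNET.AUTHENTICATION_KERBEROS5_SERVICE)
    skew=$(sqlnet_param "$ora" SQLNET.KERBEROS5_CLOCKSKEW)
    [ -n "$svc" ] || { echo "UNSET SQLNET.AUTHENTICATION_KERBEROS5_SERVICE"; bad=1; }
    echo "INFO service=${svc:-unset} clockskew=${skew:-unset}"
    return "$bad"
}

# Constructed sample: conf and realms files exist, the keytab path does not.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/krb.conf"; : > "$d/krb.realms"
    cat > "$d/sqlnet.ora" <<EOF
# constructed sample, not a production file
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
SQLNET.KERBEROS5_CONF = $d/krb.conf
SQLNET.KERBEROS5_REALMS = $d/krb.realms
sqlnet.kerberos5_keytab = $d/v5srvtab
SQLNET.KERBEROS5_CLOCKSKEW = 300
EOF
    check_kerberos_config "$d/sqlnet.ora" && rc=0 || rc=$?
    rm -rf "$d"; return "$rc"
}

if [ -n "${1:-}" ]; then check_kerberos_config "$1"; else demo || true; fi
```

Pass the path of the server-side sqlnet.ora as the first argument to check a real installation; with no argument the script runs against the constructed sample.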