
Oracle Kerberos authentication on Linux host with SSSD

Çağlar Arlı

I have Linux servers which are members of an AD domain, running the SSSD daemon. SSSD is "Kerberized" and I also want to use Kerberos for Oracle DB authentication.

NOTE: this is not purely about Oracle database. This can be applied to any situation where there are two or more Kerberized services running on the same server.

I've come to two possible patterns for configuration.

Linux and Oracle share the same keytab file.

This setup is relatively easy: while joining the AD domain I specify the additional service name "oracle", and my keytab file will contain SPNs for both the Linux server and the Oracle database.

host/hostname@DOMAIN
oracle/hostname@DOMAIN
...

pros:

  • relatively simple setup
  • easy for automation
  • sssd is able to rotate encryption keys (KVNO number)
  • possibly sssd also provides a plugin for AD site ID, so the closest Kerberos server will be used
  • the database's SPN + encryption keys are associated with the Computer object in AD.

cons:

  • the same keytab file has to be used by Linux and Oracle admins; by default this keytab file is accessible only to "root".

Oracle database has its own keytab

This setup is more complex:

  • Additional non-personal account is to be created in AD for each database
  • The database's SPN is associated with this NPA account
  • Keytab is created+exported from Windows server onto Linux machine

pros:

  • role separation between Linux and Oracle admins

cons:

  • hard to automate process, some steps have to be executed on Windows server
  • creating the NPA account and creating the SPN require excessive privileges in AD
  • KVNO stays the same, encryption keys are not rotated
  • the decom process has to destroy both the Computer object and the NPA from AD

From various HOWTOs I saw on the Internet, it seems that the 2nd approach is mostly used.

Is there any reason for this? Is there something I am missing? Something that makes the 2nd approach more advisable?
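The difference between the two patterns above comes down to what ends up in the keytab file: which SPNs it carries, and whether entries with a new KVNO get added when keys rotate. The following is an added example, not code from the question or from Oracle/SSSD: a small parser and writer for the version-2 MIT keytab format (the layout that sssd, adcli, ktutil and `klist -k` all use). It builds a constructed shared keytab holding both a `host/` and an `oracle/` SPN across two KVNOs, reports the current KVNO per principal, and extracts only the `oracle/` entries into a separate keytab, which is one way to address the role-separation con of pattern 1 without giving the DB admin the host key. All hostnames, realm names, key bytes and timestamps are made up.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

KEYTAB_MAGIC = b"\x05\x02"        # MIT keytab file format, version 2
KRB5_NT_PRINCIPAL = 1             # name type stored with every entry
AES256_CTS_HMAC_SHA1_96 = 18      # Kerberos enctype number (RFC 3962)


@dataclass
class KeytabEntry:
    principal: str   # e.g. "oracle/db01.example.com@EXAMPLE.COM" (constructed)
    kvno: int        # key version number; AD bumps it on every key rotation
    enctype: int
    key: bytes
    timestamp: int


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries into a version-2 keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type, timestamp, 8-bit kvno, then the keyblock (enctype + key)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)   # 32-bit kvno; overrides the 8-bit field when non-zero
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Parse a version-2 keytab into entries (what `klist -k` would list)."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        key, pos = _read_counted(blob, pos)
        kvno = vno8
        if end - pos >= 4:          # optional 32-bit kvno after the keyblock
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key, ts))
    return entries


def extract_service(blob: bytes, service: str) -> bytes:
    """New keytab with only <service>/... entries, e.g. just the oracle/ SPN for the DB admin."""
    keep = [e for e in parse_keytab(blob) if e.principal.split("/", 1)[0] == service]
    return build_keytab(keep)


def current_kvnos(blob: bytes) -> Dict[str, int]:
    """Highest kvno per principal; after a rotation the previous kvno entry stays in the file."""
    best: Dict[str, int] = {}
    for e in parse_keytab(blob):
        best[e.principal] = max(best.get(e.principal, 0), e.kvno)
    return best


# Constructed sample: a shared keytab as it looks after one sssd key rotation (kvno 2 -> 3).
SAMPLE = build_keytab([
    KeytabEntry("host/db01.example.com@EXAMPLE.COM", 2, AES256_CTS_HMAC_SHA1_96, b"\x11" * 32, 1700000000),
    KeytabEntry("host/db01.example.com@EXAMPLE.COM", 3, AES256_CTS_HMAC_SHA1_96, b"\x22" * 32, 1700100000),
    KeytabEntry("oracle/db01.example.com@EXAMPLE.COM", 2, AES256_CTS_HMAC_SHA1_96, b"\x33" * 32, 1700000000),
    KeytabEntry("oracle/db01.example.com@EXAMPLE.COM", 3, AES256_CTS_HMAC_SHA1_96, b"\x44" * 32, 1700100000),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        print(f"kvno {e.kvno:>3}  enctype {e.enctype}  {e.principal}")
    print(current_kvnos(SAMPLE))
    print([e.principal for e in parse_keytab(extract_service(SAMPLE, "oracle"))])
```

Run against a real `/etc/krb5.keytab` (as root) the parser shows the same principals and KVNOs that `klist -k` prints; the extracted oracle-only file would be what you point Oracle at while leaving the host key readable only by root.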