Can one use the host keytab for Oracle Database Kerberos authentication on Linux host with SSSD?

Hi

I'm running Oracle Database 19.18 on Red Hat 8.

I have this question/issue and did some googling, like one does, and found someone who had the exact same thought that I had, and they had formulated the question so darn clearly that I just had to copy it straight off.

I have Linux servers which are members of an AD domain, running the SSSD daemon. SSSD is "Kerberized" and I also want to use Kerberos for Oracle DB authentication.

I've come to two possible patterns for configuration.

1. Linux and Oracle share the same keytab file.

This setup is relatively easy: while joining the AD domain I specify the additional service name "oracle" and my keytab file will contain SPNs for both the Linux server and the Oracle database.

host/hostname@DOMAIN
oracle/hostname@DOMAIN
...

Pros:
- relatively simple setup
- easy for automation
- sssd is able to rotate encryption keys (KVNO number)
- possibly sssd also provides a plugin for AD site ID, so the closest Kerberos server will be used
- the database's SPN + encryption keys are associated with the Computer object in AD

Cons:
- the same keytab file is to be used by Linux and Oracle admins; by default this keytab file is accessible only to "root"
2. Oracle database has its own keytab.

This setup is more complex:
- an additional non-personal account (NPA) is to be created in AD for each database
- the database's SPN is associated with this NPA account
- the keytab is created and exported from the Windows server onto the Linux machine

Pros:
- role separation between Linux and Oracle admins

Cons:
- hard to automate the process, some steps have to be executed on the Windows server
- creation of the NPA account and creation of the SPN require excessive privileges in AD
- KVNO stays the same, encryption keys are not rotated
- the decom process has to destroy both the Computer object and the NPA from AD
From the various HOWTOs I saw on the Internet, it seems that the 2nd approach is mostly used.

Is there any reason for this? Is there something I am missing? Something that makes the 2nd approach more advisable?
Or is the 1st approach absolutely NOT advisable for some reason?
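A check for the shared-keytab pattern, added here as an example and not taken from the original post: it parses `klist -kte` output (a constructed sample below; the hostname, realm and KVNO values are assumptions) and reports SPNs missing from the keytab as well as KVNO drift between the host and oracle keys, which is exactly the rotation behaviour the two patterns differ on.

```python
from collections import defaultdict

# Constructed sample of `klist -kte /etc/krb5.keytab` output; hostname, realm
# and KVNO values are made up for this example.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   7 01/15/2024 10:22:01 host/dbhost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   7 01/15/2024 10:22:01 host/dbhost.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   7 01/15/2024 10:22:01 DBHOST$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   6 12/01/2023 09:00:00 oracle/dbhost.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""


def parse_klist(text):
    """Map each principal to the KVNOs and enctypes listed for it in klist -kt[e] output."""
    entries = defaultdict(lambda: {"kvnos": set(), "enctypes": set()})
    for line in text.splitlines():
        tokens = line.split()
        # Key entries start with a numeric KVNO; header and separator lines do not.
        if not tokens or not tokens[0].isdigit():
            continue
        principal = next((t for t in tokens if "@" in t), None)
        if principal is None:
            continue
        entries[principal]["kvnos"].add(int(tokens[0]))
        enctype = next((t.strip("()") for t in tokens if t.startswith("(")), None)
        if enctype:
            entries[principal]["enctypes"].add(enctype)
    return dict(entries)


def check_keytab(text, hostname, realm, services=("host", "oracle")):
    """Return findings: SPNs missing from the keytab, and KVNO drift between the
    service keys (they are expected to move together when sssd rotates them)."""
    entries = parse_klist(text)
    findings = []
    kvno_by_service = {}
    for svc in services:
        spn = f"{svc}/{hostname}@{realm}"
        if spn not in entries:
            findings.append(f"missing SPN {spn}")
            continue
        kvno_by_service[svc] = max(entries[spn]["kvnos"])
    if len(set(kvno_by_service.values())) > 1:
        detail = ", ".join(f"{s}={k}" for s, k in sorted(kvno_by_service.items()))
        findings.append(f"KVNO drift between SPNs: {detail}")
    return findings
```

On a real host, pass the text of `klist -kte /etc/krb5.keytab` (run as root, since the file is root-only by default) to `check_keytab` in place of the sample; an empty result means both SPNs are present with matching KVNOs.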
