Original Message:
Sent: Fri February 28, 2025 11:13 AM
From: Wendy Zemba
Subject: Kerberos Debug
It looks like a possible token issue with Kerberos. Suggest sharing this with your Kerberos team.
------------------------------
Wendy Zemba
Sr. Consultant, Data Protection
Converge Technology Solutions
wendy.zemba@convergetp.com
Need help with your Guardium deployment? Contact me directly to discuss engagement opportunities. Currently serving North America.
Original Message:
Sent: Fri February 28, 2025 10:31 AM
From: petr mares
Subject: Kerberos Debug
Hello,
I have Kerberos set up correctly. I have already done the test. The test ended with an error. I will run new tests with your recommended settings.
The previous error was:
Kerberos plugin: in_buf = 0x7f5a7b3c1aa7 in_len = 806 out_buf = 0x7f5a7b3c1dcd *out_len = 128
Kerberos plugin: trying gssapi
Kerberos plugin: ERROR: KDC did not return DB_USER
Kerberos plugin: ROUTINE ERROR: GSS_S_BAD_SIG
Kerberos plugin: MINOR STATUS: 0x186a1
Kerberos plugin: A token had an invalid Message Integrity Check (MIC)
Kerberos plugin: gssapi didn't work
Kerberos plugin: trying ccache
Kerberos plugin: ccache didn't work
Kerberos plugin: ERROR: couldn't find name
Kerberos plugin: in_buf = 0x7f5a7b3c1aa7 in_len = 771 out_buf = 0x7f5a7b3c1daa *out_len = 128
Kerberos plugin: trying gssapi
Kerberos plugin: ERROR: KDC did not return DB_USER
Kerberos plugin: ROUTINE ERROR: GSS_S_DEFECTIVE_TOKEN
Kerberos plugin: Invalid token was supplied
Kerberos plugin: gssapi didn't work
Kerberos plugin: trying ccache
Kerberos plugin: ccache didn't work
Kerberos plugin: ERROR: couldn't find name
Do you have any idea?
Regards, Petr
------------------------------
petr mares
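Added example (not Guardium code, not from either poster): a small POSIX shell/awk triage of the Kerberos plugin debug output that KRB5_PLUGIN_DEBUG=1 writes to /tmp/guard_stap.stderr.txt. The line formats are taken from the output posted above; the embedded log is a constructed sample built from those lines so the script runs offline. It prints one summary line per token attempt (each "in_buf" block): the token length, which resolution paths the plugin tried, the GSS routine error and minor status, and whether a DB user name was resolved. With a real log, the keytab/kvno question is the first thing to settle for a GSS_S_BAD_SIG / invalid MIC: run `klist -kt` on the keytab named by KRB5_KTNAME and compare principal and kvno with what the service ticket was issued for.

```shell
#!/bin/sh
# Added example, not Guardium code: summarise the Kerberos plugin debug lines
# written to /tmp/guard_stap.stderr.txt when KRB5_PLUGIN_DEBUG=1 is set.
# The line formats come from the thread; the sample log is constructed from
# those posted lines so the script runs without an S-TAP.

SAMPLE_LOG="${TMPDIR:-/tmp}/krb_plugin_sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Kerberos plugin: in_buf = 0x7f5a7b3c1aa7 in_len = 806 out_buf = 0x7f5a7b3c1dcd *out_len = 128
Kerberos plugin: trying gssapi
Kerberos plugin: ERROR: KDC did not return DB_USER
Kerberos plugin: ROUTINE ERROR: GSS_S_BAD_SIG
Kerberos plugin: MINOR STATUS: 0x186a1
Kerberos plugin: A token had an invalid Message Integrity Check (MIC)
Kerberos plugin: gssapi didn't work
Kerberos plugin: trying ccache
Kerberos plugin: ccache didn't work
Kerberos plugin: ERROR: couldn't find name
Kerberos plugin: in_buf = 0x7f5a7b3c1aa7 in_len = 771 out_buf = 0x7f5a7b3c1daa *out_len = 128
Kerberos plugin: trying gssapi
Kerberos plugin: ERROR: KDC did not return DB_USER
Kerberos plugin: ROUTINE ERROR: GSS_S_DEFECTIVE_TOKEN
Kerberos plugin: Invalid token was supplied
Kerberos plugin: gssapi didn't work
Kerberos plugin: trying ccache
Kerberos plugin: ccache didn't work
Kerberos plugin: ERROR: couldn't find name
EOF

# krb_triage FILE: one line per "in_buf" block with the token length, the
# resolution paths tried (gssapi, ccache), the GSS routine error and minor
# status ("-" if none), and user_resolved=no when the block ends in
# "couldn't find name" (the page shows no success case, so otherwise "unknown").
krb_triage() {
  awk '
    function emit() {
      printf "attempt=%d in_len=%s paths=%s routine_error=%s minor=%s user_resolved=%s\n", n, tok_len, paths, err, minor, resolved
    }
    /^Kerberos plugin: in_buf/ {
      if (n) emit()
      n++
      tok_len = $0
      sub(/.*in_len = /, "", tok_len); sub(/ .*/, "", tok_len)
      paths = ""; err = "-"; minor = "-"; resolved = "unknown"
      next
    }
    /^Kerberos plugin: trying / { sep = (paths == "") ? "" : ","; paths = paths sep $NF; next }
    /^Kerberos plugin: ROUTINE ERROR: / { err = $NF; next }
    /^Kerberos plugin: MINOR STATUS: / { minor = $NF; next }
    /^Kerberos plugin: ERROR: couldn.t find name/ { resolved = "no"; next }
    END { if (n) emit() }
  ' "$1"
}

# krb_gss_errors FILE: only the GSS routine errors, one per line, for counting
# or grepping across a long log.
krb_gss_errors() {
  krb_triage "$1" | sed -n 's/.*routine_error=\([^ ]*\).*/\1/p' | grep -v '^-$' || true
}

# Usage: point it at the real file after an S-TAP restart with debug enabled.
krb_triage "$SAMPLE_LOG"
```

Run it against /tmp/guard_stap.stderr.txt instead of the sample; two attempts with the same in_buf address but different in_len, as in the posted log, show up as two summary lines, which makes it easy to see whether every token fails the same way (pointing at the keytab or the plugin configuration) or only some do (pointing at particular clients or sessions).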
Original Message:
Sent: Fri February 28, 2025 08:13 AM
From: Wendy Zemba
Subject: Kerberos Debug
Hi @petr mares,
To troubleshoot Kerberos plugin issues, enable S-TAP and Kerberos plugin debug as shown below, followed by an S-TAP process restart, then analyze the content of the /tmp/guard_stap.stderr.txt file.
- tap_debug_output_level=4 in guard_tap.ini file
- KRB5_PLUGIN_DEBUG=1 in guardkerbplugin.conf file
Database user name issues are common with Kerberos and Oracle; the plugin is supposed to resolve that if configured properly. It sounds like you enabled the plugin. Review the configuration as follows:
1. Run the following commands to find Kerberos settings in the Oracle environment:
grep -i KERB $ORACLE_HOME/network/admin/sqlnet.ora
output is similar to:
SQLNET.AUTHENTICATION_SERVICES = (BEQ,KERBEROS5PRE,KERBEROS5)
SQLNET.KERBEROS5_CONF = /etc/krb5.conf # kerberization
SQLNET.KERBEROS5_KEYTAB = /var/servicekeytab/oracleiaase00009848
SQLNET.FALLBACK_AUTHENTICATION = TRUE
SQLNET.KERBEROS5_CONF_MIT = TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
oklist|grep -i cache
output is similar to: /tmp/krb5cc_500
2. Set specific parameters in the guardkerbplugin.conf file based on the output of step 1, as follows:
# Kerberos values
KRB5RCACHETYPE=none
KRB5_KTNAME= /var/servicekeytab/oracleiaase00009848
KRB5_CONFIG=/etc/krb5.conf
#Plugin values
KRB5_PLUGIN_CCACHE=/tmp/krb5cc_* :/var/tmp/*.CC
#KRB5_PLUGIN_GSSAPI_LIBRARY=/usr/lib64/libgssapi_krb5.so.2.2
#KRB5_PLUGIN_DEBUG=0
KRB5_PLUGIN_DISABLE_GSSAPI=1
------------------------------
Wendy Zemba
Sr. Consultant, Data Protection
Converge Technology Solutions
wendy.zemba@convergetp.com
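Added example (not Guardium tooling, and not from the poster): a POSIX shell script that makes steps 1 and 2 above mechanical. It reads the Kerberos settings out of sqlnet.ora, strips the trailing "# kerberization" style comment that the sample shows, and prints the guardkerbplugin.conf block in the same layout and with the same values as above (including KRB5_PLUGIN_DISABLE_GSSAPI=1). Assumptions: sqlnet.ora uses "NAME = value" lines; the credential-cache glob is passed in by the caller because `oklist` needs a live Oracle environment; the sqlnet.ora embedded below is constructed from the excerpt in the post.

```shell
#!/bin/sh
# Added example, not Guardium tooling: derive the Kerberos values for
# guardkerbplugin.conf from sqlnet.ora (steps 1 and 2 in the post above).
# Assumptions: "NAME = value" lines with an optional trailing "# comment";
# the ccache glob is supplied by the caller (oklist needs a live Oracle env).
# The sqlnet.ora below is a constructed sample modelled on the thread's excerpt.

SAMPLE_SQLNET="${TMPDIR:-/tmp}/sqlnet_sample.$$"
cat > "$SAMPLE_SQLNET" <<'EOF'
SQLNET.AUTHENTICATION_SERVICES = (BEQ,KERBEROS5PRE,KERBEROS5)
SQLNET.KERBEROS5_CONF = /etc/krb5.conf # kerberization
SQLNET.KERBEROS5_KEYTAB = /var/servicekeytab/oracleiaase00009848
SQLNET.FALLBACK_AUTHENTICATION = TRUE
SQLNET.KERBEROS5_CONF_MIT = TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
EOF

# sqlnet_value FILE KEY: print KEY's value with any trailing "# comment" and
# surrounding whitespace removed; prints nothing if KEY is absent. The whole
# key is compared, so SQLNET.KERBEROS5_CONF does not match ..._CONF_MIT.
sqlnet_value() {
  awk -F= -v key="$2" '
    NF >= 2 {
      k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k != key) next
      v = $2; sub(/#.*/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
      print v; exit
    }' "$1"
}

# plugin_conf SQLNET_ORA CCACHE_GLOB: print the guardkerbplugin.conf block in
# the layout used in the post; returns 1 if sqlnet.ora lacks the conf or
# keytab path, so a half-configured file is never emitted silently.
plugin_conf() {
  conf=$(sqlnet_value "$1" SQLNET.KERBEROS5_CONF)
  keytab=$(sqlnet_value "$1" SQLNET.KERBEROS5_KEYTAB)
  if [ -z "$conf" ] || [ -z "$keytab" ]; then
    echo "missing SQLNET.KERBEROS5_CONF or SQLNET.KERBEROS5_KEYTAB in $1" >&2
    return 1
  fi
  printf '# Kerberos values\n'
  printf 'KRB5RCACHETYPE=none\n'
  printf 'KRB5_KTNAME=%s\n' "$keytab"
  printf 'KRB5_CONFIG=%s\n' "$conf"
  printf '#Plugin values\n'
  printf 'KRB5_PLUGIN_CCACHE=%s\n' "$2"
  printf 'KRB5_PLUGIN_DISABLE_GSSAPI=1\n'
}

# keytab_readable PATH: the S-TAP process, not the oracle user, reads the
# keytab named in KRB5_KTNAME, so run this from the account S-TAP runs under.
# Only existence, size and readability are checked; no key material is shown.
keytab_readable() {
  [ -r "$1" ] && [ -s "$1" ]
}

# Usage: the ccache value here is the one shown in the post.
plugin_conf "$SAMPLE_SQLNET" '/tmp/krb5cc_* :/var/tmp/*.CC'
```

Run it with `$ORACLE_HOME/network/admin/sqlnet.ora` and the cache path from `oklist`, then check `keytab_readable` from the S-TAP account: a keytab the database can read but S-TAP cannot gives the plugin nothing to verify tokens with.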
Original Message:
Sent: Fri February 28, 2025 07:15 AM
From: petr mares
Subject: Kerberos Debug
Hello,
I am creating a report with the number of affected rows. I have enabled the affected rows setting in the inspection engine. All MS SQL databases report this field. I see the number of affected rows in Oracle databases (Linux), but not in all cases. When I use Kerberos auth to an Oracle database, the DB username field is empty and the affected rows have the value -1. I tried changing the auth to database with username and password; all parameters were then filled in correctly.
In the Kerberos configuration file guardkerbplugin.conf there is an option to enable the Debug setting. The Guardium documentation does not state how to use this setting. Does anyone know how to find out where the problem is? When I use Kerberos auth, the DB username field is empty and affected rows is -1.
------------------------------
petr mares
------------------------------