IBM Guardium

IBM Guardium

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  Kerberos Debug

    Posted 02/28/25 07:15 AM

    Hello,

    I am creating a report with the number of affected rows. I have enabled the affected rows setting in Inspection engine. All MS SQL databases report this field. I see the number of affected rows in Oracle databases (linux), but not in all cases. When I use kerberos auth to Oracle database, the DBusername field is empty and the affected rows have the value -1. I tried changing the auth to database with username and password, all aparameters were filled in correctly.

    In the kerberos configuration file guardkerbplugin.conf there is an option to enable the Debug setting. The Guardia documentation does not state how to use this setting. Does anyone know how to find out where the problem is, when I use kerberos auth the dbusername field is empty and affected rows is -1?



    ------------------------------
    petr mares
    ------------------------------


  • 2.  RE: Kerberos Debug

    Posted 02/28/25 08:13 AM

    Hi @petr mares,

    To troubleshoot Kerberos plugin issues, enable S-TAP and Kerberos plugin debug as shown below followed by an S-TAP process restart, then analyze /tmp/guard_stap.stderr.txt file content.
    - tap_debug_output_level=4 in guard_tap.ini file
    - KRB5_PLUGIN_DEBUG=1 in guardkerbplugin.conf file
     
    Database user name issues are common with kerberose and Oracle, the plugin is supposed to resolve that if configured properly. It sounds like you enabled the plug in. Review the configuration as such:
    1. Run the following commands to find Kerberos settings in the Oracle environment:
       grep -i KERB $ORACLE_HOME/network/admin/sqlnet.ora
       output is similar to:
       SQLNET.AUTHENTICATION_SERVICES = (BEQ,KERBEROS5PRE,KERBEROS5)
       SQLNET.KERBEROS5_CONF = /etc/krb5.conf # kerberization
       SQLNET.KERBEROS5_KEYTAB = /var/servicekeytab/oracleiaase00009848
       SQLNET.FALLBACK_AUTHENTICATION = TRUE
       SQLNET.KERBEROS5_CONF_MIT = TRUE
       SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
       
       oklist|grep -i cache
       output is similar to: /tmp/krb5cc_500
    2. Set specific parameters in guardkerbplugin.conf file based on the output in step 1 as follows: 
        
        # Kerberos values
        KRB5RCACHETYPE=none
        KRB5_KTNAME= /var/servicekeytab/oracleiaase00009848
        KRB5_CONFIG=/etc/krb5.conf
        #Plugin values
        KRB5_PLUGIN_CCACHE=/tmp/krb5cc_* :/var/tmp/*.CC
        #KRB5_PLUGIN_GSSAPI_LIBRARY=/usr/lib64/libgssapi_krb5.so.2.2
        #KRB5_PLUGIN_DEBUG=0
        KRB5_PLUGIN_DISABLE_GSSAPI=1


    ------------------------------
    Wendy Zemba
    Sr. Consultant, Data Protection
    Converge Technology Solutions
    wendy.zemba@convergetp.com

    Need help with your Guardium deployment? Contact me directly to discuss engagement opportunities. Currently serving North America.
    ------------------------------



  • 3.  RE: Kerberos Debug

    Posted 02/28/25 10:31 AM

    Hello,

    I have Kerberos set up correctly. I have already done the test. The test ended with an error. I will run new tests with your recommended settings.

    The previous error was:

    Kerberos plugin: in_buf = 0x7f5a7b3c1aa7  in_len = 806  out_buf = 0x7f5a7b3c1dcd  *out_len = 128
    Kerberos plugin: trying gssapi
    Kerberos plugin: ERROR: KDC did not return DB_USER
    Kerberos plugin: ROUTINE ERROR: GSS_S_BAD_SIG
    Kerberos plugin: MINOR STATUS: 0x186a1
    Kerberos plugin: A token had an invalid Message Integrity Check (MIC)
    Kerberos plugin: gssapi didn't work
    Kerberos plugin: trying ccache
    Kerberos plugin: ccache didn't work
    Kerberos plugin: ERROR: couldn't find name
    Kerberos plugin: in_buf = 0x7f5a7b3c1aa7  in_len = 771  out_buf = 0x7f5a7b3c1daa  *out_len = 128
    Kerberos plugin: trying gssapi
    Kerberos plugin: ERROR: KDC did not return DB_USER
    Kerberos plugin: ROUTINE ERROR: GSS_S_DEFECTIVE_TOKEN
    Kerberos plugin: Invalid token was supplied
    Kerberos plugin: gssapi didn't work
    Kerberos plugin: trying ccache
    Kerberos plugin: ccache didn't work
    Kerberos plugin: ERROR: couldn't find name

    Do you have some idea?

    Regards Petr



    ------------------------------
    petr mares
    ------------------------------

    Original Message


  • 4.  RE: Kerberos Debug
    Best Answer

    Posted 02/28/25 11:13 AM

    It looks like possible token issue with Kerberos. Suggest sharing this with your Kerberos team.



    ------------------------------
    Wendy Zemba
    Sr. Consultant, Data Protection
    Converge Technology Solutions
    wendy.zemba@convergetp.com

    Need help with your Guardium deployment? Contact me directly to discuss engagement opportunities. Currently serving North America.
    ------------------------------

    Original Message


  • 5.  RE: Kerberos Debug

    Posted 03/04/25 07:43 AM

    Hello Wendy,
    There may be a problem with a missing package, like krb5-config installed but not libkrb5-dev.



    ------------------------------
    petr mares
    ------------------------------

    Original Message


Related Content