windows, oracle, kerberos

Can I avoid password typing using okinit utility?


In my configuration I have:

example.ru is the domain name.

mydb is the SID of the database.

I use Kerberos authentication.

At the DB server I created the user:

CREATE USER myuser IDENTIFIED EXTERNALLY as 'myuser@EXAMPLE.RU';
GRANT CREATE SESSION TO myuser;

At the client I log in as domain user myuser.

Obtain a ticket for myuser:

okinit myuser

Then okinit asks for the password, and I type it.

Then I log in to the database:

sqlplus /@mydb

Connection is successful.

But after 8 hours, if I want to log in to the database again, I must run "okinit myuser" again and type the password.

Can I avoid typing the password? Will it be secure? Maybe I must configure ticket_lifetime and renew_lifetime in krb5.conf (and renew the ticket without a password)?


Solution

  • But after 8 hours, if I want to log in to the database again, I must run "okinit myuser" again and type the password.

    Can I avoid typing the password? Will it be secure? Maybe I must configure ticket_lifetime and renew_lifetime in krb5.conf (and renew the ticket without a password)?

    In theory yes, depending on how your realm is configured, setting renew_lifetime to 14d (the typical maximum) – or doing okinit -r 14d – would let you use okinit -R to extend the lifetime to 8h again and again, for up to two weeks.

    Note that you must keep renewing the tickets before they expire.

    Ideally Oracle should use the Windows LSA ticket cache, which MIT Kerberos can use through the MSLSA: cache type (as in ibre5041's answer)... but I don't think it works properly these days. The way "MSLSA:" works is not by letting LSA/SSPI handle everything, but by extracting the raw TGT out of the LSA cache and letting MIT Kerberos do the rest, and the ability to extract the TGT is not only disabled by default but also outright incompatible with Credential Guard. So, continuing to okinit separately will be the less-bad choice.
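The renew-until-the-window-closes pattern from the answer, as an added example (not from the question or the answer): a small script meant for a scheduled job, which calls okinit -R while the renewable lifetime lasts and otherwise tells the user that an interactive okinit with the password is needed. The OKINIT override, the renew_ticket.sh name and the assumption that okinit -R exits non-zero once the ticket can no longer be renewed are mine, not documented on the page.

```shell
#!/bin/sh
# Added example: keep an okinit ticket alive without retyping the password.
# Run it from a scheduled job every few hours, i.e. well inside the 8h
# ticket lifetime, so the ticket is renewed before it expires.
#
# krb5.conf [libdefaults] settings that make the initial ticket renewable
# (the 14d value is the one the answer suggests; "okinit -r 14d" at first
# login has the same effect):
#   ticket_lifetime = 8h
#   renew_lifetime  = 14d
#
# Assumption (not documented on the page): "okinit -R" exits non-zero when the
# renewable window has closed. OKINIT can be overridden with a stub so the
# control flow can be exercised on a machine without an Oracle client.

# renew_or_reauth USER
#   returns 0 -> ticket renewed for another ticket lifetime
#   returns 2 -> renewable lifetime exhausted; "okinit USER" (password) needed
renew_or_reauth() {
    user="$1"
    okinit_cmd="${OKINIT:-okinit}"
    if "$okinit_cmd" -R >/dev/null 2>&1; then
        return 0
    fi
    printf 'ticket for %s is no longer renewable; run: okinit %s\n' \
        "$user" "$user" >&2
    return 2
}

# Act only when executed as renew_ticket.sh, not when sourced for testing.
case "$0" in
    */renew_ticket.sh|renew_ticket.sh) renew_or_reauth "${1:-myuser}" ;;
esac
```

After two weeks the script will start returning 2 on every run; at that point a single interactive "okinit myuser" opens a fresh renewable window.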