Using SMB/CIFS-Share on Oracle Database Appliance with FIPS enabled

Starting with Oracle Database Appliance release 19.11,
the Linux kernel used by Oracle Database Appliance running on bare metal and KVM Database Systems is compliant with the United States Federal Information Processing Standard 140-2 (FIPS 140-2) level one.
In accordance with the FIPS standard, the algorithms used by the secure shell (SSH) are limited to those permitted by the standard.
FIPS 140-2 is supported in both newly provisioned systems and patched systems.
When a system is updated, FIPS support is automatically enabled. No user intervention is needed.

Oracle Doc: https://docs.oracle.com/en/engineered-systems/oracle-database-appliance/19.12/cmtsg/security-features-database-appliance.html#GUID-B55117CF-6880-4657-9290-D5E314F14106

The text above is Oracle's description of the new feature on ODA.
If you or your customer use SMB/CIFS shares, the ODA will no longer be able to connect to them: with FIPS enabled, MD5 is disabled, which rules out NTLM, NTLMv2 and ntlmssp authentication. SMB signing cannot be used either, since it also relies on MD5. Any CIFS mount that uses one of these methods breaks as soon as FIPS mode is enabled.

The how-to below shows the configuration needed to connect an ODA to an SMB/CIFS share using Kerberos.

# Install krb5-workstation
## via yum
$> yum install krb5-workstation
## ON ODA: download and install the rpm manually
$> rpm -qa | grep krb5-workstation
## --no-check-certificate skips TLS verification of yum.oracle.com; leave it out if the ODA trusts the site's CA
$> cd /tmp && wget --no-check-certificate \
 https://yum.oracle.com/repo/OracleLinux/OL7/latest/x86_64/getPackage/krb5-workstation-1.15.1-50.0.1.el7.x86_64.rpm
$> rpm -i krb5-workstation*.rpm
# configuration
## define the realm (the AD domain) and its KDCs (the domain controllers) in the kerberos config
$> vi /etc/krb5.conf
[realms]
GABRIELKEUSEN.COM = {
  KDC = NTADSP01.GABRIELKEUSEN.COM
  KDC = NTADSP02.GABRIELKEUSEN.COM
  KDC = NTADSP03.GABRIELKEUSEN.COM
  ADMIN_SERVER = NTADSP01.GABRIELKEUSEN.COM
}
## create the keytab file for the service account
## keep a backup of the existing keytab first (suffix = PID of the current shell)
$> cp /etc/krb5.keytab /etc/krb5.keytab_BAK_$$
$> ktutil
ktutil> rkt /etc/krb5.keytab
ktutil> list
## -p principal, -k key version number (must match the account's KVNO in AD), -e encryption type
ktutil> addent -password -p SVC-NTACCOUNT@GABRIELKEUSEN.COM -k 1 -e RC4-HMAC
ktutil> wkt /etc/krb5.keytab
ktutil> q
## re-read the keytab to verify that the new entry was written
$> ktutil
ktutil> rkt /etc/krb5.keytab
ktutil> list
# test the service account: obtain a ticket-granting ticket from the keytab
$> kinit SVC-NTACCOUNT@GABRIELKEUSEN.COM -k -t /etc/krb5.keytab
# configure fstab and mount it
$> mkdir /mnt/gabrielkeusen_test
$> vi /etc/fstab
## sec=krb5 selects Kerberos instead of NTLM-based authentication
//fileserver.gabrielkeusen.com/share$/folder_A/subfolder_A /mnt/gabrielkeusen_test cifs username=SVC-NTACCOUNT@GABRIELKEUSEN.COM,sec=krb5,dir_mode=0755,file_mode=0755,uid=oracle,gid=oinstall 0 0
$> mount -a
##################################################
# autofs configuration (if you use autofs instead of fstab)
## add the sec parameter to the map entry in /etc/auto.cifs
$> vi /etc/auto.cifs
gabrielkeusen_test -fstype=cifs,sec=krb5,user=SVC-NTACCOUNT@GABRIELKEUSEN.COM,uid=oracle,gid=oinstall "://fileserver.gabrielkeusen.com/share$/folder_A/subfolder_A"
## restart autofs
$> systemctl restart autofs

Note: If you get the following error during the mount process, verify the credentials (by using them on another client) and try the FQDN of the file server instead of its IP address:

$> mount -a
## mount error(126): Required key not available
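Before (or right after) a patch that turns FIPS mode on, it helps to find the CIFS entries that still rely on NTLM/NTLMv2/ntlmssp and to check which encryption types the keytab holds. The script below is an added example and not part of the original post: it reads fstab or auto.cifs entries and the output of `klist -kte` from stdin and classifies them. It goes a step beyond the post by also flagging the RC4-HMAC keytab entry, since RC4 and HMAC-MD5 are not FIPS-approved algorithms and an AES enctype is preferable where the AD account supports it. The sample fstab/auto.cifs entries and the klist output are constructed (share, host and principal names are the post's sample values; the timestamps are made up), and the `/proc/sys/crypto/fips_enabled` path is a parameter so the check can be run against a copy.

```shell
#!/bin/bash
# Added example (not from the original post): FIPS readiness checks for
# Kerberos-based CIFS mounts on an ODA. Sample inputs below are constructed.

# Is the running kernel in FIPS mode? The post says it is enabled
# automatically on patching to 19.11+; path is a parameter for testing.
fips_enabled() {
    local f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Classify each CIFS entry read on stdin (fstab or autofs map format) and
# print "OK|WARN|FAIL <reason>: <entry>". Under FIPS the NTLM family
# (and a missing sec=, which defaults to ntlmssp) cannot work because it
# needs MD5; sec=krb5 is what the post uses. krb5i/krb5p additionally ask
# for signing/sealing, which the post says breaks because signing uses MD5.
cifs_fips_audit() {
    local line sec
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        case "$line" in
            *[[:space:]]cifs[[:space:]]*|*-fstype=cifs*) ;;
            *) continue ;;
        esac
        # pull the value of the sec= mount option out of the option string
        sec=$(printf '%s\n' "$line" |
              sed -n 's/.*[,[:space:]]sec=\([^,[:space:]]*\).*/\1/p')
        case "$sec" in
            krb5)        printf 'OK   kerberos: %s\n' "$line" ;;
            krb5i|krb5p) printf 'WARN kerberos, but signing/sealing requested (sec=%s): %s\n' "$sec" "$line" ;;
            '')          printf 'FAIL no sec= option, defaults to ntlmssp: %s\n' "$line" ;;
            ntlm*)       printf 'FAIL sec=%s is MD5-based and disabled under FIPS: %s\n' "$sec" "$line" ;;
            *)           printf 'FAIL unsupported sec=%s: %s\n' "$sec" "$line" ;;
        esac
    done
}

# Classify the key entries of "klist -kte" output read on stdin by the
# enctype that klist prints in parentheses at the end of each entry line.
keytab_enctype_audit() {
    local line enc
    while IFS= read -r line; do
        enc=$(printf '%s\n' "$line" | sed -n 's/.*(\([^()]*\))[[:space:]]*$/\1/p')
        [ -n "$enc" ] || continue            # header/separator lines have no enctype
        case "$enc" in
            aes128-cts*|aes256-cts*) printf 'OK   %s\n' "$line" ;;
            *arcfour-hmac*|*des*)    printf 'WARN not a FIPS-approved enctype: %s\n' "$line" ;;
            *)                       printf 'WARN unrecognised enctype: %s\n' "$line" ;;
        esac
    done
}

# Constructed sample input: the post's two entries plus two NTLM-style ones.
SAMPLE_MOUNTS='# comment line
//fileserver.gabrielkeusen.com/share$/folder_A/subfolder_A /mnt/gabrielkeusen_test cifs username=SVC-NTACCOUNT@GABRIELKEUSEN.COM,sec=krb5,dir_mode=0755,file_mode=0755,uid=oracle,gid=oinstall 0 0
gabrielkeusen_test -fstype=cifs,sec=krb5,user=SVC-NTACCOUNT@GABRIELKEUSEN.COM,uid=oracle,gid=oinstall "://fileserver.gabrielkeusen.com/share$/folder_A/subfolder_A"
//fileserver.gabrielkeusen.com/backup /mnt/backup cifs credentials=/root/.smbcred,sec=ntlmssp,uid=oracle 0 0
//fileserver.gabrielkeusen.com/legacy /mnt/legacy cifs credentials=/root/.smbcred,uid=oracle 0 0
nfsserver:/export/dump /mnt/dump nfs defaults 0 0'

# Constructed sample "klist -kte" output (timestamps are made up).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/01/2022 00:00:00 SVC-NTACCOUNT@GABRIELKEUSEN.COM (arcfour-hmac)
   1 01/01/2022 00:00:00 SVC-NTACCOUNT@GABRIELKEUSEN.COM (aes256-cts-hmac-sha1-96)'

if fips_enabled; then echo "kernel FIPS mode: on"; else echo "kernel FIPS mode: off (or not readable)"; fi
printf '%s\n' "$SAMPLE_MOUNTS" | cifs_fips_audit
printf '%s\n' "$SAMPLE_KLIST"  | keytab_enctype_audit
```

On a real system, replace the samples with `cifs_fips_audit < /etc/fstab`, `cifs_fips_audit < /etc/auto.cifs` and `klist -kte | keytab_enctype_audit`; any FAIL line is a mount that will stop working once FIPS is on, which is exactly the situation the post's Kerberos setup resolves.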