Configuring Interoperability with a Windows 2000 Domain Controller KDC

6-16 Oracle Database Advanced Security Administrator's Guide

For example, if the Oracle database runs on the host sales3854.us.acme.com, then use Active Directory to create a user with the username sales3854.us.acme.com and the password oracle.

Note: Do not create a user as host/hostname.dns.com, such as oracle/sales3854.us.acme.com, in Active Directory. Microsoft's KDC does not support multipart names like an MIT KDC does. An MIT KDC allows multipart names to be used for service principals because it treats all principals as usernames. However, Microsoft's KDC does not.

2. Use the Ktpass command line utility to extract the keytab file with the following syntax:

   Ktpass -princ service/hostname@NT-DNS-REALM-NAME -mapuser account -pass password -out keytab.file

   Using the database user created in the previous step, the following is an example of Ktpass usage:

   C:> Ktpass -princ oracle/sales3854.us.acme.com@SALES.US.COM -mapuser sales3854 -pass oracle -out C:\temp\v5srvtab

   This utility is part of the Windows 2000 Support Tools and can be found on the Windows 2000 distribution media in the \support\reskit\netmgmt\security folder.

3. Copy the extracted keytab file to the host computer where the Oracle database is installed.

   For example, the keytab that was created in the previous step can be copied to /krb5/v5svrtab.
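After the keytab has been copied to the database host, an administrator usually wants to confirm two things before configuring the database to use it: that the file actually contains the service principal that Ktpass was asked for (oracle/sales3854.us.acme.com@SALES.US.COM), and that the file is not readable by other users, since a keytab holds the service's long-term key. The following is an added example, not code from the Oracle guide or from Oracle: it parses the MIT keytab file format (version 0x0502, the layout Ktpass writes) and reports each principal, key version number and encryption type without ever exposing the key bytes, and checks the file mode. The sample keytab is constructed in memory with a dummy eight-byte key and enctype 1 (des-cbc-crc) purely for illustration, and it is written to a temporary file rather than to the guide's /krb5/v5svrtab path.

```python
"""Verify a copied Kerberos keytab for the expected Oracle service principal.

Added example (not from the Oracle guide). Parses the MIT keytab format
version 0x0502, lists principals and key version numbers, and confirms
the file is owner-only. Sample keytab bytes are constructed with a dummy
key; the principal name comes from the guide's Ktpass example.
"""
import os
import stat
import struct
import tempfile

EXPECTED_PRINCIPAL = "oracle/sales3854.us.acme.com@SALES.US.COM"
DES_CBC_CRC = 1  # enctype used in the constructed sample (assumption)


def build_keytab(entries):
    """Construct keytab bytes from (principal, kvno, enctype, key) tuples."""
    out = bytearray(b"\x05\x02")  # keytab format version 0x0502
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:          # realm first, then components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">I", 1)       # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)       # timestamp (unused here)
        body += struct.pack(">B", kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)    # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype} dicts; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        entry, end = data[pos:pos + size], pos + size
        p = 0
        (ncomp,) = struct.unpack(">H", entry[p:p + 2])
        p += 2
        strings = []
        for _ in range(ncomp + 1):    # realm, then each name component
            (ln,) = struct.unpack(">H", entry[p:p + 2])
            p += 2
            strings.append(entry[p:p + ln].decode())
            p += ln
        realm, comps = strings[0], strings[1:]
        p += 4                        # name_type
        p += 4                        # timestamp
        kvno = entry[p]
        p += 1
        enctype, klen = struct.unpack(">HH", entry[p:p + 4])
        p += 4
        p += klen                     # skip key material; never print it
        if len(entry) - p >= 4:       # 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack(">I", entry[p:p + 4])
        found.append({"principal": "/".join(comps) + "@" + realm,
                      "kvno": kvno, "enctype": enctype})
        pos = end
    return found


def check_keytab(path, expected=EXPECTED_PRINCIPAL):
    """Return (ok, problems): expected principal present and mode is owner-only."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("keytab is group/world accessible (mode %o)" % mode)
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    if not any(e["principal"] == expected for e in entries):
        problems.append("principal %s not found; got %s"
                        % (expected, [e["principal"] for e in entries]))
    return (not problems, problems)


def demo(mode=0o600):
    """Write the constructed sample keytab with the given mode and check it."""
    sample = build_keytab([(EXPECTED_PRINCIPAL, 2, DES_CBC_CRC, b"\x01" * 8)])
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, sample)
        os.close(fd)
        os.chmod(path, mode)
        return check_keytab(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())        # (True, [])
    print(demo(0o644))   # (False, ['keytab is group/world accessible (mode 644)'])
```

On the real host the call would be check_keytab("/krb5/v5svrtab"); a missing principal usually means the -princ value given to Ktpass did not match what the database is configured to use, and a permissive mode should be corrected before the database is allowed to read the file.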
See Also: Detailed information about Windows 2000 interoperability with Kerberos 5 that is available at the following URL:

http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/kerbsteps.asp