Re: oracle authentication from windows
Arup,
Do you include info on setting 'OSAUTH_PREFIX_DOMAIN' in the registry?
If not set then cross-domain externally identified accounts must be created as OPS$domain\username, which is a bit of a pain.
Security may require it though.
Jared
On Thursday 19 June 2003 15:34, Arup Nanda wrote:
> Mladen,
>
> This is precisely the content I have gone into in depth in my upcoming book,
> where this practice of OPS$ accounts has been discussed.
>
> The security hole in OPS$ accounts is a bit overrated. Changing username in
> Windows XP alone does not allow logging in to the database directly if OPS$
> accounts are used. What you are referring to is setting the ORA_DBA group
> in Windows. Here is an excerpt from the book:
>
> "If OPS$ accounts must be used, make sure that init.ora parameter
> os_authent_prefix is set to OPS$ or some other value, not NULL. If it is
> null, as shown by an empty string "", the security is severely threatened.
> Anyone can create a userid called SYSTEM in the OS and then log on without
> a password as the Oracle user SYSTEM. If the os_authent_prefix is set to
> OPS$, then the corresponding user id in Oracle will be OPS$SYSTEM, not
> SYSTEM. They are different users."
>
> As you might notice, OPS$ accounts are somehow insecure, and I personally
> eschew them; but let's face it, in some situations, like in the case AK
> mentioned, the use is required. What the DBAs can do is to take some
> precautions to ensure security.
>
> HTH.
>
> Arup
> ----- Original Message -----
> From: Gogala, Mladen
> To: Multiple recipients of list ORACLE-L
> Sent: Thursday, June 19, 2003 4:19 PM
> Subject: RE: oracle authentication from windows
>
>
> That, of course, will render your database totally insecure and open to
> anybody who can bring in a WinXP laptop, change the windoze username and
> log in as he pleases. DBA that sets his production parameters the way Arup
> described deserves to be publicly tortured by Bill O'Reilly in the "no spin
> zone".
>
> Mladen Gogala
> Oracle DBA
> Phone:(203) 459-6855
> Email:[EMAIL PROTECTED]
>
> -----Original Message-----
> From: Arup Nanda [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 19, 2003 3:46 PM
> To: Multiple recipients of list ORACLE-L
> Subject: Re: oracle authentication from windows
>
>
> Sure.
>
> Just declare these in your init.ora
>
> os_authent_prefix=OPS$
> remote_os_authent=TRUE
>
> bounce the database, add a user called OPS$<the Windows username>, e.g.
> OPS$AK if your Windows login id is AK as
>
> create user ops$ak identified externally;
>
> From windows connect as "/@servicename", e.g. sqlplus /@service1
>
> If it doesn't work, the OS user may be different. Use this query while
> connected to the database from the Windows client.
>
> SQL> select sys_context('USERENV','OS_USER') from dual;
>
> See what OS username comes up; use that instead.
>
> HTH.
>
> Arup Nanda
> www.proligence.com
>
>
> ----- Original Message -----
> From: AK
> To: Multiple recipients of list ORACLE-L
> Sent: Thursday, June 19, 2003 1:10 PM
> Subject: oracle authentication from windows
>
>
> We want our client users (forms users) to just enter their Windows
> password and then automatically be able to get into Oracle. Is there a way
> Oracle can authenticate from Windows (or Active Directory)? Embedding the
> password in runform.exe is not an option.
>
> thanks,
> -ak
-- Author: Jared Still
Received on Mon Jun 23 2003 - 09:43:36 CDT
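
An added example, not part of the original messages: a small Python check of the two init.ora parameters discussed in the thread and of the OS-user-to-account mapping the book excerpt describes. The sample parameter files, account list and function names are constructed for illustration; the defaults used when a parameter is absent (OPS$ and FALSE) are Oracle's documented ones.

```python
import re

# Oracle's documented defaults when a parameter is absent from init.ora.
DEFAULTS = {"os_authent_prefix": "OPS$", "remote_os_authent": "FALSE"}

def parse_init_ora(text):
    """Effective values of the two parameters discussed in the thread."""
    params = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        m = re.match(r"(\w+)\s*=\s*(.*)$", line)
        if m and m.group(1).lower() in params:
            # Strip optional quotes, so "" and '' both yield the empty prefix.
            params[m.group(1).lower()] = m.group(2).strip().strip("'\"")
    return params

def mapped_account(os_user, prefix):
    """Database account name that an OS user name is mapped to."""
    return (prefix + os_user).upper()

def audit(init_ora_text, db_accounts, os_users):
    """Return (findings, matches) for a parameter file.

    matches lists (os_user, account) pairs where the mapped name is an
    existing database account; review any match on a built-in account.
    """
    p = parse_init_ora(init_ora_text)
    prefix = p["os_authent_prefix"]
    findings = []
    if prefix == "":
        findings.append("EMPTY_PREFIX")              # OS name equals account name
    if p["remote_os_authent"].upper() == "TRUE":
        findings.append("REMOTE_OS_AUTHENT")         # OS user name comes from the client
    existing = {a.upper() for a in db_accounts}
    matches = [(u, mapped_account(u, prefix)) for u in os_users
               if mapped_account(u, prefix) in existing]
    return findings, matches

# Constructed sample inputs (not taken from any real system).
WEAK = 'os_authent_prefix = ""\nremote_os_authent = TRUE   # trust client\n'
THREAD = "os_authent_prefix=OPS$\nremote_os_authent=TRUE\n"
ACCOUNTS = ["SYS", "SYSTEM", "OPS$AK"]
OS_USERS = ["ak", "system"]

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("thread", THREAD)):
        print(name, audit(text, ACCOUNTS, OS_USERS))
```

With the empty prefix the OS name "system" lands on the built-in SYSTEM account; with OPS$ only the purpose-made OPS$AK account matches.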