Re: oracle authentication from windows

From: <Jared.Still_at_radisys.com>
Date: Mon, 30 Jun 2003 14:07:04 -0700
Message-ID: <F001.005BC763.20030630133941@fatcity.com>


Multiple users with the same name may exist in different domains, just as the docs state.

Using OSAUTH_PREFIX_DOMAIN = true requires that the domain name be part of the username for externally authenticated accounts.

scott/tiger would become your_domain\scott/tiger

Jared

<[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
 06/27/2003 12:44 AM
 Please respond to ORACLE-L  

        To:     Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
        cc: 
        Subject:        Re: oracle authentication from windows


Thanks Reginald, Jared, Mladen... I set sqlnet.authentication_services=(nts), made sure that the ntlm service was up and running, and created a user by the name \\domain_name\username (replaced domain_name with the name of the standalone computer I was testing this on), and I can now log in operating system users with remote_os_authent=false.
Thanks a lot, list.
Could anyone please explain the significance and working of OSAUTH_PREFIX_DOMAIN? I read the following but was unable to understand it:

"There may be multiple frank usernames on your network, including local user frank, domain user frank on sales, and possibly several domain users frank on other domains. Entering true enables the server to differentiate among them. Entering false causes the domain to be ignored and local user frank to become the default value of the operating system user returned to the server."

The security and network integration guide for windows also says this about setting registry parameter osauth_prefix_domain: "Do this step only if you are not authenticating a domain name with a user (for example, just frank instead of frank on domain sales)."

Could someone please explain the above quoted docs?

.................

:
: Try authenticating with the domain\userid. When you create the user
: account in the database, use the domain\userid. Set
: SQLNET.AUTHENTICATION_SERVICES = (NTS) in the sqlnet.ora file. Check out
: MetaLink note 60634.1 on how to set up domain authenticated users. Also
: set the registry entry OSAUTH_PREFIX_DOMAIN and create userids in the form
: of OPS$<domain>\<user>. For users on the local server, their domain would
: be the local server. All other domains would be their actual NT domain.
: Check out the MetaLink document for more details.
:
: RWB
:




:
: Reginald W. Bailey
: IBM Global Services - ETS SW GDSD - Database Management
: Your Friendly Neighborhood DBA
: 713-216-7703 (Office) 281-798-5474 (Mobile) 713-415-5410 (Pager)
:



:
: [EMAIL PROTECTED]
: Sent by: [EMAIL PROTECTED]
: 06/21/2003 08:49 PM
: Please respond to ORACLE-L
:
: To: [EMAIL PROTECTED]
: cc:
: Subject: Re: oracle authentication from windows
:
: Thank you very much Arup, very lucid and detailed explanation.
: In the last point you said:
: : 3) If remote_os_authent is false, but the database has a user OPS$BULBUL
: : identified externally; a user named bulbul on the _server_ can login as
: : "sqlplus /", but a user named BULBUL on a remote machine will not be able
: : to.
: That is the problem, as I said I am not able to log in even the
: database server's operating system users (who are identified
: externally) unless I set remote_os_authent=true; but then as you
: said any remote client could authenticate the externally identified
: user in whatever means, and then they could log in. I mean
: create user scott identified externally;
: grant create session to scott;
: If on the client machine there is an operating system user called
: scott, then he can log in to the scott schema.
: Any ideas how to restrict the externally identified users so that they
: have to log in to the database server to access their oracle schemas?
:
: Another doubt is from what you said about
: sqlnet_authentication_services:
: : You are using (none) because you do not want to rely on the authentication
: : service provided by others.
: :
: So this means that the database will not recognise the authentication
: done by some other means (like the white house guards refusing to
: recognize the authentication provided by the people on the hill).
: Then how will someone log in if he is identified externally?
:
: Once again thanks for the excellent response, thanks for taking time
: out to explain the physical significance of these parameters in a very
: nice way.
:
: : (2) remote_os_authent means the user is authenticated in whatever manner in
: : the _client_ operating system, not the server. The user may have no account
: : with the server.
: :
: : (3) If remote_os_authent is false, but the database has a user OPS$BULBUL
: : identified externally; a user named bulbul on the _server_ can login as
: : "sqlplus /", but a user named BULBUL on a remote machine will not be able
: : to.
: :
: : Hope this helps.
: :
: : Arup Nanda
: : www.proligence.com
: :
: : ----- Original Message -----
: : To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
: : Sent: Saturday, June 21, 2003 2:19 AM
: :
: :
: : > Arup, the procedure you gave is correct and works fine.
: : > I tried it out on win32 with 9.2.0.1.0.
: : > But I had to set SQLNET.AUTHENTICATION_SERVICES= (none) in sqlnet.ora
: : > My fundamentals are really weak, so please forgive the stupid
: : > questions: These steps create a database user who will be
: : > authenticated by the operating system, right? I assume that the
: : > authenticating os is the one which runs the database and not the os
: : > running on the remote client machine. If yes, then this would mean
: : > that all these externally identified users would have to somehow log
: : > onto the os of the database server.
: : >
: : >
: : > However why does this procedure work only when remote_os_authent=true?
: : > I had posted this same question a while ago, did not get any
: : > satisfactory answers, though people told me that
: : > remote_os_authent=true is a security problem.
: : >
: : > But it doesn't seem to work without that.
: : > Any ideas of enabling "sqlplus /" without remote_os_authent=true?
: : > Wouldn't remote_os_authent=true allow remote client machines to
: : > authenticate their users which can then log in to the database as
: : > long as they know the name of the externally authenticated username
: : > and value of os_authent_prefix
: : >
: : > ----- Original Message -----
: : > To: "Multiple recipients of list ORACLE-L" <[EMAIL PROTECTED]>
: : > Sent: Friday, June 20, 2003 01:15
: : >
: : >
: : > Sure.
: : >
: : > Just declare these in your init.ora
: : >
: : > os_authent_prefix=OPS$
: : > remote_os_authent=TRUE
: : >
: : > bounce the database, add a user called OPS$<the Windows username>,
: : > e.g. OPS$AK if your Windows login id is AK as
: : >
: : > create user ops$ak identified externally;
: : >
: : > From windows connect as "/@servicename", e.g. sqlplus /@service1
: : >
: : > If it doesn't work, the OS user may be different. Use this query while
: : > connected to the database from Windows client.
: : >
: : > SQL> select sys_context('USERENV','OS_USER') from dual;
: : >
: : > See what OS username comes up; use that instead.
: : >
: : > HTH.
: : >
: : > Arup Nanda
: : > www.proligence.com
: : >
: : >
: : > ----- Original Message -----
: : > From: AK
: : > To: Multiple recipients of list ORACLE-L
: : > Sent: Thursday, June 19, 2003 1:10 PM
: : > Subject: oracle authentication from windows
: : >
: : >
: : > We want our client users (forms user) to just enter windows
: : > password and then automatically able to get in to oracle. Is there a
: : > way oracle can authenticate from windows (or active directory).
: : > embedding password in runform.exe not an option.
: : >
: : > thanks,
: : > -ak
: :
:
: --
: Please see the official ORACLE-L FAQ: http://www.orafaq.net
: --
: Author: <[EMAIL PROTECTED]>
: INET: [EMAIL PROTECTED]
:
: Fat City Network Services -- 858-538-5051 http://www.fatcity.com
: San Diego, California -- Mailing list and web hosting services
: ---------------------------------------------------------------------
: To REMOVE yourself from this mailing list, send an E-Mail message
: to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
: the message BODY, include a line containing: UNSUB ORACLE-L
: (or the name of mailing list you want to be removed from). You may
: also send the HELP command for other information (like subscribing).
:
Received on Mon Jun 30 2003 - 16:07:04 CDT
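
The settings discussed in this thread, as an added example that is not part of the original messages or of any Oracle tooling: a small Python check that flags the risky combinations and shows which externally identified account name an OS login maps to with and without OSAUTH_PREFIX_DOMAIN. The sample file contents, the function names, and the uppercase, double-quoted account form are assumptions made for illustration; OSAUTH_PREFIX_DOMAIN is a registry value, so it is passed in as a boolean.

```python
import re

# Constructed sample files mirroring the settings quoted in the thread.
INIT_ORA = "os_authent_prefix=OPS$\nremote_os_authent=TRUE\n"
SQLNET_ORA = "SQLNET.AUTHENTICATION_SERVICES = (NTS)\n"

def parse_params(text):
    """Parse name=value lines (init.ora / sqlnet.ora style); keys lowercased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().lower()] = value.strip().strip("'\"")
    return params

def external_db_user(os_user, domain, prefix="OPS$", prefix_domain=False):
    """Account name an OS login maps to (uppercase form is an assumption)."""
    name = f"{domain}\\{os_user}" if prefix_domain else os_user
    return (prefix + name).upper()

def create_user_sql(db_user):
    """Quoted identifier is needed because of the backslash in the name."""
    return f'CREATE USER "{db_user}" IDENTIFIED EXTERNALLY;'

def audit(init_ora, sqlnet_ora, prefix_domain):
    """Return findings for the settings discussed in the thread."""
    findings = []
    init, net = parse_params(init_ora), parse_params(sqlnet_ora)
    if init.get("remote_os_authent", "false").lower() == "true":
        findings.append("remote_os_authent=TRUE: the server accepts the OS "
                        "user name as authenticated by the client machine")
    services = re.findall(r"\w+", net.get("sqlnet.authentication_services", ""))
    if "NTS" not in (s.upper() for s in services):
        findings.append("SQLNET.AUTHENTICATION_SERVICES lacks NTS: Windows "
                        "native authentication is not enabled")
    if not prefix_domain:
        findings.append("OSAUTH_PREFIX_DOMAIN=false: the domain is ignored, "
                        "so same-named users in different domains are not "
                        "differentiated")
    return findings

if __name__ == "__main__":
    for finding in audit(INIT_ORA, SQLNET_ORA, prefix_domain=False):
        print("FINDING:", finding)
    user = external_db_user("scott", "your_domain", prefix_domain=True)
    print(create_user_sql(user))
```
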
