
Re: connect as sysdba

From: Howard J. Rogers <howardjr_at_www.com>
Date: Sat, 6 Jan 2001 00:42:22 +1100
Message-ID: <3a55cf39@news.iprimus.com.au>

"montserrat mateos" <m.mateos_at_upsa.es> wrote in message news:3a55899a$1_at_193.146.156.23...
> I think that it isn't a problem because when I create the user I do it with
> CREATE USER <NAME> IDENTIFIED BY <PASSWORD>, and not EXTERNALLY.
>
> So, I don't know.
>
> Do you have any more ideas??
>

No, the "externally" thing is used when you want to implement O/S authentication for ordinary users, and requires the username to be equal to the o/s login name plus whatever you set as your OS_AUTHENT_PREFIX in the init.ora (OPS$ by default).

That's *not* what I was talking about. I was referring to O/S authentication for privileged users (ie, those who can startup, shutdown, backup and recover the database) ... ie, those with SYSDBA privileges. Completely different mechanism.

You've missed my essential point, which is that you said your original user could connect 'as sysdba' even though he wasn't granted sysdba privileges. Who were you logged on as at the operating system when you tested that? As yourself? If so, your o/s account, presumably being a member of the dba group (or ORA_DBA group on NT), is the thing that counts, not what you type as the connect string in sqlplus or svrmgrl. The presence of the 'as sysdba' keywords means 'ignore the username and password I've typed in the connect string, and go check the memberships of the dba group'.

Do me a favour: type in 'connect skjdhkjhfksjfhaksjdshfa/ksdfhskjhfsjfhksj as sysdba' (without the quotes) and tell me what happens (and actually do it this time!). My guess is you will connect fine. You might then try 'select user from dual', and my guess is that you'll see yourself logged on as SYS... and if both those guesses are true, you have O/S authentication for privileged Users set up.

Regards
HJR
> Thanks
>
> "Howard J. Rogers" <howardjr_at_www.com> wrote in message
> news:3a5575b8_at_news.iprimus.com.au...
> > You mean "connect fred/password as sysdba" works? Even when fred hasn't
> > been granted sysdba privileges?
> >
> > Strangely enough, that's because you've implemented operating system
> > authentication (by setting up the dba group in Unix or the ORA_DBA (or
> > ORA_<sid>_DBA) group in NT).
> >
> > O/S authentication means "I don't give a damn what you type as part of the
> > connect string...I will go out and check whether you, the machine/domain
> > User are a member of the appropriate group and see if you are a member. If
> > you are, you're in".
> >
> > Try typing this:
> >
> > connect lkajdslfkahdlkjfhasdlkfalkjf/dhfkjshdfjshfkjsdhfk as sysdba
> >
> > If it works, it's proof (I hope) that O/S authentication is in place and
> > working just fine. The point being that whatever you type as the User and
> > Password, it's ignored... you as the domain User are already logged onto the
> > network with appropriate group privileges, and those group privileges are
> > what Oracle is worried about.
> >
> > If this bothers you, then you need to de-implement O/S authentication, and
> > implement password file authentication.
> >
> > Regards
> > HJR
> >
> > "montserrat mateos" <m.mateos_at_upsa.es> wrote in message
> > news:3a54820b_at_193.146.156.23...
> > > I have a problem with oracle, I create a new user and although he hasn't
> > > privileges as sysdba, he can connect as sysdba, what can I do to deny this
> > > privilege
> > >
> > > Thanks
> > >
> > >
> >
> >
>
>
Received on Fri Jan 05 2001 - 07:42:22 CST
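
The group check described in the post can be audited from the O/S side. The script below is an added example, not part of the original thread: it lists every account that belongs to the dba group, either as a listed member or through its primary GID, since those are the accounts the post says get in 'as sysdba' whatever they type. The group name `dba`, the Unix group/passwd file layout and all sample accounts are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list OS accounts that pass the group check behind "as sysdba".
# Assumption: the privileged group is named "dba"; pass another name as the
# third argument if the installation uses a different one.

# sysdba_os_accounts GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Prints, sorted and one per line, every account in the group, whether listed
# in the group entry or attached to it through its primary GID.
sysdba_os_accounts() {
  local line gid members
  line=$(grep -E "^${3:-dba}:" "$1" | head -n 1)
  [ -n "$line" ] || return 1               # group not defined: nobody qualifies
  gid=$(printf '%s\n' "$line" | cut -d: -f3)
  members=$(printf '%s\n' "$line" | cut -d: -f4)
  {
    # Supplementary members: comma-separated fourth field of the group entry.
    printf '%s\n' "$members" | tr ',' '\n'
    # Primary members: passwd entries whose fourth field is the group's GID.
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
  } | sed '/^$/d' | sort -u
}

# is_sysdba_by_group ACCOUNT GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Succeeds when ACCOUNT would be accepted on group membership alone.
is_sysdba_by_group() {
  sysdba_os_accounts "$2" "$3" "${4:-dba}" | grep -qxF -- "$1"
}

# Constructed sample data (not taken from any real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/group" <<'EOF'
root:x:0:
dba:x:501:oracle,mmateos
oinstall:x:502:oracle
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
oracle:x:500:502:Oracle software owner:/home/oracle:/bin/sh
mmateos:x:1001:100:constructed user:/home/mmateos:/bin/sh
backup:x:1002:501:constructed user:/home/backup:/bin/sh
fred:x:1003:100:constructed user:/home/fred:/bin/sh
EOF

echo "OS accounts accepted 'as sysdba' whatever username they type:"
sysdba_os_accounts "$demo_dir/group" "$demo_dir/passwd"
```

The `backup` account in the sample appears nowhere in the group entry's member list, which is why the primary-GID pass matters when reviewing who holds this privilege.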
