| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Usenet -> c.d.o.server -> Re: How to use both 'connect / as sysdba' and OS authentication?
"Baldo" <dana.stockler_at_twobits.no> wrote in message
news:3AA38115.7B0E4420_at_twobits.no...
> (Sorry if this turns up twice. We've had problems with our news server.)
>
> I've been using OS authentication for quite a few years now
> and can't live without it. Oracle says I have to stop using 'connect
> internal' and start using 'connect / as sysdba'. Fair enough.
>
> What's got me scratching my old bald head is how to use them
> both at the same time.
>
> On my Windows NT4/SP6 / Oracle 8.1.7 box:
>
> If I set SQLNET.AUTHENTICATION_SERVICES=NONE
> in the sqlnet.ora file (or remove it entirely), then OS authentication
> works okay, but 'connect / as sysdba' results in 'ORA-01031:
> insufficient privileges'.
I'm confused. "Connect / as sysdba" *IS* O/S authentication, since you are not providing a username or password, and hence Oracle goes to check that there is an ORA_DBA group setup, and that you, the NT User, are a member of said group.
So how os authentication works OK, yet that fails, is a bit meaningless.
UNLESS.... What you mean is that *ordinary* users can get on to the database, but Privileged Users cannot using O/S authentication techniques?? Or vice versa.
Put it this way: O/S authentication for ordinary Users is complete hokum. You log onto the NT box as "rasputin" (it *could* happen!). Your init.ora says that the OS_AUTHENT_PREFIX is 'blah'. Provided that you have issued the command 'create User blahrasputin identified externally' then O/S authentication works. It's hokum, because actually there is a user entry in the data dictionary that equals prefix+o/s logon -really, the data dictionary is being used.
For Privileged Users, however, hokum won't work. There is a group -usually ORA_DBA, but conceivably ORA_<sid>_DBA which is a normal, NT group. Unless you, rasputin, have been added as a member of that group, then you cannot connect as a Privileged User using O/S authentication.
>
> If I set SQLNET.AUTHENTICATION_SERVICES=NTS
> in the sqlnet.ora file, then 'connect / as sysdba' works okay,
> but OS authentication results in 'ORA-01017: invalid username/
> password; logon denied'.
Again, I don't understand how you can claim that 'connect / as sysdba' works, but O/S authentication doesn't. "Connect / as sysdba" IS O/S authentication in action.
>
> Could some kind soul please tell me how I can use the new
> 'connect / as sysdba' functionality while retaining the use of
> OS authentication? Please don't tell me it can't be done. I don't
> think my old ticker could take it.
>
Well, I'm not clear exactly what the problem is, but be clear on the distinction between Bob gaining access to the database without having to supply a Username and Password because he has already logged on to the NT domain (hokum) and you, the DBA, being able to successfully issue the 'connect / as sysdba' because you have successfully logged on to the NT domain and therefore acquired ORA_DBA group membership/privileges (non-hokum).
Regards
HJR
> TIA,
> Baldo
>
>
Received on Mon Mar 05 2001 - 06:33:59 CST
 |
 |