
Re: How to use both 'connect / as sysdba' and OS authentication?

From: Howard J. Rogers <howardjr_at_www.com>
Date: Tue, 6 Mar 2001 00:38:06 +1100
Message-ID: <3aa3969e@news.iprimus.com.au>

"Baldo" <dana.stockler_at_twobits.no> wrote in message news:3AA3949D.6C7476C4_at_twobits.no...
> Obviously I made a hash of my explanation. Sorry.
>
> What I referred to as OS authentication is perhaps called
> externally authenticated users? Anyway, what I meant was
> I can connect using sqlplus thusly: 'sqlplus /@baldodb'. This
> works because I have an externally authenticated db user
> named <prefix><osuser> (as per your rasputin example)
>
> Let me try asking my question in a different way:
>
> If (sqlnet.authentication_services=none) then
> 'sqlplus /@baldodb' works
> 'connect / as sysdba' doesn't
> end if ;
>
> If (sqlnet.authentication_services=nts) then
> 'connect / as sysdba' works
> 'sqlplus /@baldodb' doesn't
> end if ;
>
> How can I make both work at the same time?
>
> -
> Baldo

That's got to be one of the best ways of phrasing a question I've seen here! Cheers!!

Now...

If only I knew the answer.

I'm cogitating as we speak.... (and it hurts).

Before we go any further... is there an ORA_DBA group, and are you, the NT User, a member of it?

Regards
HJR
>
>
> "Howard J. Rogers" wrote:
>
> > "Baldo" <dana.stockler_at_twobits.no> wrote in message
> > news:3AA38115.7B0E4420_at_twobits.no...
> > > (Sorry if this turns up twice. We've had problems with our news
> > > server.)
> > >
> > > I've been using OS authentication for quite a few years now
> > > and can't live without it. Oracle says I have to stop using 'connect
> > > internal' and start using 'connect / as sysdba'. Fair enough.
> > >
> > > What's got me scratching my old bald head is how to use them
> > > both at the same time.
> > >
> > > On my Windows NT4/SP6 / Oracle 8.1.7 box:
> > >
> > > If I set SQLNET.AUTHENTICATION_SERVICES=NONE
> > > in the sqlnet.ora file (or remove it entirely), then OS authentication
> > > works okay, but 'connect / as sysdba' results in 'ORA-01031:
> > > insufficient privileges'.
> >
> > I'm confused. "Connect / as sysdba" *IS* O/S authentication, since you are
> > not providing a username or password, and hence Oracle goes to check that
> > there is an ORA_DBA group setup, and that you, the NT User, are a member of
> > said group.
> >
> > So how os authentication works OK, yet that fails, is a bit meaningless.
> >
> > UNLESS....
> >
> > What you mean is that *ordinary* users can get on to the database, but
> > Privileged Users cannot using O/S authentication techniques?? Or vice
> > versa.
> >
> > Put it this way: O/S authentication for ordinary Users is complete hokum.
> > You log onto the NT box as "rasputin" (it *could* happen!). Your init.ora
> > says that the OS_AUTHENT_PREFIX is 'blah'. Provided that you have issued
> > the command 'create User blahrasputin identified externally' then O/S
> > authentication works. It's hokum, because actually there is a user entry in
> > the data dictionary that equals prefix+o/s logon -really, the data
> > dictionary is being used.
> >
> > For Privileged Users, however, hokum won't work. There is a group -usually
> > ORA_DBA, but conceivably ORA_<sid>_DBA which is a normal, NT group. Unless
> > you, rasputin, have been added as a member of that group, then you cannot
> > connect as a Privileged User using O/S authentication.
> >
> > >
> > > If I set SQLNET.AUTHENTICATION_SERVICES=NTS
> > > in the sqlnet.ora file, then 'connect / as sysdba' works okay,
> > > but OS authentication results in 'ORA-01017: invalid username/
> > > password; logon denied'.
> >
> > Again, I don't understand how you can claim that 'connect / as sysdba'
> > works, but O/S authentication doesn't. "Connect / as sysdba" IS O/S
> > authentication in action.
> >
> > >
> > > Could some kind soul please tell me how I can use the new
> > > 'connect / as sysdba' functionality while retaining the use of
> > > OS authentication? Please don't tell me it can't be done. I don't
> > > think my old ticker could take it.
> > >
> >
> > Well, I'm not clear exactly what the problem is, but be clear on the
> > distinction between Bob gaining access to the database without having to
> > supply a Username and Password because he has already logged on to the NT
> > domain (hokum) and you, the DBA, being able to successfully issue the
> > 'connect / as sysdba' because you have successfully logged on to the NT
> > domain and therefore acquired ORA_DBA group membership/privileges
> > (non-hokum).
> >
> > Regards
> > HJR
> >
> > > TIA,
> > > Baldo
> > >
> > >
>
Received on Mon Mar 05 2001 - 07:38:06 CST
