Re: How to use both 'connect / as sysdba' and OS authentication?

From: Baldo <dana.stockler_at_twobits.no>
Date: Mon, 05 Mar 2001 14:41:52 +0100
Message-ID: <3AA397A0.EB5DBFBF@twobits.no>

Yes. Yes.

"Howard J. Rogers" wrote:

> "Baldo" <dana.stockler_at_twobits.no> wrote in message
> news:3AA3949D.6C7476C4_at_twobits.no...
> > Obviously I made a hash of my explanation. Sorry.
> >
> > What I referred to as OS authentication is perhaps called
> > externally authenticated users? Anyway, what I meant was
> > I can connect using sqlplus thusly: 'sqlplus /@baldodb'. This
> > works because I have an externally authenticated db user
> > named <prefix><osuser> (as per your rasputin example)
> >
> > Let me try asking my question in a different way:
> >
> > If (sqlnet.authentication_services=none) then
> > 'sqlplus /@baldodb' works
> > 'connect / as sysdba' doesn't
> > end if ;
> >
> > If (sqlnet.authentication_services=nts) then
> > 'connect / as sysdba' works
> > 'sqlplus /@baldodb' doesn't
> > end if ;
> >
> > How can I make both work at the same time?
> >
> > -
> > Baldo
>
> That's got to be one of the best ways of phrasing a question I've seen here!
> Cheers!!
>
> Now...
>
> If only I knew the answer.
>
> I'm cogitating as we speak.... (and it hurts).
>
> Before we go any further... is there an ORA_DBA group, and are you, the NT
> User, a member of it?
>
> Regards
> HJR
>
> >
> >
> > "Howard J. Rogers" wrote:
> >
> > > "Baldo" <dana.stockler_at_twobits.no> wrote in message
> > > news:3AA38115.7B0E4420_at_twobits.no...
> > > > (Sorry if this turns up twice. We've had problems with our news server.)
> > > >
> > > > I've been using OS authentication for quite a few years now
> > > > and can't live without it. Oracle says I have to stop using 'connect
> > > > internal' and start using 'connect / as sysdba'. Fair enough.
> > > >
> > > > What's got me scratching my old bald head is how to use them
> > > > both at the same time.
> > > >
> > > > On my Windows NT4/SP6 / Oracle 8.1.7 box:
> > > >
> > > > If I set SQLNET.AUTHENTICATION_SERVICES=NONE
> > > > in the sqlnet.ora file (or remove it entirely), then OS authentication
> > > > works okay, but 'connect / as sysdba' results in 'ORA-01031:
> > > > insufficient privileges'.
> > >
> > > I'm confused. "Connect / as sysdba" *IS* O/S authentication, since you are
> > > not providing a username or password, and hence Oracle goes to check that
> > > there is an ORA_DBA group setup, and that you, the NT User, are a member of
> > > said group.
> > >
> > > So how os authentication works OK, yet that fails, is a bit meaningless.
> > >
> > > UNLESS....
> > >
> > > What you mean is that *ordinary* users can get on to the database, but
> > > Privileged Users cannot using O/S authentication techniques?? Or vice
> > > versa.
> > >
> > > Put it this way: O/S authentication for ordinary Users is complete hokum.
> > > You log onto the NT box as "rasputin" (it *could* happen!). Your init.ora
> > > says that the OS_AUTHENT_PREFIX is 'blah'. Provided that you have issued
> > > the command 'create User blahrasputin identified externally' then O/S
> > > authentication works. It's hokum, because actually there is a user entry in
> > > the data dictionary that equals prefix+o/s logon -really, the data
> > > dictionary is being used.
> > >
> > > For Privileged Users, however, hokum won't work. There is a group -usually
> > > ORA_DBA, but conceivably ORA_<sid>_DBA which is a normal, NT group. Unless
> > > you, rasputin, have been added as a member of that group, then you cannot
> > > connect as a Privileged User using O/S authentication.
> > >
> > > >
> > > > If I set SQLNET.AUTHENTICATION_SERVICES=NTS
> > > > in the sqlnet.ora file, then 'connect / as sysdba' works okay,
> > > > but OS authentication results in 'ORA-01017: invalid username/
> > > > password; logon denied'.
> > >
> > > Again, I don't understand how you can claim that 'connect / as sysdba'
> > > works, but O/S authentication doesn't. "Connect / as sysdba" IS O/S
> > > authentication in action.
> > >
> > > >
> > > > Could some kind soul please tell me how I can use the new
> > > > 'connect / as sysdba' functionality while retaining the use of
> > > > OS authentication? Please don't tell me it can't be done. I don't
> > > > think my old ticker could take it.
> > > >
> > >
> > > Well, I'm not clear exactly what the problem is, but be clear on the
> > > distinction between Bob gaining access to the database without having to
> > > supply a Username and Password because he has already logged on to the NT
> > > domain (hokum) and you, the DBA, being able to successfully issue the
> > > 'connect / as sysdba' because you have successfully logged on to the NT
> > > domain and therefore acquired ORA_DBA group membership/privileges
> > > (non-hokum).
> > >
> > > Regards
> > > HJR
> > >
> > > > TIA,
> > > > Baldo
> > > >
> > > >
> >
Received on Mon Mar 05 2001 - 07:41:52 CST
