Re: ora-12638

"Luc Bonjean" <luc_at_lubon.be> wrote in message news:<UCRya.13336$1u5.928_at_afrodite.telenet-ops.be>...
> Hi,
>
> I'm using oracle 8.1.7 on a windows 2000 server. The authentication in
> sqlnet.ora is configured to nts.
> After I upgraded the domain to mixed mode, the authentication doesn't work
> anymore, except for a local windows 2000 user. On the domain controller I
> see sometimes kerberos errors in the event log.
>
> When I start sqlplus, I receive the ora-12638 error, credential retrieval
> failed. (Only when using a domain user).
> Does anyone have an idea, or a clue to debug this?
>
> Thanks,
>
> Luc Bonjean

Luc,

Might that local user account belong to a local group such as "ORA_DBA" - or belong to a group that is a member of the group "ORA_DBA" or "ORA_%ORACLE_SID%_DBA"?

A local account authenticates against the local security accounts manager (SAM).
A domain account authenticates against a domain controller, or Active Directory Server.

Edit the file sqlnet.ora in the file %ORACLE_HOME%\Network\Admin and change the entry for:

SQLNET.AUTHENTICATION_SERVICES=(NTS) to

# SQLNET.AUTHENTICATION_SERVICES=(NTS)
SQLNET.AUTHENTICATION_SERVICES=(none)

and login via password authentication.

NOTE: this may impact code that already depends upon native authentication.

http://download-west.oracle.com/docs/cd/B10501_01/network.920/a96581/sqlnet.htm#496924

Back in NT4 - I used to use a domain group ORA_DBA - to which I added domain users - which was added to the local group ORA_DBA on each NT4 server - such that I did not have to supply a password when logging into oracle databases (remotely) as sysdba.

It was very convenient - and very insecure.

Well, after nimda ate my database, all of the oracle servers left the domain - and had netbios disabled (as well as lots of other windows features). We went back to local authentication.

hth.

Paul Received on Thu May 22 2003 - 00:03:54 CDT