
Re: W2000 connect / as sysdba problem

From: <Kenneth>
Date: Fri, 30 Apr 2004 07:30:11 GMT
Message-ID: <4091fdba.4519939@news.inet.tele.dk>

On Fri, 30 Apr 2004 16:59:23 +1000, "Howard J. Rogers" <hjr_at_dizwell.com> wrote:

>Kenneth Koenraadt wrote:
>
>> On 29 Apr 2004 21:52:23 -0700, myfam_at_surfeu.fi (Andrew) wrote:
>>
>>
>>>Hi,
>>>I am setting up new Oracle 9.2 DB on my laptop.
>>>problem is that I can connect as SYSDBA using
>>>
>>>connect sys/sys as sysdba
>>>
>>>but when I am using
>>>
>>>connect / as sysdba
>>>
>>>I am always getting ORA-01031: insufficient privileges
>>>
>>>I have created instance using
>>>oradim -new -sid OPWVDB1L -startmode manual -pfile
>>>c:\oracle\ora92\database\initOPWVDB1L.ora
>>>
>>>in sqlnet.ora I have
>>>SQLNET.AUTHENTICATION_SERVICES= (NTS)
>>>
>>>my Win2K account is a member of ORA_DBA group
>>>
>>>remote_login_passwordfile = EXCLUSIVE
>>
>>
>> You appear to have read the doc. about O/S authentication, but have
>> got it wrong :
>>
>> remote_login_passwordfile = EXCLUSIVE means
>>
>> "Use the password file, thus disregard O/S authentication"
>>
>> Change it to
>>
>> remote_login_passwordfile = NONE
>>
>> Which means "Ignore the password file, use O/S authentication".
>>
>> Your sqlnet.ora setting is right (right, Howard ;-) ? )
>>
>>
>> - Kenneth Koenraadt
>
>We are all allowed to make mistakes, but that, unfortunately, is an
>absolute howler, and completely and utterly untrue. Whatever the setting
>for remote_login_passwordfile, Oracle *always* checks the O/S for
>appropriate group membership, and if it finds it, doesn't bother
>checking the password file, even if the parameter tells it to.
>
>Remote_login_passwordfile=NONE means "there is no password file". It
>does NOT mean 'use O/S authentication'.
>
>Proof? Well, how about this?
>
>C:\>sqlplus "/ as sysdba"
>
>SQL*Plus: Release 8.1.7.0.0 - Production on Fri Apr 30 16:53:13 2004
>
>(c) Copyright 2000 Oracle Corporation. All rights reserved.
>
>
>Connected to:
>Oracle8i Enterprise Edition Release 8.1.7.3.0 - Production
>With the Partitioning option
>JServer Release 8.1.7.3.0 - Production
>
>SQL> show parameter remote_login
>
>NAME                                 TYPE    VALUE
>------------------------------------ ------- ------------------------
>remote_login_passwordfile            string  EXCLUSIVE
>
>Now, I can do that on 9i and 10g too if you want me to. It's been that
>way since version 7, in fact.
>
>Incidentally, I got it wrong too. The above example is taken from a
>system on which SQLNET.AUTHENTICATION_SERVICES has indeed been set to
>NTS, so my earlier advice to get rid of the line was just daft. I can
>only ask of the original poster: are you sure you're looking at the
>right SQLNET.ORA? And are you certain that your user account you use to
>log onto the server is a member of the ORA_DBA LOCAL group (domain
>groups won't do it).
>
>Regards
>HJR
>
>
>

Hi Howard,

Can't agree.

It's true that you can "connect / as sysdba" even with remote_login_passwordfile = exclusive, but only as long as your user is a *LOCAL* W2K user. If you log on to the server *remotely* with e.g. a Domain user account, which is also a member of the local ORA_DBA group, you *won't* be able to "connect / as sysdba". I guess that's why it is called "remote_login_passwordfile" and not "local_login_passwordfile".

The doc also states that you must set remote_login_passwordfile = NONE to use OS authentication on W2k. The fact that a *local* user can somehow bypass it does not affect that.

<quote>
Set the REMOTE_LOGIN_PASSWORDFILE parameter to NONE in the INIT<SID>.ORA file. This parameter enables operating system authenticated logins for the INTERNAL user.
</quote>

Received on Fri Apr 30 2004 - 02:30:11 CDT
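An added example, not part of the original post or thread: a Python check of the three settings discussed above (NTS in sqlnet.ora, membership of the local ORA_DBA group as listed by `net localgroup ORA_DBA`, and the remote_login_passwordfile value, which is reported without judgement because the posters disagree on its effect). The function names and the sample inputs are constructed for illustration; the account name must be given in the form `net localgroup` prints it.

```python
import re

# Constructed sample inputs (not taken from the posters' systems).
SQLNET = "# sqlnet.ora\nSQLNET.AUTHENTICATION_SERVICES= (NTS)\n"
INIT = "remote_login_passwordfile = EXCLUSIVE\n"
NET = """Alias name     ORA_DBA
Comment        constructed sample

Members

-------------------------------------------------------------------------------
Administrator
andrew
The command completed successfully.
"""

def parse_params(text):
    """Parse 'NAME = value' lines of sqlnet.ora / init.ora text; names lower-cased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # '#' starts a comment in both files
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().lower()] = value.strip()
    return params

def auth_services(sqlnet_text):
    """Services listed in SQLNET.AUTHENTICATION_SERVICES, upper-cased."""
    raw = parse_params(sqlnet_text).get("sqlnet.authentication_services", "")
    return [s.upper() for s in re.split(r"[\s,()]+", raw) if s]

def local_group_members(net_output):
    """Member names from the output of `net localgroup <group>`."""
    members, in_list = [], False
    for line in net_output.splitlines():
        if line.startswith("----"):
            in_list = True                      # members follow the dashed rule
        elif in_list and line.strip() and not line.startswith("The command"):
            members.append(line.strip())
    return members

def check(sqlnet_text, init_text, net_output, account):
    """Summarise the settings the thread discusses for one Windows account."""
    members = [m.lower() for m in local_group_members(net_output)]
    init = parse_params(init_text)
    return {
        "nts_enabled": "NTS" in auth_services(sqlnet_text),
        "in_ora_dba": account.lower() in members,
        "remote_login_passwordfile": init.get("remote_login_passwordfile", "").upper(),
    }

if __name__ == "__main__":
    print(check(SQLNET, INIT, NET, "andrew"))
```

Feed it the contents of the sqlnet.ora the client actually reads, since the quoted reply asks whether the right file is being looked at.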
