Re: W2000 connect / as sysdba problem

From: Howard J. Rogers <hjr_at_dizwell.com>
Date: Fri, 30 Apr 2004 18:03:11 +1000
Message-ID: <40920838$0$20347$afc38c87@news.optusnet.com.au>

Howard J. Rogers wrote:

> Kenneth Koenraadt wrote:
> [snip]
>

>>
>>
>> Hi Howard,
>>
>> Can't agree.
>>
>> It's true that you can "connect / as sysdba" even with
>> remote_login_passwordfile =exclusive,
>> but only as long as your user is a *LOCAL* W2K user.

>
>
> Which is, of course, exactly the case for our original poster, since
> he's doing all of this on his laptop. So even if the rest of what you
> write is true, it's not of relevance to him, is it?
>

>> If you logon to
>> the server  *remotely* with e.g. a Domain user account, which is also
>> a member of the local ORA_DBA group  you *won't* be able to "connect /
>> as sysdba". I guess that's why it is called
>> "remote_login_passwordfile" and not "local_login_passwordfile"

>
>
> Well, since it's a remote connection, you won't be able to connect / as
> sysdba *at all* because there needs to be a tnsnames alias in there
> somewhere (somewhere I can never get right in any case: sqlplus "/@win92
> as sysdba" isn't doing it for me!).
>

>> The doc also states that you must set remote_login_passwordfile =NONE
>> to use OS-authentication on W2k. The fact that a *local* user can
>> somehow bypass it does not affect that.
>>
>> <quote>
>>    Set the REMOTE_LOGIN_PASSWORDFILE parameter to NONE in the
>> INIT<SID>.ORA      file. This parameter enables operating system 
>> authenticated
>> logins for the
>>      INTERNAL user. </quote>

>
>
> Yup, Oracle's course notes always said you had to set R_L_P to NONE too.
> But it isn't true. And this isn't a Windows thing, either, since I used
> to show my students the folly of the 'must set it to NONE' by doing
> exactly the same test as I showed in my last post, but on a Solaris box.
>
> Regards
> HJR
Oh, by the way, just another test to make the point. Here's what my server says:

SQL> show parameter remote_login

NAME                                 TYPE        VALUE
------------------------------------ ----------- ---------
remote_login_passwordfile            string      EXCLUSIVE

Here's my sqlnet.ora on the *CLIENT* machine:

SQLNET.AUTHENTICATION_SERVICES= (NTS) NAMES.DIRECTORY_PATH= (TNSNAMES) And here's the acid test:

H:\>sqlplus "/@win92 as sysdba"

SQL*Plus: Release 10.1.0.2.0 - Production on Fri Apr 30 18:00:36 2004

Copyright (c) 1982, 2004, Oracle. All rights reserved.

Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production With the Partitioning, OLAP and Oracle Data Mining options JServer Release 9.2.0.1.0 - Production

So that's me finally managing to get a remote connection using O/S authentication to a 9i database that's got R_L_P set to something other than NONE.

Still think the docs are correct?

Regards
HJR Received on Fri Apr 30 2004 - 03:03:11 CDT