
Re: W2000 connect / as sysdba problem

From: <Kenneth>
Date: Fri, 30 Apr 2004 13:58:57 GMT
Message-ID: <409257c1.1234635@news.inet.tele.dk>


On Fri, 30 Apr 2004 22:08:39 +1000, "Howard J. Rogers" <hjr_at_dizwell.com> wrote:

>Kenneth Koenraadt wrote:
>
>> On Fri, 30 Apr 2004 17:55:48 +1000, "Howard J. Rogers"
>> <hjr_at_dizwell.com> wrote:
>>
>> It most certainly is. The fact is that *whenever* you want to use
>> O/S-authentication, you *should* set R_L_P = NONE. The fact that you
>> can (sometimes) get away with not doing it, is merely a lucky punch.
>>
>> R_L_P = NONE is the best, the safest and the recommended way. Period.
>
>That is just not the case, and has the smell of sour grapes about it to
>boot. It's NOT what you originally posted (you said NONE *had* to be
>set, not that it was "safe", "recommended" or "best". There's a
>difference between "must" and "can"). It's NOT the problem for the
>original poster. And it's NOT even true, because I can (and did)
>demonstrate that the setting of RLP has no bearing on the matter.
>
>Believe the Oracle documentation if you want to, but it's been wrong for
>many, many years. O/S authentication is *always* checked first, and
>password file authentication kicks in if it fails. There is nothing you
>have to do to switch O/S authentication on as far as the database is
>concerned apart from add the right users into the correct O/S groups.
>Period.
>
>>>>If you logon to
>>>>the server *remotely* with e.g. a Domain user account, which is also
>>>>a member of the local ORA_DBA group you *won't* be able to "connect /
>>>>as sysdba". I guess that's why it is called
>>>>"remote_login_passwordfile" and not "local_login_passwordfile"
>>>
>>>Well, since it's a remote connection, you won't be able to connect / as
>>>sysdba *at all* because there needs to be a tnsnames alias in there
>>>somewhere (somewhere I can never get right in any case: sqlplus "/@win92
>>>as sysdba" isn't doing it for me!).
>>
>>
>> Yes you will.
>> You logon to the server with a domain user being a member of the local
>> ORA_DBA group. With R_L_P=NONE, and sqlnet.ora properly set, I can
>> connect / as sysdba easily. Have done it hundreds of times.
>
>Define "properly setting" sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES= (NTS)

>(because the other setup steps you
>mention are obvious and non-contentious, though the RLP=NONE setting is
>clearly superfluous as my earlier post demonstrated), and then explain
>why the Oracle documentation you so laud in one regard now gets ignored.
>Because it clearly describes having to put a tnsnames alias somewhere in
>the connection string for remote logins to work. Quote:
>

>"For a remote database connection over a secure connection, the user
>must also specify the net service name of the remote database:
>
>CONNECT /@net_service_name AS SYSDBA
>CONNECT /@net_service_name AS SYSOPER
>"
>Unquote.

See below. I don't think logging on to a W2K-domain from the DB server itself is considered a remote connection. But I am not sure.
>
>Sorry Kenneth, but you're demonstrably not right on the RLP topic,
>unless you can post an opposing test case, instead of merely claiming
>"hundreds" of non-demonstrated personal anecdotes.
>
>On the grounds that though you can lead a horse to water, you can't
>force it to drink that which it finds unpalatable, I guess the thread
>ends here.

Guess it should, but I want to know the whole truth. I am not able to demonstrate, since the only W2K system I work on now is my laptop.

Maybe someone out there can reveal it:

You have an Oracle 8i+ on a W2K server called DBS. It participates in a domain DOM with a Domain admin user USR also being a member of the local ORA_DBA group.

We assume
SQLNET.AUTHENTICATION_SERVICES= (NTS)
present in sqlnet.ora.

You now log in to the domain DOM with user USR from DBS.

And I claim: In order to "connect / as sysdba" to a DB on DBS, that DB *cannot* have R_L_P = EXCLUSIVE or SHARED.

False or true? I believe true, it is what I experienced through 1 year and hundreds of logins.

>HJR
Received on Fri Apr 30 2004 - 08:58:57 CDT
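
Anyone running the test case requested above would first want to record the two settings in dispute for each run. The following is an added example, not part of the original post or of any Oracle tooling: it reads SQLNET.AUTHENTICATION_SERVICES from a sqlnet.ora and remote_login_passwordfile from an init.ora pfile. The file contents are constructed samples and the function names are hypothetical.

```python
# Constructed sample files for the scenario in the post (not real configs).
SQLNET_ORA = """\
# sqlnet.ora on DBS (constructed)
NAMES.DIRECTORY_PATH = (TNSNAMES)
sqlnet.authentication_services = (NTS)
"""

INIT_ORA = """\
# initORCL.ora (constructed)
db_name = ORCL
REMOTE_LOGIN_PASSWORDFILE = exclusive   # value under dispute
"""

def parse_params(text):
    """Parse single-line 'name = value' entries.

    Names are treated case-insensitively and '#' starts a comment.
    Values continued over several lines are not handled here.
    """
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip().lower()] = value.strip()
    return params

def value_list(raw):
    """Turn '(NTS, NONE)' or 'exclusive' into an upper-cased list."""
    return [v.strip().strip("'\"").upper()
            for v in raw.strip("() ").split(",") if v.strip()]

def scenario_settings(sqlnet_text, init_text):
    """Return the two settings the thread argues about, normalised."""
    sqlnet = parse_params(sqlnet_text)
    init = parse_params(init_text)
    services = value_list(sqlnet.get("sqlnet.authentication_services", ""))
    rlp = value_list(init.get("remote_login_passwordfile", ""))
    return {
        "nts_enabled": "NTS" in services,
        "auth_services": services,
        # None means the parameter is not set in this pfile
        "remote_login_passwordfile": rlp[0] if rlp else None,
    }

if __name__ == "__main__":
    print(scenario_settings(SQLNET_ORA, INIT_ORA))
```

Recording this output next to the result of each "connect / as sysdba" attempt gives a reproducible test case for NONE, EXCLUSIVE and SHARED.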
