Re: W2000 connect / as sysdba problem

From: Andrew <>
Date: 30 Apr 2004 09:04:48 -0700
Message-ID: <>

I found the problem, and this is probably why this issue is so "popular".
I have a domain account on my laptop which is a member of the ORA_DBA group.

Consider a simple test I did:

  1. I deleted the instance: oradim -delete -sid XXX
  2. Changed remote_login_passwordfile = NONE
  3. Created the instance: oradim -new -sid XXX -startmode manual -pfile XXX.ora
  4. sqlplus /nolog
     SQL> connect / as sysdba
     Connected to an idle instance.
     i.e. works just fine
  5. then!!! I unplug the network cable from my laptop, so there is no connection to the domain and...
     SQL> connect / as sysdba
     ORA-01031: insufficient privileges
  6. then!!! I plug the cable back in and
     SQL> connect / as sysdba
     Connected to an idle instance.
     i.e. works just fine again

So it needs a connection to the domain to authenticate. But W2K allows logging in using the same account when not in the domain (or with no network connection). Why doesn't Oracle allow an internal connection in this case? Is there a way to fix that? Logging in to Windows with a different, i.e. local, account is not an option of course; the same account has to be used.


Kenneth Koenraadt wrote in message news:<>...
> On Fri, 30 Apr 2004 17:55:48 +1000, "Howard J. Rogers"
> <> wrote:
> >Kenneth Koenraadt wrote:
> >[snip]
> >>
> >>
> >> Hi Howard,
> >>
> >> Can't agree.
> >>
> >> It's true that you can "connect / as sysdba" even with
> >> remote_login_passwordfile =exclusive,
> >> but only as long as your user is a *LOCAL* W2K user.
> >
> >Which is, of course, exactly the case for our original poster, since
> >he's doing all of this on his laptop. So even if the rest of what you
> >write is true, it's not of relevance to him, is it?
> It most certainly is. The fact is that *whenever* you want to use
> O/S-authentication, you *should* set R_L_P = NONE. The fact that you
> can (sometimes) get away with not doing it, is merely a lucky punch.
> R_L_P = NONE is the best, the safest and the recommended way. Period.
> >
> >> If you logon to
> >> the server *remotely* with e.g. a Domain user account, which is also
> >> a member of the local ORA_DBA group you *won't* be able to "connect /
> >> as sysdba". I guess that's why it is called
> >> "remote_login_passwordfile" and not "local_login_passwordfile"
> >
> >Well, since it's a remote connection, you won't be able to connect / as
> >sysdba *at all* because there needs to be a tnsnames alias in there
> >somewhere (somewhere I can never get right in any case: sqlplus "/@win92
> >as sysdba" isn't doing it for me!).
> Yes you will.
> You logon to the server with a domain user being a member of the local
> ORA_DBA group. With R_L_P=NONE, and sqlnet.ora properly set, I can
> connect / as sysdba easily. Have done it hundreds of times.
> >
> >> The doc also states that you must set remote_login_passwordfile =NONE
> >> to use OS-authentication on W2k. The fact that a *local* user can
> >> somehow bypass it does not affect that.
> >>
> >> <quote>
> >> Set the REMOTE_LOGIN_PASSWORDFILE parameter to NONE in the
> >> file. This parameter enables operating system authenticated
> >> logins for the
> >> INTERNAL user.
> >> </quote>
> >
> >Yup, Oracle's course notes always said you had to set R_L_P to NONE too.
> >But it isn't true. And this isn't a Windows thing, either, since I used
> >to show my students the folly of the 'must set it to NONE' by doing
> >exactly the same test as I showed in my last post, but on a Solaris box.
> >
> >Regards
> >HJR
Received on Fri Apr 30 2004 - 11:04:48 CDT
