Re: OS Authentication with winXP client Linux Server

From: joel garry <>
Date: Fri, 27 Jul 2007 14:32:36 -0700
Message-ID: <>

On Jul 27, 6:38 am, "Matthias Hoys" <> wrote:
> <> wrote in message
> > On Jul 27, 1:00 am, Dazza <> wrote:
> >> Thanks for taking the time to reply.
> >> However, OS Authentication does actually work on clients as well.
> >> The doco suggests throughout that the setting in sqlnet.ora be set to
> >> SQLNET.AUTHENTICATION_SERVICES= (NTS) on both the server and the
> >> client...suggesting that it does work on both.
> >> From my personal experience, my previous company did indeed have it
> >> working on the clients - the difference being they had windows servers
> >> as well as windows clients, whereas here I have a linux server and a
> >> windows client.
> > My guess is you do not have the remote_os_authent parameter set to
> > TRUE on the server. I have several databases using external
> > authentication from Windows clients and it works quite well.
> Are those databases on UNIX or Linux ? And you don't have Oracle Internet
> Directory installed on the database server ? I wonder if this works then ?

I believe it is either/or: You use Advanced Security and don't need remote_os_authent and you can use global authentication, or vice versa. See for more precise details.

Dazza: Have you tried setting the os_authent_prefix to null?

See Note:371110.1, you need to set SQLNET.AUTHENTICATION_SERVICES = (NONE)

Also, you've probably seen this from metalink Note:60634.1:

   Init.ora parameter REMOTE_OS_AUTHENT can be set to TRUE when non local
   connections are allowed to use OS authentication. This is not recommended.
   REMOTE_OS_AUTHENT=TRUE allows users to connect to the database and bypassing
   all NTS-security. Every user validated to be that user by his operating system,
   is allowed to connect to the database as <OPS$>user_name, which of course is
   a possible security hazard. Don't use this unless you have complete control over
   all computers on the network segment that can reach the server on which the
   Oracle database is installed and that it is sure those computers enforce secure

   Setting REMOTE_OS_AUTHENT=TRUE means that you can login with any user
   authenticated by the OS. It simply checks if the (plain text) user name on
   the client is the same as the username in the database. Hence you can then log
   in from *any* OS (Unix, Linux, Windows etc. [also on a virtual machine!]) that
   has a local user with that name.

So that's why I think you should set ops$ to null. And why I can only guess because I've never seen a network secure enough to use it, so haven't even tried it in a long time. Your "secure" network has some sort of MS mail, I would guess? Browsers? Users who can create any username on any OS just by installing vmware? Firewalls are no answer, only complete disconnection from the outside world. (I'm thinking another answer might be to set OPS$ to your client domain name, and create the db user like that, but I'm very unsure, I don't think I've done that - your audit seems to say no, and yet it somehow sounds familiar - that would have something to do with using NTS authentication, I guess).


-- is bogus.
"I'm infinite!" - Charlie Brown
Received on Fri Jul 27 2007 - 16:32:36 CDT
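
A configuration check for the behaviour the quoted Metalink note describes, as an added example that is not part of the original post: it reads init.ora-style text and lists which externally identified accounts accept a client-reported OS user name when REMOTE_OS_AUTHENT is TRUE. The sample file contents and account names are constructed, and the function names are hypothetical; in practice the account list would come from the data dictionary.

```python
def parse_params(text):
    """Parse name=value lines of an init.ora-style parameter file."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name.strip().lower()
        if name.startswith("*."):                 # pfile exported from an spfile
            name = name[2:]
        params[name] = value.strip().strip("'\"")
    return params


def audit_os_authent(init_ora, external_accounts):
    """Return (remote_enabled, prefix, exposed).

    exposed is a list of (db_account, os_user_name) pairs: with
    REMOTE_OS_AUTHENT=TRUE, a client that reports os_user_name is mapped
    to db_account (OS_AUTHENT_PREFIX + name) without a password.
    Assumption: names are compared in upper case, as stored by default.
    """
    p = parse_params(init_ora)
    # Documented defaults: remote_os_authent=FALSE, os_authent_prefix=OPS$
    remote = p.get("remote_os_authent", "FALSE").upper() == "TRUE"
    prefix = p.get("os_authent_prefix", "OPS$").upper()
    exposed = []
    if remote:
        for account in (a.upper() for a in external_accounts):
            if account.startswith(prefix):
                exposed.append((account, account[len(prefix):]))
    return remote, prefix, exposed


# Constructed sample input (not taken from the thread).
SAMPLE_INIT_ORA = """\
# constructed sample parameter file
*.remote_os_authent=TRUE
*.os_authent_prefix=''
"""
SAMPLE_EXTERNAL = ["APPUSER", "OPS$BATCH"]   # accounts IDENTIFIED EXTERNALLY

if __name__ == "__main__":
    remote, prefix, exposed = audit_os_authent(SAMPLE_INIT_ORA, SAMPLE_EXTERNAL)
    print(f"remote_os_authent={remote} os_authent_prefix={prefix!r}")
    for account, os_name in exposed:
        print(f"  {account}: accepted for any client reporting OS user {os_name!r}")
```

With the prefix set to null, every externally identified account is matched by a bare OS user name, so the exposure covers all of them rather than only the OPS$ accounts.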
