Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: OS Authentication with winXP client Linux Server

From: <hjr.pythian_at_gmail.com>
Date: Sun, 29 Jul 2007 20:05:54 -0700
Message-ID: <1185764754.764931.309720@d30g2000prg.googlegroups.com>


On Jul 28, 12:14 am, "fitzjarr..._at_cox.net" <fitzjarr..._at_cox.net> wrote:
> On Jul 27, 8:38 am, "Matthias Hoys" <a..._at_spam.com> wrote:
>
>
>
> > <fitzjarr..._at_cox.net> wrote in message
>
> >news:1185540761.531273.313830_at_d30g2000prg.googlegroups.com...
>
> > > On Jul 27, 1:00 am, Dazza <DarylFer..._at_gmail.com> wrote:
> > >> Thanks for taking the time to reply.
> > >> However, OS Authentication does actually work on clients as well.
>
> > >> The doco suggests throughout that the setting in sqlnet.ora be set to
> > >> SQLNET.AUTHENTICATION_SERVICES= (NTS) on both the server and the
> > >> client...suggesting that it does work on both.
>
> > >> From my personal experience, my previous company did indeed have it
> > >> working on the clients - the difference being they had windows servers
> > >> as well as windows clients, whereas here I have a linux server and a
> > >> windows client.
>
> > > My guess is you do not have the remote_os_authent parameter set to
> > > TRUE on the server. I have several databases using external
> > > authentication from Windows clients and it works quite well.
>
> > Are those databases on UNIX or Linux ? And you don't have Oracle Internet
> > Directory installed on the database server ? I wonder if this works then ?
>
> The databases are on UNIX and the Windows clients authenticate without
> issue.
>
> David Fitzjarrell

I preface everything I'm about to say with the words, 'This is addressed to the world in general and not David in particular'.

But anyone that runs REMOTE_OS_AUTHENT=TRUE on a production server is asking for really, really bad trouble and needs to examine their head very closely... and then stop using it immediately.

It means that if I were your cleaner, janitor or nighttime security guard I would simply need to bring in my teenage son's laptop one night, plug it into your network, and I then have access to your database. My laptop, after all, will happily authenticate me as a valid user of that laptop. REMOTE_OS_AUTHENT=TRUE then states that such validation is sufficient to get me access to your database. It doesn't bear thinking about.

So, it's no wonder "Windows clients authenticate without issue": practically the entire WORLD could authenticate without issue! That's really not something you would want for a database whose data you cared about.

It's discussed here: http://www.dizwell.com/prod/node/210 (where David Aldridge uses the 'you want your head tested' line I was tempted to use here!)

It's also discussed here:
http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:142212348066 (where Tom is moved to say, "remote_os_authent is not a very secure setting" and "they have remote_os_authent set -- meaning they have the least secure system on the planet. you must set that false")

In answer to the specific question asked by the original poster, no amount of fiddling is going to get a Windows user's OS account authenticated on a Linux server, unless remote_os_authent is set to the suicidal value of TRUE. As the OP intimated, messing around with sqlnet.ora values is only going to be helpful in an all-  environment.

Regards
HJR

Received on Sun Jul 29 2007 - 22:05:54 CDT
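
A configuration check for the setting discussed in the message above, added here as an example and not part of the original post: it scans the text of a parameter file (init.ora) and reports every instance whose effective remote_os_authent is TRUE. The sample file contents, the function names and the rule that the last assignment for a given SID wins are assumptions of this example.

```python
import re

# Constructed sample pfile (init.ora) text; not taken from the thread.
SAMPLE_PFILE = """\
# constructed example
*.db_name='ORCL'
*.os_authent_prefix='OPS$'
*.remote_os_authent=FALSE
orcl1.REMOTE_OS_AUTHENT = true   # per-instance override
orcl2.remote_os_authent='False'
"""

# Optional "sid." or "*." prefix, then name = value.
LINE_RE = re.compile(r"^(?:(?P<sid>[\w$*]+)\.)?(?P<name>\w+)\s*=\s*(?P<value>.*)$")

def parse_pfile(text):
    """Return {sid: {param: value}}; '*' holds settings that apply to all instances."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        sid = (m.group("sid") or "*").lower()
        name = m.group("name").lower()           # parameter names are case-insensitive
        value = m.group("value").strip().strip("'\"")
        settings.setdefault(sid, {})[name] = value   # assumption: last assignment wins
    return settings

def remote_os_authent_findings(text):
    """List the SIDs ('*' = all instances) whose effective remote_os_authent is TRUE."""
    settings = parse_pfile(text)
    # When the parameter is absent, fall back to FALSE (the Oracle default).
    default = settings.get("*", {}).get("remote_os_authent", "FALSE")
    findings = []
    for sid in sorted(settings):
        value = settings[sid].get("remote_os_authent", default)
        if value.upper() == "TRUE":
            findings.append(sid)
    return findings

if __name__ == "__main__":
    for sid in remote_os_authent_findings(SAMPLE_PFILE):
        print(f"{sid}: remote_os_authent=TRUE, client-asserted OS identity is trusted")
```

On the constructed sample only the orcl1 override is reported, even though the file-wide setting is FALSE.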
