
Re: OS Authentication with winXP client Linux Server

From: <fitzjarrell_at_cox.net>
Date: Mon, 30 Jul 2007 06:57:59 -0700
Message-ID: <1185803879.415481.60980@x40g2000prg.googlegroups.com>


On Jul 29, 10:05 pm, hjr.pyth..._at_gmail.com wrote:
> On Jul 28, 12:14 am, "fitzjarr..._at_cox.net" <fitzjarr..._at_cox.net>
> wrote:
>
> > On Jul 27, 8:38 am, "Matthias Hoys" <a..._at_spam.com> wrote:
>
> > > <fitzjarr..._at_cox.net> wrote in message
>
> > >news:1185540761.531273.313830_at_d30g2000prg.googlegroups.com...
>
> > > > On Jul 27, 1:00 am, Dazza <DarylFer..._at_gmail.com> wrote:
> > > >> Thanks for taking the time to reply.
> > > > >> However, OS Authentication does actually work on clients as well.
>
> > > >> The doco suggests throughout that the setting in sqlnet.ora be set to
> > > >> SQLNET.AUTHENTICATION_SERVICES= (NTS) on both the server and the
> > > >> client...suggesting that it does work on both.
>
> > > > >> From my personal experience, my previous company did indeed have it
> > > > >> working on the clients - the difference being they had windows servers
> > > > >> as well as windows clients, whereas here I have a linux server and a
> > > > >> windows client.
>
> > > > My guess is you do not have the remote_os_authent parameter set to
> > > > TRUE on the server. I have several databases using external
> > > > authentication from Windows clients and it works quite well.
>
> > > Are those databases on UNIX or Linux ? And you don't have Oracle Internet
> > > > Directory installed on the database server ? I wonder if this works then ?
>
> > The databases are on UNIX and the Windows clients authenticate without
> > issue.
>
> > David Fitzjarrell
>
> I preface everything I'm about to say with the words, 'This is
> addressed to the world in general and not David in particular'.
>
> But anyone that runs REMOTE_OS_AUTHENT=TRUE on a production server is
> asking for really, really bad trouble and needs to examine their head
> very closely... and then stop using it immediately.
>
> It means that if I were your cleaner, janitor or nighttime security
> guard I would simply need to bring in my teenage son's laptop one
> night, plug it into your network, and I then have access to your
> database. My laptop, after all, will happily authenticate me as a
> valid user of that laptop. REMOTE_OS_AUTHENT=TRUE then states that
> such validation is sufficient to get me access to your database. It
> doesn't bear thinking about.
>
> So, it's no wonder "Windows clients authenticate without issue":
> practically the entire WORLD could authenticate without issue! That's
> really not something you would want for a database whose data you
> cared about.
>
> It's discussed here: http://www.dizwell.com/prod/node/210
> (where David Aldridge uses the 'you want your head tested' line I was
> tempted to use here!)
>
> It's also discussed here: http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1...
> (where Tom is moved to say, "remote_os_authent is not a very secure
> setting" and "they have remote_os_authent set -- meaning they have the
> least secure system on the planet. you must set that false")
>
> In answer to the specific question asked by the original poster, no
> amount of fiddling is going to get a Windows user's OS account
> authenticated on a Linux server, unless remote_os_authentication is
> set to the suicidal value of TRUE. As the OP intimated, messing
> around with sqlnet.ora values is only going to be helpful in an all-
> Windows environment.
>
> Regards
> HJR

I'll be more than happy to forward this on to whoever configured the server I inherited. Such wasn't MY choice for authentication methods; however, it's the method I have been given and I have no authority to change it.

Sometimes we must play the hand we're dealt.

David Fitzjarrell

Received on Mon Jul 30 2007 - 08:57:59 CDT
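
An audit for the exposure discussed in this thread, added here as an example and not part of the original posts: it reports whether the server accepts the OS user name asserted by remote clients and which open accounts and roles that setting puts within reach. It assumes a session with SELECT on V$PARAMETER, DBA_USERS and DBA_ROLE_PRIVS, and Oracle 11g or later for the AUTHENTICATION_TYPE column.

```sql
-- Added example (not from the thread): audit client-asserted OS authentication.
-- Assumption: 11g or later. On older releases DBA_USERS has no
-- AUTHENTICATION_TYPE column; externally identified accounts show
-- PASSWORD = 'EXTERNAL' instead.

-- 1. Current settings. ISDEFAULT = 'FALSE' means someone set the value explicitly.
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Open accounts identified externally, with the exposure the parameter implies.
SELECT u.username,
       u.account_status,
       u.created,
       CASE
         WHEN UPPER((SELECT value FROM v$parameter
                     WHERE  name = 'remote_os_authent')) = 'TRUE'
         THEN 'CLIENT-ASSERTED OS NAME ACCEPTED'
         ELSE 'CLIENT-ASSERTED OS NAME REJECTED'
       END AS exposure
FROM   dba_users u
WHERE  u.authentication_type = 'EXTERNAL'
AND    u.account_status = 'OPEN'
ORDER  BY u.username;

-- 3. Roles held by those accounts, to size the impact of a spoofed OS user.
SELECT rp.grantee, rp.granted_role, rp.admin_option
FROM   dba_role_privs rp
WHERE  rp.grantee IN (SELECT username
                      FROM   dba_users
                      WHERE  authentication_type = 'EXTERNAL')
ORDER  BY rp.grantee, rp.granted_role;

-- Mitigation: remote_os_authent is a static parameter, so the change
-- takes effect only after an instance restart.
-- ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```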
