Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: remote / as sysdba

From: Jared Still <jkstill_at_cybcon.com>
Date: Sun, 09 Mar 2003 22:08:41 -0800
Message-ID: <F001.005643DA.20030309220841@fatcity.com>

Ran into an interesting problem with this on Friday.

We've put together a new SAP server that is not yet attached to a network, and so are using local account names rather than the normal domain accounts until we're ready to put it on the network. ( We're replacing another server, and this one has the same name. We have to name it properly from the beginning, no switching the name to make it live.)

SAP uses three types of servers in general: PRD, QAS and DEV.

This one happens to be the QAS server. In this case, there are two OS accounts on the server, qasadm and sapserviceqas, that will be created with oracle accounts identified externally.

Normally these appear as OPS$QASADM and OPS$SAPSERVICEQAS in the Oracle database.

The name of the server is SAPQAS.

After installing SAP, we hid the starter db that is installed by renaming directories, etc. We then switched in the real database that is a clone of the current QAS system.

SAP wouldn't start, and wouldn't give any indication of the problem. Turning auditing on for sessions showed that the SAP services were not logging into the database. Hmmm....

Switched the starter database back in, and took a look at the accounts.

They were somewhat different than expected: OPS$SAPQAS\QASADM and OPS$SAPQAS\SAPSERVICEQAS. The machine name had been included in the account names of the SAP starter database. Hadn't seen this before.

Switched the cloned database back in, created accounts with machine name included ( which requires caps and double quotes due to the backslash in the account name ), assigned all privs, copied some objects and started SAP again.

All worked fine after that.

Is this to be expected? I still don't know nearly as much about Windoze as Unix, so maybe I need to bone up on the Windoze security. ( Don't laugh please, I have to live with it )

Jared

On Thursday 06 March 2003 16:38, Jacques Kilchoer wrote:
> Thank you for the information. I thought the security issues were more
> fundamental. For example if my database has remote os authentication (with
> prefix OPS$), and I know that there is a user called OPS$JSTILL, then I can
> change the Windows Registry on my client to enable me to logon to the
> database as OPS$JSTILL.
>
> > -----Original Message-----
> > From: Jared.Still_at_radisys.com [mailto:Jared.Still_at_radisys.com]
> >
> > At one time you could set the 'ORACLE_USERNAME=SYSTEM' variable in your
> > oracle.ini file, and log into any database as SYSTEM ( without a
> > password ) as long as REMOTE_OS_AUTHEN=true.
> >
> > That was obviously some years ago, and I don't know if that is still
> > possible.
> >
> > I would have hoped that such an obvious hole was plugged years ago. It
> > seems to me that it was, but I don't recall details.


Received on Mon Mar 10 2003 - 00:08:41 CST
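
The checks discussed in this thread, as an added example that is not part of the original messages: a DBA-side audit of how OS authentication is configured, which accounts are identified externally, and which logons failed. It assumes a DBA session, the standard initialization parameters os_authent_prefix and remote_os_authent, and that session auditing writes to the database audit trail; the account names are the ones quoted in the message above.

```sql
-- Added example; run as a DBA in SQL*Plus.

-- 1. How is OS authentication configured on this instance?
--    remote_os_authent = TRUE means the server trusts the OS user name
--    reported by a remote client, which is the exposure the quoted
--    replies describe. os_authent_prefix is the OPS$ part of the name.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- 2. Which accounts are identified externally, and do their names carry
--    a machine or domain qualifier (a backslash)? A clone that only has
--    unqualified names will not match a qualified OS identity.
--    Releases up to 10g show PASSWORD = 'EXTERNAL' in DBA_USERS; 11g and
--    later expose the same fact as AUTHENTICATION_TYPE = 'EXTERNAL'.
SELECT username,
       CASE WHEN INSTR(username, '\') > 0
            THEN 'machine/domain qualified'
            ELSE 'unqualified'
       END AS name_form
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;

-- 3. Turn on session auditing, then look for logons that were rejected.
--    RETURNCODE 0 is a successful logon; any other value is the ORA-
--    error number returned to the client (1017 = invalid credentials).
AUDIT SESSION;

SELECT os_username, username, userhost, timestamp, returncode
  FROM dba_audit_session
 WHERE returncode <> 0
 ORDER BY timestamp DESC;

-- 4. Create the qualified accounts. Double quotes are required because
--    of the backslash, and the name must be upper case.
CREATE USER "OPS$SAPQAS\QASADM" IDENTIFIED EXTERNALLY;
CREATE USER "OPS$SAPQAS\SAPSERVICEQAS" IDENTIFIED EXTERNALLY;

-- Minimum needed to connect; the remaining grants are site-specific.
GRANT CREATE SESSION TO "OPS$SAPQAS\QASADM";
GRANT CREATE SESSION TO "OPS$SAPQAS\SAPSERVICEQAS";
```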
