Home » RDBMS Server » Security » SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 (Oracle 12.2, Windows2008R2)
| SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670681] |
Thu, 19 July 2018 06:42  |
 |
sagar.sandbhor
Messages: 5
Registered: July 2018
|
Junior Member |
|
|
Hi All,
I am trying to create the duplication of the database on Windows 2008R2. I had created ORGDB during installation of the Oracle 12.2.
See Properties of ORGDB -> security:
Administrator, OracleServiceORGDB is part of this.
When I am setting ORACLE SID to ORGDB, SQLNET.AUTHENTICATION_SERVICES = (NTS) or SQLNET.AUTHENTICATION_SERVICES = (NONE) I am able to connect to the DB.
remote_login_passwordfile='EXCLUSIVE'
I have created the pwd.ora file with a complex password(include a-z, A-Z, 0-9 and special char).
***************************************************************************************************
C:\Users\Administrator>set ORACLE_SID=ORGDB
C:\Users\Administrator>sqlplus
SQL*Plus: Release 12.2.0.1.0 Production on Thu Jul 19 16:52:27 2018
Copyright (c) 1982, 2016, Oracle. All rights reserved.
Enter user-name: sys as sysdba
Enter password:
Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
SQL>
***************************************************************************************************
To recreate duplicate(MYDUP) the DB I have copied the datafile, created init.ora and created password file PWD$SID.ora.
I check the service created as NT SYSTEM\OracleService$SID
Check the properties of MYDUP->security:
Created with Administrator
When I set SQLNET.AUTHENTICATION_SERVICES = (NTS) I am able to connect to DUP DB sucessfully.
***************************************************************************************************
C:\Users\Administrator>set ORACLE_SID=MYDUP
C:\Users\Administrator>sqlplus
SQL*Plus: Release 12.2.0.1.0 Production on Thu Jul 19 16:52:27 2018
Copyright (c) 1982, 2016, Oracle. All rights reserved.
Enter user-name: sys as sysdba
Enter password:
Connected to:
Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
SQL>
***************************************************************************************************
SQLNET.AUTHENTICATION_SERVICES = (NONE)
***************************************************************************************************
C:\Users\Administrator>set ORACLE_SID=MYDUP
C:\Users\Administrator>sqlplus
SQL*Plus: Release 12.2.0.1.0 Production on Thu Jul 19 16:56:13 2018
Copyright (c) 1982, 2016, Oracle. All rights reserved.
Enter user-name: sys as sysdba
Enter password:
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
***************************************************************************************************
The MYDUP is created with NT SERVICE\OracleServiceMYDUP.
Here is my questions:
1. Do windows prefer NTS over NONE as Authentication service, does it recommended by Windows/Oracle?
2. if authentication set as NONE and it is connecting to ORGDB and why it is not connecting to MYDUP?
3. Is there any way I can connect to the MYDUP by providing administrator rights?
4. I even tried to add the user to the ora_dba but still unable to login to MYDUP. Could you please let me know what is missing here?
Help appreciated.
Thanks....
|
|
|
|
| Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670682 is a reply to message #670681] |
Thu, 19 July 2018 09:29  |
 |
Michel Cadot
Messages: 68749
Registered: March 2007
Location: Saint-Maur, France, https...
|
Senior Member
Account Moderator |
|
|
1. Either can be used, it depends if the OS account is secure or not, if it is shared or not, and what is your security policy.
2. If NONE and EXCLUSIVE, password file is used, check it/them, verify you have the same password in both DB, maybe a typo when you created the second password file... (these are some avenues, others are possible). Have a look at McPwfile.
3. Which administrator rights are you talking? DB or OS? Question is not clear.
4. If authentication is set to NONE OS groups are not involved. They come into play only if authentication is NTS.
|
|
|
|
| Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670683 is a reply to message #670682] |
Thu, 19 July 2018 10:47 |
|
sagar.sandbhor
Messages: 5
Registered: July 2018
|
Junior Member |
|
|
Hey Michel Thanks for replying,
1. Agree, I am currently login as Windows Administrator and have all rights to perform the operation.
2. I have cross check the password for both the DB and it is correct. As I login with NTS authentication on MYDUP.
3. Here I am talking about Windows Administrator rights and not DB.
4. Agree, in that case, it should allow to login with the same password of primary database.
I have check below parameters:
Computer Management->local User and Groups-> Groups->ora_dba
Administrator, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SYSTEM
Also check OS DB Administrators-Computer:
Administrator, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SYSTEM
Check the services:
OracleServiceMYDUP ->Started -> Manual->NT SERVICE\OracleServiceMYDUP10
During installation, I set Oracle Home user as Exiting Windows User(Administrator)
I read in some forum with Windows 2008r2 onwards uses Virtual Account. I am confused with OS and DB default user.
Provided above info, If I set authentication as NONE, what login credentials used in this case?
Administrator for OS is had ora_dba rights, then it is not allowing me to login for Duplicate DB.
-Thanks
|
|
|
|
| Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670684 is a reply to message #670683] |
Thu, 19 July 2018 11:45 |
John Watson
Messages: 8968
Registered: January 2010
Location: Global Village
|
Senior Member |
|
|
I think that the group ora_dba is not enough when you using release 12: it applies only to pre-release 12 databases. See this, on my PC with two release 12 database ORacle Homes installed:
C:\Users\john>whoami -groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Group used for deny only
jw\ORA_ASMADMIN Alias S-1-5-21-1889652306-443339906-4187214991-1017 Mandatory group, Enabled by default, Enabled group
jw\ORA_ASMDBA Alias S-1-5-21-1889652306-443339906-4187214991-1014 Mandatory group, Enabled by default, Enabled group
jw\ORA_ASMOPER Alias S-1-5-21-1889652306-443339906-4187214991-1015 Mandatory group, Enabled by default, Enabled group
jw\ORA_CLIENT_LISTENERS Alias S-1-5-21-1889652306-443339906-4187214991-1010 Mandatory group, Enabled by default, Enabled group
jw\ora_dba Alias S-1-5-21-1889652306-443339906-4187214991-1016 Mandatory group, Enabled by default, Enabled group
jw\ORA_GRID_LISTENERS Alias S-1-5-21-1889652306-443339906-4187214991-1008 Mandatory group, Enabled by default, Enabled group
jw\ORA_INSTALL Alias S-1-5-21-1889652306-443339906-4187214991-1005 Mandatory group, Enabled by default, Enabled group
jw\ORA_OPER Alias S-1-5-21-1889652306-443339906-4187214991-1009 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home1_DBA Alias S-1-5-21-1889652306-443339906-4187214991-1006 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home1_OPER Alias S-1-5-21-1889652306-443339906-4187214991-1007 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home1_SYSBACKUP Alias S-1-5-21-1889652306-443339906-4187214991-1011 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home1_SYSDG Alias S-1-5-21-1889652306-443339906-4187214991-1012 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home1_SYSKM Alias S-1-5-21-1889652306-443339906-4187214991-1013 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home2_SYSBACKUP Alias S-1-5-21-1889652306-443339906-4187214991-1026 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home2_SYSDG Alias S-1-5-21-1889652306-443339906-4187214991-1027 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraDB12Home2_SYSKM Alias S-1-5-21-1889652306-443339906-4187214991-1028 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraGI12Home1_SYSBACKUP Alias S-1-5-21-1889652306-443339906-4187214991-1021 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraGI12Home1_SYSDG Alias S-1-5-21-1889652306-443339906-4187214991-1022 Mandatory group, Enabled by default, Enabled group
jw\ORA_OraGI12Home1_SYSKM Alias S-1-5-21-1889652306-443339906-4187214991-1023 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
C:\Users\john> |
|
|
|
| Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670687 is a reply to message #670683] |
Thu, 19 July 2018 12:15 |
|
Michel Cadot
Messages: 68749
Registered: March 2007
Location: Saint-Maur, France, https...
|
Senior Member
Account Moderator |
|
|
Quote:2. I have cross check the password for both the DB and it is correct. As I login with NTS authentication on MYDUP.
NTS does not care about Oracle passwords, so the fact you can connect with NTS does not validate the password:
SQL> host type %ORACLE_HOME%\network\admin\sqlnet.ora
# This file is actually generated by netca. But if customers choose to
# install "Software Only", this file wont exist and without the native
# authentication, they will not be able to connect to the database on NT.
SQLNET.AUTHENTICATION_SERVICES = (NTS)
...
SQL> conn sys/toto as sysdba
Connected.
***SYS***> conn sys/whatever as sysdba
Connected.
***SYS***> conn sys/anotherone as sysdba
Connected.
***SYS***>
So how did you check the password?
Quote:3. Here I am talking about Windows Administrator rights and not DB.
If authentication is set to NONE, OS groups/privileges are not checked and don't care.
Quote:4. Agree, in that case, it should allow to login with the same password of primary database.
If password file is correct.
In short, if authentication is NTS OS groups are used and only them to authenticate, if authentication is NONE then DB passwords are used and only them.
|
|
|
|
|
|
| Re: SQLNET.AUTHENTICATION_SERVICES = (NONE) ORA-01017 [message #670697 is a reply to message #670684] |
Fri, 20 July 2018 04:37 |
|
sagar.sandbhor
Messages: 5
Registered: July 2018
|
Junior Member |
|
|
here is output of - whoami -groups
Group Name Type SID Attributes
============================================================= ================ ============================================= ======================
=========================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ORA_ASMDBA Alias S-1-5-21-526688176-3877096626-3997236983-1033 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ora_dba Alias S-1-5-21-526688176-3877096626-3997236983-1037 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ORA_DUP7_DBA Alias S-1-5-21-526688176-3877096626-3997236983-1039 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ORA_OPER Alias S-1-5-21-526688176-3877096626-3997236983-1028 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ORA_OraDB12Home1_SYSBACKUP Alias S-1-5-21-526688176-3877096626-3997236983-1030 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ORA_OraDB12Home1_SYSDG Alias S-1-5-21-526688176-3877096626-3997236983-1031 Mandatory group, Enabl
ed by default, Enabled group
VW-PUN-BSA-QA11\ORA_OraDB12Home1_SYSKM Alias S-1-5-21-526688176-3877096626-3997236983-1032 Mandatory group, Enabl
ed by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabl
ed by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabl
ed by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabl
ed by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabl
ed by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288 Mandatory group, Enabl
ed by default, Enabled group
C:\Users\Administrator>
I am unable to see the ORA_OraDB12Home1_DBA in groups, but when i see local user and group i can see the group as ORA_OraDB12Home1_DBA.
I tried to add the administrator to this group and try to login but unsuccessful.
Thanks!!!
|
|
|
|
|
|
|
|
|
|
|
|
Goto Forum:
Current Time: Tue Mar 11 23:39:18 CDT 2025
|
] 
Blog
Search
Help
Members
Register
Login
Home
