Re: Authentication Problem
Date: Tue, 5 Feb 2008 08:53:11 +0000
Message-ID: <7765c8970802050053o55aa85c5yb083f82214bad7c9@mail.gmail.com>
Hi
If you want to allow this scenario, then you should really be looking at the
Advanced Security Option which will allow you (on a *nix server) to
authenticate the user against the Windows Kerberos security services -
(i.eactually use the kerberos authentication rather than merely verify
that the
domain knows of an account by that name). There may be political issues
about paying more just to use your enterprise security provider, but there *
shouldn't* be any particularly horrible technical issues.
This used to be discussed in the security administration section of the documentation - haven't looked for a while to see if it's still there - but I expect that it is.
On Feb 4, 2008 10:15 PM, Jack van Zanen <jack_at_vanzanen.com> wrote:
> Hi Jared,
>
>
> I agree with you on the security issue, but sometimes it is a requirement
> to have this possibility.
> If you create the database user with domain name as well doesn't this make
> it a bit more secure, as this is more difficult to create such a user on
> windows (not a windows admin so could be wrong)?
>
> Jack
>
>
> On 05/02/2008, Jared Still <jkstill_at_gmail.com> wrote:
> >
> > On Jan 30, 2008 6:53 PM, Jack van Zanen <jack_at_vanzanen.com> wrote:
> >
> > >
> > > When creating the domain user in the database you use double quotes ( "OPS$<domainname>\<username>"
> > > ). It than becomes case sensitive as well. Make sure the case is spot
> > > on.
> > >
> > > log on to the database as a dba user and look in v$session to see
> > > exact spelling of your os account.
> > >
> > >
> > > Jack
> > >
> > >
> >
> >
> > Creating an account with domainnname/username is not necessary when
> > connecting
> > to Oracle on unix/linux from a windows client.
> >
> > I just created an account on 2 different databases on linux using
> > "OPS$<myusername>".
> > No domain name.
> >
> > One server knows how to authenticate via AD, the other does not.
> >
> > Both allowed an OS authenticated login from a Windows client.
> >
> > Setting remote_os_authent=true is a rather dangerous option.
> >
> > If is *extremely* easy for a windows client to gain ownership of the
> > database when remote_os_authent=true.
> >
> > If you set it, you better be using invited_nodes in sqlnet.ora to limit
> > who can get to the database.
> >
> > Jared
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> > Jared Still
> > Certifiable Oracle DBA and Part Time Perl Evangelist
> >
>
>
>
> --
> J.A. van Zanen
-- Niall Litchfield Oracle DBA http://www.orawin.info -- http://www.freelists.org/webpage/oracle-lReceived on Tue Feb 05 2008 - 02:53:11 CST