Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: How to use both 'connect / as sysdba' and OS authentication?

From: Baldo <dana.stockler_at_twobits.no>
Date: Mon, 05 Mar 2001 14:29:01 +0100
Message-ID: <3AA3949D.6C7476C4@twobits.no>

Obviously I made a hash of my explanation. Sorry.

What I referred to as OS authentication is perhaps called externally authenticated users? Anyway, what I meant was I can connect using sqlplus thusly: 'sqlplus /@baldodb'. This works because I have an externally authenticated db user named <prefix><osuser> (as per your rasputin example).

Let me try asking my question in a different way:

If (sqlnet.authentication_services=none) then
  'sqlplus /@baldodb' works
  'connect / as sysdba' doesn't
end if ;

If (sqlnet.authentication_services=nts) then
  'connect / as sysdba' works
  'sqlplus /@baldodb' doesn't
end if ;

How can I make both work at the same time?

-
Baldo

"Howard J. Rogers" wrote:

> "Baldo" <dana.stockler_at_twobits.no> wrote in message
> news:3AA38115.7B0E4420_at_twobits.no...
> > (Sorry if this turns up twice. We've had problems with our news server.)
> >
> > I've been using OS authentication for quite a few years now
> > and can't live without it. Oracle says I have to stop using 'connect
> > internal' and start using 'connect / as sysdba'. Fair enough.
> >
> > What's got me scratching my old bald head is how to use them
> > both at the same time.
> >
> > On my Windows NT4/SP6 / Oracle 8.1.7 box:
> >
> > If I set SQLNET.AUTHENTICATION_SERVICES=NONE
> > in the sqlnet.ora file (or remove it entirely), then OS authentication
> > works okay, but 'connect / as sysdba' results in 'ORA-01031:
> > insufficient privileges'.
>
> I'm confused. "Connect / as sysdba" *IS* O/S authentication, since you are
> not providing a username or password, and hence Oracle goes to check that
> there is an ORA_DBA group setup, and that you, the NT User, are a member of
> said group.
>
> So how os authentication works OK, yet that fails, is a bit meaningless.
>
> UNLESS....
>
> What you mean is that *ordinary* users can get on to the database, but
> Privileged Users cannot using O/S authentication techniques?? Or vice
> versa.
>
> Put it this way: O/S authentication for ordinary Users is complete hokum.
> You log onto the NT box as "rasputin" (it *could* happen!). Your init.ora
> says that the OS_AUTHENT_PREFIX is 'blah'. Provided that you have issued
> the command 'create User blahrasputin identified externally' then O/S
> authentication works. It's hokum, because actually there is a user entry in
> the data dictionary that equals prefix+o/s logon -really, the data
> dictionary is being used.
>
> For Privileged Users, however, hokum won't work. There is a group -usually
> ORA_DBA, but conceivably ORA_<sid>_DBA which is a normal, NT group. Unless
> you, rasputin, have been added as a member of that group, then you cannot
> connect as a Privileged User using O/S authentication.
>
> >
> > If I set SQLNET.AUTHENTICATION_SERVICES=NTS
> > in the sqlnet.ora file, then 'connect / as sysdba' works okay,
> > but OS authentication results in 'ORA-01017: invalid username/
> > password; logon denied'.
>
> Again, I don't understand how you can claim that 'connect / as sysdba'
> works, but O/S authentication doesn't. "Connect / as sysdba" IS O/S
> authentication in action.
>
> >
> > Could some kind soul please tell me how I can use the new
> > 'connect / as sysdba' functionality while retaining the use of
> > OS authentication? Please don't tell me it can't be done. I don't
> > think my old ticker could take it.
> >
>
> Well, I'm not clear exactly what the problem is, but be clear on the
> distinction between Bob gaining access to the database without having to
> supply a Username and Password because he has already logged on to the NT
> domain (hokum) and you, the DBA, being able to successfully issue the
> 'connect / as sysdba' because you have successfully logged on to the NT
> domain and therefore acquired ORA_DBA group membership/privileges
> (non-hokum).
>
> Regards
> HJR
>
> > TIA,
> > Baldo
> >
> >
Received on Mon Mar 05 2001 - 07:29:01 CST
