Query on OS Authentication (Oracle 9.2.0.6.0 on HP-UX)
Query on OS Authentication [message #433509] Wed, 02 December 2009 10:46
chetanaZ
Messages: 132
Registered: October 2009
Location: UK
Senior Member
Hi,

I understand that we follow the below mentioned steps for OS Authentication
1)	Sqlnet.log entry
   SQLNET.AUTHENTICATION_SERVICES= (NTS)
2)	Configure parameter os_authent_prefix ---ops$
3)	Create OS level user and add it to ora_dba group 
4)	Create database user as following 
   create user "OPS$USERNAME\DOMAIN" identified externally;
SQL> grant connect to "OPS$USERNAME\DOMAIN";


In Step 3 above, I assume we create OS level user on client side
e.g. while connecting from windows machine (oracle client) to Oracle Database on Unix/Linux, we will create the user on Windows Machine

Is that Correct?

I am asking this since I am unable to find myself added to ora_dba group (on windows) while I am using OS Authentication!

Thanks and Regards
Chetana
Re: Query on OS Authentication [message #433518 is a reply to message #433509] Wed, 02 December 2009 11:32
Michel Cadot
Messages: 68624
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Step 3 is ONLY to enable local connection as "/ as sysdba" and has nothing to do with normal os authent.

I don't remember where the domain name is in the user name; check osuser from v$session for a standard connection.
You can also not pass this part and keep only the user name by setting the following in HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE\HOME<n>:
OSAUTH_PREFIX_DOMAIN=FALSE

Do NOT grant CONNECT to an account, NEVER; grant it CREATE SESSION.
Create a role with its necessary privileges and grant it the role.

Regards
Michel
Re: Query on OS Authentication [message #434761 is a reply to message #433509] Thu, 10 December 2009 11:03
chetanaZ
Thanks Michel

I think I am still not clear. Maybe my question is not clear. Sorry for my knowledge.

I have a linux machine on which Oracle 9i database say db01 is installed
I have a windows machine on which Oracle client is installed, tnsnames.ora is configured for db01
I am connecting db01 database on linux server from my windows machine using tns entry
scott/tiger@db01.world 



Now I want OS authentication

I create database user 
I have os_authent_prefix=ops$

create user ops$scott identified externally;
grant create session to ops$scott;


Now do I need to create user scott on windows machine or database server linux?

Thanks and Regards,
Chetana





Re: Query on OS Authentication [message #434763 is a reply to message #434761] Thu, 10 December 2009 11:14
Michel Cadot
Quote:
Now I want OS authentication

From what? To connect as what? normal user or sysdba?

Regards
Michel
Re: Query on OS Authentication [message #434764 is a reply to message #433509] Thu, 10 December 2009 11:17
chetanaZ
To connect as ops$scott to db01 database on linux server from windows machine (client)

Thanks and Regards,
Chetana
Re: Query on OS Authentication [message #434766 is a reply to message #434764] Thu, 10 December 2009 11:23
Michel Cadot
No, you do not want that.
If you really want that then ANYONE in the network can connect as the user scott on your database.

Alternatively you can remotely connect with / using Oracle "Secure External Password Store".

Regards
Michel

[Updated on: Thu, 10 December 2009 11:24]


Re: Query on OS Authentication [message #434773 is a reply to message #433509] Thu, 10 December 2009 11:41
chetanaZ
Many Thanks Michel

You have rightly mentioned that anyone in the network can connect to database (of course the user must login as scott to OS, right?)

In fact, before I posted my query in this forum (where I get correct answers/advice, and that too quickly), I tried to search on Google

But it seems my search key was wrong
I should have searched for 'Remote OS Authentication' rather than 'OS Authentication'

As a product of your answer and link below, I understand that in my case

Quote:

If I want OS Authentication where users logging directly (OS level) to linux server want to get authenticated I create their account on LINUX server itself apart from database users e.g. ops$scott

If I want Remote OS Authentication I create database users (ops$scott) but create OS users on windows box itself


http://www.oracle.com/technology/pub/articles/project_lockdown/phase2.html#2.2

Thanks for your help

Thanks and Regards,
Chetana

[Updated on: Thu, 10 December 2009 12:13] by Moderator


Re: Query on OS Authentication [message #434782 is a reply to message #434773] Thu, 10 December 2009 12:16
Michel Cadot
Quote:
of course the user must login as scott to OS, right?)

Yes, a thing I can do in less than a minute on my laptop.

And as you can see in your link about Project Lockdown: section 2.3 Disable Remote OS Authentication.

As I said if you want to authenticate remotely but using "/" in your connection string use Oracle "Secure External Password Store".

Regards
Michel
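
Editor's added example, not part of any post in this thread: a DBA-side audit for the two points raised above, namely whether the server trusts client-reported OS user names and which accounts hold the CONNECT role instead of CREATE SESSION. It assumes Oracle 9i/10g dictionary views (externally identified accounts show PASSWORD = 'EXTERNAL' in DBA_USERS), an spfile in use, and the ops$scott account from the thread.

```sql
-- Added audit example; run as a DBA on the database server.
-- Assumption: 9i/10g dictionary, where DBA_USERS.PASSWORD = 'EXTERNAL'
-- marks accounts created with IDENTIFIED EXTERNALLY.

-- 1. Does the server accept the OS user name reported by remote clients?
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Every account that logs in with "/" and what it is allowed to do.
--    If remote_os_authent is TRUE, each row below is reachable by any
--    network client that presents the matching OS user name.
SELECT u.username,
       u.account_status,
       p.privilege        AS granted,
       'SYSTEM PRIVILEGE' AS grant_type
  FROM dba_users u
  JOIN dba_sys_privs p ON p.grantee = u.username
 WHERE u.password = 'EXTERNAL'
UNION ALL
SELECT u.username,
       u.account_status,
       r.granted_role,
       'ROLE'
  FROM dba_users u
  JOIN dba_role_privs r ON r.grantee = u.username
 WHERE u.password = 'EXTERNAL'
 ORDER BY 1, 4, 3;

-- 3. What the CONNECT role carries in this release, i.e. what an account
--    receives beyond the right to log in when granted CONNECT.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'CONNECT'
 ORDER BY privilege;

-- 4. Remediation matching the advice in the thread.
--    remote_os_authent is a static parameter: the change takes effect
--    only after the instance is restarted.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;

--    Replace CONNECT with the single privilege needed to log in
--    (the REVOKE applies only if CONNECT was granted to the account).
REVOKE CONNECT FROM ops$scott;
GRANT CREATE SESSION TO ops$scott;
```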