Re: User permissions/rights on DBMS host when using NTS

  • From: Niall Litchfield <niall.litchfield@xxxxxxxxx>
  • To: Martin.Herbener@xxxxxxxxxxxxxxxx
  • Date: Thu, 1 Apr 2010 09:46:26 +0100

Hmm,

I'll agree that I've not observed this, likely for the reason you mention. My
memory was that essentially all NTS authentication did was to verify that
the account issuing the request had a valid domain authentication
token (i.e. not to the server). It may be, of course, that by excluding the
Domain Users group - you'd have to do that explicitly as you say - then you
are signalling to the server not to accept standard authentication tokens
from the domain. In such a case I'd *hope* that the creation of an "Oracle
Users" group on the domain should allow users in that group to successfully
authenticate. I'm assuming that the aim here is not to allow everyone access
to the db, to use Windows authentication, and to avoid the expense of
advanced security? Again I'd be hopeful that that was possible, but would
suspect that alternatives would be easier.

Niall Litchfield
http://www.orawin.info/
On Wed, Mar 31, 2010 at 5:15 PM, Herbener, Martin - KETS Engineering and
Management <Martin.Herbener@xxxxxxxxxxxxxxxx> wrote:

>  The issue is that users apparently cannot connect to a 10.2.0.4 database
> instance (on Windows 2003) with native database userid/password if the
> following are all TRUE
>
>
>
> 1)      Client version does not exactly match database version (for
> instance, client is 10.2.0.1), AND
>
> 2)      NTS is enabled in SQLNET.ORA, AND
>
> 3)      User’s Active Directory account is not in the “Users” group on the
> DBMS host
>
>
>
> Failure usually comes with an ORA-12631 error.
>
>
>
> I think many people would not observe this because, by default, a Windows
> server’s local “Users” group contains the domain “Domain Users” group.
>
>
>
> I guess I am looking for others to validate or refute my theory.
>
>
>
> Thanks
>
>
>
> Martin
>
>
>
> --------------------------------------------
> Martin Herbener
> 502 564 2020 ext 254
> Office of Education Technology
> Kentucky Department of Education
>
> *From:* Jared Still [mailto:jkstill@xxxxxxxxx]
> *Sent:* Wednesday, March 31, 2010 11:57 AM
> *To:* Herbener, Martin - KETS Engineering and Management
> *Cc:* oracle-l@xxxxxxxxxxxxx
> *Subject:* Re: User permissions/rights on DBMS host when using NTS
>
>
>
> On Wed, Mar 31, 2010 at 7:28 AM, Herbener, Martin - KETS Engineering and
> Management <Martin.Herbener@xxxxxxxxxxxxxxxx> wrote:
>
> Those of you using NTS (Windows OS authentication) - have you found that
> the end users' Windows accounts need some level of permissions/user
> rights on the DBMS host?
>
>
>
> Perhaps if you explained the issue you are experiencing someone here can
> help.
>
>
>
> OS authentication does not require any rights on the server if the
> authentication is network based - AD, Kerberos, ...
>
> If the authentication must actually take place on the server, then a user
> account will be needed, at least it works that way on Linux/Unix.
>
>
>
> So the answer is "It depends"  :)
>
>
> Jared Still
> Certifiable Oracle DBA and Part Time Perl Evangelist
> Oracle Blog: http://jkstill.blogspot.com
> Home Page: http://jaredstill.com
>



-- 
Niall Litchfield
Oracle DBA
http://www.orawin.info
