Re: OS Authentication with winXP client Linux Server

On Jul 29, 11:05 pm, hjr.pyth...@xxxxxxxxx wrote:
On Jul 28, 12:14 am, "fitzjarr...@xxxxxxx" <fitzjarr...@xxxxxxx>
wrote:





On Jul 27, 8:38 am, "Matthias Hoys" <a...@xxxxxxxx> wrote:

<fitzjarr...@xxxxxxx> wrote in message

news:1185540761.531273.313830@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

On Jul 27, 1:00 am, Dazza <DarylFer...@xxxxxxxxx> wrote:
Thanks for taking the time to reply.
However, OS Authentication does actually work on clients aswell.

The doco suggests throughout that the setting in sqlnet.ora be set to
SQLNET.AUTHENTICATION_SERVICES= (NTS) on both the server and the
client...suggesting that it does work on both.

From my personal experience, my previous company did indeed have it

working on the clients - the difference being they had windows servers
aswell as windows clients, whereas here I have a linux server and a
windows client.

My guess is you do not have the remote_os_authent parameter set to
TRUE on the server. I have several databases using external
authentication from Windows clients and it works quite well.

Are those databases on UNIX or Linux ? And you don't have Oracle Internet
Directory installed on the database server ? I wonder if this works then ?- Hide quoted text -

- Show quoted text -

The databases are on UNIX and the Windows clients authenticate without
issue.

David Fitzjarrell

I preface everything I'm about to say with the words, 'This is
addressed to the world in general and not David in particular'.

But anyone that runs REMOTE_OS_AUTHENT=TRUE on a production server is
asking for really, really bad trouble and needs to examine their head
very closely,,, and then stop using it immediately.

It means that if I were your cleaner, janitor or nightime security
guard I would simply need to bring in my teenage son's laptop one
night, plug it into your network, and I then have access to your
database. My laptop, after all, will happily authenticate me as a
valid user of that laptop. REMOTE_OS_AUTHENT=TRUE then states that
such validation is sufficient to get me access to your database. It
doesn't bear thinking about.

So, it's no wonder "Windows clients authenticate without issue":
practically the entire WORLD could authenticate without issue! That's
really not something you would want for a database whose data you
cared about.

It's discussed here:http://www.dizwell.com/prod/node/210
(where David Aldridge uses the 'you want your head tested' line I was
tempted to use here!)

It's also discussed here:http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1...
(where Tom is moved to say, "remote_os_authent is not a very secure
setting" and "they have remote_os_authent set -- meaning they have the
least secure system on the planet. you must set that false")

In answer to the specific question asked by the original poster, no
amount of fiddling is going to get a Windows user's OS account
authenticated on a Linux server, unless remote_os_authentication is
set to the suicidal value of TRUE. As the OP initimated, messing
around with sqlnet.ora values is only going to be helpful in an all-
Windows environment.

Regards
HJR

Thanks Howard for your helpful reply in this thread.

Some of the postings that followed this one in the thread make me
somewhat nervous. Obviously it was dangerous for one of the people
responding to point out this parameter setting without all the caveats
expressed above.

Then the discussion got somewhat heated with questions about who
authorized this setting, was management are of the implications etc.
One of the people volleying back responded that all of the warnings
had been made but ignored etc.

I think it's pretty dangerous putting out in a public place like cdos
this explicit of a discussion. It's not hard to try and figure out
where people are working etc. If some kind of exploit or tampering of
data was done based on the setting discussed, then watch out for the
lawyers and the suits.

Taking discussions like this offline might be a good choice IMHO.

.

Relevant Pages

  • Re: OS Authentication with winXP client Linux Server
    ... SQLNET.AUTHENTICATION_SERVICES= on both the server and the ... authentication from Windows clients and it works quite well. ... Directory installed on the database server? ... The databases are on UNIX and the Windows clients authenticate without ...
    (comp.databases.oracle.server)
  • Re: SMTP using usernames & passwords.
    ... How can I stop non authenticated smtp access to the sever. ... clients accessing over pop to authenticate when they send email no ... You configure this on the client (by default the SMTP virtuel server ... the internet and local clients get a fail message when attempting to ...
    (microsoft.public.exchange.setup)
  • Re: Another additional DC question
    ... Clients use VPN, why not have them log on to the domain that Site A hosts. ... I recommend that if you authenticate over the WAN that you increase the size ... install a server at the remote site for authentication (I do this all the ... firewall like and ASA5505 or ASA5510 at the remote site. ...
    (microsoft.public.cert.exam.mcse)
  • Re: Can not receive and Send Email
    ... firewall client which does not authenticate the traffic for some reason, ... > We get our mail from and external Mail server pop.registeredsite.com, ... Are your clients accessing an ...
    (microsoft.public.isa)
  • Re: Clients are authenticated but reports still show only IP addre
    ... I hadn't checked the "Require all clients to authenticate" option on the web ... It's just that the ISA ... server reporting function would only show IP addresses for most users. ...
    (microsoft.public.isa.configuration)