This is a discussion on W2000 connect / as sysdba problem within the Oracle Database forums, part of the Database Server Software category.
Hi
now I switched to

remote_login_passwordfile = SHARED

so when laptop is connected to domain I can use

connect / as sysdba

if laptop is not connected to network, i.e. at home, I am using

connect sys/password as sysdba.

This is ok, I just have to edit my scripts to always use sys/password in connect string which is not a big deal.

This all is taking place on my laptop. Instance is running on my laptop and I am connecting to this instance on the same laptop. Why the hell it requires domain access to allow me to "connect / as sysdba" I don't know...

I am using good old W2K pro.

Thanks for your answers guys.

Andrew

"Howard J. Rogers" <hjr@dizwell.com> wrote in message news:<409251a0$0$32558$afc38c87@news.optusnet.com.au>...
> Andrew wrote:
>
> I wrote you a long reply, and then my Internet connection died, just as
> I hit the send button... I presume it's now gone to the great black hole
> in the sky somewhere.
>
> Short version (because I can't remember all of the original!): you could
> try listener.log in ORACLE_HOME\network\log. It will at least show you
> the O/S username as received by the Listener, which may help a little.
> But otherwise, I can't think of anywhere this would be logged. The
> insufficient privileges message is just the database doing its normal
> thing and authenticating people, so it's not an error state as such, and
> I wouldn't expect it therefore to actually ever be logged.
>
> I'm a bit confused, because you mentioned originally, I think, that this
> was all taking place on your laptop... but now you're talking about
> domains and such like. Can you clarify the situation? Is this really all
> happening on one laptop, or is there a network and remote connections
> involved somewhere?
>
> Which O/S are you using, again? Windows 2000 Professional, Server or
> what (again, with a domain being mentioned, there's got to be Server in
> there somewhere, but on a laptop???!) And if we are talking a remote
> connection, be clear about what the client is using and what the server
> is using. I think something's been lost (by me) in translation somewhere.
>
> All I can tell you is that the test I showed Kenneth working was from an
> XP laptop running the 10g client connecting to a Windows 2000 Advanced
> Server running 9i release 2. SQLNET.ORA on the client was as I posted to
> Kenneth, remote_login_password was set to EXCLUSIVE, and the
> tnsnames.ora is stock-standard stuff (namely:
>
> WIN92 =
>   (DESCRIPTION =
>     (ADDRESS_LIST =
>       (ADDRESS = (PROTOCOL = TCP)(HOST = mozart)(PORT = 1521))
>     )
>     (CONNECT_DATA =
>       (SERVICE_NAME = win92.dizwell.local)
>     )
>   )
>
> The listener.ora on the server has no weirdnesses in it, either (no
> Shared Server, for example). I log on to my laptop as a domain user, and
> that user account is indeed a member of the server's ORA_DBA group.
>
> All of which you described as having done, so I'm not sure what else to
> suggest. Other than, perhaps, if it used to work and doesn't work any
> more, what changed in between??
>
> Apologies if this duplicates somewhere.
>
> Regards
> HJR

What you are saying is correct. But if I were able to formulate my question as you did for me below I wouldn't ask it at all. Simply because as all is running on the same laptop (oracle instance and connection to it) I wasn't able to associate my problem with the fact that I am not connected to domain...

I think if oracle is configured to use OS authentication it should always allow privileged connection to local instance (whether OS connected to domain or not). Simply because I am allowed to log in to OS so Oracle should obey this fact. If you are allowed to drive the car you should be allowed to steer it

"Howard J. Rogers" <hjr@dizwell.com> wrote in message news:<4092d978$0$12033$afc38c87@news.optusnet.com.au>...
>
> Had you originally posted an accurate description of what you were
> doing, I think we might have resolved the matter rather quicker than we
> did, don't you?
>
> "I am trying to connect from a laptop client as a privileged user to a
> database stored on a server, using my domain account, which has been
> made a member of the ORA_DBA account on the server. My client isn't
> actually connected to the network, and hence the domain, at the time I
> make the connection attempt. It doesn't work. Why?"
>
> To which the answer would have come straight back: how is Oracle
> supposed to check domain account membership of a group when you're not
> actually connected to the domain controller? The fact that Windows is
> capable of caching domain credentials is a Windows feature, and not
> something that Oracle can or should make use of.
>
> Anyway: you might do us all a favour and now change
> remote_login_passwordfile back to its original setting of EXCLUSIVE and
> report back on whether your remote connections as a privileged user
> still work.
>
> HJR

Andrew wrote:
> Hi
> now I switched to
>
> remote_login_passwordfile = SHARED

That is a very odd setting for that parameter. It means one password file will do duty for multiple instances. Are you going to have multiple instances on the one laptop?

But whatever, at least you are saying that the parameter is not set to NONE, and yet you can still do O/S authentication as a privileged user (provided you are connected to the domain). Good. Case closed.

> so when laptop is connected to domain I can use
>
> connect / as sysdba
>
> if laptop is not connected to network, i.e. at home, I am using
>
> connect sys/password as sysdba.
>
> This is ok, I just have to edit my scripts to always use sys/password
> in connect string which is not a big deal.
>
> This all is taking place on my laptop. Instance is running on my
> laptop and I am connecting to this instance on the same laptop. Why
> the hell it requires domain access to allow me to "connect / as
> sysdba" I don't know...

Why don't you know? Is it not obvious?? I asked you specifically about domain groups/users versus local groups/users, and you said bluntly that you were using your domain logon. O/S authentication means, to Oracle, "go and check whether this user is a member of the ORA_DBA group", and in your case, because you are using a domain username, it needs to authenticate with the domain controller to find out details about the group memberships of your domain user account. Pretty obvious, I would have thought.

If you were logging on as a local (laptop) user, and that local user account was a member of the ORA_DBA group (again, presumably local to your laptop), then the laptop could solve the matter on its own. But you've *asked* to introduce a domain component, so how can you expect it to work when the domain is not available?

OK, you say: Windows allows me to use the laptop under that domain username even when not connected to the domain. True: but it doesn't let you use mapped network drives or other domain resources, does it? Same deal with Oracle. It must check the domain for authentication each time a connection request that depends on it is made, and just happens to be coded that way.

I think in any other walk of IT life, if you said "I want to use domain privileges, but without actually connecting to a domain", you could reasonably predict what would happen. I don't quite understand why you think Oracle should behave any differently.

Andrew wrote:
> What you are saying is correct. But if I were able to formulate my
> question as you did for me below I wouldn't ask it at all. Simply
> because as all is running on the same laptop (oracle instance and
> connection to it) I wasn't able to associate my problem with the fact
> that I am not connected to domain...
>
> I think if oracle is configured to use OS authentication

WHICH O/S????????????

*You* set it up so that it is your DOMAIN user account that is a member of the ORA_DBA group. Therefore it's the *domain controller's* O/S that has to be available to validate that.

> it should
> always allow privileged connection to local instance (whether OS
> connected to domain or not). Simply because I am allowed to log in to
> OS

You are allowed to log onto your *laptop's* O/S, not the network. Try and print something to one of the printers on your domain when you have chosen to log onto the laptop with a local account, yet still can "see" the printer over the network (ie, connect up to the network, but log on as the laptop's local administrator, for example)... I bet you can't print to the printer (unless your network administrator has allowed 'Everyone' or 'Guest' privileges). Similarly, be able to ping the domain controller, but log on with a local account and try and map to a network drive: you won't be able to, not without supplying a set of *domain* log on credentials.

That Windows permits you to use the laptop without a domain is one thing. But it doesn't permit you to use domain resources without a domain. And it was *you* that specified that a domain resource (namely, a user account) should be involved in Oracle's O/S authentication mechanism.

> so Oracle should obey this fact.

It does. It does precisely what would happen if you tried to connect to a domain network shared drive without supplying fresh domain logon credentials.

> If you are allowed to drive the car
> you should be allowed to steer it

But Windows doesn't let you drive the car on the network unless you've supplied the network logon ignition key. Oracle is doing nothing odd whatsoever.

If you don't like it, the answer is as I suggested way back yonder: don't configure a domain account in the ORA_DBA group. Keep the thing entirely local, and the issue won't arise because the laptop can resolve the lot. As soon as you introduce a domain element into the authentication process, you can confidently expect a domain actually to have to be available.

HJR
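Added example, not part of the original thread: a small Python check for the distinction drawn in the replies above, splitting ORA_DBA members into those the machine can resolve on its own and those that need a domain controller. It assumes English-locale output from `net localgroup ORA_DBA`; the sample output, the domain `EXAMPLEDOM`, the host name `LAPTOP01` and the function names are constructed for illustration.

```python
import re

# Authorities the local machine resolves without a domain controller.
LOCAL_AUTHORITIES = {"NT AUTHORITY", "BUILTIN"}

# Constructed sample of `net localgroup ORA_DBA` output (not from the thread).
SAMPLE = r"""Alias name     ORA_DBA
Comment        Oracle DBA Group

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLEDOM\andrew
NT AUTHORITY\SYSTEM
The command completed successfully.
"""

def parse_members(net_output):
    """Return the member names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in net_output.splitlines():
        name = line.strip()
        if re.fullmatch(r"-{5,}", name):
            in_list = True
        elif in_list and name.lower().startswith("the command completed"):
            break
        elif in_list and name:
            members.append(name)
    return members

def classify(members, computer_name):
    """Split members into (locally resolvable, needs a domain controller)."""
    local, domain = [], []
    for member in members:
        authority, sep, _ = member.partition("\\")
        authority = authority.upper()
        # No prefix, a built-in authority, or the machine's own name: local.
        if not sep or authority in LOCAL_AUTHORITIES or authority == computer_name.upper():
            local.append(member)
        else:
            domain.append(member)
    return local, domain

if __name__ == "__main__":
    local, domain = classify(parse_members(SAMPLE), "LAPTOP01")
    print("Resolvable offline:", local)
    print("Need a domain controller for 'connect / as sysdba':", domain)
```

Every account in either list can connect as SYSDBA without a password, so the same listing doubles as a review of who holds that privilege.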