Shut the front door!



Today i thought i'd discovered a major issue with 12c - os authenticated accounts did not seem to be working in 12.1.0.2 (but were ok in 12.1.0.1).

So for example if i say

create user ops$oracle identified externally;
grant dba to ops$oracle;

I can then from a unix prompt just type

sqlplus /

And i log straight on as ops$oracle - oracle has basically trusted the o/s to do authentication - if the o/s says it's OK then it's alright by me - come on in.....

Now when i tried this in 12.1.0.2 it didn't work - even after messing about and double checking everything it didn't work

A quick google revealed that this was deprecated (at least the os_authent_prefix parameter in 11g) - surely they wouldn't have removed this facility altogether in 12.1.0.2...?

I installed another system on a different box to try it out, a new database created here worked fine - so what was going on?

In the broken one unified auditing was switched on - maybe that was sending stuff down a different code path somehow and was breaking things? I switched that off but it made no difference.

So what on earth is going on.....

Well then i woke up...

And realized I'd been doing some testing with secure external password stores - and i'd left this parameter in the sqlnet.ora

SQLNET.WALLET_OVERRIDE = TRUE

This essentially disables os authentication for 'traditional' external users...

I commented this out and then all returned to normal.

Mental note to tidy up when i'm messing around with config files.......

1 comments: