Today i thought i'd discovered a major issue with 12c - os authenticated accounts did not seem to be working in 12.1.0.2 (but were ok in 12.1.0.1).
So for example if i say
create user ops$oracle identified externally;
grant dba to ops$oracle;
I can then from a unix prompt just type
sqlplus /
And i log straight on as ops$oracle - oracle has basically trusted the o/s to do authentication - if the o/s says it's OK then it's alright by me - come on in.....
Now when i tried this in 12.1.0.2 it didn't work - even after messing about and double checking everything it didn't work
A quick google revealed that this was deprecated (at least the os_authent_prefix parameter in 11g) - surely they wouldn't have removed this facility altogether in 12.1.0.2...?
I installed another system on a different box to try it out, a new database created here worked fine - so what was going on?
In the broken one unified auditing was switched on - maybe that was sending stuff down a different code path somehow and was breaking things? I switched that off but it made no difference.
So what on earth is going on.....
Well then i woke up...
And realized I'd been doing some testing with secure external password stores - and i'd left this parameter in the sqlnet.ora
SQLNET.WALLET_OVERRIDE = TRUE
This essentially disables os authentication for 'traditional' external users...
I commented this out and then all returned to normal.
Mental note to tidy up when i'm messing around with config files.......
Nice post. Thanks for the info!
ReplyDelete