Kerberos auth in Oracle, sys user and dba group

Hello.
I've set up Kerberos auth in a test Oracle 10g R2 database on 64-bit Linux according to the Oracle® Database Advanced Security Administrator's Guide. I have the following issue: a Kerberos user can log in to the test server (from this server) and a normal database user can log in to the database server from other hosts. However, the oracle system user, members of the dba group and normal users can no longer log in to this server from it. So, when the oracle system user runs sqlplus "/as sysdba", he gets ORA-12638: Credential retrieval failed.
sqlnet.ora looks the following way:
SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc
SQLNET.KERBEROS5_CONF_MIT=TRUE
SQLNET.AUTHENTICATION_SERVICES= (KERBEROS5)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
SQLNET.KERBEROS5_CONF = /etc/krb5.conf
SQLNET.KERBEROS5_REALMS = /etc/krb5.realms
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
What should I do to enable login to this server for members of dba group and normal users from the database server?

I've tried to set SQLNET.AUTHENTICATION_SERVICES to (BEQ,KERBEROS5); it works almost as expected, but I have a strange effect: my OS user is not in the dba group, but can connect "/as sysdba"...
$ id -nG
domusers oinstall
$ sqlplus "/as sysdba"
SQL*Plus: Release 10.2.0.1.0 - Production on Tue Mar 3 13:20:55 2009
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options
SQL>
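On Unix, "/ as sysdba" over a bequeath (BEQ) connection is authorised purely by OS group membership: the OSDBA group chosen at install time is compiled into $ORACLE_HOME/rdbms/lib/config.c as SS_DBA_GRP, and that group need not be named dba. The script below is an added example, not code from the thread; it reads that define and compares it against a group list in the form `id -nG` prints, using a constructed config.c as sample data.

```shell
#!/bin/sh
# Added example (not from the original thread): find the group Oracle's OS
# authentication treats as OSDBA and test whether a user's groups include it.
# Assumes the 10g/11g layout where $ORACLE_HOME/rdbms/lib/config.c contains
#   #define SS_DBA_GRP "dba"
# The config.c used at the bottom is constructed sample data.

osdba_group() {
  # $1 = path to config.c; prints the group compiled as SS_DBA_GRP
  sed -n 's/^#define[[:space:]]*SS_DBA_GRP[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

in_group() {
  # $1 = group to look for; remaining args = the user's groups
  grp=$1; shift
  for g in "$@"; do
    [ "$g" = "$grp" ] && return 0
  done
  return 1
}

check_sysdba_os_auth() {
  # $1 = config.c path, $2 = space-separated group list (output of `id -nG`)
  grp=$(osdba_group "$1")
  [ -n "$grp" ] || { echo "no SS_DBA_GRP found in $1"; return 2; }
  # $2 is left unquoted on purpose so the shell splits it into words
  if in_group "$grp" $2; then
    echo "user is in OSDBA group '$grp': '/ as sysdba' over BEQ is allowed"
    return 0
  fi
  echo "user is not in OSDBA group '$grp': '/ as sysdba' over BEQ is refused"
  return 1
}

# Constructed sample config.c: an install where OSDBA was set to oinstall
tmp=$(mktemp -d)
cat > "$tmp/config.c" <<'EOF'
/* constructed sample, not a real config.c */
#define SS_DBA_GRP "oinstall"
#define SS_OPER_GRP "oper"
EOF
# Group list as `id -nG` printed it for the OS user in the thread
check_sysdba_os_auth "$tmp/config.c" "domusers oinstall"
rm -rf "$tmp"
```

If the compiled group turns out to be oinstall rather than dba, every oinstall member gets SYSDBA over BEQ regardless of dba membership.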

Similar Messages

  • Connect to oracle sys user

    Hi folks
    When I try to connect to the Oracle sys user from the Unix box, it opens an idle instance.
    [u01/appl/ora817]$ set ORACLE_SID=fclaie1
    [u01/appl/ora817]$ sqlplus
    SQL*Plus: Release 8.1.7.0.0 - Production on Thu Feb 28 09:37:55 2008
    (c) Copyright 2000 Oracle Corporation. All rights reserved.
    Enter user-name: / as sysdba
    Connected to an idle instance.
    SQL>
    Can someone suggest why an idle instance is starting rather than the normal instance?
    Your expert suggestion is highly appreciated.
    Thanks

    "Connected to an idle instance." Idle instance means the instance has not started.
    You can issue:
    (c) Copyright 2000 Oracle Corporation. All rights reserved.
    Enter user-name: / as sysdba
    Connected to an idle instance.
    SQL> startup <-- (Here)
    After which your instance will be started. By the way, what do you mean by normal instance?
    Adith

  • Programmatically creating Oracle Applications users and groups....

    Hi,
    does anybody know of a way for programmatically creating Oracle Applications users and groups....
    --Arvind Ashtekar

    So my question is still unanswered:
    1) I want to add users programmatically. Can I use apps.fnd_user_pkg to do this if I am using MS Active Directory single sign-on?
    2) Are you sure it is supported by Oracle? If yes, can you give me the link supporting this?
    Can you add my name to your Yahoo chat friends? My id is arvind_ashtekar2001
    I need urgent help.
    I am getting a "login page not found" error for the e-buz home page. The iAS server is running fine. (One more thing: setup failed after 100% installation. I mean it did one more system check and the error was "jsp not responding", and no action after that, just simply close that message window and manually close the setup dialog.)
    What might be the error?
    Thanks
    --Arvind Ashtekar

  • Add grid user to dba group

    Hello,
    After RAC installation, we are facing some cluster issues. After investigation, Oracle support suggested adding the grid user to the dba group. We failed to add the grid user to the dba group on most of the nodes. This is Red Hat Linux 5.
    How can I add the grid user to the dba group and keep the grid user belonging to the other Linux groups? What's the correct command?
    Thanks,
    Diego

    Hi,
    As root:
    #### check before
    id  grid
    #### Change It
    usermod -a -G dba grid
    #### Check after
    id grid
    Levi Pereira

  • Oinstall and Dba group

    What are the levels of security maintained with Oinstall and Dba group at the Oracle level.
    Just want to know for which set of files we need to assign Oinstall and Dba group for which files. Is there any particular reason.
    if so please let me know
    kumaresh

    oinstall/dba are the Unix Oracle privileged groups. Only the Oracle installation owner and the SYSDBA/SYSOPER roles should belong to these groups.
    If you installed your RDBMS using oinstall, all of the ORACLE_HOME and Oracle-related files must belong to this group. If using OS authentication to startup/shutdown and, generally speaking, to connect / as sysdba, your user must belong to the Oracle privileged group. No other user is recommended to belong to this group, as this would open excessive administrative privileges to other users.

  • Need info regarding Oracle UCM Accounts and Security Groups behaviour

    Need information regarding Oracle UCM Accounts and Security Groups behaviour.
    Oracle UCM version: 11.1.1.5.0
    Steps:
    1. Log in with "weblogic" user and created a content with id "content1"
    2. Applied "@acc1(R)" and "TestGroup1" to the content created in step 1
    3. Log out
    4. Log in as "acc1user1", the user is not able to see the "content1"
    5. Log out
    6. Log in as "role1user1", the user is not able to see the "content1"
    Account and Group information:
    1. User "acc1user1" is part of "@acc1(R)"
    2. User "role1user1" is part of "role1(R)" and is mapped to "TestGroup1" in UCM
    Expected:
    Both "acc1user1" and "role1user1" should be able to see "content1" as they have at least Read permission.
    Please help me understand why the users are not able to see the content.

    ACLs, like Accounts, are optional security settings which may add some extra functionality to the mandatory security groups. Likewise, the resulting permission is taken as an intersection of SG and ACLs.
    > But in the second part the number of set of users is huge (approx say 600)
    I don't get this completely. Does this mean that those "sets of users" (users who see the same data) are distinct and that there are 600 of such groups?
    If you read thoroughly the manual I sent earlier, there is a recommendation that there should be maximum 50 security groups, and you should use accounts, should this number be exceeded. This means you could have all the documents in one security group (and have one common role with Read permission), but combine it with accounts. ACLs are not a good choice here - their performance and manageability is much worse than of accounts. ACLs are primarily used if you expect security settings to change during the lifetime (e.g. a project manager adds temporarily rights to access an item to another user, and revokes it when the user finishes his or her work).
    Note that accounts as well as permissions of users within accounts can also be mapped externally (from LDAP/AD) and it usually follows some kind of org chart.
    I'd feel more comfortable not to speak about users, security groups, roles, etc., but about some real-life objects and scenarios.

  • PS Script to find the list of users and the groups in a Workgroup server

    Hi there, could you please explain how to get a complete list of local users and the local groups to which they belong on a "Workgroup" server using PowerShell. I'm able to get the users list but couldn't find any help in finding the script to find which local group the user belongs to. Anticipating your response. Also let me know the cmdlet for Win2k3 servers to find the same.

    Here's some code from David Pham (don't remember where I found this code):
    Trap {"Error: $_"; Break;}
    Function EnumLocalGroup($LocalGroup)
    {
        # Bind to the local group through the WinNT ADSI provider.
        $Group = [ADSI]"WinNT://$strComputer/$LocalGroup,group"
        "Group: $LocalGroup"
        # Invoke the Members method and convert to an array of member objects.
        $Members = @($Group.psbase.Invoke("Members"))
        ForEach ($Member In $Members)
        {
            # Members are COM objects, so read the Name property via reflection.
            $Name = $Member.GetType().InvokeMember("Name", 'GetProperty', $Null, $Member, $Null)
            $Name
        }
    }
    # Specify the computer.
    $strComputer = gc env:computername
    "Computer: $strComputer"
    $computer = [adsi]"WinNT://$strComputer"
    $objCount = ($computer.psbase.children | measure-object).count
    $i = 0
    foreach ($adsiObj in $computer.psbase.children)
    {
        # Only group objects are expanded; users and services are skipped.
        switch -regex ($adsiObj.psbase.SchemaClassName)
        {
            "group"
            {
                $group = $adsiObj.name
                EnumLocalGroup $group
            }
        } #end switch
        $i++
    } #end foreach

  • Getting list of all users and their group memberships from Active Directory

    Hi,
    I want to retrieve a list of all the users and their group memberships through JNDI from Active Directory. I am using the following code to achieve this:
    ==================
    import javax.naming.*;
    import java.util.Hashtable;
    import javax.naming.directory.*;
    public class GetUsersGroups{
         public static void main(String[] args){
              String[] attributeNames = {"memberOf"};
              //create an initial directory context
              Hashtable<String, String> env = new Hashtable<String, String>();
              env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
              env.put(Context.PROVIDER_URL, "ldap://172.19.1.32:389/");
              env.put(Context.SECURITY_AUTHENTICATION, "simple");
              env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
              env.put(Context.SECURITY_CREDENTIALS, "p8admin");
              try {
                   // Create the initial directory context
                   DirContext ctx = new InitialDirContext(env);
                   //get all the users list and their group memberships
                   NamingEnumeration<NameClassPair> contentsEnum = ctx.list("CN=Users,DC=filenetp8,DC=com");
                   while (contentsEnum.hasMore()){
                        NameClassPair ncp = contentsEnum.next();
                        // list() returns names relative to the listed container, not to the context root
                        String userName = ncp.getName();
                        System.out.println("User: "+userName);
                        try{
                             System.out.println("am here....1");
                             Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should be returned
                             System.out.println("am here....2");
                             Attribute groupsAttribute = attrs.get(attributeNames[0]); // memberOf
                             if (groupsAttribute != null){
                                  System.out.println("-----"+groupsAttribute.size());
                                  // memberOf is a multi valued attribute
                                  for (int i=0; i<groupsAttribute.size(); i++){
                                       // print out each group that user belongs to
                                       System.out.println("MemberOf: "+groupsAttribute.get(i));
                                  }
                             }
                        }catch(NamingException ne){
                             // ignore for now
                             System.err.println("Problem encountered....0000:" + ne);
                        }
                   }
                   //get all the groups list
                   ctx.close();
              } catch (NamingException e) {
                   System.err.println("Problem encountered 1111:" + e);
              }
         }
    }
    =================
    The following exception gets thrown at every user entry:
    User: CN=Administrator
    am here....1
    Problem encountered....0000:javax.naming.NamingException: [LDAP: error code 1 -
    000020D6: SvcErr: DSID-03100690, problem 5012 (DIR_ERROR), data 0
    ]; remaining name 'CN=Administrator'
    I think it gets thrown at this line in the code:
    Attributes attrs = ctx.getAttributes(userName, attributeNames);
    Any idea how to overcome this and where am I wrong?
    Thanks in advance,
    Regards.

    In this sentence:
    Attributes attrs = ctx.getAttributes(userName, attributeNames); // only asked for one attribute so only one should
    It seems Ok when I add "CN=Users,DC=filenetp8,DC=com" after userName, just as
    userName + ",CN=Users,DC=filenetp8,DC=com"
    But I still have some problem with it.
    Hope it will be useful for you.

  • Can I add Users and/or Groups?

    Hi,
    Can I add Users and/or Groups in a Realm from my webapplication?
    (not using administrative console....but from my code)
    Thanks,
    Angelo.

    Yes.
    "Angelo" <[email protected]> wrote:
    > Hi,
    > Can I add Users and/or Groups in a Realm from my webapplication?
    > (not using administrative console....but from my code)
    > Thanks,
    > Angelo.

  • Report of Users and their groups

    Hi Experts,
    Is there a way to extract all the Hyperion Planning users and the groups they belong to in Hyperion version 11.1.2.1? I need an Excel file having the users and groups.
    Thanks
    Kannan.

    Hello Kannan,
    Yes, a clean list of Users with their Groups...
    Nothing standard. Strange...
    You might see if this export has something you can use. I do not recall it from the vast amount of detail exported here. The file will be generated on the server, so you might need somebody to pick it up and give it to you.
    MaxL command
    export security_file to data_file "essbase_security_file.txt";
    The alternative is to query the Planning repository. Maybe somebody has experience with this?
    Regards,
    Philip

  • Can not synchronize the SAP NW UME users and system groups with SSM

    We have created a demo environment for a client demo.
    In SAP NW UME:
    1. Create the system group.
    2. Assign the group created to the admin user (pipadmin).
    In the Administrator's user interface:
    3. Access Administration > Set System Defaults in order to synchronize user tables. The data entered in the fields are:
    SSM Administrator = pipadmin
    Cache directory = C:\Program Files\SAP\SSM\InternetPub\cache
    Global cache setting = Enable
    End point = <IP:port>
    User name = pipadmin
    password = ······
    cache = Enable
    Then we click on synchronize tables (Administration > Set System Defaults). The "Update compled" message is shown, but users and application group don't appear in Administration > Manages Application Groups.
    Note: We tried to synchronize yesterday and we received the message: restart the SSM Extended listener.

    Thank you for your answer Bob.
    Yes, I restarted the SSM Extended listener after all the steps.
    Do you know if there is another missing step?
    Regards,
    Santiago

  • LINUX: while deleting old backups got error that ORACLE is not in DBA group

    Error
    Error - The specified host user is not a member of the operating system DBA group. The host user must be a DBA group member since the database user does not have the SYSDBA role.
    But I put the users system and oracle in the OS /etc/group:
    oracle:x:500:oracle,system
    And both users have the DBA role.

    To be able to OS-authenticate a login as sysdba, your OS user needs to be in the dba group which you chose when you did the installation.
    The SYSDBA role is not the same as the DBA role.

  • Grid user in dba group ?

    Hey,
    according to the best practice paper, the grid user should not be part of the dba user group.
    While running cluvfy, this fixup script will put the user grid into this group.
    Is it necessary to put the grid user into the dba group or can I ignore this message?
    Christian

    Christian wrote:
    > Hey,
    > according to the best practice paper, the grid user should not be part of the dba user group.
    > While running cluvfy, this fixup script will put the user grid into this group.
    > Is it necessary to put the grid user into the dba group or can I ignore this message?
    > Christian
    Hi, the GRID user can be part of the DBA group, there is no problem; this is designed for the case where the grid user is supposed to have access to the DBs which would be running on the RAC system.
    See
    http://docs.oracle.com/cd/E11882_01/install.112/e22489/prelinux.htm#BABBIDCF

  • People Picker can resolve users and security group from another domain but no validation for groups

    Dear all,
    Here is the scenario of our issue:
    We are migrating from Domain A to Domain B and in Domain A we currently have a SharePoint 2013 on which we want to set permissions for users and groups that have already migrated to Domain B.
    A bi-directional trust exists between the two domains and all applications relying on the trust and resolving IDs from one domain to another are working fine (Windows RDS for instance).
    The "bug" that we have is when using the PeoplePicker: it can resolve without any issue a user account in Domain A or B, and a security group (type global, I haven't tried local or universal yet) from Domain A or B. But for the security groups only (it works well for users), when I click on "Save" to validate adding the group to the site permissions, I have the following error:
    I have seen a lot of similar issues on the web but no answer so far that works :(
    Example: https://social.technet.microsoft.com/forums/sharepoint/en-US/74e8d14b-a0f4-4e21-8cfa-b1a937247160/cant-provision-security-to-old-domain-users
    If you have any question that could help you to understand it, do not hesitate. 
    Thanks a lot in advance for your help ! :)

    Can you give the snippet from the ULS log where you're seeing this error?
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • LDAP- When importing a Group it goes into Security Users and not Groups.

    Hello,
    I created a new LDAP Server
    cn=GroupBI,OU=Groups,OU=Systems,OU=Milan,OU=Italy,OU=Countries,DC=u,DC=a,DC=g
    Connection Test was ok.
    The problem is on importing members of my group, on Security Import window instead of having the group drop-down list populated I have the user drop-down list populated with "GroupBI".
    If I import this group (considered as a user by BI) it goes into Security > Users and not Security > Groups.
    This does not make sense.
    I'm sure this "GroupBI" is a group and not a user, and the attribute type used is sAMAccountname.
    Any help?
    Cheers

    Let me tell you how we did authentication using LDAP.
    I haven't imported any groups or users once the LDAP is set up and the connection was successful. I simply created the session variables USER, DISPLAYNAME and EMAIL and mapped them to the LDAP variables uid, displayname, mail.
    Authentication is done in this way by mapping the OBIEE variables to LDAP variables instead of importing the groups.
    Now for authorization I created the groups populated using some DB tables, captured the group name and log level, and applied filters on the group in the rpd for data level and permissions on the group in webcat for object level.
    So just for authentication purposes I think we can authenticate without really importing groups as long as you map OB variables to LDAP.
    hope it helps
    Prash
