Ran into an interesting problem with this on Friday.

We've put together a new SAP server that is not yet attached
to a network, and so are using local account names rather than
the normal domain accounts until we're ready to put it on the
network. (We're replacing another server, and this one has
the same name.  We have to name it properly from the beginning,
no switching the name to make it live.)

SAP uses three types of servers in general: PRD, QAS and DEV.

This one happens to be the QAS server.  In this case, there are
two OS accounts on the server, qasadm and sapserviceqas, that
will be created with Oracle accounts identified externally.

Normally these appear as OPS$QASADM and OPS$SAPSERVICEQAS
in the Oracle database.  

The name of the server is SAPQAS.

After installing SAP, we hid the starter db that is installed by renaming
directories, etc.  We then switched in the real database that is a clone
of the current QAS system.

SAP wouldn't start, and wouldn't give any indication of the problem. 
Turning auditing on for sessions showed that the SAP services were
not logging into the database.  Hmmm....

Switched the starter database back in, and took a look at the accounts.

They were somewhat different than expected: OPS$SAPQAS\QASADM
and OPS$SAPQAS\SAPSERVICEQAS.  The machine name had been
included in the account names of the SAP starter database.  Hadn't
seen this before.

Switched the cloned database back in, created accounts with machine
name included ( which requires caps and double quotes due to the
backslash in the account name ), assigned all privs, copied some objects
and started SAP again.

All worked fine after that.  

Is this to be expected?  I still don't know nearly as much about Windoze
as Unix, so maybe I need to bone up on the Windoze security.  ( Don't
laugh please, I have to live with it )

Jared



On Thursday 06 March 2003 16:38, Jacques Kilchoer wrote:
> Thank you for the information. I thought the security issues were more
> fundamental. For example if my database has remote os authentication (with
> prefix OPS$), and I know that there is a user called OPS$JSTILL, then I can
> change the Windows Registry on my client to enable me to logon to the
> database as OPS$JSTILL.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> >
> > At one time you could set the 'ORACLE_USERNAME=SYSTEM' variable in your
> > oracle.ini file, and log into any database as SYSTEM ( without a
> > password ) as long as REMOTE_OS_AUTHEN=true.
> >
> > That was obviously some years ago, and I don't know if that is still
> > possible.
> >
> > I would have hoped that such an obvious hole was plugged years ago.  It
> > seems to me that it was, but I don't recall details.

Author: Jared Still
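The checks and account creation described in the message above, written out as an added example (not code from the thread or from SAP). It assumes a DBA session in SQL*Plus, an audit trail written to the database, and a release where DBA_USERS.PASSWORD shows 'EXTERNAL' for OS-authenticated accounts; the server and account names are the ones given in the message.

```sql
-- Added example, not part of the original message.

-- 1. Parameters that govern OS authentication. REMOTE_OS_AUTHENT = TRUE
--    means the database trusts a user name asserted by the client machine,
--    which is the exposure discussed in the quoted replies.
SELECT name,
       value,
       CASE
         WHEN name = 'remote_os_authent' AND UPPER(value) = 'TRUE'
           THEN 'REVIEW: client-asserted OS user is trusted'
         ELSE 'ok'
       END AS finding
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- 2. Accounts that log in without a database password, and whether the
--    name carries a machine or domain qualifier (the backslash form).
--    Assumption: PASSWORD = 'EXTERNAL' marks these accounts on this release;
--    later releases expose DBA_USERS.AUTHENTICATION_TYPE for the same purpose.
SELECT username,
       CASE
         WHEN INSTR(username, '\') > 0 THEN 'machine-qualified'
         ELSE 'bare OS user name'
       END AS name_form
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;

-- 3. Create the machine-qualified accounts. The backslash is not legal in an
--    unquoted identifier, so the name must be double-quoted and upper case.
CREATE USER "OPS$SAPQAS\QASADM" IDENTIFIED EXTERNALLY;
CREATE USER "OPS$SAPQAS\SAPSERVICEQAS" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "OPS$SAPQAS\QASADM";
GRANT CREATE SESSION TO "OPS$SAPQAS\SAPSERVICEQAS";
-- The SAP-specific privileges and objects mentioned in the message are not
-- listed there, so they are not reproduced here.

-- 4. Session auditing, as used in the message to see whether the SAP
--    services reach the database. A non-zero RETURNCODE is a failed logon;
--    USERNAME shows the account name the session actually presented.
AUDIT SESSION;

SELECT os_username, username, userhost, returncode, timestamp
  FROM dba_audit_session
 WHERE returncode <> 0
 ORDER BY timestamp DESC;
```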