/ as sysdba issue with AD membership [message #655469] Wed, 31 August 2016 08:13
gijskerstens
Messages: 2
Registered: August 2016
Junior Member
On most of our other servers, we add 1 AD group that contains the various relevant users to the local ORADBA group, and are able to log in with / as sysdba. On 1 server, with the same setup as the others, we get an ORA-01017 Invalid Username / password: logon denied when trying to connect with / as sysdba, unless the AD user logged in is directly a member of the ORADBA group, instead of via an AD group.
Has anyone ever encountered this issue, and does anyone know what causes this difference?

[Updated on: Wed, 31 August 2016 08:49]


Re: / as sysdba issue with AD membership [message #655473 is a reply to message #655469] Wed, 31 August 2016 10:19
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
Welcome to the forum. Please read our OraFAQ Forum Guide and How to use [code] tags and make your code easier to read

I'm not very good with Windows, but I have often found that domain groups cause problems. Please can you run these (or similar) to see if anything is obviously different on the two machines:

whoami 
whoami /groups 

(please use the [code] tags to format it)
Re: / as sysdba issue with AD membership [message #655493 is a reply to message #655473] Thu, 01 September 2016 01:10
gijskerstens
Messages: 2
Registered: August 2016
Junior Member
whoami /groups from the server where it functions correctly:
GROUP INFORMATION
-----------------

Group Name                               Type             SID                                            Attributes                                                     
======================================== ================ ============================================== ===============================================================
Everyone                                 Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group             
DBS0010004\ora_dba                       Alias            S-1-5-21-2546961453-2121279585-425628438-1000  Mandatory group, Enabled by default, Enabled group             
BUILTIN\Users                            Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators                   Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\REMOTE INTERACTIVE LOGON    Well-known group S-1-5-14                                       Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\INTERACTIVE                 Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users         Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization           Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group             
LOCAL                                    Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group             
DAMEN\G-MG-IFS-A                         Group            S-1-5-21-1367750691-1023149619-2204648915-1770 Mandatory group, Enabled by default, Enabled group             
from the server where the issue occurs:
Everyone                                 Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group             
DBS0020056\ora_dba                       Alias            S-1-5-21-3026858500-674165576-603926984-1000   Mandatory group, Enabled by default, Enabled group             
BUILTIN\Users                            Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group             
BUILTIN\Administrators                   Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\REMOTE INTERACTIVE LOGON    Well-known group S-1-5-14                                       Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\INTERACTIVE                 Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\Authenticated Users         Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group             
NT AUTHORITY\This Organization           Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group             
LOCAL                                    Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group             
DAMEN\G-MG-IFS-A                         Group            S-1-5-21-1367750691-1023149619-2204648915-1770 Mandatory group, Enabled by default, Enabled group             
I've removed a few pages' worth of AD groups from both outputs, as they relate to other servers, applications, etc.
DAMEN\G-MG-IFS-A is the AD group that my colleagues and I are part of, and that, in turn, is part of the local ORA_DBA group. On neither server am I directly part of the ORA_DBA group.

[Updated on: Thu, 01 September 2016 01:15]

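Added example (not part of the original thread): one way to make the comparison requested in the reply above is to save the `whoami /groups` output from each server and diff the two by SID and attributes rather than by eye. The function names and the `render` layout helper are assumptions of this example; the sample rows are taken from the two outputs posted above.

```python
import re

def parse_groups(text):
    """Parse `whoami /groups` table output into {sid: (name, type, attributes)}."""
    lines = text.splitlines()
    # The ruler line of '=' runs gives the fixed column boundaries.
    ruler = next(i for i, l in enumerate(lines) if l.startswith("===="))
    spans = [m.span() for m in re.finditer(r"=+", lines[ruler])]
    groups = {}
    for line in lines[ruler + 1:]:
        if not line.strip():
            continue
        cols = [line[s:e].strip() for s, e in spans[:-1]]
        cols.append(line[spans[-1][0]:].strip())  # last column can overrun the ruler
        name, gtype, sid, attrs = cols
        groups[sid] = (name, gtype, attrs)
    return groups

def compare(a, b):
    """Diff two parsed tokens by SID; pair leftovers that share a short group name."""
    only_a = {s: a[s][0] for s in a.keys() - b.keys()}
    only_b = {s: b[s][0] for s in b.keys() - a.keys()}
    changed = {a[s][0]: (a[s][2], b[s][2])
               for s in a.keys() & b.keys() if a[s][2] != b[s][2]}
    short = lambda n: n.split("\\")[-1].lower()
    # Same name after the backslash but different SID: a machine-local group on each host.
    pairs = sorted((x, y) for x in only_a.values() for y in only_b.values()
                   if short(x) == short(y))
    return only_a, only_b, changed, pairs

# Sample input: rows taken from the two outputs posted above, re-rendered in
# whoami's fixed-width layout (the layout helper is part of this example).
FMT = "{:<24} {:<16} {:<46} {}"
M = "Mandatory group, Enabled by default, Enabled group"

def render(rows):
    head = ["", "GROUP INFORMATION", "-----------------", "",
            FMT.format("Group Name", "Type", "SID", "Attributes"),
            FMT.format("=" * 24, "=" * 16, "=" * 46, "=" * 15)]
    return "\n".join(head + [FMT.format(*r) for r in rows])

COMMON = [("Everyone", "Well-known group", "S-1-1-0", M),
          ("DAMEN\\G-MG-IFS-A", "Group", "S-1-5-21-1367750691-1023149619-2204648915-1770", M)]
WORKING = render(COMMON + [("DBS0010004\\ora_dba", "Alias",
                            "S-1-5-21-2546961453-2121279585-425628438-1000", M)])
FAILING = render(COMMON + [("DBS0020056\\ora_dba", "Alias",
                            "S-1-5-21-3026858500-674165576-603926984-1000", M)])

if __name__ == "__main__":
    only_a, only_b, changed, pairs = compare(parse_groups(WORKING), parse_groups(FAILING))
    print("same name, different SID:", pairs)
    print("attribute changes:", changed)
```

On these rows the only difference reported is the machine-local ora_dba alias, which has a different SID on each server; DAMEN\G-MG-IFS-A appears with the same SID and attributes in both.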