O gato morto é explicado no note ID 284344.1 - DBA_USERS.ACCOUNT_STATUS shows LOCKED after FAILED_LOGIN_ATTEMPTS Is Breached:
Expected behaviour is 1. Oracle release is <= 11.1.0.7. DBA_USERS.ACCOUNT_STATUS = LOCKED(TIMED) whenever the number of failed login attempts is > FAILED_LOGIN_ATTEMPTS 2. Oracle release is >= 11.2 and PASSWORD_LOCK_TIME = unlimited: DBA_USERS.ACCOUNT_STATUS = LOCKED whenever the number of failed login attempts is > FAILED_LOGIN_ATTEMPTS 3. Oracle release is >= 11.2 and PASSWORD_LOCK_TIME = <some fix value> DBA_USERS.ACCOUNT_STATUS = LOCKED(TIMED) whenever the number of failed login attempts is > FAILED_LOGIN_ATTEMPTS Note that 10.2.0.5 displays the same behavior as 11.2, because the fix that changed the behavior in 11.2 was introduced in 10.2.0.5. O banco do Chiappa deve ser 10.2.0.5, o do Paulo é 10.2.0.4. 2012/9/11 Ivan Ricardo Schuster <ivanr...@gmail.com>: > Tem algum gato morto aí. Antes realmente tinha testado em um banco > 11.2.0.2, criando um profile novo e só definindo o > FAILED_LOGIN_ATTEMPTS, mas usando o profile default em um banco > 10.2.0.4, também tenho "LOCKED(TIMED)": > > SQL> select * from dba_profiles where profile='DEFAULT'; > > PROFILE RESOURCE_NAME RESOURCE LIMIT > ------------------------------ -------------------------------- > -------- ---------------------------------------- > DEFAULT COMPOSITE_LIMIT KERNEL > UNLIMITED > DEFAULT SESSIONS_PER_USER KERNEL > UNLIMITED > DEFAULT CPU_PER_SESSION KERNEL > UNLIMITED > DEFAULT CPU_PER_CALL KERNEL > UNLIMITED > DEFAULT LOGICAL_READS_PER_SESSION KERNEL > UNLIMITED > DEFAULT LOGICAL_READS_PER_CALL KERNEL > UNLIMITED > DEFAULT IDLE_TIME KERNEL > UNLIMITED > DEFAULT CONNECT_TIME KERNEL > UNLIMITED > DEFAULT PRIVATE_SGA KERNEL > UNLIMITED > DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 10 > DEFAULT PASSWORD_LIFE_TIME PASSWORD > UNLIMITED > DEFAULT PASSWORD_REUSE_TIME PASSWORD > UNLIMITED > DEFAULT PASSWORD_REUSE_MAX PASSWORD > UNLIMITED > DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD NULL > DEFAULT PASSWORD_LOCK_TIME PASSWORD > UNLIMITED > DEFAULT PASSWORD_GRACE_TIME PASSWORD > UNLIMITED > > SQL> alter user ivan profile default; > > User altered. > > SQL> alter user ivan account unlock; > > User altered. > > SQL> conn ivan/1 > ERROR: > ORA-01017: invalid username/password; logon denied > > > Warning: You are no longer connected to ORACLE. > SQL> conn ivan/1 > ERROR: > ORA-01017: invalid username/password; logon denied > > > SQL> conn ivan/1 > ERROR: > ORA-01017: invalid username/password; logon denied > > > SQL> conn ivan/1 > ERROR: > ORA-01017: invalid username/password; logon denied > > > SQL> conn ivan/1 > ERROR: > ORA-01017: invalid username/password; logon denied > > > SQL> conn ivan/1 > ERROR: > ORA-01017: invalid username/password; logon denied > > > SQL> conn ivan/1 > ERROR: > ORA-01017: invalid username/password; logon denied > > > SQL> conn ivan/1 > ERROR: > ORA-01017: invalid username/password; logon denied > > > SQL> conn ivan/1 > ERROR: > ORA-01017: invalid username/password; logon denied > > > SQL> conn ivan/1 > ERROR: > ORA-01017: invalid username/password; logon denied > > > SQL> conn ivan/1 > ERROR: > ORA-28000: the account is locked > > > SQL> conn / as sysdba > Connected. > SQL> select ACCOUNT_STATUS from dba_users where username='IVAN'; > > ACCOUNT_STATUS > -------------------------------- > LOCKED(TIMED) > > SQL> select banner from v$version; > > BANNER > ---------------------------------------------------------------- > Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Prod > PL/SQL Release 10.2.0.4.0 - Production > CORE 10.2.0.4.0 Production > TNS for Linux: Version 10.2.0.4.0 - Production > NLSRTL Version 10.2.0.4.0 - Production > > > > > > 2012/9/11 J. Laurindo Chiappa <jlchia...@yahoo.com.br>: >> Colega, se REALMENTE vc conferiu no database, consultando a DBA_PROFILES e >> a DBA_USERS (não se fiando em defaults e nem em documentação e/ou na palavra >> de analistas), e realmente os usuários estão no profile DEFAULT ** e ** o >> profile default realmente está Inalterado, então vc NÂO deveria ter esse >> status de LOCK (TIMED) , veja o teste : >> >> => com tudo Realmente default (é o caso deste database de testes) , um >> account só vai ficar bloqueado por ACCOUNT LOCK ou por senha errada por 10 >> vezes, veja : >> >> SYSTEM@O10GR2::SQL>select * from dba_profiles; >> >> PROFILE RESOURCE_NAME RESOURCE >> LIMIT >> ------------------------------ -------------------------------- -------- >> ------------ >> DEFAULT COMPOSITE_LIMIT KERNEL >> UNLIMITED >> DEFAULT SESSIONS_PER_USER KERNEL >> UNLIMITED >> DEFAULT CPU_PER_SESSION KERNEL >> UNLIMITED >> DEFAULT CPU_PER_CALL KERNEL >> UNLIMITED >> DEFAULT LOGICAL_READS_PER_SESSION KERNEL >> UNLIMITED >> DEFAULT LOGICAL_READS_PER_CALL KERNEL >> UNLIMITED >> DEFAULT IDLE_TIME KERNEL >> UNLIMITED >> DEFAULT CONNECT_TIME KERNEL >> UNLIMITED >> DEFAULT PRIVATE_SGA KERNEL >> UNLIMITED >> DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 10 >> DEFAULT PASSWORD_LIFE_TIME PASSWORD >> UNLIMITED >> DEFAULT PASSWORD_REUSE_TIME PASSWORD >> UNLIMITED >> DEFAULT PASSWORD_REUSE_MAX PASSWORD >> UNLIMITED >> DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD NULL >> DEFAULT PASSWORD_LOCK_TIME PASSWORD >> UNLIMITED >> DEFAULT PASSWORD_GRACE_TIME PASSWORD >> UNLIMITED >> WKSYS_PROF COMPOSITE_LIMIT KERNEL >> DEFAULT >> WKSYS_PROF SESSIONS_PER_USER KERNEL >> DEFAULT >> WKSYS_PROF CPU_PER_SESSION KERNEL >> DEFAULT >> WKSYS_PROF CPU_PER_CALL KERNEL >> DEFAULT >> WKSYS_PROF LOGICAL_READS_PER_SESSION KERNEL >> DEFAULT >> WKSYS_PROF LOGICAL_READS_PER_CALL KERNEL >> DEFAULT >> WKSYS_PROF IDLE_TIME KERNEL >> DEFAULT >> WKSYS_PROF CONNECT_TIME KERNEL >> DEFAULT >> WKSYS_PROF PRIVATE_SGA KERNEL >> DEFAULT >> WKSYS_PROF FAILED_LOGIN_ATTEMPTS PASSWORD >> UNLIMITED >> WKSYS_PROF PASSWORD_LIFE_TIME PASSWORD >> DEFAULT >> WKSYS_PROF PASSWORD_REUSE_TIME PASSWORD >> DEFAULT >> WKSYS_PROF PASSWORD_REUSE_MAX PASSWORD >> DEFAULT >> WKSYS_PROF PASSWORD_VERIFY_FUNCTION PASSWORD >> DEFAULT >> WKSYS_PROF PASSWORD_LOCK_TIME PASSWORD >> DEFAULT >> WKSYS_PROF PASSWORD_GRACE_TIME PASSWORD >> DEFAULT >> >> 32 linhas selecionadas. >> >> => vou fazer USER_TESTE e SCOTT bloquearem : >> >> SYSTEM@O10GR2::SQL>alter user user_teste account lock; >> >> Usuario alterado. >> >> SYSTEM@O10GR2::SQL>connect scott/1 >> ERROR: >> ORA-01017: senha/nome do usuario invalido; logon negado >> >> >> Advertencia: Voce n?o esta mais conectado ao ORACLE. >> SYSTEM@O10GR2::SQL>connect scott/1 >> ERROR: >> ORA-01017: senha/nome do usuario invalido; logon negado >> >> >> SYSTEM@O10GR2::SQL>connect scott/1 >> ERROR: >> ORA-01017: senha/nome do usuario invalido; logon negado >> >> >> SYSTEM@O10GR2::SQL>connect scott/1 >> ERROR: >> ORA-01017: senha/nome do usuario invalido; logon negado >> >> >> SYSTEM@O10GR2::SQL>connect scott/1 >> ERROR: >> ORA-01017: senha/nome do usuario invalido; logon negado >> >> >> SYSTEM@O10GR2::SQL>connect scott/1 >> ERROR: >> ORA-01017: senha/nome do usuario invalido; logon negado >> >> >> SYSTEM@O10GR2::SQL>connect scott/1 >> ERROR: >> ORA-01017: senha/nome do usuario invalido; logon negado >> >> >> SYSTEM@O10GR2::SQL>connect scott/1 >> ERROR: >> ORA-01017: senha/nome do usuario invalido; logon negado >> >> >> SYSTEM@O10GR2::SQL>connect scott/1 >> ERROR: >> ORA-01017: senha/nome do usuario invalido; logon negado >> >> >> SYSTEM@O10GR2::SQL>connect scott/1 >> ERROR: >> ORA-01017: senha/nome do usuario invalido; logon negado >> >> >> SYSTEM@O10GR2::SQL>connect scott/1 >> ERROR: >> ORA-28000: a conta esta bloqueada >> >> >> SYSTEM@O10GR2::SQL>conn system/oracle >> Conectado. >> >> ==> Eis o importante : note que AMBOS estão REALMENTE no profile DEFAULT, >> acima nós vimos que o default NÃO FOI ALTERADO, ambos estão como LOCKED (e >> não LOCKED (TIME), NÃO possuem EXPIRY_TIME (pois estão LOCKED apenas, não >> foram expirados) e que USER_TESTE (que foi lockado diretamente) ** possui ** >> LOCK_DATE, enquanto SCOTT (que bloqueou por regra) não contém LOCK_DATE ..... >> >> SYSTEM@O10GR2::SQL>select * from dba_users; >> >> USERNAME ACCOUNT_STATUS LOCK_DATE >> EXPIRY_DATE PROFILE >> ---------------- -------------------------------- ------------------- >> ------------------- ------------ >> SYSTEM OPEN >> DEFAULT >> SYS OPEN >> DEFAULT >> MGMT_VIEW OPEN >> DEFAULT >> SYSMAN OPEN >> DEFAULT >> DBSNMP OPEN >> DEFAULT >> HR OPEN >> DEFAULT >> OE OPEN >> DEFAULT >> SH OPEN >> DEFAULT >> IX OPEN >> DEFAULT >> PM OPEN >> DEFAULT >> BI OPEN >> DEFAULT >> TESTE11G OPEN >> DEFAULT >> OPS$JCHIAPPA OPEN >> DEFAULT >> USER_TESTE LOCKED 11/09/2012 13:48:54 >> DEFAULT >> SCOTT LOCKED >> DEFAULT >> OUTLN EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> WKSYS EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 WKSYS_PROF >> OLAPSYS EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> ORDPLUGINS EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> WKPROXY EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> XDB EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> ANONYMOUS EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> CTXSYS EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> WK_TEST EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> WMSYS EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> DMSYS EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> EXFSYS EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> ORDSYS EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> MDSYS EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> DIP EXPIRED & LOCKED 01/03/2012 14:12:48 >> DEFAULT >> MDDATA EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> TSMSYS EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> ORACLE_OCM EXPIRED & LOCKED 01/03/2012 14:45:14 >> 01/03/2012 14:45:14 DEFAULT >> >> 34 linhas selecionadas. >> >> SYSTEM@O10GR2::SQL> >> >> ====> SE o database em questão tá apresentando status diferentes, PLZ veja >> os seus profiles E as colunas da DBA_USER , pois algo Não Está batendo aí >> .... >> >> []s >> >> Chiappa >> >> >> --- Em oracle_br@yahoogrupos.com.br, Paulo Couto <paulopcto2002@...> escreveu >>> >>> Amigos, algumas vezes nestes últimos meses alguns usuários reclamam que não >>> acessam uma aplicação e quando vou verificar a conta no banco do dito >>> sistema está bloqueada com o status de LOCKED (TIMED). >>> Todas as contas estão usando o profile default e apenas o parametro "FAILED >>> LOGIN ATTEMPTS" está setado para 10, o restante está como UNLIMITED. >>> Gostaria de saber como descobrir a causa destes bloqueios e o que causa >>> este tipo de bloqueio. >>> >>> Estamos utilizando o Oracle 10g patch 10.2.0.4 em windows server 2003. >>> >>> Att, >>> >>> Paulo. >>> >>> [As partes desta mensagem que não continham texto foram removidas] >>> >> >> >> >> >> ------------------------------------ >> >> -------------------------------------------------------------------------------------------------------------------------- >>>Atenção! As mensagens do grupo ORACLE_BR são de acesso público e de inteira >>>responsabilidade de seus remetentes. >> Acesse: http://www.mail-archive.com/oracle_br@yahoogrupos.com.br/ >> -------------------------------------------------------------------------------------------------------------------------- >>>Apostilas » Dicas e Exemplos » Função » Mundo Oracle » Package » Procedure » >>>Scripts » Tutoriais - O GRUPO ORACLE_BR TEM SEU PROPRIO ESPAÇO! VISITE: >>>http://www.oraclebr.com.br/ >> ------------------------------------------------------------------------------------------------------------------------ >> Links do Yahoo! Grupos >> >> > > > > -- > Ivan Ricardo Schuster > OCP 10g/11g > OCE RAC 10g/Linux -- Ivan Ricardo Schuster OCP 10g/11g OCE RAC 10g/Linux