Re: remote / as sysdba

2003-03-10 Thread Jared Still

Ah, thanks.  Didn't try anything with that Friday.

Jared

On Sunday 09 March 2003 22:58, Alex Feinstein wrote:
 Jared,
 Look at Note 60634.1 on MetaLink.
 OSAUTH_PREFIX_DOMAIN = TRUE is default for 8.1 and 9.
 Alex.

 - Original Message -
 To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
 Sent: Sunday, March 09, 2003 10:08 PM
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).



Re: remote / as sysdba

2003-03-09 Thread Jared Still

Ran into an interesting problem with this on Friday.

We've put together a new SAP server that is not yet attached
to a network, and so are using local account names rather than
the normal domain accounts until we're ready to put it on the
network. (We're replacing another server, and this one has
the same name.  We have to name it properly from the beginning,
no switching the name to make it live.)

SAP uses three types of servers in general: PRD, QAS and DEV.

This one happens to be the QAS server.  In this case, there are
two OS accounts on the server, qasadm and sapserviceqas, that
will be created with oracle accounts identified externally.

Normally these appear as OPS$QASADM and OPS$SAPSERVICEQAS
in the Oracle database.  

The name of the server is SAPQAS.

After installing SAP, we hid the starter db that is installed by renaming
directories, etc.  We then switched in the real database that is a clone
of the current QAS system.

SAP wouldn't start, and wouldn't give any indication of the problem. 
Turning auditing on for sessions showed that the SAP services were
not logging into the database.  Hmmm

Switched the starter database back in, and took a look at the accounts.

They were somewhat different than expected: OPS$SAPQAS\QASADM
and OPS$SAPQAS\SAPSERVICEQAS.  The machine name had been
included in the account names of the SAP starter database.  Hadn't
seen this before.

Switched the cloned database back in, created accounts with machine
name included (which requires caps and double quotes due to the
backslash in the account name), assigned all privs, copied some objects
and started SAP again.

All worked fine after that.  

Is this to be expected?  I still don't know nearly as much about Windoze
as Unix, so maybe I need to bone up on the Windoze security.  ( Don't
laugh please, I have to live with it )

Jared



On Thursday 06 March 2003 16:38, Jacques Kilchoer wrote:
 Thank you for the information. I thought the security issues were more
 fundamental. For example if my database has remote os authentication (with
 prefix OPS$), and I know that there is a user called OPS$JSTILL, then I can
 change the Windows Registry on my client to enable me to logon to the
 database as OPS$JSTILL.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 
  At one time you could set the 'ORACLE_USERNAME=SYSTEM'
  variable in your
  oracle.ini
  file, and log into any database as SYSTEM ( without a
  password ) as long
  as REMOTE_OS_AUTHEN=true.
 
  That was obviously some years ago, and I don't know if that is still
  possible.
 
  I would have hoped that such an obvious hole was plugged
  years ago.  It
  seems to
  me that it was, but I don't recall details.
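
Added example, not part of the original thread: a SQL*Plus review of the OS-authenticated accounts discussed in the message above. It assumes the 9i-era data dictionary used in the thread, where DBA_USERS.PASSWORD reads EXTERNAL for such accounts; the account names are the ones from Jared's post.

```sql
-- Added example: review of OS-authenticated ("identified externally") logons.
-- Run from SQL*Plus as a DBA on the instance under review.

-- 1. The two settings that decide how an OS name maps to a database account.
--    REMOTE_OS_AUTHENT = TRUE means the server accepts the OS user name
--    reported by a remote client, which is the exposure raised in the thread.
SELECT name, value
  FROM v$parameter
 WHERE LOWER(name) IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Every account that logs on without a database password, and whether its
--    name carries a DOMAIN\ or MACHINE\ qualifier (the OSAUTH_PREFIX_DOMAIN
--    behaviour named in Alex's reply).
SELECT username,
       account_status,
       CASE WHEN INSTR(username, '\') > 0
            THEN 'qualified'
            ELSE 'unqualified'
       END AS name_form
  FROM dba_users
 WHERE password = 'EXTERNAL'
 ORDER BY username;

-- 3. Externally identified accounts that hold the DBA role. These are the
--    first ones to review when remote_os_authent is TRUE.
SELECT u.username, r.granted_role
  FROM dba_users u, dba_role_privs r
 WHERE r.grantee = u.username
   AND u.password = 'EXTERNAL'
   AND r.granted_role = 'DBA'
 ORDER BY u.username;

-- 4. The machine-qualified accounts from the SAPQAS server. The backslash is
--    why the names must be upper case and wrapped in double quotes.
CREATE USER "OPS$SAPQAS\QASADM" IDENTIFIED EXTERNALLY;
CREATE USER "OPS$SAPQAS\SAPSERVICEQAS" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "OPS$SAPQAS\QASADM";
GRANT CREATE SESSION TO "OPS$SAPQAS\SAPSERVICEQAS";

-- 5. Where OS authentication is only needed for local logons, keep this line
--    in init.ora and restart the instance:
--      remote_os_authent = FALSE
```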





Re: remote / as sysdba

2003-03-09 Thread Alex Feinstein
Jared,
Look at Note 60634.1 on MetaLink.
OSAUTH_PREFIX_DOMAIN = TRUE is default for 8.1 and 9.
Alex.

- Original Message - 
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
Sent: Sunday, March 09, 2003 10:08 PM




RE: remote / as sysdba

2003-03-06 Thread MARREIROS,RUI (HP-Portugal,ex1)
Have you got the remote login password file?
If you set it, I think it should work.
Take a look at Note:1016540.6


-Original Message-
[mailto:[EMAIL PROTECTED]
Sent: Thursday, March 06, 2003 7:09 PM
To: Multiple recipients of list ORACLE-L



Hello,

env: Oracle 9.2.0.2 on Solaris 9.

Does anyone know of a way to use the / as sysdba logon remotely?
(to a separate Oracle instance on a separate machine)

Other remote user logons work OK.

I have tried several variations from sqlplus, such as

[EMAIL PROTECTED]connect /@DWQ as sysdba
ERROR:
ORA-01031: insufficient privileges

Warning: You are no longer connected to ORACLE.

[EMAIL PROTECTED]connect sys/[EMAIL PROTECTED] as sysdba
ERROR:
ORA-01017: invalid username/password; logon denied

[EMAIL PROTECTED]connect sys/exr_sys as [EMAIL PROTECTED]
SP2-0306: Invalid option.
Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
where logon  ::= username[/password][@connect_string] | /

[EMAIL PROTECTED]connect sys/[EMAIL PROTECTED]
ERROR:
ORA-28009: connection to sys should be as sysdba or sysoper

I also find I cannot even connect sys/syspassword locally:

[EMAIL PROTECTED]connect sys/sys_password
ERROR:
ORA-28009: connection to sys should be as sysdba or sysoper

This does work locally, but not remotely:

[EMAIL PROTECTED]connect sys/sys_password as sysdba
Connected.

I am a  member of the dba group on both platforms. 

I have verified that I am using the correct sys_password for sys
on the remote instance.

Eventually, I want to do a remote transportable tablespace import, where 
the userid would be listed in a parfile; I have tried the same logons in
a parfile, and that also fails.

I found a Metalink doc that says the O7_DICTIONARY_ACCESSIBILITY (sp?)
must be true to do this, but the same doc strongly advises against setting
this to true.

So, has anyone found a way to use the / as sysdba logon remotely?
(without setting the O7 parameter to true)

Thanks to any responders.





RE: remote / as sysdba

2003-03-06 Thread Jacques Kilchoer

As far as I know, it works like this:
You will need to set init parameter REMOTE_LOGIN_PASSWORD_FILE to EXCLUSIVE.
You then can sign on as SYS remotely, or as another user remotely if the other user has SYSDBA. See the users that have SYSDBA or SYSOPER in v$pwfile_users.

As the view name suggests, you will also need a password file for the database, which should be created with the orapwd utility.

$ orapwd
Usage: orapwd file=fname password=password entries=users


 where
 file - name of password file (mand),
 password - password for SYS and INTERNAL (mand),
 entries - maximum number of distinct DBA and OPERs (opt),
 There are no spaces around the equal-to (=) character.


Once you've done all that, you can connect remotely by saying the following in SQL*Plus:
connect sys/[EMAIL PROTECTED] as sysdba


But I don't think you will ever be able to do
connect / as sysdba remotely. For one thing, the syntax in SQL*Plus is:
Syntaxe : CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
ou logon ::= username[/password][@connect_string] | /


So the logon is either username/[EMAIL PROTECTED] or else / all by itself. How would you tell SQL*Plus which remote database you want to connect to? I tried setting TWO_TASK to the tns_alias for the database, but that didn't help. It seems to me that when you enable remote SYSDBA logins Oracle will insist on verifying a password for the SYSDBA user in the password file.

Or is there some clever trick I don't know about?


 -Original Message-
 From: [EMAIL PROTECTED]
 
 env: Oracle 9.2.0.2 on Solaris 9.
 
 Does anyone know of a way to use the / as sysdba logon remotely?
 (to a separate Oracle instance on a separate machine)
 
 Other remote user logons work OK.
 
 I have tried several variations from sqlplus, such as
 
 [EMAIL PROTECTED]connect /@DWQ as sysdba
 ERROR:
 ORA-01031: insufficient privileges
 
 Warning: You are no longer connected to ORACLE.
 
 [EMAIL PROTECTED]connect sys/[EMAIL PROTECTED] as sysdba
 ERROR:
 ORA-01017: invalid username/password; logon denied
 
 [EMAIL PROTECTED]connect sys/exr_sys as [EMAIL PROTECTED]
 SP2-0306: Invalid option.
 Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
 where logon ::= username[/password][@connect_string] | /
 
 [EMAIL PROTECTED]connect sys/[EMAIL PROTECTED]
 ERROR:
 ORA-28009: connection to sys should be as sysdba or sysoper
 
 I also find I cannot even connect sys/syspassword locally:
 
 [EMAIL PROTECTED]connect sys/sys_password
 ERROR:
 ORA-28009: connection to sys should be as sysdba or sysoper
 
 This does work locally, but not remotely:
 
 [EMAIL PROTECTED]connect sys/sys_password as sysdba
 Connected.
 
 I am a member of the dba group on both platforms. 
 
 I have verified that I am using the correct sys_password for sys
 on the remote instance.
 
 Eventually, I want to do a remote transportable tablespace 
 import, where 
 the userid would be listed in a parfile; I have tried the 
 same logons in
 a parfile, and that also fails.
 
 I found a Metalink doc that says the O7_DICTIONARY_ACCESSIBILITY (sp?)
 must be true to do this, but the same doc strongly advises 
 against setting
 this to true.
 
 So, has anyone found a way to use the / as sysdba logon remotely?
 (without setting the O7 parameter to true)





Re: remote / as sysdba

2003-03-06 Thread Jared . Still
Bill,

You can't do that.  If you try to, you will eventually see ORA-1997


12:18:58 rsysdevdb.radisys.com - [EMAIL PROTECTED] SQL grant sysdba to 
ops$jkstill;
grant sysdba to ops$jkstill
*
ERROR at line 1:
ORA-01997: GRANT failed: user 'OPS$JKSTILL' is identified externally


12:19:07 rsysdevdb.radisys.com - [EMAIL PROTECTED] SQL


You can create a remote user that can logon as sysdba remotely, but 
that user must have a password.

See MetaLink Doc # 185703.1

Jared






[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
 03/06/2003 11:08 AM
 Please respond to ORACLE-L

 
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
cc: 
Subject:remote / as sysdba



Hello,

env: Oracle 9.2.0.2 on Solaris 9.

Does anyone know of a way to use the / as sysdba logon remotely?
(to a separate Oracle instance on a separate machine)

Other remote user logons work OK.

I have tried several variations from sqlplus, such as

[EMAIL PROTECTED]connect /@DWQ as sysdba
ERROR:
ORA-01031: insufficient privileges

Warning: You are no longer connected to ORACLE.

[EMAIL PROTECTED]connect sys/[EMAIL PROTECTED] as sysdba
ERROR:
ORA-01017: invalid username/password; logon denied

[EMAIL PROTECTED]connect sys/exr_sys as [EMAIL PROTECTED]
SP2-0306: Invalid option.
Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
where logon  ::= username[/password][@connect_string] | /

[EMAIL PROTECTED]connect sys/[EMAIL PROTECTED]
ERROR:
ORA-28009: connection to sys should be as sysdba or sysoper

I also find I cannot even connect sys/syspassword locally:

[EMAIL PROTECTED]connect sys/sys_password
ERROR:
ORA-28009: connection to sys should be as sysdba or sysoper

This does work locally, but not remotely:

[EMAIL PROTECTED]connect sys/sys_password as sysdba
Connected.

I am a  member of the dba group on both platforms. 

I have verified that I am using the correct sys_password for sys
on the remote instance.

Eventually, I want to do a remote transportable tablespace import, where 
the userid would be listed in a parfile; I have tried the same logons in
a parfile, and that also fails.

I found a Metalink doc that says the O7_DICTIONARY_ACCESSIBILITY (sp?)
must be true to do this, but the same doc strongly advises against setting
this to true.

So, has anyone found a way to use the / as sysdba logon remotely?
(without setting the O7 parameter to true)

Thanks to any responders.





RE: remote / as sysdba

2003-03-06 Thread becker . bill

*** Comments by BECKER, BILL  Thu Mar 06, 2003 -- 03:30:49 PM
I have tried this, but it still does not work.

[EMAIL PROTECTED]select value from v$parameter
  2  where name = 'remote_login_passwordfile';

VALUE
---
EXCLUSIVE

(This instance was bounced; not yet using spfiles.)

[EMAIL PROTECTED]select * from v$pwfile_users;

USERNAME   SYSDB SYSOP
---------- ----- -----
SYS        TRUE  TRUE

I have verified that the orapwDWQ file exists in $ORACLE_HOME/dbs
with the correct unix perms.

So I connect as sys to the local instance:

[EMAIL PROTECTED]connect sys/syspassword as sysdba
Connected.
[EMAIL PROTECTED]sho user
USER is SYS

But when trying to connect to the remote instance:

[EMAIL PROTECTED]connect sys/[EMAIL PROTECTED] as sysdba
ERROR:
ORA-01017: invalid username/password; logon denied

Do both instances need to have remote_login_passwordfile=EXCLUSIVE,
or just the remote instance? Am I missing something else?


*** Original message by Jacques Kilchoer [EMAIL PROTECTED]
As far as I know, it works like this:
You will need to set init parameter REMOTE_LOGIN_PASSWORD_FILE to EXCLUSIVE.
You then can sign on as SYS remotely, or as another user remotely if the
other user has SYSDBA. See the users that have SYSDBA or SYSOPER in
v$pwfile_users.
As the view name suggests, you will also need a password file for the
database, which should be created with the orapwd utility.
$ orapwd
Usage: orapwd file=fname password=password entries=users

  where
file - name of password file (mand),
password - password for SYS and INTERNAL (mand),
entries - maximum number of distinct DBA and OPERs (opt),
  There are no spaces around the equal-to (=) character.

Once you've done all that, you can connect remotely by saying the following
in SQL*Plus:
connect sys/[EMAIL PROTECTED] as sysdba

But I don't think you will ever be able to do
connect / as sysdba remotely. For one thing, the syntax in SQL*Plus is:
Syntaxe : CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
ou logon  ::= username[/password][@connect_string] | /

So the logon is either username/[EMAIL PROTECTED] or else / all by
itself. How would you tell SQL*Plus which remote database you want to
connect to? I tried setting TWO_TASK to the tns_alias for the database, but
that didn't help. It seems to me that when you enable remote SYSDBA logins
Oracle will insist on verifying a password for the SYSDBA user in the
password file.
Or is there some clever trick I don't know about?

 -Original Message-
 From: [EMAIL PROTECTED]
 
 env: Oracle 9.2.0.2 on Solaris 9.
 
 Does anyone know of a way to use the / as sysdba logon remotely?
 (to a separate Oracle instance on a separate machine)
 
 Other remote user logons work OK.
 
 I have tried several variations from sqlplus, such as
 
 [EMAIL PROTECTED]connect /@DWQ as sysdba
 ERROR:
 ORA-01031: insufficient privileges
 
 Warning: You are no longer connected to ORACLE.
 
 [EMAIL PROTECTED]connect sys/[EMAIL PROTECTED] as sysdba
 ERROR:
 ORA-01017: invalid username/password; logon denied
 
 [EMAIL PROTECTED]connect sys/exr_sys as [EMAIL PROTECTED]
 SP2-0306: Invalid option.
 Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
 where logon  ::= username[/password][@connect_string] | /
 
 [EMAIL PROTECTED]connect sys/[EMAIL PROTECTED]
 ERROR:
 ORA-28009: connection to sys should be as sysdba or sysoper
 
 I also find I cannot even connect sys/syspassword locally:
 
 [EMAIL PROTECTED]connect sys/sys_password
 ERROR:
 ORA-28009: connection to sys should be as sysdba or sysoper
 
 This does work locally, but not remotely:
 
 [EMAIL PROTECTED]connect sys/sys_password as sysdba
 Connected.
 
 I am a  member of the dba group on both platforms. 
 
 I have verified that I am using the correct sys_password for sys
 on the remote instance.
 
 Eventually, I want to do a remote transportable tablespace 
 import, where 
 the userid would be listed in a parfile; I have tried the 
 same logons in
 a parfile, and that also fails.
 
 I found a Metalink doc that says the O7_DICTIONARY_ACCESSIBILITY (sp?)
 must be true to do this, but the same doc strongly advises 
 against setting
 this to true.
 
 So, has anyone found a way to use the / as sysdba logon remotely?
 (without setting the O7 parameter to true)



RE: remote / as sysdba

2003-03-06 Thread Jacques Kilchoer

If you want to do
connect sys/[EMAIL PROTECTED] as sysdba
then the database corresponding to TNS alias DWQ has to have remote_login_passwordfile EXCLUSIVE, and it needs to have a password file.

It is not clear to me from your e-mail if remote database DWQ has remote_login_passwordfile EXCLUSIVE.


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]
 
 *** Comments by BECKER, BILL Thu Mar 06, 2003 -- 03:30:49 PM
 I have tried this, but it still does not work.
 
 [EMAIL PROTECTED]select value from v$parameter
 2 where name = 'remote_login_passwordfile';
 
 VALUE
 --
 -
 EXCLUSIVE
 
 (This instance was bounced; not yet using spfiles.)
 
 [EMAIL PROTECTED]select * from v$pwfile_users;
 
 USERNAME SYSDB SYSOP
 -- - -
 SYS TRUE TRUE
 
 I have verified that the orapwDWQ file exists in $ORACLE_HOME/dbs
 with the correct unix perms.
 
 So I connect as sys to the local instance:
 
 [EMAIL PROTECTED]connect sys/syspassword as sysdba
 Connected.
 [EMAIL PROTECTED]sho user
 USER is SYS
 
 But when trying to connect to the remote instance:
 
 [EMAIL PROTECTED]connect sys/[EMAIL PROTECTED] as sysdba
 ERROR:
 ORA-01017: invalid username/password; logon denied
 
 Do both instances need to have remote_login_passwordfile=EXCLUSIVE,
 or just the remote instance? Am I missing something else?
 
 __
 __
 *** Original message by Jacques Kilchoer [EMAIL PROTECTED]
 As far as I know, it works like this:
 You will need to set init parameter 
 REMOTE_LOGIN_PASSWORD_FILE to EXCLUSIVE.
 You then can sign on as SYS remotely, or as another user 
 remotely if the
 other user has SYSDBA. See the users that have SYSDBA or SYSOPER in
 v$pwfile_users.
 As the view name suggests, you will also need a password file for the
 database, which should be created with the orapwd utility.
 $ orapwd
 Usage: orapwd file=fname password=password entries=users
 
 where
 file - name of password file (mand),
 password - password for SYS and INTERNAL (mand),
 entries - maximum number of distinct DBA and OPERs (opt),
 There are no spaces around the equal-to (=) character.
 
 Once you've done all that, you can connect remotely by saying 
 the following
 in SQL*Plus:
 connect sys/[EMAIL PROTECTED] as sysdba
 
 But I don't think you will ever be able to do
 connect / as sysdba remotely. For one thing, the syntax in 
 SQL*Plus is:
 Syntaxe : CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
 ou logon ::= username[/password][@connect_string] | /
 
 So the logon is either username/[EMAIL PROTECTED] or else / all by
 itself. How would you tell SQL*Plus which remote database you want to
 connect to? I tried setting TWO_TASK to the tns_alias for the 
 database, but
 that didn't help. It seems to me that when you enable remote 
 SYSDBA logins
 Oracle will insist on verifying a password for the SYSDBA user in the
 password file.
 Or is there some clever trick I don't know about?
 
  -Original Message-
  From: [EMAIL PROTECTED]
  
  env: Oracle 9.2.0.2 on Solaris 9.
  
  Does anyone know of a way to use the / as sysdba logon remotely?
  (to a separate Oracle instance on a separate machine)
  
  Other remote user logons work OK.
  
  I have tried several variations from sqlplus, such as
  
  [EMAIL PROTECTED]connect /@DWQ as sysdba
  ERROR:
  ORA-01031: insufficient privileges
  
  Warning: You are no longer connected to ORACLE.
  
  [EMAIL PROTECTED]connect sys/[EMAIL PROTECTED] as sysdba
  ERROR:
  ORA-01017: invalid username/password; logon denied
  
  [EMAIL PROTECTED]connect sys/exr_sys as [EMAIL PROTECTED]
  SP2-0306: Invalid option.
  Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
  where logon ::= username[/password][@connect_string] | /
  
  [EMAIL PROTECTED]connect sys/[EMAIL PROTECTED]
  ERROR:
  ORA-28009: connection to sys should be as sysdba or sysoper
  
  I also find I cannot even connect sys/syspassword locally:
  
  [EMAIL PROTECTED]connect sys/sys_password
  ERROR:
  ORA-28009: connection to sys should be as sysdba or sysoper
  
  This does work locally, but not remotely:
  
  [EMAIL PROTECTED]connect sys/sys_password as sysdba
  Connected.
  
  I am a member of the dba group on both platforms. 
  
  I have verified that I am using the correct sys_password for sys
  on the remote instance.
  
  Eventually, I want to do a remote transportable tablespace 
  import, where 
  the userid would be listed in a parfile; I have tried the 
  same logons in
  a parfile, and that also fails.
  
  I found a Metalink doc that says the 
 O7_DICTIONARY_ACCESSIBILITY (sp?)
  must be true to do this, but the same doc strongly advises 
  against setting
  this to true.
  
  So, has anyone found a way to use the / as sysdba logon remotely?
  (without setting the O7 parameter to true)
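
Added example, not part of the original thread: the checks from the replies above gathered into one SQL*Plus script to run on the remote (target) instance, followed by a named SYSDBA account that has its own password. The account name dba_remote and its password are hypothetical placeholders.

```sql
-- Added example. Run in SQL*Plus on the instance the TNS alias points at
-- (DWQ in the thread), connected locally with SYSDBA.

-- 1. Confirm which instance this session actually reached. An ORA-01017 on a
--    remote SYSDBA logon is often a sign that the alias resolves elsewhere.
SELECT instance_name, host_name, version
  FROM v$instance;

-- 2. Password-file mode on the target. EXCLUSIVE is what the replies call
--    for; the setting on the instance you connect from plays no part.
SELECT name, value
  FROM v$parameter
 WHERE LOWER(name) = 'remote_login_passwordfile';

-- 3. Accounts currently held in the password file created with orapwd.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 4. A named administrator with its own password, so remote SYSDBA work does
--    not depend on sharing the SYS password. Name and password are
--    placeholders to be replaced.
CREATE USER dba_remote IDENTIFIED BY "Placeholder_Change_Me_1";
GRANT CREATE SESSION TO dba_remote;
GRANT SYSDBA TO dba_remote;
--    The same GRANT against an account that is identified externally fails
--    with ORA-01997, as shown in the thread.

-- 5. The new account should now be listed with SYSDBA = TRUE.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 WHERE username = 'DBA_REMOTE';

-- 6. From the client, let SQL*Plus prompt for the password so that it does
--    not sit on the command line or in a script:
--      CONNECT dba_remote@DWQ AS SYSDBA
```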





RE: remote / as sysdba

2003-03-06 Thread Jared . Still
You could logon that way if Oracle allowed it.

sqlplus /@dv03 as sysdba

two different linux boxes, same OS account name on both boxes. 

While the previous will result in an ORA-1997 ( sorry, you can't remotely
logon as SYSDBA ), the following works just fine:

sqlplus /@dv03

Jared





Jacques Kilchoer [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
 03/06/2003 12:14 PM
 Please respond to ORACLE-L

 
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
cc: 
Subject:RE: remote / as sysdba


As far as I know, it works like this: 
You will need to set init parameter REMOTE_LOGIN_PASSWORD_FILE to 
EXCLUSIVE. 
You then can sign on as SYS remotely, or as another user remotely if the 
other user has SYSDBA. See the users that have SYSDBA or SYSOPER in 
v$pwfile_users.
As the view name suggests, you will also need a password file for the 
database, which should be created with the orapwd utility.
$ orapwd 
Usage: orapwd file=fname password=password entries=users 
  where 
file - name of password file (mand), 
password - password for SYS and INTERNAL (mand), 
entries - maximum number of distinct DBA and OPERs (opt), 
  There are no spaces around the equal-to (=) character. 
Once you've done all that, you can connect remotely by saying the 
following in SQL*Plus: 
connect sys/[EMAIL PROTECTED] as sysdba 
But I don't think you will ever be able to do 
connect / as sysdba remotely. For one thing, the syntax in SQL*Plus is: 
Syntaxe : CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}] 
ou logon  ::= username[/password][@connect_string] | / 
So the logon is either username/[EMAIL PROTECTED] or else / all by 
itself. How would you tell SQL*Plus which remote database you want to 
connect to? I tried setting TWO_TASK to the tns_alias for the database, 
but that didn't help. It seems to me that when you enable remote SYSDBA 
logins Oracle will insist on verifying a password for the SYSDBA user in 
the password file.
Or is there some clever trick I don't know about? 
 -Original Message- 
 From: [EMAIL PROTECTED] 
 
 env: Oracle 9.2.0.2 on Solaris 9. 
 
 Does anyone know of a way to use the / as sysdba logon remotely? 
 (to a separate Oracle instance on a separate machine) 
 
 Other remote user logons work OK. 
 
 I have tried several variations from sqlplus, such as 
 
 [EMAIL PROTECTED]connect /@DWQ as sysdba 
 ERROR: 
 ORA-01031: insufficient privileges 
 
 Warning: You are no longer connected to ORACLE. 
 
 [EMAIL PROTECTED]connect sys/[EMAIL PROTECTED] as sysdba 
 ERROR: 
 ORA-01017: invalid username/password; logon denied 
 
 [EMAIL PROTECTED]connect sys/exr_sys as [EMAIL PROTECTED] 
 SP2-0306: Invalid option. 
 Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}] 
 where logon  ::= username[/password][@connect_string] | / 
 
 [EMAIL PROTECTED]connect sys/[EMAIL PROTECTED] 
 ERROR: 
 ORA-28009: connection to sys should be as sysdba or sysoper 
 
 I also find I cannot even connect sys/syspassword locally: 
 
 [EMAIL PROTECTED]connect sys/sys_password 
 ERROR: 
 ORA-28009: connection to sys should be as sysdba or sysoper 
 
 This does work locally, but not remotely: 
 
 [EMAIL PROTECTED]connect sys/sys_password as sysdba 
 Connected. 
 
 I am a  member of the dba group on both platforms. 
 
 I have verified that I am using the correct sys_password for sys 
 on the remote instance. 
 
 Eventually, I want to do a remote transportable tablespace 
 import, where 
 the userid would be listed in a parfile; I have tried the 
 same logons in 
 a parfile, and that also fails. 
 
 I found a Metalink doc that says the O7_DICTIONARY_ACCESSIBILITY (sp?) 
 must be true to do this, but the same doc strongly advises 
 against setting 
 this to true. 
 
 So, has anyone found a way to use the / as sysdba logon remotely? 
 (without setting the O7 parameter to true) 





RE: remote / as sysdba

2003-03-06 Thread Jared . Still
The remote instance must have remote_login_passwordfile=EXCLUSIVE

Any local instances, whether or not you are logged into them, are 
unimportant.

In this case:


[EMAIL PROTECTED]connect sys/[EMAIL PROTECTED] as sysdba
ERROR:
ORA-01017: invalid username/password; logon denied

I would tend to think that you're either not connecting to the database 
you intend,
or you've mistyped the password.

Does  connect sys/[EMAIL PROTECTED] as sysdba  work?


Jared






[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
 03/06/2003 01:34 PM
 Please respond to ORACLE-L

 
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
cc: 
Subject:RE: remote / as sysdba



*** Comments by BECKER, BILL  Thu Mar 06, 2003 -- 03:30:49 PM
I have tried this, but it still does not work.

[EMAIL PROTECTED]select value from v$parameter
  2  where name = 'remote_login_passwordfile';

VALUE
---
EXCLUSIVE

(This instance was bounced; not yet using spfiles.)

[EMAIL PROTECTED]select * from v$pwfile_users;

USERNAME   SYSDB SYSOP
---------- ----- -----
SYS        TRUE  TRUE

I have verified that the orapwDWQ file exists in $ORACLE_HOME/dbs
with the correct unix perms.

So I connect as sys to the local instance:

[EMAIL PROTECTED]connect sys/syspassword as sysdba
Connected.
[EMAIL PROTECTED]sho user
USER is SYS

But when trying to connect to the remote instance:

[EMAIL PROTECTED]connect sys/[EMAIL PROTECTED] as sysdba
ERROR:
ORA-01017: invalid username/password; logon denied

Do both instances need to have remote_login_passwordfile=EXCLUSIVE,
or just the remote instance? Am I missing something else?


*** Original message by Jacques Kilchoer [EMAIL PROTECTED]
As far as I know, it works like this:
You will need to set init parameter REMOTE_LOGIN_PASSWORD_FILE to 
EXCLUSIVE.
You then can sign on as SYS remotely, or as another user remotely if the
other user has SYSDBA. See the users that have SYSDBA or SYSOPER in
v$pwfile_users.
As the view name suggests, you will also need a password file for the
database, which should be created with the orapwd utility.
$ orapwd
Usage: orapwd file=fname password=password entries=users

  where
file - name of password file (mand),
password - password for SYS and INTERNAL (mand),
entries - maximum number of distinct DBA and OPERs (opt),
  There are no spaces around the equal-to (=) character.

Once you've done all that, you can connect remotely by saying the 
following
in SQL*Plus:
connect sys/[EMAIL PROTECTED] as sysdba

But I don't think you will ever be able to do
connect / as sysdba remotely. For one thing, the syntax in SQL*Plus is:
Syntaxe : CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
ou logon  ::= username[/password][@connect_string] | /

So the logon is either username/[EMAIL PROTECTED] or else / all by
itself. How would you tell SQL*Plus which remote database you want to
connect to? I tried setting TWO_TASK to the tns_alias for the database, but
that didn't help. It seems to me that when you enable remote SYSDBA logins
Oracle will insist on verifying a password for the SYSDBA user in the
password file.
Or is there some clever trick I don't know about?

 -Original Message-
 From: [EMAIL PROTECTED]
 
 env: Oracle 9.2.0.2 on Solaris 9.
 
 Does anyone know of a way to use the / as sysdba logon remotely?
 (to a separate Oracle instance on a separate machine)
 
 Other remote user logons work OK.
 
 I have tried several variations from sqlplus, such as
 
 [EMAIL PROTECTED]connect /@DWQ as sysdba
 ERROR:
 ORA-01031: insufficient privileges
 
 Warning: You are no longer connected to ORACLE.
 
 [EMAIL PROTECTED]connect sys/[EMAIL PROTECTED] as sysdba
 ERROR:
 ORA-01017: invalid username/password; logon denied
 
 [EMAIL PROTECTED]connect sys/exr_sys as [EMAIL PROTECTED]
 SP2-0306: Invalid option.
 Usage: CONN[ECT] [logon] [AS {SYSDBA|SYSOPER}]
 where logon  ::= username[/password][@connect_string] | /
 
 [EMAIL PROTECTED]connect sys/[EMAIL PROTECTED]
 ERROR:
 ORA-28009: connection to sys should be as sysdba or sysoper
 
 I also find I cannot even connect sys/syspassword locally:
 
 [EMAIL PROTECTED]connect sys/sys_password
 ERROR:
 ORA-28009: connection to sys should be as sysdba or sysoper
 
 This does work locally, but not remotely:
 
 [EMAIL PROTECTED]connect sys/sys_password as sysdba
 Connected.
 
 I am a member of the dba group on both platforms.
 
 I have verified that I am using the correct sys_password for sys
 on the remote instance.
 
 Eventually, I want to do a remote transportable tablespace import, where
 the userid would be listed in a parfile; I have tried the same logons in
 a parfile, and that also fails.
 
 I found a Metalink doc that says the O7_DICTIONARY_ACCESSIBILITY (sp?)
 must be true to do this, but the same

RE: remote / as sysdba

2003-03-06 Thread Jacques Kilchoer

I forgot that you could do that. I never liked remote os authentication (is it still possible to easily fool a client into thinking you're someone else?), and I would like it even less if it allowed you to sign on as SYSDBA without a password. The best security is still having different passwords for everything, and if there are too many passwords to remember, just write them down on a post-it note stuck to your monitor.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 
 You could logon that way if Oracle allowed it.
 
 sqlplus /@dv03 as sysdba
 
 two different linux boxes, same OS account name on both boxes. 
 
 While the previous will result in an ORA-1997 ( sorry, you can't remotely
 logon as SYSDBA ), the following works just fine:
 
 sqlplus /@dv03





RE: remote / as sysdba

2003-03-06 Thread Jared . Still
At one time you could set the 'ORACLE_USERNAME=SYSTEM' variable in your oracle.ini
file, and log into any database as SYSTEM ( without a password ) as long as
REMOTE_OS_AUTHENT=true.

That was obviously some years ago, and I don't know if that is still possible.

I would have hoped that such an obvious hole was plugged years ago.  It seems to
me that it was, but I don't recall details.

Jared






Jacques Kilchoer [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
 03/06/2003 03:28 PM
 Please respond to ORACLE-L

 
To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED]
cc: 
Subject:RE: remote / as sysdba


I forgot that you could do that. I never liked remote os authentication 
(is it still possible to easily fool a client into thinking you're someone 
else?), and I would like it even less if it allowed you to sign on as 
SYSDBA without a password. The best security is still having different 
passwords for everything, and if there are too many passwords to remember, 
just write them down on a post-it note stuck to your monitor.
 -Original Message- 
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 
 You could logon that way if Oracle allowed it. 
 
 sqlplus /@dv03 as sysdba 
 
 two different linux boxes, same OS account name on both boxes. 
 
 While the previous will result in an ORA-1997 ( sorry, you can't remotely
 logon as SYSDBA ), the following works just fine:
 
 sqlplus /@dv03 


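
Added example (not part of the original thread, and not Oracle's code): a Python check of an init.ora pfile for the settings debated above, flagging remote OS authentication, where the server accepts the OS user name the client reports. The parameter defaults, the function names and the sample pfile are assumptions constructed for illustration.

```python
import re

# Assumed Oracle 9.2 defaults for parameters a pfile omits; verify for your release.
DEFAULTS = {"remote_os_authent": "FALSE", "os_authent_prefix": "OPS$",
            "remote_login_passwordfile": "NONE",
            "o7_dictionary_accessibility": "FALSE"}

# name = value, optional "*." or "SID." prefix, quoted or bare value, trailing # comment
LINE = re.compile(r"""^\s*(?:[\w*]+\.)?(\w+)\s*=\s*
                      (?:'([^']*)'|"([^"]*)"|([^#]*?))\s*(?:\#.*)?$""", re.X)

def parse_pfile(text):
    """Return {lowercase parameter: value}; a later line overrides an earlier one."""
    params = dict(DEFAULTS)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            value = next((g for g in m.groups()[1:] if g is not None), "")
            params[m.group(1).lower()] = value.strip()
    return params

def audit(text):
    """Return (severity, parameter, finding) tuples for the settings in this thread."""
    p = parse_pfile(text)
    findings = []
    if p["remote_os_authent"].upper() == "TRUE":
        findings.append(("HIGH", "remote_os_authent",
            "accounts identified externally (prefix %r) are accepted on the "
            "client's claimed OS user name" % p["os_authent_prefix"]))
    if p["remote_login_passwordfile"].upper() in ("EXCLUSIVE", "SHARED"):
        findings.append(("INFO", "remote_login_passwordfile",
            "remote SYSDBA/SYSOPER logons are possible; review v$pwfile_users"))
    if p["o7_dictionary_accessibility"].upper() == "TRUE":
        findings.append(("WARN", "o7_dictionary_accessibility",
            "SYS can connect without AS SYSDBA"))
    return findings

# Constructed sample pfile, not taken from the thread.
SAMPLE = """\
# initDWQ.ora (constructed)
db_name = DWQ
*.Remote_OS_Authent = true      # legacy setting
os_authent_prefix = "OPS$"
remote_login_passwordfile=EXCLUSIVE
"""

if __name__ == "__main__":
    for severity, name, finding in audit(SAMPLE):
        print(f"{severity:5} {name}: {finding}")
```
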



RE: remote / as sysdba

2003-03-06 Thread Jacques Kilchoer

Thank you for the information. I thought the security issues were more fundamental. For example if my database has remote os authentication (with prefix OPS$), and I know that there is a user called OPS$JSTILL, then I can change the Windows Registry on my client to enable me to logon to the database as OPS$JSTILL.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 
 At one time you could set the 'ORACLE_USERNAME=SYSTEM' variable in your
 oracle.ini file, and log into any database as SYSTEM ( without a
 password ) as long as REMOTE_OS_AUTHENT=true.
 
 That was obviously some years ago, and I don't know if that is still
 possible.
 
 I would have hoped that such an obvious hole was plugged years ago. It
 seems to me that it was, but I don't recall details.