Sys user authentication method in Oracle10g

---------------------------------------------------------------------------

---- This is andkylee's personal originality. Please repost it with respect to the author's Labor achievements;

---- The original source must be specified for reprinting.
:
Http://blog.csdn.net/andkylee

---



2010-08-10
18:19:57

---- Keywords: Oracle sysdba sysoper OS password file Authentication

----------------------------------------------------------------------------

This afternoon, a test database demo was created by manually writing the create database Command and catalog was executed. SQL, catproc. SQL, pupbld. after these three SQL scripts, the password file is also created using orapwd:

Orapwd file = E:/Oracle/db_1/database/Orapwdemo. ora
Password = dB entries = 10

 

Because an oracle instance was running on that machine, the contents of the listener. ora file were not modified.

There is no problem when connecting to the instance demo on the local machine of the Test Library Demo.

Set oracle_sid = demo

Sqlplus/nolog

Conn/As sysdba

Can be connected!

C:/Documents and Settings/Administrator> set oracle_sid = demo <br/> C:/Documents and Settings/Administrator> sqlplus/nolog <br/> SQL * Plus: release 10.2.0.1.0-production on Tuesday August 10 17:28:21 2010 <br/> copyright (c) 1982,200 5, Oracle. all rights reserved. <br/> SQL> Conn/As sysdba <br/> connected. <Br/> SQL> show parameter db_name <br/> name type value <br/> -------------------------------------- ---------------------------------- <br/> db_name string demo

 

However, on a remote computer, the System user can connect to the system, and an error is returned when sys is used for connection:

SQL> conn sys/DB @ demo178 as sysdba
Error:
ORA-01031: insufficient privileges

 

Solution:

 

The final problem lies in the name of the password file. When Oracle 9i is usedOrapw
But in Oracle10gPWD
. Therefore, on the machine where the demo of the test instance is located, change the password file orapwdemo. ora under E:/Oracle/db_1/database/to pwddemo. ora. The problem can be solved!

In addition, you can use other password files after renaming them according to PWD $ oracle_sid.ora. However, if you know the password in advance. (This method saves you the trouble of using orapwd to create a password file !)

 

Through the preceding error, we can see that when Oracle uses the password file to verify the logon of SYS users, it will find the PWD $ oracle_sid.ora file in the $ ORACLE_HOME/dbs/directory. If you find this file, check whether the password is correct. Otherwise, you cannot verify the validity of SYS and report an error with insufficient permissions.

 

Summary:

It is necessary to review the authentication method of SYS login users in Oracle. On the local machine where the Oracle database instance is located, when the Sys user logs on, the operating system authentication mode is selected first, if the logon user of the current operating system belongs to the DBA group (Windows Host ora_dba), the authentication is successful. Otherwise, the Password Authentication mode is used.

 

Verify sys Logon at the operating system level in the Local System

The following shows how to use Telnet to connect to a Windows machine with the Oracle10g instance named demo. The operating system Logon Name Is SA, which belongs to the ora_dba group. The password of the Sys user of the Instance demo is dB.

Execute: Net localgroup ora_dba in Telnet to check whether the current logon user SA belongs to this group.

C: /Windows/system32> net localgroup ora_dba <br/> alias ora_dba <br/> comment <br/> member <br/> administrator <br/> NT authority the/System <br/> SA <br/> command is successfully completed. <Br/>

It can be seen that SA belongs to Oracle's ora_dba group. Therefore, Oracle will give priority to operating system-level verification when using sys to connect to the database.

C:/Windows/system32> set oracle_sid = demo <br/> C:/Windows/system32> sqlplus/nolog <br/> SQL * Plus: release 10.2.0.1.0-production on Tuesday August 10 17:47:02 2010 <br/> copyright (c) 1982,200 5, Oracle. all rights reserved. <br/> SQL> conn sys/dbaaa as sysdba <br/> is connected. <Br/> SQL> Conn/As sysdba <br/> connected. <Br/> SQL> conn sys as sysdba <br/> enter the password: <br/> connected. <Br/> SQL> show parameter db_name <br/> name type value <br/> -------------------------------------- -------------------------------- <br/> db_name string demo <br/> SQL>

 

 

Use the password file in the local system to verify sys Logon

 

Use another user as the login terminal to telnet to the machine where the Oracle instance is located. The user does not belong to the ora_dba group.

Run: Net user to view the local group to which the user belongs.

 

C:/Windows/system32> set oracle_sid = demo <br/> C:/Windows/system32> sqlplus/nolog <br/> SQL * Plus: release 10.2.0.1.0-production on Tuesday August 10 17:53:58 2010 <br/> copyright (c) 1982,200 5, Oracle. all rights reserved. <br/> SQL> Conn/As sysdba <br/> error: <br/> ORA-01031: insufficient privileges <br/> SQL> conn sys/DB as sysdba <br/> is connected. <Br/> SQL> conn sys/dbaa as sysdba <br/> error: <br/> ORA-01031: insufficient privileges

 

You can only use the password file for verification when it does not belong to the group ora_dba.

 

 

Verify sys Logon at the operating system level in the remote system

This method requires the secure TCP (TCPs) network protocol to be used in the "local net service name configuration" on the remote system. However, I have not yet learned how to use it. There may be fewer people using this method.

 

Use in a remote system
Password File to verify sys Logon

 

It is easy to understand that password file verification is used when the secure TCP (Insecure TCP protocol) network protocol is used in "local net service name configuration" on the remote system.

 

The following figure intuitively describes how to verify sys users: