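sys user has insufficient privileges, local login fails |ORA-01031 insufficient privileges|
Machines always seem to pick the holidays to break. With the "double holiday" (Mid-Autumn Festival and National Day) coming up, things are not exactly relaxed for system operations engineers, so today I hurried to set up a standby database server in case a machine "cries out" in the middle of the night.
There is not much to say about installing the OS: I pulled a copy from the template machine and changed the IP and hostname. It was not my first Oracle installation either: I took a silent-install response file, edited it, and installed the database. The plan is to build DataGuard, but to test whether the installation succeeded I chose to create a database anyway. After everything was installed, a routine login to the database showed that something was wrong: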
[oracle@wz_oracle2 dbs]$ sqlplus system/oracle as sysdba
SQL*Plus: Release 10.2.0.1.0 - Production on Tue Sep 21 16:41:01 2010
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
Generally, ORA-01031 appears when you forget to type as sysdba, so why is it happening here?
Let's try logging in other ways:
[oracle@wz_oracle2 dbs]$
[oracle@wz_oracle2 dbs]$
[oracle@wz_oracle2 dbs]$ sqlplus system/oracle
SQL*Plus: Release 10.2.0.1.0 - Production on Tue Sep 21 16:41:05 2010
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options
[oracle@wz_oracle2 dbs]
[oracle@wz_oracle2 dbs]
[oracle@wz_oracle2 dbs]$ sqlplus sys/oracle as sysdba
SQL*Plus: Release 10.2.0.1.0 - Production on Tue Sep 21 16:41:16 2010
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options
SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
With the Partitioning, OLAP and Data Mining options
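system can log in. Since this is a freshly installed database, the system user does not have the sysdba privilege, so we can conclude that system is using password authentication; the fact that the password login works shows that the database itself is fine.
The sys user is sysdba by default and can log in either through operating system authentication (users in the dba group are automatically treated as authenticated) or through password file authentication (commonly used for remote logins). Rename the password file and log in again: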
[oracle@wz_oracle2 dbs]$ mv orapwora8i orapwora8i---
[oracle@wz_oracle2 dbs]$ sqlplus sys/oracle as sysdba
SQL*Plus: Release 10.2.0.1.0 - Production on Tue Sep 21 20:34:28 2010
Copyright (c) 1982, 2005, Oracle. All rights reserved.
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
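The login fails, so we can conclude that sys was using the password file for login authentication.
At this point we can basically conclude that the sys user cannot get past operating system authentication. Since this installation was a silent install driven by a response file, the problem is probably in that response file, so I carefully went through every option in it again, especially the ones involving "groups":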
[oracle@wz_oracle2 ~]$ id
uid=500(oracle) gid=500(dba) groups=500(dba)
[oracle@wz_oracle2 ~]$ cat enterprise.rsp | egrep -i "grp|group"
UNIX_GROUP_NAME="dba"
s_nameForDBAGrp="oracle"
s_nameForOPERGrp="oracle"
[oracle@wz_oracle2 ~]$
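Sure enough, the specified DBA group and OPER group are wrong. How careless of me!
How should this be fixed? Tearing everything down and starting over would certainly work, but is there a lower-"cost" way? Turning to the almighty Google, I easily found the solution: modify the file $ORACLE_HOME/rdbms/lib/config.c: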
[oracle@wz_oracle2 ~]$ cat $ORACLE_HOME/rdbms/lib/config.c
/* SS_DBA_GRP defines the UNIX group ID for adminstrative access. */
/* Refer to the Installation and User's Guide for further information. */
#define SS_DBA_GRP "oracle" /* change to dba */
#define SS_OPER_GRP "oracle" /* change to dba */
char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP};
Then run relink all and that is it:
[oracle@wz_oracle2 ~]$ cat $ORACLE_HOME/rdbms/lib/config.c
/* SS_DBA_GRP defines the UNIX group ID for adminstrative access. */
/* Refer to the Installation and User's Guide for further information. */
#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "dba"
char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP};
[oracle@wz_oracle2 ~]$ relink all
.................
.................
.................
.................
.................
[oracle@wz_oracle2 ~]$
[oracle@wz_oracle2 ~]$ sqlplus / as sysdba
SQL*Plus: Release 10.2.0.1.0 - Production on Tue Sep 21 20:48:03 2010
Copyright (c) 1982, 2005, Oracle. All rights reserved.
Connected to an idle instance.
SQL> startup ;
ORACLE instance started.
Total System Global Area 599785472 bytes
Fixed Size 2022600 bytes
Variable Size 171967288 bytes
Database Buffers 419430400 bytes
Redo Buffers 6365184 bytes
Database mounted.
Database opened.
SQL>
Problem solved. Silent installation with a response file looks cool, but you have to be careful with it.
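
A check for the mismatch diagnosed above, as an added example that is not part of the original post: it reads SS_DBA_GRP and SS_OPER_GRP from a config.c and compares them with a user's OS groups. The function names config_group and check_os_auth are hypothetical, and the sample config.c is constructed to mirror the one shown in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): compare the OS-authentication
# group compiled into Oracle via config.c with a user's group membership.

# Print the group name that macro $2 is defined as in config.c file $1.
config_group() {
    sed -n "s/^#define[[:space:]]\{1,\}$2[[:space:]]\{1,\}\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_os_auth CONFIG_C GROUP...
# Returns 0 if one of GROUP... equals SS_DBA_GRP, 1 on mismatch,
# 2 if SS_DBA_GRP cannot be found in the file.
check_os_auth() {
    local cfg="$1" dba oper g
    shift
    dba=$(config_group "$cfg" SS_DBA_GRP)
    oper=$(config_group "$cfg" SS_OPER_GRP)
    if [ -z "$dba" ]; then
        echo "SS_DBA_GRP not found in $cfg" >&2
        return 2
    fi
    echo "compiled-in groups: SS_DBA_GRP=$dba SS_OPER_GRP=${oper:-unset}"
    for g in "$@"; do
        if [ "$g" = "$dba" ]; then
            echo "OK: user is in '$dba'; OS authentication can grant sysdba"
            return 0
        fi
    done
    echo "MISMATCH: user groups ($*) lack '$dba'; OS authentication will not grant sysdba"
    return 1
}

# Constructed sample mirroring the config.c shown in the post.
sample=$(mktemp)
printf '%s\n' \
    '#define SS_DBA_GRP "oracle"' \
    '#define SS_OPER_GRP "oracle"' \
    'char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP};' > "$sample"
# The post's oracle user is only in group dba, so this reports a mismatch.
check_os_auth "$sample" dba || echo "fix config.c, then run: relink all"
rm -f "$sample"
# On a real host (assumed usage):
#   check_os_auth "$ORACLE_HOME/rdbms/lib/config.c" $(id -Gn oracle)
```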