其實簡單點就是檢查一下你的機器有沒有一個ora_dba用戶組,而且你登陸os的用戶是否在這個組裏,有的話問題的原因就找到了,下面是轉的高手的介紹
本文環境配置:Oracle10gR2,Windows XP
Oracle的用戶信息一般來說是保存在數據字典裏的,所以常規用戶在Oracle數據庫沒有啓動的時候是無法登陸的。但有兩類用戶例外,這就是具有sysdba或者sysoper權限的用戶。Oracle sysdba或者sysoper用戶的登陸有兩種方式:一是通過OS認證,二是通過密碼文件驗證。
究竟使用哪一種驗證方式以及能否成功登陸取決於三個方面的因素:
1. sqlnet.ora中SQLNET.AUTHENTICATION_SERVICES的設置
2. 參數文件中REMOTE_LOGIN_PASSWORDFILE的設置
3. 密碼文件 PWD%sid%.ora
Oracle進行權限驗證的大致順序如下:
1. 根據SQLNET.AUTHENTICATION_SERVICES的值決定是進行os驗證還是密碼文件驗證。
2. 如果是os驗證,根據當前用戶的用戶組判斷是否具有sysdba權限。如果os驗證失敗,則進行密碼文件驗證。
2. 如果是密碼文件驗證,REMOTE_LOGIN_PASSWORDFILE的值以及密碼文件是否存在決定了驗證是否成功。
1. OS 驗 證
要啓用os驗證,就必須在qlnet.ora中設置SQLNET.AUTHENTICATION_SERVICES=(NTS),然後在Windows中建立ora_dba用戶組,把相關用戶加入到這個組中(e.g., administrator),這樣administrator就可以在不用提供用戶名和密碼(或者提供任意的用戶名和密碼)的情況下以sysdba身份本地登陸。因爲操作系統已經代替Oracle進行了驗證。
測試一:ora_dba用戶本地登陸
- C:/>sqlplus / as sysdba
- Connected to:
- Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
- With the OLAP and Data Mining options
- SQL>
- C:/>sqlplus wrong_user/wrong_password as sysdba
- Connected to:
- Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
- With the OLAP and Data Mining options
- SQL>
C:/>sqlplus / as sysdba
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the OLAP and Data Mining options
SQL>
C:/>sqlplus wrong_user/wrong_password as sysdba
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the OLAP and Data Mining options
SQL>
測試二:非ora_dba用戶本地登陸
- C:/>sqlplus / as sysdba
- ERROR:
- ORA-01031: insufficient privileges
- Enter user-name:
- C:/>sqlplus wrong_user/wrong_password sysdba
- ERROR:
- ORA-01017: invalid username/password; logon denied
- Enter user-name:
- C:/>sqlplus sys/change_on_install as sysdba
- Connected to:
- Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
- With the OLAP and Data Mining options
- SQL>
C:/>sqlplus / as sysdba
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
C:/>sqlplus wrong_user/wrong_password sysdba
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
C:/>sqlplus sys/change_on_install as sysdba
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the OLAP and Data Mining options
SQL>
2. 密碼文件驗證
密碼文件包含了被授予sysdba和sysoper權限的用戶的用戶名和密碼。這是一個加密文件,一般來說存放在%oracle_home%/database目錄下,文件名爲PWD%sid%.ora。
如果要使用密碼文件驗證,則把sqlnet.ora改爲SQLNET.AUTHENTICATION_SERVICES=none,或者從sqlnet.ora中刪除SQLNET.AUTHENTICATION_SERVICES。同上匿名登陸sqlplus會失敗,給出用戶名和密碼就可以成功登陸。
- C:/>sqlplus / as sysdba
- ERROR:
- ORA-01031: insufficient privileges
- Enter user-name:
- C:/>sqlplus sys/change_on_install as sysdba
- Connected to an idle instance.
- idle>
C:/>sqlplus / as sysdba
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
C:/>sqlplus sys/change_on_install as sysdba
Connected to an idle instance.
idle>
測試一:刪除密碼文件。使用用戶名和密碼登陸,失敗!
- C:/>sqlplus sys/change_on_install as sysdba
- ERROR:
- ORA-01031: insufficient privileges
- Enter user-name:
C:/>sqlplus sys/change_on_install as sysdba
ERROR:
ORA-01031: insufficient privileges
Enter user-name:
測試二:恢復密碼文件,設置REMOTE_LOGIN_PASSWORDFILE=none。使用用戶名和密碼登陸,失敗!
- SQL> alter system set remote_login_passwordfile=none scope=spfile;
- System altered.
- C:/>sqlplus sys/change_on_install as sysdba
- ERROR:
- ORA-01017: invalid username/password; logon denied
- Enter user-name:
SQL> alter system set remote_login_passwordfile=none scope=spfile;
System altered.
C:/>sqlplus sys/change_on_install as sysdba
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
測試三:恢復密碼文件,設置REMOTE_LOGIN_PASSWORDFILE爲EXCLUSIVE或者SHARED。使用用戶名和密碼登陸,成功!
- SQL> alter system set remote_login_passwordfile=exclusive scope=spfile;
- System altered.
- C:/>sqlplus sys/change_on_install as sysdba
- Connected to an idle instance.
- SQL>
SQL> alter system set remote_login_passwordfile=exclusive scope=spfile;
System altered.
C:/>sqlplus sys/change_on_install as sysdba
Connected to an idle instance.
SQL>
3. 密碼文件
查看具有sysdba或者sysoper權限的用戶:
- SQL> select * from v$pwfile_users;
- USERNAME SYSDB SYSOP
- ------------------------------ ------- -------
- SYS TRUE TRUE
SQL> select * from v$pwfile_users;
USERNAME SYSDB SYSOP
------------------------------ ------- -------
SYS TRUE TRUE
每次使用grant sysdba/sysoper授予新用戶特殊權限或是alter user命令修改擁有sysdba/sysoper權限的用戶密碼的時候,Oracle都會自動的同步密碼文件,這樣保證在數據庫沒有打開的情況擁有特殊權限的用戶能正常的登陸數據庫以進行管理操作。
- SQL> grant sysdba to logicgate;
- Grant succeeded.
- SQL> select * from v$pwfile_users;
- USERNAME SYSDB SYSOP
- ------------------------------- -------- --------
- SYS TRUE TRUE
- LOGICGATE TRUE FALSE
SQL> grant sysdba to logicgate;
Grant succeeded.
SQL> select * from v$pwfile_users;
USERNAME SYSDB SYSOP
------------------------------- -------- --------
SYS TRUE TRUE
LOGICGATE TRUE FALSE
使用orapwd命令可以重建密碼文件。
- C:/>orapwd
- Usage: orapwd file=<fname> password=<password> entries=<users> force=<y/n>
- where
- file - name of password file (mandatory),
- password - password for SYS (mandatory),
- entries - maximum number of distinct DBA (optional),
- force - whether to overwrite existing file (optional)
C:/>orapwd
Usage: orapwd file=<fname> password=<password> entries=<users> force=<y/n>
where
file - name of password file (mandatory),
password - password for SYS (mandatory),
entries - maximum number of distinct DBA (optional),
force - whether to overwrite existing file (optional)
其中文件名和密碼是必需的。entries設置了密碼文件可包含的dba用戶的最大數目。force定義了是否覆蓋當前文件。重建密碼文件會清除系統內除了sys用戶以外所有sysdba用戶的密碼。必須使用grant sysdba同步密碼文件。
- C:/>orapwd file=%oracle_home%/database/PWDepcit.ora password=temp entries=20 force=y;
- C:/>sqlplus sys/temp as sysdba
- Connected to:
- Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
- With the OLAP and Data Mining options
- SQL> select * from v$pwfile_users;
- USERNAME SYSDB SYSOP
- ------------------------------- -------- --------
- SYS TRUE TRUE
C:/>orapwd file=%oracle_home%/database/PWDepcit.ora password=temp entries=20 force=y;
C:/>sqlplus sys/temp as sysdba
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the OLAP and Data Mining options
SQL> select * from v$pwfile_users;
USERNAME SYSDB SYSOP
------------------------------- -------- --------
SYS TRUE TRUE