Oracle 集群sysbackup用户登陆随机报错ORA-01017
前言:
近期处理了一起Oracle 19c集群sysbackup用户登陆随机报错ORA-01017: invalid username/password; logon denied的问题,后面分析发现是由于集群密码文件没有共享,两个节点的密码文件不一致,导致用户通过scan ip随机分发节点时,连接到了错误密码所在的节点,进而产生了ORA-01017。
问题现象:
集群sysbackup用户登陆节点随机报错ORA-01017: invalid username/password; logon denied
问题原因:
用户进行配置sysbackup用户的操作,但由于集群密码文件没有共享,导致两个节点的密码文件不一致,在用户通过scan ip随机分发节点时,连接到了错误密码所在的节点,进而产生了ORA-01017。
问题解决:
方法一:在集群每个节点同时执行配置sysbackup的操作,确保节点密码文件一致
alter user testbackup identified by testbackup;
grant sysbackup to testbackup;方法二:将正确节点的密码文件拷贝到其他节点,确保集群节点密码文件配置一致
scp $ORACLE_HOME/dbs/orapworcl1 node2@:$ORACLE_HOME/dbs/orapworcl2方法三:将密码文件设置为asm共享文件
orapwd input_file='/u01/app/oracle/product/19.0.0/db_1/dbs/orapworcl1' file='+DATADG/ORCL/orapworcl' asm=y force=y
---不需要重启数据库,密码文件会自己切换到asm路径下,可以通过GV$PASSWORDFILE_INFO进行验证问题分析:
在节点一node1创建备份用户testbackup
create user testbackup identified by testbackup;
grant connect,resource,sysbackup to testbackup;测试用户登陆,会出现随机登陆失败的情况
---通过scan_ip,第一次登陆成功
[oracle@node1 /u01/app/oracle/product/19.0.0/db_1/network/admin ]$ sqlplus testbackup/testbackup@orcl as sysbackup
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Jul 18 17:21:28 2022
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL>
SQL>
SQL> exit
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
---通过scan_ip,第二次登陆失败,报ORA-01017: invalid username/password; logon denied
[oracle@node1 /u01/app/oracle/product/19.0.0/db_1/network/admin ]$ sqlplus testbackup/testbackup@orcl as sysbackup
SQL*Plus: Release 19.0.0.0.0 - Production on Mon Jul 18 17:21:31 2022
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:查看sysbackup用户密码文件的配置
---会发现,只有节点一node1有写入TESTBACKUP这个sysbackup的用户,节点二node2没有写入sysbackup用户
1* select inst_id,username,sysbackup from gv$pwfile_users
INST_ID USERNAME SYSBA
---------- -------------------------------------------------------------------------------------------------------------------------------- -----
1 SYS FALSE
1 TESTBACKUP TRUE
2 SYS FALSE查看密码文件路径,可以发现密码文件都是节点本地存放
1* select * from GV$PASSWORDFILE_INFO
INST_ID FILE_NAME FORMAT IS_AS CON_ID
---------- ------------------------------------------------------------ ------ ----- ----------
1 /u01/app/oracle/product/19.0.0/db_1/dbs/orapworcl1 12 FALSE 0
2 /u01/app/oracle/product/19.0.0/db_1/dbs/orapworcl2 12 FALSE 0测试通过节点vip访问登陆,节点一vip登陆没有报错,节点二vip登陆有报错ora-01017,这进一步验证了节点二密码文件有问题
---通过节点一vip登陆没有报错
[oracle@node1 /u01/app/oracle/product/19.0.0/db_1/network/admin ]$ rman target /
Recovery Manager: Release 19.0.0.0.0 - Production on Mon Jul 18 17:26:30 2022
Version 19.3.0.0.0
Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved.
RMAN> connect target 'testbackup/testbackup@node1-vip:1521/orcl as sysbackup'
connected to target database: ORCL (DBID=1632283697)
RMAN> exit
---通过节点二vip登陆报错ora-01017
[oracle@node1 /u01/app/oracle/product/19.0.0/db_1/network/admin ]$ rman target /
RMAN> connect target 'testbackup/testbackup@node2-vip:1521/orcl as sysbackup';
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
ORA-01017: invalid username/password; logon denied
RMAN> exit
在节点二node2执行节点一配置sysbackup的操作
SQL> alter user testbackup identified by testbackup;
SQL> grant sysbackup to testbackup;
Grant succeeded.
SQL> select * from gv$pwfile_users;
INST_ID USERNAME SYSDB SYSOP SYSAS SYSBA SYSDG SYSKM ACCOUNT_STATUS PASSWORD_PROFILE
---------- -------------------------------------------------------------------------------------------------------------------------------- ----- ----- ----- ----- ----- ----- ------------------------------ --------------------------------------------------------------------------------------------------------------------------------
LAST_LOGIN LOCK_DATE EXPIRY_DA
--------------------------------------------------------------------------- --------- ---------
EXTERNAL_NAME
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
AUTHENTI COM CON_ID
-------- --- ----------
2 SYS TRUE TRUE FALSE FALSE FALSE FALSE OPEN
PASSWORD NO 0
2 TESTBACKUP FALSE FALSE FALSE TRUE FALSE FALSE OPEN
PASSWORD NO 0
1 SYS TRUE TRUE FALSE FALSE FALSE FALSE OPEN
PASSWORD NO 0
1 TESTBACKUP FALSE FALSE FALSE TRUE FALSE FALSE OPEN
PASSWORD NO 0再次通过节点二vip进行登陆,连接成功
RMAN> connect target 'testbackup/testbackup@node2-vip:1521/orcl as sysbackup';
connected to target database: ORCL (DBID=1632283697)
RMAN> select sys_context('USERENV', 'CURRENT_SCHEMA') current_schema, sys_context('USERENV', 'SESSION_USER') session_user from dual;
using target database control file instead of recovery catalog
CURRENT_SCHEMA
--------------------------------------------------------------------------------
SESSION_USER
--------------------------------------------------------------------------------
SYS
SYSBACKUP
RMAN> exit总结:
sysbackup用户出现随机登陆失败ora-01017的原因为用户进行配置sysbackup用户的操作,但由于集群密码文件没有共享,导致两个节点的密码文件不一致,在用户通过scan ip随机分发节点时,连接到了错误密码所在的节点,进而产生了ORA-01017。
可以通过以下方法修复问题
方法一:在集群每个节点同时执行配置sysbackup的操作,确保节点密码文件一致。
方法二:将正确节点的密码文件拷贝到其他节点,确保集群节点密码文件配置一致。
方法三:将密码文件设置为asm共享文件。