Fail to logon with SYS user: ORA-01031: insufficient privileges
Hello,
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
PL/SQL Release 11.2.0.1.0 - Production
CORE 11.2.0.1.0 Production
TNS for Linux: Version 11.2.0.1.0 - Production
NLSRTL Version 11.2.0.1.0 - Production
OS: CentOS 5.5
I fail to log on with SYS user through PL/SQL Developer. I receive the error: ORA-01031: insufficient privileges. PL/SQL Developer is installed on Windows 7 Professional. Oracle Client Version is 11.2.0.1.0. However I logon successfully with SYSMAN and SYSTEM.
For those who might ask whether I try to connect "as sysdba" when I use SYS user, the answer is YES, I do.
Besides I think the name of the tool (PL/SQL Developer) doesn't matter because I think I'll face the same error with any other tool (but I mentioned it just in case).
On server side I have no issues with SYS user. I can connect through SQLPlus with connect / as sysdba or connect "/as sysdba" faultlessly.
The initialization parameter sec_case_sensitive_logon is set to FALSE
SQL> show parameter sensi
NAME TYPE VALUE
sec_case_sensitive_logon boolean FALSE
I'm using local naming to connect and on client side I've a tnanames.ora file. The sqlnet.ora file looks like this:
SQLNET.AUTHENTICATION_SERVICES= (NTS)
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)I read in this forum (another thread) about using a password file. I created a password file using orapwd this way:
orapwd file=orapwDB11G2 entries=100 ignorecase=y password=a_passwordwhere I replaced "a_password" with the SYS password.
Actually I'm not sure the client is influenced by the password file anyway because I tell it to use local naming.
Any clues?
Thank you very much!
Verdi wrote:
Hello, Chinar, AlexeyDev,
ORACLE_SID variable is:
[oracle@localhost bin]$ echo $ORACLE_SID
planetThe directory $ORACLE_HOME/dbs:
[oracle@localhost ~]$ ls -l $ORACLE_HOME/dbs
total 28020
-rw-rw---- 1 oracle oinstall 1544 Apr 10 12:43 hc_DBUA0.dat
-rw-rw---- 1 oracle oinstall 1544 Apr 27 18:02 hc_planet.dat
-rw-r--r-- 1 oracle oinstall 2851 May 15 2009 init.ora
-rw-r--r-- 1 oracle oinstall 2966 Apr 26 16:33 initplanet.ora
-rw-r----- 1 oracle oinstall 24 Apr 1 18:22 lkPLANET
-rw-r----- 1 oracle oinstall 9519104 Apr 27 18:43 ora_control1
-rw-r----- 1 oracle oinstall 9519104 Apr 27 18:43 ora_control2
drwx------ 2 oracle oinstall 4096 Apr 10 12:43 peshm_DBUA0_0
drwx------ 2 oracle oinstall 4096 Apr 1 18:19 peshm_planet_0
-rw-r----- 1 oracle oinstall 9519104 Apr 8 11:25 snapcf_planet.f
-rw-r----- 1 oracle oinstall 2560 Apr 27 18:41 spfileplanet.oraThe value of the parameter remote_login_passwordfile is:
*.remote_login_passwordfile='EXCLUSIVE'
I start up the instance using the spfile.As a side observation, it appears you have two control files also in this directory. That is risky, and goes against the intent of having multiplexed the control file. Ideally they would be on separate disk devices - including separate controllers, but at the very least they should be in directories that are separate all the way back to the root directory. If you can't protect against hardware failure, at least protect against human failure.
Similar Messages
-
I want to mirror a schema to a existing schema by creating DDL and recreate on the other schema with same name.
I wrote the code below:
create or replace
PROCEDURE SCHEMA_A."MAI__DWHMIRROR"
AS
v_sqlstatement CLOB:='bos';
str varchar2(3999);
BEGIN
select
replace(
replace(replace(
replace(DBMS_METADATA.GET_DDL('TABLE','XXXX','SCHEMA_A'),'(CLOB)',''),';','')
,'SCHEMA_A'
,'SCHEMA_B'
into v_sqlstatement
from dual;
select CAST(v_sqlstatement AS VARCHAR2(3999)) into str from dual;
execute immediate ''||str;
END;
And Executing this block with below code:
set serveroutput on
begin
SCHEMA_A.MAI__DWHMIRROR;
end;
But still getting the following error code:
Error report:
ORA-01031: insufficient privileges
ORA-06512: at "SCHEMA_A.MAI__DWHMIRROR", line 47
ORA-06512: at line 2
01031. 00000 - "insufficient privileges"
*Cause: An attempt was made to change the current username or password
without the appropriate privilege. This error also occurs if
attempting to install a database without the necessary operating
system privileges.
When Trusted Oracle is configure in DBMS MAC, this error may occur
if the user was granted the necessary privilege at a higher label
than the current login.
*Action: Ask the database administrator to perform the operation or grant
the required privileges.
For Trusted Oracle users getting this error although granted the
the appropriate privilege at a higher label, ask the database
administrator to regrant the privilege at the appropriate label.user5199319 wrote:
USER has DBA Role
when all else fails Read The Fine Manual
DBMS_METADATA -
Resolving problem with ORA-01031: insufficient privileges
hello i just to write a few word about my installation of oracle database 9i
My installation is on a Red Hat AS3
I have a problem with the error :ORA-01031: insufficient privileges
The one who read this know what about i tell.
The authorization is only for the user which Group is DBA as you can read everywhere.
but me when i tried groupadd dba => it tells group already exist.
but i can't find the group dba in the file /etc/group.
So i tried to make my user 'oracle' works with the 'already group exist' dba .
useradd -g dba oracle
but when i tried to start the database i create i have the message. : ORA-01031: insufficient privileges
i tried to add manualy the group dba to /etc/group (as i can read in websites)
and add a user manualy (/etc/passwd).
But does works.
I try all i can during 1 days long.
I was really upset because nothing that i read work.
finaly I go to the RedHat Menu (things i don't really do normaly on LINUX) and go to 'SYSTEM SETTINGS' and choose 'User and Group'
Here i can see my user 'Oracle' I get the property of the user .
there is a tab group ( 'select the group that the user will be member of:')
None of them where name DBA so i decidied to select all of them and tried.
MAGIC!!! then it works!!!
ps: after when i see the list of the group I saw that one of them is named 'SYS' . I really think that it is the one group i had to select. but don't know.
Now It is working for me so... And good luck for you. bye.Errors
ORA-01031 "insufficient privileges"
Symptoms
During database upgrade phase using DBUA , it fails with error
ORA-1031 Insufficient privileges
Connection from sqlplus also fails with same error
$ sqlplus /nolog
SQLPLUS "conn / as sysdba"
ORA-1031 Insufficient privileges
Changing the REMOTE_LOGIN_PASSWORDFILE to SHARED / NONE does not make differen
Cause
ORACLE_HOME owner oramigts is part of OS group "dba" ,but config.s shows group "g680"
The 'OSDBA' and 'OSOPER' groups are chosen at installation time and usually both default to the group 'dba'.
These groups are compiled into the 'oracle' executable and so are the same for all databases running from a given ORACLE_HOME directory.
The actual groups being used for OSDBA and OSOPER can be checked thus:
cd $ORACLE_HOME/rdbms/lib
cat config.[cs]
Solution
To implement the solution, please execute the following steps:
1. Checked the ORACLE_HOME owner.
echo $ORACLE_HOME
/h02/app/oracle/product/9.2.0_64
cd / h02/app/oracle/product/
ls -l
drwxr-xr-x 58 oramigts dba 1024 Jan 2 2004 9.2.0_64
2.ORACLE_HOME software owner "oramigts" is part of group "dba"
3.Checked file $ORACLE_HOME/rdbms/lib/config.s
[If your platform has config.c:
Due to the way different compilers under different architectures generate
assembler code, it's not possible to give a universal rule.]
It shows dba group as "g680" where software owner is part of "dba" group
You can more find detail on config.s / config.c in the following doc.
Note 50507.1 SYSDBA and SYSOPER Privileges in Oracle
4. Modified the config.s for correct group.
.ascii "g680\0"
to
.ascii "dba\0"
7. mv config.o config.o.bak
8. make -f ins_rdbms.mk config.o ioracle
9. Checked the file config.o is created at $ORACLE_HOME/rdbms/lib
10. Connected / as sysdba thru Sqlplus from 9.2 Home, which connected sucessfully. -
ORA-01031: insufficient privileges when connecting by SQL PLUS 8.0 with sys
From client, I use SQL PLUS 8.0 to connect to server: sys/password@MYDB1 as sysdba
The error always raises “ORA-01031: insufficient privileges”
I have done:
- Set: remote_login_passwordfile=exclusive in tnsname.ora file
- Uncomment: SQLNET.AUTHENTICATION_SERVICES in “sqlnet.ora” file
Also on this client:
to use SQL PLUS 8.0 to connect to server: manager/password@MYDB1. To connect normally
to use PLSQL Deverloper (it is the same oracle_home with SQL PLUS 8.0) to connect to database normally with user sys.
To use Enterprise manager console (it is other oracle_home with SQL PLUS 8.0) to connect to database normally with user sys
Please, help me to solve this troubleTHIS IS CONTENT OF SQLNET.ora CLIENT
# copyright (c) 1996 by the Oracle Corporation
# NAME
# sqlnet.ora
# FUNCTION
# Oracle Network Client startup parameter file example
# NOTES
# This file contains examples and instructions for defining all
# Oracle Network Client parameters. It should be possible to read
# this file and setup a Client by uncommenting parameter definitions
# and substituting values. The comments should provide enough
# explanation to enable a reasonable user to manage his TNS connections
# without having to resort to 'real' documentation.
# SECTIONS
# ONames Client
# Namesctl
# Native Naming Adpaters
# MODIFIED
# skanjila 06/06/97 - Correct default for Automatic_IPC
# eminer 05/15/97 - Add the relevant onrsd parameters.
# asriniva 04/23/97 - Merge with version from doc
# ggilchri 03/31/97 - mods
# bvasudev 02/07/97 - Change sqlnet.authentication_services documentation
# bvasudev 11/25/96 - Merge sqlnet.ora transport related parameters
# asriniva 11/12/96 - Revise with new OSS parameters.
# asriniva 11/05/96 - Add ANO parameters.
# - ONames Client ----------------------------------------------------
#names.default_domain = world
#Syntax: domain-name
#Default: NULL
# Indicates the domain from which the client most often requests names. When
# this parameter is set the default domain name (for example, US.ACME), the
# domain name will be automatically appended to any unqualified name in an
# ONAmes request (query, register, deregister, etc). Any name which contains
# an unescaped dot ('.') will not have the default domain appended. Simple
# names may be qualified with a trailing dot (for example 'rootserver.').
#names.initial_retry_timeout = 30
#Syntax: 1-600 seconds
#Default: 15 (OSD)
# Determines how long a client will wait for a response from a Names Server
# before reiterating the request to the next server in the preferred_servers
# list.
#names.max_open_connections = 3
#Syntax: 3-64
#Default: ADDRS in preferred_servers
# Determines how many connections an ONames client may have open at one time.
# Clients will ordinarily keep connections to servers open once they are
# established until the operation (or session in namesctl) is complete. A
# connection will be opened whenever needed, and if the maximum would be
# exceeded the least recently used connection will be closed.
#names.message_pool_start_size = 10
#Syntax: 3-256
#Default: 10
# Determines the initial number of messages allocated in the client's message
# pool. This pool provides the client with pre-allocated messages to be used
# for requests to ONames servers. Messages which are in the pool and unused
# may be reused. If a message is needed and no free messages are available in
# the pool more will be allocated.
#names.preferred_servers = (address_list =
# (address=(protocol=ipc)(key=n23))
# (address=(protocol=tcp)(host=nineva)(port=1383))
# (address=(protocol=tcp)(host=cicada)(port=1575))
#Syntax: ADDR_LIST
#Default: Well-Known (OSD)
# Specifies a list of ONames servers in the client's region; requests will be
# sent to each ADDRESS in the list until a response is recieved, or the list
# (and number of retries) is exhausted.
# Addresses of the following form specify that messages to the ONames server
# should use Oracle Remote Operations (RPC):
# (description =
# (address=(protocol=tcp)(host=nineva)(port=1383))
# (connect_data=(rpc=on))
#names.request_retries = 2
#Syntax: 1-5
#Default: 1
# Specifies the number of times the client should try each server in the list
# of preferred_servers before allowing the operation to fail.
#names.directory_path
#Syntax: <adapter-name>
#Default: TNSNAMES,ONAMES,HOSTNAME
# Sets the (ordered) list of naming adaptors to use in resolving a name.
# The default is as shown for 3.0.2 of sqlnet onwards. The default was
# (TNSNAMES, ONAMES) before that. The value can be presented without
# parentheses if only a single entry is being specified. The parameter is
# recognized from version 2.3.2 of sqlnet onward. Acceptable values include:
# TNSNAMES -- tnsnames.ora lookup
# ONAMES -- Oracle Names
# HOSTNAME -- use the hostname (or an alias of the hostname)
# NIS -- NIS (also known as "yp")
# CDS -- OSF DCE's Cell Directory Service
# NDS -- Novell's Netware Directory Service
# - Client Cache (ONRSD) ---------------------------------------------
names.addresses = (ADDRESS=(PROTOCOL=IPC)(KEY=ONAMES))
Syntax: ADDR
Default: (ADDRESS=(PROTOCOL=IPC)(KEY=ONAMES))
Address on which the client cache listens (is available to clients).
Any valid TNS address is allowed. The default should be used if at
all possible; clients have this entry hardwired as the first line
of their server-list file (sdns.ora). If the address is set to a
non-default value the client's preferred_servers parameter should
be set to include the client-cache address first.
names.authority_required = False
Syntax: T/F
Default: False
Determines whether system querys (for the root etc) require Authoritative
answers.
names.auto_refresh_expire = 259200
Syntax: Number of seconds, 60-1209600
Default: 259200
This is the amount of time (in seconds) the server will cache the addresses
of servers listed in server-list file (sdns.ora). When this time expires the
server will issue another query to the servers in those regions to refresh
the data.
names.auto_refresh_retry = 180
Syntax: Number of seconds, 60-3600
Default: sec. 180
This set how often the server will retry when the auto_refresh query fails.
names.cache_checkpoint_file = cache.ckp
Syntax: filename
Default: $ORACLE_HOME/network/names/ckpcch.ora
Specifies the name of the operating system file to which the Names Server
writes its foreign data cache.
names.cache_checkpoint_interval = 7200
Syntax: Number of seconds, 10-259200
Default: 0 (off)
Indicates the interval at which a Names Server writes a checkpoint of its
data cache to the checkpoint file.
names.default_forwarders=
(FORWARDER_LIST=
(FORWARDER=
(NAME= rootserv1.world)
(ADDRESS=(PROTOCOL=tcp)(PORT=42100)(HOST=roothost))))
Syntax: Name-Value/address_list
Default: NULL
A list (in NV form) of the addresses of other servers which should be used to
forward querys while in default_forwarder (slave) mode. NAME is the global
names for the server to which forwards whould be directed, and ADDRESS is its
address.
names.default_forwarders_only = True
Syntax: T/F
Default: False
When set to true this server will use the servers listed in default_forwarders
to forward all operations which involve data in foreign regions. Otherwise it
will use the servers defined in the server-list file (sdns.ora) in addition
to any defined in the default_forwarders parameter.
names.log_directory = /oracle/network/log
Syntax: directory
Default: $ORACLE_HOME/network/log
Indicates the name of the directory where the log file for Names Server
operational events are written.
names.log_file = names.log
Syntax: filename
Default: names.log
The name of the output file to which Names Server operational events are
written.
names.log_stats_interval = 3600
Syntax: Number of seconds, 10-ub4max
Default: sec. 0 (off)
Specifies the number of seconds between statistical entries in log file.
names.log_unique = False
Syntax: T/F
Default: False
If set to true the server will guarantee that the log file will have a unique
name which will not overwrite any existing files (note that log files are
appended to, so log information will not be lost if log_unique is not true).
names.max_open_connections = 10
Syntax: 3-64
Default: 10
Specifies the number of connections that the Names Server can have open at any
given time. The value is generated as the value 10 or the sum of one
connection for listening, five for clients, plus one for each foreign domain
defined in the local administrative region, whichever is greater. Any
operation which requires the server to open a network connection will use
an already open connection if it is available, or will open a connection
if not. Higher settings will save time and cost network resources; lower
settings save network resources, cost time.
names.max_reforwards = 2
Syntax: 1-15
Default: 2
The maximum number of times the server will attempt to forward a certain
operation.
names.message_pool_start_size = 24
Syntax: 3-256
Default: 10
Determines the initial number of messages allocated in the server's message
pool. This pool provides the server with pre-allocated messages to be used
for incoming or outgoing messages (forwards). Messages which are in the pool
and unused may be reused. If a message is needed and no free messages are
available in the pool more will be allocated.
names.no_modify_requests = False
Syntax: T/F
Default: False
If set to true, the server will refuse any operations which modify the
data in its region (it will still save foreign info in the cache which is
returned from foreign querys).
names.password = 625926683431AA55
Syntax: encrypted string
Default: NULL
If set the server will require that the user provide a password in his
namesctl session (either with sqlnet.ora:namesctl.server_password or 'set
password') in order to do 'sensitive' operations, like stop, restart, reload.
This parameter is generally set in encrypted form, so it can not be set
manually.
names.reset_stats_interval = 3600
Syntax: 10-ub4max
Default: 0 (off)
Specifies the number of seconds during which the statistics collected by the
Names Servers should accumulate. At the frequency specified, they are reset
to zero. The default value of 0 means never reset statistics.
names.trace_directory = /oracle/network/trace
Syntax: directory
Default: $ORACLE_HOME/network/trace
Indicates the name of the directory to which trace files from a Names Server
trace session are written.
names.trace_file = names.trc
Syntax: filename
Default: names.trc
Indicates the name of the output file from a Names Server trace session.
names.trace_func # NA
Syntax: T/F
Default: False
Internal mechanism to control tracing by function name.
names.trace_level = ADMIN
Syntax: T/F
Default: False
Syntax: {OFF,USER,ADMIN,0-16}
Default: OFF (0)
Indicates the level at which the Names Server is to be traced.
Available Values:
0 or OFF - No trace output
4 or USER - User trace information
10 or ADMIN - Administration trace information
16 or SUPPORT - WorldWide Customer Support trace information
names.trace_mask = (200,201,202,203,205,206,207)
Syntax: list of numbers
Default: NULL
Internal mechanism to control trace behavior.
names.trace_unique = True
Syntax: T/F
Default: False
Indicates whether each trace file has a unique name, allowing multiple trace
files to coexist. If the value is set to ON, a process identifier is appended
to the name of each trace file generated.
# - Namesctl ---------------------------------------------------------
#namesctl.trace_directory = /oracle/network/trace
#Syntax: directory
#Default: $ON/trace
# Indicates the name of the directory to which trace files from a namesctl
# trace session are written.
#namesctl.trace_file = namesctl.trc
#Syntax: filename
#Default: namesctl.trc
# Indicates the name of the output file from a namesctl trace session.
#namesctl.trace_func # NA
#Syntax: word list
#Default: NULL
# Internal mechanism to control tracing by function name.
#namesctl.trace_level = ADMIN
#Syntax: {OFF,USER,ADMIN,0-16}
#Default: OFF (0)
# Indicates the level at which the namesctl is to be traced.
# Available Values:
# 0 or OFF - No trace output
# 4 or USER - User trace information
# 10 or ADMIN - Administration trace information
# 16 or SUPPORT - WorldWide Customer Support trace information
#namesctl.trace_mask # NA
#Syntax: number list
#Default: NULL
# Internal mechanism to control trace behavior.
#namesctl.trace_unique = True
#Syntax: T/F
#Default: False
# Indicates whether each trace file has a unique name, allowing multiple trace
# files to coexist. If the value is set to ON, a process identifier is appended
# to the name of each trace file generated.
#namesctl.no_initial_server = False
#Syntax: T/F
#Default: False
# If set to TRUE namesctl will suppress any error messages when namesctl is
# unable to connect to a default names server.
#namesctl.internal_use = True
#Syntax: T/F
#Default: False
# If set to true namesctl will enable a set of internal undocumented commands.
# All internal commands are preceded by an underscore ('_') in order to
# distinguish them as internal. Without going into details, the commands
# enabled are:
# adddata createname deletename
# fullstatus ireplacedata newttlname
# pause remove_data renamename
# replacedata start walk*
# There are also a set of names server variables which may be set when
# namesctl is in internal mode:
# authorityrequired autorefresh*
# cachecheckpoint_interval cachedump
# defaultautorefresh_expire defaultautorefresh_retry
# defaultforwarders_only forwardingdesired
# maxreforwards modifyops_enabled
# nextcache_checkpoint nextcache_flush
# nextstat_log nextstat_reset
# reload request_delay
# restart shutdown
#namesctl.noconfirm = True
#Syntax: T/F
#Default: False
# When set to TRUE namesctl will suppress the confirmation prompt when
# sensitive operations (stop, restart, reload) are requested. This is
# quite helpful when using namesctl scripts.
#namesctl.server_password = mangler
#Syntax: string
#Default: NULL
# Automatically sets the password for the names server in order to perform
# sensitive operations (stop, restart, reload). The password may also be
# set manually during a namesctl session using 'set password'.
#namesctl.internal_encrypt_password = False
#Syntax: T/F
#Default: True
# When set to TRUE namesctl will not encrypt the password when it is sent to
# the names server. This would enable an unencrypted password to be set in
# names.ora:names.server_password
# - Native Naming Adpaters -------------------------------------------
#names.dce.prefix = /.:/subsys/oracle/names
#Syntax: DCE cell name
#Default: /.:/subsys/oracle/names
#Specifies the DCE cell (prefix) to use for name lookup.
#names.nds.name_context = personnel.acme
#Syntax: NDS name
#Default: (OSD?)
# Specifies the default NDS name context in which to look for the name to
# be resolved.
#names.nis.meta_map # NA
# Syntax: filename
# Default: sqlnet.maps
# Specifies the file to be used to map NIS attributes to an NIS mapname.
# Currently unused.
# - Advanced Networking Option Authentication Adapters ----------------
#sqlnet.authentication_services
# Syntax: A single value or a list from {beq, none, all, kerberos5,
# cybersafe, securid, identitx}
# Default: NONE
# Enables one or more authentication services. To enable
# authentication via the Oracle Security Server, use (beq, oss). If
# the Advanced Networking Option has been installed with Kerberos5
# support, using (beq, kerberos5) would enable authentication via
# Kerberos.
sqlnet.authentication_services=(beq, oss)
## Parmeters used with Kerberos adapter.
#sqlnet.kerberos5_cc_name
# Syntax: Any valid pathname.
# Default: /tmp/krb5cc_<uid>
# The Kerberos credential cache pathname.
#sqlnet.kerberos5_cc_name=/tmp/mycc
#sqlnet.kerberos5_clockskew
# Syntax: Any positive integer.
# Default: 300
# The acceptable difference in the number of seconds between when a
# credential was sent and when it was received.
#sqlnet.kerberos5_clockskew=600
#sqlnet.kerberos5_conf
# Syntax: Any valid pathname.
# Default: /krb5/krb.conf
# The Kerberos configuration pathname.
#sqlnet.kerberos5_conf=/tmp/mykrb.conf
#sqlnet.kerberos5_realms
# Syntax: Any valid pathname
# Default: /krb5/krb.realms
# The Kerberos host name to realm translation file.
#sqlnet.kerberos5_realms=/tmp/mykrb.realms
#sqlnet.kerberos5_keytab
# Syntax: Any valid pathname.
# Default: /etc/v5srvtab
# The Kerberos secret key file.
#sqlnet.kerberos5_keytab=/tmp/myv5srvtab
#sqlnet.authentication_kerberos5_service
# Syntax: Any string.
# Default: A default is not provided.
# The Kerberos service name.
#sqlnet.authentication_kerberos5_service=acme
## Parmeters used with CyberSAFE adapter.
#sqlnet.authentication_gssapi_service
# Syntax: A correctly formatted service principal string.
# Default: A default is not provided.
# The CyberSAFE service principal
#sqlnet.authentication_gssapi_service=acme/[email protected]
## Parmeters used with Identix adapter.
#sqlnet.identix_fingerprint_method
# Syntax: Must be oracle.
# Default: A default is not provided.
# The Identix authentication server method
#sqlnet.identix_fingerprint_method=oracle
#sqlnet.identix_fingerprint_database
# Syntax: Any string.
# Default: A default is not provided.
# The Identix authentication server TNS alias
#sqlnet.identix_fingerprint_database=ofm
#sqlnet.identix_fingerprint_database_user
# Syntax: Any string
# Default: A default is not provided.
# The Identix authentication service well known username.
#sqlnet.identix_fingerprint_database_user=ofm_client
#sqlnet.identix_fingerprint_database_password
# Syntax: Any string
# Default: A default is not provided.
# The Identix authentication service well known password.
#sqlnet.identix_fingerprint_database_password=ofm_client
# - Advanced Networking Option Network Security -------------------------
#sqlnet.crypto_checksum_client
#sqlnet.crypto_checksum_server
#sqlnet.encryption_client
#sqlnet.encryption_server
# These four parameters are used to specify whether a service (e.g.
# crypto-checksumming or encryption) should be active:
# Each of the above parameters defaults to ACCEPTED.
# Each of the above parameters can have one of four possible values:
# value meaning
# ACCEPTED The service will be active if the other side of the
# connection specifies "REQUESTED" or REQUIRED" and
# there is a compatible algorithm available on the other
# side; it will be inactive otherwise.
# REJECTED The service must not be active, and the connection
# will fail if the other side specifies "REQUIRED".
# REQUESTED The service will be active if the other side specifies
# "ACCEPTED", "REQUESTED", or "REQUIRED" and there is a
# compatible algorithm available on the other side; it
# will be inactive otherwise.
# REQUIRED The service must be active, and the connection will
# fail if the other side specifies "REJECTED" or if there
# is no compatible algorithm on the other side.
#sqlnet.crypto_checksum_types_client
#sqlnet.crypto_checksum_types_server
#sqlnet.encryption_types_client
#sqlnet.encryption_types_server
# These parameters control which algorithms will be made available for
# each service on each end of a connection:
# The value of each of these parameters can be either a parenthesized
# list of algorithm names separated by commas or a single algorithm
# name.
# Encryption types can be: RC4_40, RC4_56, RC4_128, DES, DES40
# Encryption defaults to all the algorithms.
# Crypto checksum types can be: MD5
# Crypto checksum defaults to MD5.
#sqlnet.crypto_seed ="4fhfguweotcadsfdsafjkdsfqp5f201p45mxskdlfdasf"
#sqlnet.crypto_checksum_server = required
#sqlnet.encryption_server = required
# - Oracle Security Server ---------------------------------------------
#oss.source.my_wallet
# Syntax: A properly formatted NLNV list.
# Default: Platform specific. Unix: $HOME/oracle/oss
# The method for retrieving and storing my identity.
#oss.source.my_wallet
# =(source
# =(method=file)
# (method_data=/dve/asriniva/oss/wallet)
#oss.source.location
# Syntax: A properly formatted NLNV list.
# Default: Oracle method, oracle_security_service/oracle_security_service@oss
# The method for retrieving encrypted private keys.
#oss.source.location
# =(source
# =(method=oracle)
# (method_data=
# (sqlnet_address=andreoss)
# - Sqlnet(v2.x) and Net3.0 Client ------------------------------------------
# In the following descriptions, the term "client program" could mean
# either sqlplus, svrmgrl or any other OCI programs written by users
#trace_level_client = ADMIN
#Possible values: {OFF,USER,ADMIN,0-16}
#Default: OFF (0)
#Purpose: Indicates the level at which the client program
# is to be traced.
# Available Values:
# 0 or OFF - No Trace output
# 4 or USER - User trace information
# 10 or ADMIN - Administration trace information
# 16 or SUPPORT - Worldwide Customer Support trace information
#Supported since: v2.0
#trace_directory_client = /oracle/network/trace
#Possible values: Any valid directory path with write permission
#Default: $ORACLE_HOME/network/trace ($ORACLE_HOME=/oracle at customer
# site)
#Purpose: Indicates the name of the directory to which trace files from
# the client execution are written.
#Supported since: v2.0
#trace_file_client = /oracle/network/trace/cli.trc
#Possible values: Any valid file name
#Default: $ORACLE_HOME/network/trace/cli.trc ($ORACLE_HOME =
# /oracle at customer site)
#Purpose: Indicates the name of the file to which the execution trace
# of the client is written to.
#Supported since: v2.0
#trace_unique_client = ON
#Possible values: {ON, OFF}
#Default: OFF
#Purpose: Used to make each client trace file have a unique name to
# prevent each trace file from being overwritten by successive
# runs of the client program
#Supported since: v2.0
#log_directory_client = /oracle/network/log
#Possible values: Any valid directory pathname
#Default: $ORACLE_HOME/network/log ($ORACLE_HOME = /oracle at customer
# site)
#Purpose: Indicates the name of the directory to which the client log file
# is written to.
#Supported since: v2.0
#log_file_client = /oracle/network/log/sqlnet.log
#Possible values: This is a default value, u cannot change this
#Default: $ORACLE_HOME/network/log/sqlnet.log ($ORACLE_HOME=/oracle in
# customer site)
#Purpose: Indicates the name of the log file from a client program
#Supported since: v2.0
#log_directory_server = /oracle/network/trace
#Possible values: Any valid diretcory path with write permission
#Default: $ORACLE_HOME/network/trace ( $ORACLE_HOME=/oracle at customer
# site)
#Purpose: Indicates the name of the directory to which log files from the
# server are written
#Supported since: v2.0
#trace_directory_server = /oracle/network/trace
#Possible values: Any valid directory path with write permission
#Default: $ORACLE_HOME/network_trace ( $ORACLE_HOME=/oracle at customer
# site)
#Purpose: Indicates the name of the directory to which trace files from
# the server are written
#Supported since: v2.0
#trace_file_server = /orace/network/trace/svr_<pid>.trc
#Possible values: Any valid filename
#Default: $ORACLE_HOME/network/trace/svr_<pid>.trc where <pid? stands for
# the process id of the server on UNIX systems
#Purpose: Indicates the name of the file to which the execution trace of
# the server program is written to.
#Supported since: v2.0
#trace_level_server = ADMIN
#Possible values: {OFF,USER,ADMIN,0-16}
#Default: OFF (0)
#Purpose: Indicates the level at which the server program
# is to be traced.
# Available Values:
# 0 or OFF - No Trace output
# 4 or USER - User trace information
# 10 or ADMIN - Administration trace information
# 16 or SUPPORT - Worldwide Customer Support trace information
#Supported since: v2.0
#use_dedicated_server = ON
#Possible values: {OFF,ON}
#Default: OFF
#Purpose: Forces the listener to spawn a dedicated server process for
# sessions from this client program.
#Supported since: v2.0
#use_cman = TRUE
#Possible values: {TRUE, FALSE}
#Default: FALSE
#Purpose:
#Supported since: v3.0
#tnsping.trace_directory = /oracle/network/trace
#Possible values: Any valid directory pathname
#Default: $ORACLE_HOME/network/trace ($ORACLE_HOME=/oracle at customer
# site)
#Purpose: Indicates the directory to which the execution trace from
# the tnsping program is to be written to.
#Supported since: v2.0
#tnsping.trace_level = ADMIN
#Possible values: {OFF,USER,ADMIN,0-16}
#Default: OFF (0)
#Purpose: Indicates the level at which the server program
# is to be traced.
# Available Values:
# 0 or OFF - No Trace output
# 4 or USER - User trace information
# 10 or ADMIN - Administration trace information
# 16 or SUPPORT - Worldwide Customer Support trace information
#Supported since: v2.0
#sqlnet.expire_time = 10
#Possible values: 0-any valid positive integer! (in minutes)
#Default: 0 minutes
#Recommended value: 10 minutes
#Purpose: Indicates the time interval to send a probe to verify the
# client session is alive (this is used to reclaim watseful
# resources on a dead client)
#Supported since: v2.1
#sqlnet.client_registration = <unique_id>
#Possible values:
#Default: OFF
#Purpose: Sets a unique identifier for the client machine. This
# identifier is then passed to the listener with any connection
# request and will be included in the Audit Trail. The identifier
# can be any alphanumeric string up to 128 characters long.
#Supported since: v2.3.2
#bequeath_detach = YES
#Possible values: {YES,NO}
#Default: NO
#Purpose: Turns off signal handling on UNIX systems. If signal handling
# were not turned off and if client programs written by users make
# use of signal handling they could interfere with Sqlnet/Net3.
#Supported since: v2.3.3
#automatic_ipc = OFF
#Possible values: {ON,OFF}
#Default: OFF
#Purpose: Force a session to use or not to use IPC addresses on the
# client's node.
#Supported since: v2.0
#disable_oob = ON
#Possible values: {ON,OFF}
#Default: OFF
#Purpose: If the underlying transport protocol (TCP, DECnet,...) does
# not support Out-of-band breaks, then disable out-of-band
# breaks
#Supported since: v2.0
# -
"Create User" gives ORA-01031: insufficient privileges for user sys
I am on Oracle 11g db, 11.1.0.6 and login successfully using sys/password as sysdba. This login is successful.
[oracle@RH5-32-OR bin]$ ./sqlplus sys/abcd1234 as sysdba
SQL*Plus: Release 11.1.0.6.0 - Production on Thu Jan 21 06:06:51 2010
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options
However, I cannot create a new user, getting error about insufficient privileges. I though since this is a sys login with role DBA, it should be allowed to create user.
I also logged in to enterprise manager console using the same credentials, and navigated to: Security->Sys.
- Under the system tab, and can see "Create User" granted.
- Under the role tab, there is DBA granted.
SQL> create user myuser identified globally;
create user myuser identified globally
ERROR at line 1:
ORA-01031: insufficient privileges
Where to check for previleges? And how to debug. I am really very surprised.
Thanks.I don't have first hand experience of using Database Vault myself, but according the manual the default setup prevents SYSDBA from creating users when Database Vault is enabled (which I would guess is the case based on the banner posted above) This behaviour can be modified by the Vault administrator.
http://download.oracle.com/docs/cd/B28359_01/server.111/b31222/db_objects.htm#BEIJIFGA -
Hi,
in the following enviroment:
Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production
With the Partitioning option
JServer Release 9.0.1.1.1 - Production
On an MS 2K box
I experience the following problem:
if I create a table
create table test(c type);
where type is varchar2 o clob I then succesfully issue this
command:
create index test_ctx on test(c) indextype is ctxsys.context;
but if type is sys.XMLType I get :
ORA-01031: insufficient privileges.
Any suggestion
Thanks
AlexUnder user sys as sysdba the following happens:
SQL> create table test(c XMLType);
Table created.
SQL> create index test_ctx on test(c) indextype is
ctxsys.context;
create index test_ctx on test(c) indextype is ctxsys.context
ERROR at line 1:
ORA-29855: error occurred in the execution of ODCIINDEXCREATE
routine
ORA-20000: Oracle Text error:
DRG-50857: oracle error in drixtab.create_index_tables
ORA-00955: name is already used by an existing object
ORA-06512: at "CTXSYS.DRUE", line 157
ORA-06512: at "CTXSYS.TEXTINDEXMETHODS", line 176 -
Check database with error "ORA-01031: insufficient privileges"
Dear Gurus,
I ran "Check database" in DB13 but I got error "ORA-01031: insufficient privileges"
BR0280I BRCONNECT time stamp: 2010-03-31 12.37.00
BR0301E SQL error -1031 at location BrDbdiffRead-1, SQL statement:
'PREPARE stmt_5 STATEMENT FROM'
'SELECT OBJNAME FROM "SAPSR3".DBDIFF WHERE DBSYS IN ('ORACLE', ' ') AND OBJTYPE = 'TABL' AND DIFFKIND IN ('02', '61', '99') ORDER BY OBJNAME'
ORA-01031: insufficient privileges
BR0806I End of BRCONNECT processing: cecxekdh.chk 2010-03-31 12.37.00
Note I try to execute sapdba_role.sql (with command "sqlplus /nolog @sapdba_role.sql SR3") as Note 134592 both login 'oradev' and 'devadm' but it seem to do nothing (not found sapdba_role.log)
Please advice.
Best regards,
Choosak B.
Ps.
detailed log of /oracle/DEV/sapcheck/cecxekdh.chk
BR0801I BRCONNECT 7.00 (40)
BR0477I Oracle pfile /oracle/DEV/102_64/dbs/initDEV.ora created from spfile /oracle/DEV/102_64/dbs/spfileDEV.ora
BR0805I Start of BRCONNECT processing: cecxekdh.chk 2010-03-31 12.30.53
BR0484I BRCONNECT log file: /oracle/DEV/sapcheck/cecxekdh.chk
BR0101I Parameters
Name Value
oracle_sid DEV
oracle_home /oracle/DEV/102_64
oracle_profile /oracle/DEV/102_64/dbs/initDEV.ora
sapdata_home /oracle/DEV
sap_profile /oracle/DEV/102_64/dbs/initDEV.sap
system_info devadm/oradev sapdev SunOS 5.10 Generic_142900-03 sun4v
oracle_info DEV 10.2.0.4.0 8192 7465 94896497 sapdev UTF8 UTF8
sap_info 701 SAPSR3 0002LK0003DEV0011N11827599290015Maintenance_ORA
make_info sun_64 OCI_102 Feb 21 2009
command_line brconnect -u / -jid CHECK20100331123000 -c -f check
alert_log /oracle/DEV/saptrace/background/alert_DEV.log
BR0280I BRCONNECT time stamp: 2010-03-31 12.30.56
BR0813I Schema owners found in database DEV:
DBSNMP, DIP, OPS$DEVADM, OPS$ORADEV, OPS$SAPSERVICEDEV, ORACLE_OCM, OUTLN, SAPSR3*, SYS, SYSTEM,
TSMSYS
BR0118I Tablespaces and data files
Tablespace Status File Status Id. Size MaxSize IncrSize BlkSize Device Type Link
PSAPSR3 ONLINE+ /oracle/DEV/sapdata2/sr3_1/sr3.data1 ONLINE+ 4 2411732992 10485760000 20971520 8192 16777219 FILE NOLINK
SYSTEM ONLINE+ /oracle/DEV/sapdata1/system_1/system.data1 SYSTEM+ 1 1017126912 10485760000 20971520 8192 16777219 FILE NOLINK
BR0119I Redo log files
File Status Group Size Device Type Link
/oracle/DEV/origlogA/log_g11m1.dbf INUSE 1 52429312 16777218 FILE NOLINK
/oracle/DEV/mirrlogA/log_g11m2.dbf INUSE 1 52429312 16777218 FILE NOLINK
/oracle/DEV/origlogB/log_g12m1.dbf INUSE 2 52429312 16777218 FILE NOLINK
/oracle/DEV/mirrlogB/log_g12m2.dbf INUSE 2 52429312 16777218 FILE NOLINK
/oracle/DEV/origlogA/log_g13m1.dbf INUSE 3 52429312 16777218 FILE NOLINK
/oracle/DEV/mirrlogA/log_g13m2.dbf INUSE 3 52429312 16777218 FILE NOLINK
/oracle/DEV/origlogB/log_g14m1.dbf INUSE 4 52429312 16777218 FILE NOLINK
/oracle/DEV/mirrlogB/log_g14m2.dbf INUSE 4 52429312 16777218 FILE NOLINK
BR0120I Control files
File Size Device Type Link
/oracle/DEV/origlogA/cntrl/cntrlDEV.dbf 15024128 16777218 FILE NOLINK
/oracle/DEV/origlogB/cntrl/cntrlDEV.dbf 15024128 16777218 FILE NOLINK
/oracle/DEV/sapdata1/cntrl/cntrlDEV.dbf 15024128 16777219 FILE NOLINK
BR0982I Database disk volumes
Directory / Raw disk Device Total[KB] Free[KB] Used[%] MaxNeed[KB] MaxMiss[KB]
/oracle/DEV/102_64 16777218 480700086 404332206 15.89 0 0
/oracle/DEV 16777218 480700086 404332206 15.89 0 0
/oracle/DEV/mirrlogA 16777218 480700086 404332206 15.89 0 0
/oracle/DEV/mirrlogB 16777218 480700086 404332206 15.89 0 0
/oracle/DEV/origlogA 16777218 480700086 404332206 15.89 0 0
/oracle/DEV/origlogB 16777218 480700086 404332206 15.89 0 0
/oracle/DEV/sapdata1 16777219 591212116 404332206 31.61 240019884 0
/oracle/DEV/sapdata2 16777219 591212116 404332206 31.61 240019884 0
/oracle/DEV/sapdata3 16777219 591212116 404332206 31.61 240019884 0
/oracle/DEV/sapdata4 16777219 591212116 404332206 31.61 240019884 0
/oracle/DEV/saparch 16777218 480700086 404332206 15.89 0 0
/oracle/DEV/sapbackup 16777218 480700086 404332206 15.89 0 0
/oracle/DEV/sapcheck 16777218 480700086 404332206 15.89 0 0
/oracle/DEV/sapreorg 16777218 480700086 404332206 15.89 0 0
/oracle/DEV/saptrace 16777218 480700086 404332206 15.89 0 0
/oracle/DEV/oraarch 16777218 480700086 404332206 15.89 0 0
BR0280I BRCONNECT time stamp: 2010-03-31 12.31.29
BR0814I Number of tables in schema of owner SAPSR3: 74582
BR0836I Number of info cube tables found for owner SAPSR3: 49
BR0814I Number of tables/partitions in schema of owner SYS: 625/189
BR0814I Number of tables/partitions in schema of owner SYSTEM: 134/27
BR0280I BRCONNECT time stamp: 2010-03-31 12.32.28
BR0815I Number of indexes in schema of owner SAPSR3: 89159
BR0815I Number of indexes/partitions in schema of owner SYS: 678/199
BR0815I Number of indexes/partitions in schema of owner SYSTEM: 175/32
BR0280I BRCONNECT time stamp: 2010-03-31 12.37.00
BR0816I Number of segments in schema of owner DBSNMP: 25
BR0816I Number of segments in schema of owner OPS$DEVADM: 1
BR0816I Number of segments in schema of owner OUTLN: 9
BR0816I Number of segments/LOBs in schema of owner SAPSR3: 168369/2314
BR0816I Number of segments/LOBs in schema of owner SYS: 1831/87
BR0816I Number of segments/LOBs in schema of owner SYSTEM: 353/22
BR0816I Number of segments in schema of owner TSMSYS: 4
BR0280I BRCONNECT time stamp: 2010-03-31 12.37.00
BR0961I Number of conditions found in DBCHECKORA: 118
BR0983I Tablespace fragmentation
Tablespace Files Tables Indexes Extents Total[KB] Used[%] Free[KB] FreeExt. MaxSize[KB] MaxAlloc[KB] Used[%] Free[KB] Largest[KB]
PSAPSR3 16 74248 88689 209864 54138880 94.51 2970752 240 163840000+ 109701120+ 31.23+ 112671872+ 9246720:7966720:7946240:7905280:7905280+
PSAPSR3701 14 0 0 0 54466560 0.00 54465664 20 143360000+ 88893440+ 0.00+ 143359104+ 9021440:8192000:8192000:8192000:8192000+
PSAPSR3701X 4 310 445 12190 68342784 94.20 3962240 7 68342784 0 94.20 3962240 1298432:1191936:979968:163776:163776
PSAPSR3USR 1 24 25 51 51200 6.50 47872 1 10240000+ 10188800+ 0.03+ 10236672+ 10188800+:47872:0:0:0
PSAPTEMP 1 0 0 0 1433600 0.00 1433600 0 10240000+ 8806400+ 0.00+ 10240000+ 8806400+:0:0:0:0
PSAPUNDO 1 0 0 0 7823360 0.00 7823296 406 10240000+ 2416640+ 0.00+ 10239936+ 2416640+:2041792:1814464:1433536:603072
SYSAUX 1 254 284 2059 307200 93.35 20416 16 10240000+ 9932800+ 2.80+ 9953216+ 9932800+:13248:3072:1024:640
SYSTEM 1 505 569 2926 993280 98.91 10816 2 10240000+ 9246720+ 9.59+ 9257536+ 9246720+:10176:640:0:0
Total: 39 75341 90012 227090 187556864 62.29 70734656 692 426742784 239185920 27.38 309920576 60157952:19463744:18936384:17695616:16864768
BR0280I BRCONNECT time stamp: 2010-03-31 12.37.00
BR0301E SQL error -1031 at location BrDbdiffRead-1, SQL statement:
'PREPARE stmt_5 STATEMENT FROM'
'SELECT OBJNAME FROM "SAPSR3".DBDIFF WHERE DBSYS IN ('ORACLE', ' ') AND OBJTYPE = 'TABL' AND DIFFKIND IN ('02', '61', '99') ORDER BY OBJNAME'
ORA-01031: insufficient privileges
BR0806I End of BRCONNECT processing: cecxekdh.chk 2010-03-31 12.37.00
BR0280I BRCONNECT time stamp: 2010-03-31 12.37.00
BR0804I BRCONNECT terminated with errorsHi,
It solved after change permission of directory that sapdba_role.sql kept to oradev:dba after that it can write sapdba_role.log.
Thank you for your guideline.
Now, I can ran 'Check database' via DB13 without that error.
Best regards,
Choosak B. -
Getting ORA-01031: Insufficient privileges when connecting as sys as sysdba
Hi There,
I am running Linux AS version 4, oracle 102.0.1, and logginging as oracle user which belongs to dba group. I got error "ORA-01031: Insufficient privileges" when trying to connect as sys user to bring up database. I wondered what is causing the error. Here is an example
oracle-dev>sqlplus /nolog
SQL>conn as sys/oracle@dev as sysdba
ERROR:
ORA-01031: Insufficient privileges
Any suggestions would be greatly appreciated. Thanks again.
Rich,Did you create a password file ?
http://download-uk.oracle.com/docs/cd/B19306_01/server.102/b15658/admin_ora.htm#sthref142
Message was edited by:
Paul M.
BTW, the syntax is
SQL>conn sys/oracle@dev as sysdba -
Error with fullonline_backup (ORA-01031: insufficient privileges)
Hi experts,
we are facing problem during sap fullonline + redolog backup. while wholeonline+redolog backup working fine.
please see the detail.
BR0280I BRBACKUP time stamp: 2011-12-22 16.06.40
BR0063I 35 of 35 files processed - 117460.273 of 117460.273 MB done
BR0204I Percentage done: 100.00%, estimated end time: 16:06
BR0001I **************************************************
BR0280I BRBACKUP time stamp: 2011-12-22 16.06.40
BR0317I 'Alter tablespace SYSTEM end backup' successful
BR0280I BRBACKUP time stamp: 2011-12-22 16.06.42
BR0530I Cataloging backups of all database files...
BR0278E Command output of 'SHELL=/bin/sh /oracle/R3P/102_64/bin/rman nocatalog':
Recovery Manager: Release 10.2.0.4.0 - Production on Thu Dec 22 16:06:42 2011
Copyright (c) 1982, 2007, Oracle. All rights reserved.
RMAN>
RMAN> connect target *
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
ORA-01031: insufficient privileges
RMAN> **end-of-file**
RMAN>
host command complete
RMAN> 2> 3> 4> 5> 6> 7> 8> 9> 10> 11> 12> 13> 14> 15> 16> 17> 18> 19> 20> 21> 22> 23> 24> 25> 26> 27> 28> 29> 30> 31> 32> 33> 34> 35> 36> 37>
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of catalog command at 12/22/2011 16:06:42
RMAN-06171: not connected to target database
RMAN>
Recovery Manager complete.
BR0280I BRBACKUP time stamp: 2011-12-22 16.06.42
BR0279E Return code from 'SHELL=/bin/sh /oracle/R3P/102_64/bin/rman nocatalog': 1
BR0536E RMAN call for database instance R3P failed
BR0280I BRBACKUP time stamp: 2011-12-22 16.06.42
BR0532E Cataloging backups of all database files failed
BR0056I End of database backup: behmnbjo.fnt 2011-12-22 16.06.42
BR0280I BRBACKUP time stamp: 2011-12-22 16.06.42
BR0054I BRBACKUP terminated with errors
Regards
Imran KhanHi,
i dont think is due to authorization issue. There's a different between "FULL" and "WHOLE" database online backup.
Full database backup : Will backup all the databasee files (Inclusing datafiles, online redolog files and the control files) and do the catalog. So that we can use this as the referance backup and we can do the incremental backup.
Whole database backup : Will backup all the databasee files (Inclusing datafiles, online redolog files and the control files). We can't use this for the incremental backup.
As you see from the log, full database online backup is calling RMAN. FYI, backup your system with "Whole" is equally good unless you want to to use incremental backup.
Thanks,
Nicholas Chang
Edited by: Nicholas Chang on Dec 23, 2011 12:03 AM -
FAILED - ORA-01031: insufficient privileges
Hi All,
When i am executing the procedure i am getting below error
FAILED - ORA-01031: insufficient privileges.
My procedure is given below.
create or replace procedure SAM (start_date_key number,end_date_key number) as
varstdt number:=start_date_key;
varendt number:=end_date_key;
MSG varchar2(3456);
varTblnm varchar2(3250);
varDtkey varchar2(3250);
v_chck number(9);
varSQLstmt varchar2(2340);
begin
for r1 in (select table_name from Sales_table where table_name='SALES')
loop
varTblnm := r1.table_name;
varSQLstmt := 'create table '||varTblnm||'_'||varendt||' as select * from '||varTblnm;
execute immediate varSQLstmt;
end loop;
EXCEPTION
WHEN NO_DATA_FOUND THEN
NULL;
WHEN OTHERS THEN
MSG := 'FAILED - '||SUBSTR (SQLERRM, 1, 200);
dbms_output.put_line('Error ' ||MSG );
commit;
RAISE;
end SAM;
please let me know if there are any mistakes in the code.please let me know if there are any mistakes in the code.r1.table_name will always be equal to SALES. Therefore vartblnm will always be SALES. Is what you want?
start_date_key and v_chck are never used.
Then you attempt to create multiple tables, all called SALES_ suffixed with the value passed for end_date_key. You can't create several tables with the same name.
end_date_key and varendt are numeric. You should cast them as varchar and test them before trying to use them as part of a file name. What if the number passed is negative? Or fractional?
To commit within a procedure is an awful bug.
Your WHEN OTHERS clause may be hiding the information needed to debug the code. Get rid if it.
There are no comments anywhere.
On what line does the error occur? -
Connected to Oracle Database 11g Enterprise Edition Release 11.1.0.7.0
Connected as SYS
SQL> exec admin.admin_dba_main.KILL_ORPH_2PHASE_COMMITS();
begin admin.admin_dba_main.KILL_ORPH_2PHASE_COMMITS(); end;
ORA-01031: insufficient privileges
ORA-06512: at "SYS.DBMS_TRANSACTION", line 88
ORA-06512: at "ADMIN.ADMIN_DBA_MAIN", line 52I create this as the sys user but the owner of it is a schema called admin that owns several of our DBA scripts. The ADMIN schema has the DBA role, but as far I understand it, the SYS.DBMS_TRANSACTION needs to be run as either SYS or a SYSDBA user.
What am I missing here. What permission do I have to grant to get this working?Hello,
This post is duplicated:
ORA-01031: insufficient privileges for "SYS.DBMS_TRANSACTION"...FIX???
Best regards,
Jean-Valentin -
MCOD and DB13 (ORA-01031: insufficient privileges)
Hello Oracle experts,
I have a problem with a MCOD installation.
Situation:
I have an Oracle Real Application Cluster with two database instances (DE1_1 and DE1_2). In database 1 (DE1_1) there are running two SAP systems (DE1 and DE2).
In database 2 (DE1_2) there are running also two SAP systems (QE1 and QE2).
DE1: SAPSR3 (DE1_1 )
DE2: SAPSR4 (DE1_1)
QE1: SAPSR5 (DE1_2)
QE2: SAPSR6 (DE1_2)
DE1 has been the first installation. The next one´s have been DE2 (SAPSR4), QE1 (SAPSR5) and QE2 (SAPSR6).
Complication:
Transaction DB13 is making trouble in the systems DE2, QE1 and QE2.
There is a pop-up containing this information:
SQL Errorcode: 1.031
SELECT beg, funct, sysid, obj, rc, ende, actid, line FROM sap_sdbah
WHERE beg BETWEEN '20110416000000' AND '20110524235959' AND sysid = 'DE1'
ORA-01031: insufficient privileges
I can confirm this popup and reach the DBA Planning Calendar. In the message window there are two error messages:
- An error occurred when processing system DE2
- Function ORA_LOG_READ failed with return code = Other error
Only in the first system (DE1) there are no problems when calling DB13!
Solution:
I already checked the following notes:
Note 134592 - Importing the SAPDBA role (sapdba_role.sql)
--> I executed the script from the note.
Note 834917 - Oracle Database 10g: New database role SAPCONN
--> I executed the script from the note.
And checked this:
SQL> select grantee, granted_role from dba_role_privs
where granted_role in ('SAPDBA', 'SAPCONN');
GRANTEE GRANTED_ROLE
SYS SAPDBA
OPS$SAPSERVICEDE2 SAPDBA
OPS$SAPSERVICEQE1 SAPDBA
OPS$QE1ADM SAPDBA
SAPSR6 SAPCONN
OPS$ORADE1 SAPDBA
SAPSR5 SAPCONN
OPS$QE2ADM SAPDBA
OPS$SAPSERVICEQE2 SAPDBA
SYS SAPCONN
OPS$DE1ADM SAPDBA
GRANTEE GRANTED_ROLE
SAPSR3 SAPCONN
OPS$SAPSERVICEDE1 SAPDBA
SAPSR4 SAPCONN
SYSTEM SAPDBA
OPS$DE2ADM SAPDBA
16 rows selected.
Is it correct that there is only ONE ORA<SID>?
The rest is correct regarding the note.
Note 1028220 - ORA-01031: Insufficient privileges despite SAPCONN role
Checked this statement:
SQL> select grantee, granted_role, default_role from dba_role_privs
where grantee = 'SAPSR6';
GRANTEE GRANTED_ROLE DEF
SAPSR6 SAPCONN YES
It´s correct regarding the note.
Note 91216 - BRBACKUP/SAPDBA: ORA-01031 Insufficient privileges
Checked it!
Note 400241 - Problems with ops$ or sapr3 connect to Oracle
SQL> SELECT OWNER, TABLE_OWNER, TABLE_NAME FROM DBA_SYNONYMS
WHERE SYNONYM_NAME = 'SAPUSER';
OWNER TABLE_OWNER
TABLE_NAME
OPS$SAPSERVICEDE1 OPS$DE1ADM
SAPUSER
OPS$SAPSERVICEDE2 OPS$DE2ADM
SAPUSER
OPS$SAPSERVICEQE1 OPS$QE1ADM
SAPUSER
OWNER TABLE_OWNER
TABLE_NAME
OPS$SAPSERVICEQE2 OPS$QE2ADM
SAPUSER
It´s correct regarding the note.
Note 113747 - Permissions for DBA tools BR*Tools and SAPDBA
Permissons for BR*Tools are adjusted regarding this note.
It is still not working!!
Any further suggestions? I don´t know exactly what to configure in a MCOD database. Maybe I forgot one thingu2026
Thank you in advance and kind regards,
GeraldineWell, it's up to you whether or not you consider that a problem.
And it seems SAP doesn't.
The solution for your ORA-01031 probably will be:
In the schema of Oracle user SAPSR3 there are tables SDBAH and SDBAD. Grant full access to Oracle users SAPSR4/5/6.
But afterwards you may encounter another error message.
You have been warned.
Not sure if this is documented anywhere.
And as I wrote, I doubt that it is worth the effort...
It always seemed SAP did not really like nor support MCOD installations. So by now we haven't any of them left.
regards -
BRBACKUP: ORA-01031: insufficient privileges
Hello,
where I try to make a online control file backup test, with command "brback -u / -d disk -t online -m 0 -c", it comes always the error message:
root@odrt88:/oracle/IH3/102_64/cpu/CPUJul2006 > su - oraih3
odrt88:oraih3 51> brbackup -u / -d disk -t online -m 0 -c
BR0051I BRBACKUP 7.00 (11)
BR0055I Start of database backup: bdtsqfrg.pnd 2006-10-16 15.08.04
BR0280I BRBACKUP time stamp: 2006-10-16 15.08.04
BR0301W SQL error -1031 at location BrbDbLogOpen-5
ORA-01031: insufficient privileges
BR0324W Insertion of database log header failed
BR0280I BRBACKUP time stamp: 2006-10-16 15.08.04
BR0319I Control file copy created: /oracle/IH3/sapbackup/cntrlIH3.dbf 12664832
BR0280I BRBACKUP time stamp: 2006-10-16 15.08.04
BR0301W SQL error -1031 at location BrDbfInfoGet-30
ORA-01031: insufficient privileges
BR0280I BRBACKUP time stamp: 2006-10-16 15.08.04
BR0301W SQL error -1031 at location BrDbfInfoGet-31
ORA-01031: insufficient privileges
BR0280I BRBACKUP time stamp: 2006-10-16 15.08.04
BR0301E SQL error -1031 at location BrComprDurGet-1
ORA-01031: insufficient privileges
BR0314E Collection of information on database files failed
BR0280I BRBACKUP time stamp: 2006-10-16 15.08.04
BR0301W SQL error -1031 at location BrbDbLogOpen-5
ORA-01031: insufficient privileges
BR0324W Insertion of database log header failed
BR0056I End of database backup: bdtsqfrg.pnd 2006-10-16 15.08.04
BR0280I BRBACKUP time stamp: 2006-10-16 15.08.04
BR0054I BRBACKUP terminated with errors
The system is Netweaver 2004s SR1 Enterprise Portal on Oracle 10.2.0.2.0 on SLES 9(SP3 x86_64).
I have check the user and group. <sapid>adm belongs to groups sapsys, oper, dba, sapinst and ora<dbsid> belongs to dba, oper, sapinst.
Is there anybody has idea? Any answer is appreciated!
RongfengI'm facing the same error when trying to backup the DB with brtools :
<i>BR0280I BRBACKUP time stamp: 2007-07-13 14.26.48
BR0301E SQL error -1017 at location BrDbConnect-2
ORA-01017: invalid username/password; logon denied
BR0310E Connect to database instance H40 failed
BR0280I BRBACKUP time stamp: 2007-07-13 14.26.49
BR0301E SQL error -1017 at location BrDbConnect-2
ORA-01017: invalid username/password; logon denied
BR0310E Connect to database instance H40 failed</i>
I used the sapdba_role.sql for oracle 9 and got same errors too:
<i>old 1: grant ALL on &User..DBAOBJL to sapdba
new 1: grant ALL on SAPR3.DBAOBJL to sapdba
grant ALL on SAPR3.DBAOBJL to sapdba
ERROR at line 1:
ORA-00942: table or view does not exist
old 1: grant ALL on &User..DBAPHAL to sapdba
new 1: grant ALL on SAPR3.DBAPHAL to sapdba
grant ALL on SAPR3.DBAPHAL to sapdba
ERROR at line 1:
ORA-00942: table or view does not exist
old 1: grant ALL on &User..DBAGRP to sapdba
new 1: grant ALL on SAPR3.DBAGRP to sapdba
grant ALL on SAPR3.DBAGRP to sapdba
ERROR at line 1:
ORA-00942: table or view does not exist
old 1: grant ALL on &User..DBAERR to sapdba
new 1: grant ALL on SAPR3.DBAERR to sapdba
grant ALL on SAPR3.DBAERR to sapdba
ERROR at line 1:
ORA-00942: table or view does not exist
old 1: grant ALL on &User..DBATRIAL to sapdba
new 1: grant ALL on SAPR3.DBATRIAL to sapdba
grant ALL on SAPR3.DBATRIAL to sapdba
ERROR at line 1:
ORA-00942: table or view does not exist</i>
All other has Granted succeefully.
System info :
R/3 4.0B
Oracle9.0.1.0
Win2K3
Brtools 6.40
SIDadm user is in all important groups.
Any suggestions?
Thanks in advance,
Zacharias -
ORA-01031: insufficient privileges in PL/SQL but not in SQL
I have problem with following situation.
I switched current schema to another one "ban", and selected 4 rows from "ed"
alter session set current_schema=ban;
SELECT * FROM ed.PS WHERE ROWNUM < 5;
the output is OK, and I get 4 rows like
ID_S ID_Z
1000152 1
1000153 1
1000154 1
1000155 1
but following procedure is compiled with warning
create or replace
procedure proc1
as
rowcnt int;
begin
select count(*) into rowcnt from ed.PS where rownum < 5;
end;
"Create procedure, executed in 0.031 sec."
5,29,PL/SQL: ORA-01031: insufficient privileges
5,2,PL/SQL: SQL Statement ignored
,,Total execution time 0.047 sec.
Could you help me why SELECT does work in SQL but not in PL/SQL procedure?
Thanks.
Message was edited by:
MattSkPrivs granted via a role are only valid from SQL - and not from/within stored PL/SQL code.
Quoting Tom's (from http://asktom.oracle.com) response to this:I did address this role thing in my book Expert one on one Oracle:
<quote>
What happens when we compile a Definer rights procedure
When we compile the procedure into the database, a couple of things happen with regards to
privileges. We will list them here briefly and then go into more detail:
q All of the objects the procedure statically accesses (anything not accessed via dynamic SQL)
are verified for existence. Names are resolved via the standard scoping rules as they apply to the
definer of the procedure.
q All of the objects it accesses are verified to ensure that the required access mode will be
available. That is, if an attempt to UPDATE T is made - Oracle will verify the definer or PUBLIC
has the ability to UPDATE T without use of any ROLES.
q A dependency between this procedure and the referenced objects is setup and maintained. If
this procedure SELECTS FROM T, then a dependency between T and this procedure is recorded
If, for example, I have a procedure P that attempted to 'SELECT * FROM T', the compiler will first
resolve T into a fully qualified referenced. T is an ambiguous name in the database - there may be
many T's to choose from. Oracle will follow its scoping rules to figure out what T really is, any
synonyms will be resolved to their base objects and the schema name will be associated with the
object as well. It does this name resolution using the rules for the currently logged in user (the
definer). That is, it will look for an object owned by this user called T and use that first (this
includes private synonyms), then it will look at public synonyms and try to find T and so on.
Once it determines exactly what T refers to - Oracle will determine if the mode in which we are
attempting to access T is permitted. In this case, if we as the definer of the procedure either
owns the object T or has been granted SELECT on T directly or PUBLIC was granted SELECT, the
procedure will compile. If we do not have access to an object called T by a direct grant - the
procedure P will fail compilation. So, when the object (the stored procedure that references T) is
compiled into the database, Oracle will do these checks - and if they "pass", Oracle will compile
the procedure, store the binary code for the procedure and set up a dependency between this
procedure and this object T. This dependency is used to invalidate the procedure later - in the
event something happens to T that necessitates the stored procedures recompilation. For example,
if at a later date - we REVOKE SELECT ON T from the owner of this stored procedure - Oracle will
mark all stored procedures this user has that are dependent on T, that refer to T, as INVALID. If
we ALTER T ADD some column, Oracle can invalidate all of the dependent procedures. This will cause
them to be recompiled automatically upon their next execution.
What is interesting to note is not only what is stored but what is not stored when we compile the
object. Oracle does not store the exact privilege that was used to get access to T. We only know
that procedure P is dependent on T. We do not know if the reason we were allowed to see T was due
to:
q A grant given to the definer of the procedure (grant select on T to user)
q A grant to public on T (grant select on T to public)
q The user having the SELECT ANY TABLE privilege
The reason it is interesting to note what is not stored is that a REVOKE of any of the above will
cause the procedure P to become invalid. If all three privileges were in place when the procedure
was compiled, a revoke of ANY of them will invalidate the procedure - forcing it to be recompiled
before it is executed again. Since all three privileges were in place when we created the procedure
- it will compile successfully (until we revoke all three that is). This recompilation will happen
automatically the next time that the procedure is executed.
Now that the procedure is compiled into the database and the dependencies are all setup, we can
execute the procedure and be assured that it knows what T is and that T is accessible. If something
happens to either the table T or to the set of base privileges available to the definer of this
procedure that might affect our ability to access T -- our procedure will become invalid and will
need to be recompiled.
This leads into why ROLES are not enabled during the compilation and execution of a stored
procedure in Definer rights mode. Oracle is not storing exactly WHY you are allowed to access T -
only that you are. Any change to your privileges that might cause access to T to go away will cause
the procedure to become invalid and necessitate its recompilation. Without roles - that means only
'REVOKE SELECT ANY TABLE' or 'REVOKE SELECT ON T' from the Definer account or from PUBLIC. With
roles - it greatly expands the number of times we would invalidate this procedure. If some role
that was granted to some role that was granted to this user was modified, this procedure might go
invalid, even if we did not rely on that privilege from that role. ROLES are designed to be very
fluid when compared to GRANTS given to users as far as privilege sets go. For a minute, let's say
that roles did give us privileges in stored objects. Now, most any time anything was revoked from
ANY ROLE we had, or any role any role we have has (and so on -- roles can and are granted to roles)
-- many of our objects would become invalid. Think about that, REVOKE some privilege from a ROLE
and suddenly your entire database must be recompiled! Consider the impact of revoking some system
privilege from a ROLE, it would be like doing that to PUBLIC is now, don't do it, just think about
it (if you do revoke some powerful system privilege from PUBLIC, do it on a test database). If
PUBLIC had been granted SELECT ANY TABLE, revoking that privilege would cause virtually every
procedure in the database to go invalid. If procedures relied on roles, virtually every procedure
in the database would constantly become invalid due to small changes in permissions. Since one of
the major benefits of procedures is the 'compile once, run many' model - this would be disastrous
for performance.
Also consider that roles may be
q Non-default: If I have a non-default role and I enable it and I compile a procedure that
relies on those privileges, when I log out I no longer have that role -- should my procedure become
invalid -- why? Why not? I could easily argue both sides.
q Password Protected: if someone changes the password on a ROLE, should everything that might
need that role be recompiled? I might be granted that role but not knowing the new password - I
can no longer enable it. Should the privileges still be available? Why or Why not? Again, arguing
either side of this is easy. There are cases for and against each.
The bottom line with respect to roles in procedures with Definer rights are:
q You have thousands or tens of thousands of end users. They don't create stored objects (they
should not). We need roles to manage these people. Roles are designed for these people (end users).
q You have far fewer application schema's (things that hold stored objects). For these we want
to be explicit as to exactly what privileges we need and why. In security terms this is called the
concept of 'least privileges', you want to specifically say what privilege you need and why you
need it. If you inherit lots of privileges from roles you cannot do that effectively. We can manage
to be explicit since the number of development schemas is SMALL (but the number of end users is
large)...
q Having the direct relationship between the definer and the procedure makes for a much more
efficient database. We recompile objects only when we need to, not when we might need to. It is a
large efficiency enhancement.
</quote> -
Error while Creating Master Repository: ORA-01031: insufficient Privileges
Hi,
I'm trying to install ODI into my VM.
I have done the installation and while creating Master Repository, I'm getting following error:
ORA-01031: insufficient Privileges
I'm using Oracle & have created user as ODI_MASTER with Admin Privileges.
I'll be using it to load metadata onto planning (Version 11.1.2)
Is there anything that I'm missing out on.
Jitendra.Seems missing grants on the user you are using to create Master Repository.
you are using Oracle .. grant connect, resource to <your_user>. These two rolesa have sufficient access to db to create the master repository.
execuute the sql from sys user
Regards,
Amit
Edited by: amitgupta1202 on 20 Aug, 2009 10:42 PM
Maybe you are looking for
-
Cannot Start Presentation Services - OBIEE 11g( 11.1.1.5)
Hi, I recently upgraded BIApps RPD and Web Catalog. When I am trying to restart OBIEE services, presentation service (OBIPS) throws the following error and is shutting down [OBIPS] [ERROR:16] [] [saw.dms.conext.unwrap] [ecid: 004dfXFEGCYDGf9_zd9DiW00
-
Hi, Is there a possibility to create dynamically class and add to it methods/fileds/annotaions etc. What I am thinking of is to create jpa entity class dynamiclly and use jpa provider to create table for it.
-
Need workaround for AppleScripts Running
I recently upgraded to Mavericks on my MacBook Pro. Now I am trying to use software that is requesting AppleScript Runner. I understand it is no longer supported in Mavericks. Is there a workaround that will let me use my software? [Software: Wiley C
-
Compaq CQ61-420US getting system disable 65879468 please help
When I power on my notebook I'm getting a message saying enter administrator password or power on password. After entering the password wrong 3 times I get a error message system disable 65879468
-
Updated iphone 3gs and now says i need to connect to itunes.
I updated my iphone using itunes(first time ever). Now my phone says to connect to itunes. itunes said to restore. i tried this but there was an error. I can't use my phone at all. Thanks for any help!!!