OraFAQ Forum: Security » Who / what keeps locking one of database users?

Home » RDBMS Server » Security » Who / what keeps locking one of database users? (Oracle 11.2.0.3, MS Windows)

Show: Today's Messages :: Polls :: Message Navigator
E-mail to friend

Re: Who / what keeps locking one of database users? [message #655029 is a reply to message #655028]

Fri, 19 August 2016 02:56

Michel Cadot
Messages: 68645
Registered: March 2007
Location: Nanterre, France, http://...

Senior Member
Account Moderator

Yes, sorry for the typo.

Quote:

I suppose that it is easier (simpler) to modify 11g's LISTENER.ORA (i.e. adding 1523 to it, as described above) than to modify all TNSNAMES.ORA files, everywhere ...

Sure, I mentioned it for completeness.

Listener.ora must contain something like:

LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = dbs1)(PORT = 1521))
        (ADDRESS = (PROTOCOL = TCP)(HOST = dbs1)(PORT = 1523))
      )
    )
  )

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655030 is a reply to message #655028]

Fri, 19 August 2016 02:57

John Watson
Messages: 8931
Registered: January 2010
Location: Global Village

Senior Member

Yes, LF, that is it exactly. After re-starting the 11g listener off its modified listener.ora file, you will see that it is listening on both ports.
Then within a few seconds, both your database instances will register with it.

Use
lsnrctl status
from the 11g home to see this.

Use
lsnrctl services
to see how many connections the listener has established for each instance.

You'll be a DBA soon Smile

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655032 is a reply to message #655030]

Fri, 19 August 2016 03:24

Littlefoot
Messages: 21808
Registered: June 2005
Location: Croatia, Europe

Senior Member
Account Moderator

Thank you, guys! In a case I find enough courage, I'll try to do that during the weekend.

John

You'll be a DBA soon

That goes into the joke of the day category /forum/fa/10057/0/

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655037 is a reply to message #655028]

Fri, 19 August 2016 06:33

EdStevens
Messages: 1376
Registered: September 2013

Senior Member

Here's what I would do
1 - In the services control panel, stop the 10g listener and set it as "disabled"
2 - In the listener.ora file of the 11g home, add the other port to the ADDRESS_LIST section, as shown by Michael Cadot.
3 - Restart the 11g listner.

No need to shut down or restart any databases. But you will need to check the LOCAL_LISTENER parameter of them all and make sure they are pointing to a port used by the active listener. LOCAL_LISTENER specifies where the database attempts to register itself with a listener. If LOCAL_LISTENER is null, then the database will use the default of port 1521, which your listener should be configured for.

You might want to read the series of TNS related articles I wrote at edstevensdba.com

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655039 is a reply to message #655037]

Fri, 19 August 2016 06:42

Littlefoot
Messages: 21808
Registered: June 2005
Location: Croatia, Europe

Senior Member
Account Moderator

Thank you, Ed.

EdStevens

You might want to read the series of TNS related articles I wrote at edstevensdba.com

I already have, one of them - "Exploring the Oracle LOCAL_LISTENER Parameter" (when people mentioned that parameter as I had no idea what it is; Google was my friend).

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655051 is a reply to message #655016]

Fri, 19 August 2016 14:30

Barbara Boehmer
Messages: 9090
Registered: November 2002
Location: California, USA

Senior Member

Littlefoot wrote on Thu, 18 August 2016 22:08

Exactly! The same situation here (apart from the fact that both databases run well). Thank you, I understand what you are saying.

I'll do that during the weekend - shut down 10g, set its listener to "manual", restart 10g, check whether I can connect to it using 11g's listener. Although, it's a mystery to me - how is it going to work OK all by itself, automagically? Do I have to change some settings, somewhere?

I'll let you know the outcome.

I am not a DBA, just a retired developer, so, like you, I have to figure out how to do minor DBA things without one. However, my potential consequences are minimal compared to yours. I am just dealing with a personal laptop, not a production database at some business. I seem to recall it using the available listener "automagically". However, that may be because things were set up on bath databases using the same defaults. This is why I suggested setting the 10g listener to manual, not removing it, then testing by starting the 10g database and seeing what happens, so that if there is a problem, then you can at least put it back the way it was. I would imagine that the DBA's on this forum have given you far better advice, so I would follow that.

[Updated on: Fri, 19 August 2016 14:33]

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655068 is a reply to message #654928]

Sat, 20 August 2016 17:52

EdStevens
Messages: 1376
Registered: September 2013

Senior Member

Littlefoot wrote on Wed, 17 August 2016 02:16

OK, I fixed that (DBSNMP and SYSMAN users have been EXPIRED; I altered them using the USER$.SPARE4 column value).

YIKES!

NEVER directly modify a data dictionary table. ESPECIALLY one that is not documented in the Reference Manual. (And none of the tables themselves are ... just views on top of them). If you are very, very lucky, you'll escape this with no problems. But such practice could break your database totally and potentially void your support contract.

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655077 is a reply to message #655068]

Sun, 21 August 2016 05:58

Littlefoot
Messages: 21808
Registered: June 2005
Location: Croatia, Europe

Senior Member
Account Moderator

Calm down, Ed! You read something that I didn't write Smile

Users were expired. The only way (I know) to resurrect them is to use ALTER USER. I have no idea what their password is; therefore, I wanted to use IDENTIFIED BY VALUES option.

There's no value in DBA_USERS.PASSWORD:

SQL> select password from dba_users where username = 'DBSNMP';

PASSWORD
------------------------------


SQL>

Another option I managed to find was to check SYS.USER$. PASSWORD column is empty:

SQL> select password from user$ where name = 'DBSNMP';

PASSWORD
------------------------------

SPARE4 is not empty (my friend Google says that it, actually, is the hash password):

SQL> select spare4 from user$ where name = 'DBSNMP';

SPARE4
--------------------------------------------------------------------------------
S:BC9D1F9D88032E0126AF6407DCB28BC6EE2966F38B58970C648EA285DFA6

Finally, ALTER it:

SQL> alter user dbsnmp
  2  identified by values 'S:BC9D1F9D88032E0126AF6407DCB28BC6EE2966F38B58970C648EA285DFA6';

I never, ever modified any data dictionary table (not just the other day, I mean never).

Was there any other option I could have used?

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655078 is a reply to message #655077]

Sun, 21 August 2016 06:04

John Watson
Messages: 8931
Registered: January 2010
Location: Global Village

Senior Member

THe "official" way to generate the ALTER USER command is like this,

orclz>
orclz> set long 10000
orclz> select dbms_metadata.get_ddl('USER','SCOTT') from dual;

DBMS_METADATA.GET_DDL('USER','SCOTT')
--------------------------------------------------------------------------------

   CREATE USER "SCOTT" IDENTIFIED BY VALUES 'S:CECB832AFC74C2E59ADC81FEF48D024F5
F668B343277371EF62006C8D272;H:63EC639D32F2C215B68C56321EE236FE;T:15FCA9B73551699
09C9A8CABB18A7D08A8191F6E2503FD2ABD7B57F9B85DE581321082AE12E8C61E1E9B8FD3103FDAF
48C989146B9C16F2D45B35AA8DB0B8848574465FA03B0FC6F2EEC90EBB4D150D7;F894844C34402B
67'
      DEFAULT TABLESPACE "USERS"
      TEMPORARY TABLESPACE "TEMP"

the password string you get depends on your release, this example is 12.1.0.2.

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655079 is a reply to message #655077]

Sun, 21 August 2016 06:13

Michel Cadot
Messages: 68645
Registered: March 2007
Location: Nanterre, France, http://...

Senior Member
Account Moderator

If you want to invalidate a password which means the user will never be able to connect even if the password is not expired and the account unlocked is to use something like:

alter user dbsnmp identified by values '*** INVALID PASSWORD ***';

or the string you want so that the DBA will know that the user should have no session.

SQL> alter user test identified by values '*** INVALID PASSWORD ***';

User altered.

SQL> col spare4 format a50
SQL> select password, spare4 from sys.user$ where name='TEST';
PASSWORD                       SPARE4
------------------------------ --------------------------------------------------
*** INVALID PASSWORD ***

1 row selected.

[Edit: added example]

[Updated on: Sun, 21 August 2016 06:18]

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655081 is a reply to message #655079]

Sun, 21 August 2016 12:45

Littlefoot
Messages: 21808
Registered: June 2005
Location: Croatia, Europe

Senior Member
Account Moderator

JW & MC: OK, but the (original) question was "how to un-expire existing user whose account status = EXPIRED"? I asked whether there's some other way to do that, different from

alter user SOME_USER identified by [values] SOME_VALUE

as well as whether there's another way to obtain SOME_VALUE ...

I mean, was the way I "fixed" it wrong?

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655082 is a reply to message #655081]

Sun, 21 August 2016 12:56

Michel Cadot
Messages: 68645
Registered: March 2007
Location: Nanterre, France, http://...

Senior Member
Account Moderator

The only way to unexpire a password is to set a new password (new one could be the same than the old one if no password policy forbid it).
You can use ALTER USER or any other possible way: SQL*Plus "password" command, OCIPasswordChange OCI function, oci_password_change PHP function...

The only way to get the current password hash value is to query SYS.USER$, PASSWORD and SPARE4 columns depending on the password version.

So the way you do to unexpire the password without knowing and changing it is correct.

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655083 is a reply to message #655082]

Sun, 21 August 2016 13:21

Littlefoot
Messages: 21808
Registered: June 2005
Location: Croatia, Europe

Senior Member
Account Moderator

OK then (I'll be a DBA soon LOL!)

Meanwhile (in the past few minutes), I took the steps which were supposed to eliminate ora10 listener and make ora11 listener serve both databases. Everything went well, apart from the fact that I should have first modified LOCAL_LISTENER parameter and then stop ora10 listener itself because stopping the listener made impossible connecting to the database.

Hmmm, on a second thought, remembering what you guys used to say, perhaps it is irrelevant. When I'm on a server (I mean, connected directly to it (either by sitting behind its keyboard or using Remote Desktop)), I *think* I don't need listener at all.

So, the steps taken:

connect to SQL*Plus as SYS

alter system set local_listener = 'dbs1:1523';

in Windows Services, STOP OracleOraDb10g_home1TNSListener and - in its properties - set STARTUP TYPE to "Disabled"
add the following line into 11g's LISTENER.ORA file:

LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
(ADDRESS = (PROTOCOL = TCP)(HOST = dbs1)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCP)(HOST = dbs1)(PORT = 1523))
)
)
in Windows Services, RESTART OracleOraDb11g_home1TNSListener

check listener status (excerpt)

D:\>lsnrctl status

LSNRCTL for 32-bit Windows: Version 11.2.0.3.0 - Production on 21-AUG-2016 19:56:31

STATUS of the LISTENER
------------------------
Listener Parameter File   D:\oracle11\product\11.2.0\dbhome_1\network\admin\listener.ora
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(PIPENAME=\\.\pipe\EXTPROC1521ipc)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbs1)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=dbs1)(PORT=1523)))
Services Summary...
Service "ora11" has 1 instance(s).
  Instance "ora11", status READY, has 1 handler(s) for this service...
Service "ora10" has 1 instance(s).
  Instance "ora10", status READY, has 1 handler(s) for this service...

test connections to both databases

SQL> connect scott/tiger@ora10
Connected.
SQL> connect scott/tiger@ora11
Connected.
SQL>

I guess that should be all ...

Thank you, again, everyone!

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655084 is a reply to message #655083]

Sun, 21 August 2016 13:37

Michel Cadot
Messages: 68645
Registered: March 2007
Location: Nanterre, France, http://...

Senior Member
Account Moderator

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655104 is a reply to message #655077]

Mon, 22 August 2016 06:44

EdStevens
Messages: 1376
Registered: September 2013

Senior Member

[quote title=Littlefoot wrote on Sun, 21 August 2016 05:58]Calm down, Ed! You read something that I didn't write Smile

Could have fooled me! "I altered them using the USER$.SPARE4 column value"

After re-reading it several times I realize I had mentally quit reading after "I altered them using the USER$.SPARE4 column". Mea culpa.

Report message to a moderator

Re: Who / what keeps locking one of database users? [message #655105 is a reply to message #655083]

Mon, 22 August 2016 06:47

EdStevens
Messages: 1376
Registered: September 2013

Senior Member

Littlefoot wrote on Sun, 21 August 2016 13:21

OK then (I'll be a DBA soon LOL!)

Meanwhile (in the past few minutes), I took the steps which were supposed to eliminate ora10 listener and make ora11 listener serve both databases. Everything went well, apart from the fact that I should have first modified LOCAL_LISTENER parameter and then stop ora10 listener itself because stopping the listener made impossible connecting to the database.

Hmmm, on a second thought, remembering what you guys used to say, perhaps it is irrelevant. When I'm on a server (I mean, connected directly to it (either by sitting behind its keyboard or using Remote Desktop)), I *think* I don't need listener at all.

So, the steps taken:

By jove! I believe he's got it!

Smile

Report message to a moderator

Pages (2): [ « ‹ 1 2]

Previous Topic:	When Role Was Granted?
Next Topic:	/ as sysdba issue with AD membership

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Thu Apr 25 20:24:21 CDT 2024