Oracle DB 12c: sqlplus as sysdba causes ORA-01017

0
votes

Good day. If i do sqlplus user/oracle@db i have successfull connection with db.

If i do sqlplus user/oracle@db as sysdba i have error ORA-01017.

But at the server this command executes successfully.

My tnsnames.ora:

db =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.100.175)(PORT = 1521))
    )
    (CONNECT_DATA =
        (SERVER = DEDICATED)
        (SERVICE_NAME = orcl)
    )
  )

Also i can't do sqlplus /@db as sysdba. And after sqlplus user@db as sysdba i enter a password and have this error too. At the server this executes without errors. What is the problem?

Oracle VirtualBox with Win2008, Oracle 12c

2
oracleoracle12c

2 Answers

1
votes

You can use as sysdba only if permission has been granted. Run 

GRANT SYSDBA TO user;

in order to permit that.

sqlplus /@db as sysdba is not possible from a remote machine - this would open the database to entire world where everybody could connect with SYSDBA privileges without any password!

sqlplus /@db as sysdba is allowed only from local machine because there you are already authenticated (typically) as OS-User "oracle".

0
votes

It is definitively possible to connect as SYSDBA from a remote machine, as you were doing: specifying a password, and not relying on the OS authentication mechanism (the operative system auth is not involved in the course of a remote authentication such this).

Only, you have to activate the password-file mechanism (that is disabled by default).

To do so, change the value of the parameter remote_login_passwordfile to either shared or exclusive. If it is shared it works for all databases run on that machine and can only contain the SYS user (while if is it exclusive it can contain any user and its scope is the target database).

Important: users are added to the password file only after the password-file was enabled and after they're granted the SYSDBA or sysoper privilege; i.e. pre-existing users won't be automatically added (!), you have to re-grant the SYSDBA or SYSOPER role to them.

Finally this view lets you peek at the logical content of the password file

select * from v$pwfile_users;

See Creating and Maintaining a Password File for more details.