Oracle 密码文件

--==============================

-- Oracle 密码文件

--==============================

/*

一、密码文件

作用：主要进行DBA权限的身份认证

DBA用户：具有sysdba，sysoper权限的用户被称为dba用户。默认情况下sysdba角色中存在sys用户，sysoper角色中存在system用户

二、Oracle的两种认证方式；

1.使用与操作系统集成的身份验证

2.使用Oracle数据库的密码文件进行身份认证

三、密码文件的位置

Linux下的存放位置：$ORACLE_HOME/dbs/orapw$ORACLE_SID

即：ORACLE_HOME/dbs/orapw<sid>

Windows下的存放位置:$ORACLE_HOME/database/PW%ORACLE_SID%.ora

密码文件查找的顺序

--->orapw<sid>--->orapw--->Failure

两种认证方式：类型与SQL server中的windows认证和SQL server认证

决定在两个参数中

1.remote_login_passwordfile = none | exclusive |shared 位于$ORACLE_HOME/dbs/spfile$ORACLE_SID.ora参数文件中

none : 不使用密码文件认证

exclusive :要密码文件认证，自己独占使用(默认值)

shared ：要密码文件认证，不同实例dba用户可以共享密码文件

2. $ORACLE_HOME/network/admin/sqlnet.ora

SQLNET.AUTHENTICATION_SERVICES = none | all | ntf(windows)

none : 表示关闭操作系统认证，只能密码认证

all : 用于linux或unix平台，关闭本机密码文件认证，采用操作系统认证，但远程<异机>可以使用密码文件认证

nts : 用于windows平台

不同的组合

1 2

none none sys用户无论是本机还是远程均不可用

判断当前使用的是操作系统认证还是密码认证

四、演示：

1.在sqlnet.ora 中追加SQLNET.AUTHENTICATION_SERVICES = none */

[oracle@robinson ~]$ sqlplus / as sysdba /*登陆失败*/

SQL*Plus: Release 10.2.0.1.0 - Production on Fri Apr 9 10:41:28 2010

Copyright (c) 1982, 2005, Oracle. All rights reserved.

ERROR:

ORA-01031: insufficient privileges

Enter user-name:

--------------------------------------------------------------------------------

[oracle@robinson ~]$ sqlplus sys/redhat as sysdba /*使用密码文件认证，登陆成功*/

SQL*Plus: Release 10.2.0.1.0 - Production on Fri Apr 9 10:42:35 2010

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

SQL>

--=================================================================================

2.将SQLNET.AUTHENTICATION_SERVICES的值改为all

[oracle@robinson admin]$ sqlplus / as sysdba /*采用本机认证可以登陆*/

SQL*Plus: Release 10.2.0.1.0 - Production on Fri Apr 9 10:46:55 2010

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

SQL>

--------------------------------------------------------------------------------------

[oracle@robinson admin]$ sqlplus sys/redhat@orcl as sysdba /*使用密码文件登陆认证失败*/

SQL*Plus: Release 10.2.0.1.0 - Production on Fri Apr 9 10:48:35 2010

Copyright (c) 1982, 2005, Oracle. All rights reserved.

ERROR:

ORA-12641: Authentication service failed to initialize

Enter user-name:

--注：此时可以使用远程登陆。

--使用#符号将新增的SQLNET.AUTHENTICATION_SERVICES行注释掉恢复到缺省值

/*

五、密码文件的建立：orapwd */

[oracle@robinson ~]$ orapwd

Usage: orapwd file=<fname> password=<password> entries=<users> force=<y/n>

where

file - name of password file (mand), /*密码文件的名字orapw<sid>*/

password - password for SYS (mand), /*sys用户的密码*/

entries - maximum number of distinct DBA and /*可以有多少个sysdba,sysoper权限用户放到密码文件中去，去掉重复记录*/

/*注意entries中存放的个数但不是实际个数，这个是二进制数据*/

force - whether to overwrite existing file (opt), /*10g新增的参数，默认值为n ,y表示允许覆盖*/

OPERs (opt),

There are no spaces around the equal-to (=) character.

--修改密码：

[oracle@robinson ~]$ cd $ORACLE_HOME/dbs

[oracle@robinson dbs]$ ll orapworcl

-rw-r----- 1 oracle oinstall 1536 Apr 7 15:50 orapworcl

[oracle@robinson dbs]$ orapwd file=orapworcl password=oracle force=y

[oracle@robinson dbs]$ sqlplus sys/oracle@orcl as sysdba

SQL*Plus: Release 10.2.0.1.0 - Production on Fri Apr 9 11:34:09 2010

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

SQL>

--将密码改回原来的密码

[oracle@robinson dbs]$ orapwd file=orapworcl password=redhat

OPW-00005: File with same name exists - please delete or rename

[oracle@robinson dbs]$ orapwd file=orapworcl password=redhat force=y

[oracle@robinson dbs]$ rm orapworcl /*删除密码文件*/

[oracle@robinson dbs]$ orapwd file=orapworcl password=redhat /*重建密码文件*/

--演示将entries 改为，然后将多个用户设置为sysdba或sysoper

[oracle@robinson dbs]$ orapwd file=orapworcl password=redhat entries=1

[oracle@robinson dbs]$ strings orapworcl

]/[Z

ORACLE Remote Password file

INTERNAL

F7AC0C5E9C3C37AB

E100B964899CDDDF

--创建PL/SQL 增加个新用户

SQL> begin

2 for i in 1..20 loop

3 execute immediate 'create user u'||i||' identified by u'||i||'';

4 end loop;

5 end;

6 /

--将新用户赋予sysdba角色

PL/SQL procedure successfully completed.

SQL> begin

2 for i in 1..20 loop

3 execute immediate 'grant sysdba to u'||i||'';

4 end loop;

5 end;

6 /

begin /*得到和密码文件相关的错误提示*/

*

ERROR at line 1:

ORA-01996: GRANT failed: password file '' is full

ORA-06512: at line 3

--再次查看orapworcl发现多出了行，即当设置为的时候多出了个用户。原因是该密码文件是二进制文件，按矩阵计算可存放多少

[oracle@robinson dbs]$ strings orapworcl

]/[Z

ORACLE Remote Password file

INTERNAL

F7AC0C5E9C3C37AB

E100B964899CDDDF

3E81B724A296E296

668509DF9DD36B43

9CE6AF1E3F609FFC

7E19965085C9ED47

--注意不要轻易删掉密码文件，这样会将其他账户的信息也删除

/*

六、导致密码文件内容修改的几种方式：

1.使用orapwd建立，修改密码文件，不建议使用

2.使用alter user sys identified by <>

3.使用grant sysdba to <> 或grant sysoper to <> 或revoke sysdba |sysoper from <>

七、查看密码文件内容 */

[oracle@robinson dbs]$ strings orapworcl

]/[Z

ORACLE Remote Password file

INTERNAL

F7AC0C5E9C3C37AB

E100B964899CDDDF

--当sys密码不记得可以使用OS系统身份认证登陆到sqlplus,再使用alter user修改密码

SQL> alter user sys identified by oracle;

User altered

--再次查看密码文件与上一次对比，已经发生变化

SQL> ho strings orapworcl

]/[Z

ORACLE Remote Password file

INTERNAL

AB27B53EDC5FEF41

8A8F025737A9097A

--通过授予权限来修改密码，密码文件中多出了scott的信息

SQL> grant sysdba to scott;

Grant succeeded.

SQL> ho strings orapworcl

]/[Z

ORACLE Remote Password file

INTERNAL

AB27B53EDC5FEF41

8A8F025737A9097A

SCOTT

F894844C34402B67

--注意此处中登陆后，显示的账户信息还是sys,而不是scott,但此时的scott已经具备了sys权限

[oracle@robinson dbs]$ sqlplus scott/tiger@orcl as sysdba

SQL*Plus: Release 10.2.0.1.0 - Production on Fri Apr 9 11:56:09 2010

Copyright (c) 1982, 2005, Oracle. All rights reserved.

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production

With the Partitioning, OLAP and Data Mining options

SQL> show user

USER is "SYS"

/*

八、sysdba 与sysoper的区别*/

SQL> select * from system_privilege_map where name like '%SYS%';

PRIVILEGE NAME PROPERTY

---------- ---------------------------------------- ----------

-3 ALTER SYSTEM 0

-4 AUDIT SYSTEM 0

-83 SYSDBA 0

-84 SYSOPER 0

--下面的链接是两者不同的权限说明

http://download.oracle.com/docs/cd/B19306_01/server.102/b14231/dba.htm#sthref137

The manner in which you are authorized to use these privileges depends upon the method of authentication that you use.

When you connect with SYSDBA or SYSOPER privileges, you connect with a default schema,

not with the schema that is generally associated with your username.

For SYSDBA this schema is SYS; for SYSOPER the schema is PUBLIC.

--两者的schema不同

SQL> show user

USER is "SYS"

SQL> conn / as sysoper

Connected.

SQL> show user

USER is "PUBLIC"

--查看密码文件视图，可以得到哪些用户为sysdba,哪些用户为sysoper

SQL> select * from v$pwfile_users;

USERNAME SYSDB SYSOP

------------------------------ ----- -----

SYS TRUE TRUE

SCOTT TRUE FALSE

USER1 FALSE TRUE

--下面演示了使用不同的角色来登陆

SQL> conn scott/tiger@orcl as sysdba

Connected.

SQL> conn scott/tiger@orcl as sysoper /*scott的sysop列为false*/

ERROR:

ORA-01031: insufficient privileges

Warning: You are no longer connected to ORACLE.

SQL> conn user1/user1@orcl as sysdba

ERROR:

ORA-01031: insufficient privileges

SQL> conn user1/user1 as sysoper

Connected.

/*

九、更多 */

Oracle 数据库实例启动关闭过程

Oracle 10g SGA 的自动化管理

使用OEM,SQL*Plus,iSQL*Plus 管理Oracle实例

Oracle实例和Oracle数据库(Oracle体系结构)

SQL 基础-->常用函数

SQL基础-->过滤和排序

SQL 基础-->SELECT 查询