Re: strange sysbackup issue

From: David Barbour <david.barbour1_at_gmail.com>
Date: Sat, 15 Jan 2022 21:49:24 -0600
Message-ID: <CAFH+ifdAdBJin0EAYv9Tdb6m3C9MuG5T-R_mk4foE4cs==oDeA_at_mail.gmail.com>



A new profile parameter PASSWORD_ROLLOVER_TIME allows changing a database account password without downtime for the application that needs to use this password.

See also:
https://docs.oracle.com/en/database/oracle/oracle-database/21/nfcon/gradual-database-password-rollover-for-applications-222774864.html

This parameter was originally developed for 21c and was backported in version 19.12. It can be set for a profile, but the ALTER USER syntax was also enhanced.

Essentially it means that for a certain time a user can log in with either the old or the new password. The maximum allowed time is 7 days.

Some accounts (administrative) cannot use this, probably for security reasons.
ORA-28227: Gradual password rollover is not supported for administrative users.

Julian Dontcheff explains the parameter in more detail: https://juliandontcheff.wordpress.com/2021/08/06/life-grace-and-rollover-time-of-passwords-in-the-oracle-database/

For security considerations, check this post by Rodrigo Jorge: https://www.dbarj.com.br/en/2020/12/21c-gradual-database-password-rollover-brings-new-backdoor-opportunities/

On Wed, Jan 5, 2022 at 3:50 PM Sweetser, Joe <JSweetser_at_icat.com> wrote:

> Greetings Gurus,
>
> I am scratching my head on this one. I have 2 v19 databases with the Oct
> 2021 RU installed. I am getting what (to me) is a strange error in one of
> them when I try to grant sysbackup to a user. I will open a call with
> Oracle support but figured this list may provide a quicker
> solution/explanation. Database ONE works as expected by me. Database TWO
> throws an ORA-28227 when trying to grant sysbackup to a user. Something
> must be different between the 2 databases but I cannot figure it out.
>
> Any/all ideas on where to look are appreciated. Google and Metalink
> (dating myself there, I know) are not helpful yet.
>
> Thanks,
> -joe
>
> Database ONE (works)
> SQL> select banner_full from v$version;
>
> BANNER_FULL
>
> --------------------------------------------------------------------------------
> Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
> Version 19.13.0.0.0
>
>
> SQL> create user joe identified by "DFKLD_345345-sdfksdfsdk!#$blah";
>
> User created.
>
> SQL> grant connect to joe;
>
> Grant succeeded.
>
> SQL> grant sysbackup to joe;
>
> Grant succeeded.
>
> SQL> drop user joe cascade;
>
> User dropped.
>
> ++++++++++++++++++++++++++
>
> Database TWO (fails)
> SQL> select banner_full from v$version;
>
> BANNER_FULL
>
> --------------------------------------------------------------------------------
> Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
> Version 19.13.0.0.0
>
>
> SQL> create user joe identified by "DFKLD_345345-sdfksdfsdk!#$blah";
>
> User created.
>
> SQL> grant connect to joe;
>
> Grant succeeded.
>
> SQL> grant sysbackup to joe;
> grant sysbackup to joe
> *
> ERROR at line 1:
> ORA-28227: Gradual password rollover is not supported for administrative
> users.
>
> SQL> drop user joe cascade;
>
> User dropped.
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

Received on Sun Jan 16 2022 - 04:49:24 CET
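
An added diagnostic sketch, not part of either message in this thread: it assumes the ORA-28227 on database TWO comes from the new user's profile carrying a non-zero PASSWORD_ROLLOVER_TIME, and compares what the two databases report. The profile name `admin_no_rollover` is hypothetical; `joe` is the test user from the original post.

```sql
-- 1. Effective PASSWORD_ROLLOVER_TIME per profile. A limit of 'DEFAULT'
--    means the value is inherited from the DEFAULT profile, so resolve it.
SELECT p.profile,
       p.limit AS configured_limit,
       CASE p.limit WHEN 'DEFAULT' THEN d.limit ELSE p.limit END AS effective_limit
FROM   dba_profiles p
       JOIN dba_profiles d
         ON d.profile = 'DEFAULT'
        AND d.resource_name = p.resource_name
WHERE  p.resource_name = 'PASSWORD_ROLLOVER_TIME'
ORDER  BY p.profile;

-- 2. Which profile a newly created user lands in (run after CREATE USER joe).
SELECT username, profile, account_status
FROM   dba_users
WHERE  username = 'JOE';

-- 3. Accounts that currently accept two passwords, and accounts that hold
--    administrative privileges, side by side for review.
SELECT u.username, u.profile, u.account_status,
       w.sysdba, w.sysoper, w.sysbackup, w.sysdg, w.syskm
FROM   dba_users u
       LEFT JOIN v$pwfile_users w ON w.username = u.username
WHERE  u.account_status LIKE '%IN ROLLOVER%'
   OR  w.username IS NOT NULL
ORDER  BY u.username;

-- 4. Assumed remediation: give the administrative account a profile with
--    rollover disabled before granting the privilege.
--    (admin_no_rollover is a hypothetical name; limits not listed here
--    are inherited from the DEFAULT profile.)
CREATE PROFILE admin_no_rollover LIMIT PASSWORD_ROLLOVER_TIME 0;
ALTER USER joe PROFILE admin_no_rollover;
GRANT SYSBACKUP TO joe;

-- 5. For a non-administrative account still in rollover, end the window
--    early once every client uses the new password, so the old one stops
--    working immediately.
-- ALTER USER app_user EXPIRE PASSWORD ROLLOVER PERIOD;  -- app_user is a placeholder
```

If query 1 returns different effective limits on the two databases, that difference is the one to investigate; the statements in step 4 need to be adapted to the site's own profile naming and other password limits.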
