測試環境:
測試過程:
使用oracle 11.2.0.1 的使用者端,對19c的伺服器端進行連線時,報錯:ORA-28040: No matching authentication protocol
C:\Users\Alfred>sqlplus sys/[email protected]/demo as sysdba
SQL*Plus: Release 11.2.0.1.0 Production on 星期二 1月 17 17:52:30 2023
Copyright (c) 1982, 2010, Oracle. All rights reserved.
ERROR:
ORA-28040: No matching authentication protocol
這個錯誤其實我在給客戶做經驗分享類的交流時,反覆講過,解決起來也很簡單,同時也有MOS檔案 2296947.1 依據:
如果在不方便升級使用者端的情況下,只能在伺服器端,設定sqlnet.ora檔案:
[oracle@bogon admin]$ pwd
/u01/app/oracle/product/19.3.0/db_1/network/admin
[oracle@bogon admin]$ cat sqlnet.ora
SQLNET.ALLOWED_LOGON_VERSION_SERVER=10
非常簡單,且不用重啟任何服務,不用過載監聽,即可生效;
再次連線,不再報錯ORA-28040。
不再報錯ORA-28040,但開始報錯:ORA-01017: invalid username/password; logon denied
C:\Users\Alfred>sqlplus sys/[email protected]/demo as sysdba
SQL*Plus: Release 11.2.0.1.0 Production on 星期二 1月 17 21:17:09 2023
Copyright (c) 1982, 2010, Oracle. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
請輸入使用者名稱:
可是輸入的密碼確認是沒問題的,使用高版本的使用者端,同樣的密碼測試連線也是OK的。
那是什麼問題呢?想到是密碼版本問題,根據MOS 檔案 2040705.1:
When you inspect the DBA_USERS.PASSWORD_VERSIONS you only see 11G and 12C values but not 10G.
查詢使用者的PASSWORD_VERSIONS:
SQL> select username, password_versions from dba_users where password_versions is not null;
USERNAME PASSWORD_VERSIONS
------------------------------ -----------------
SYS 11G 12C
SYSTEM 11G 12C
CTXSYS 11G 12C
按
With this solution you will also need to change the user password again so the DBA_USERS.PASSWORD_VERSIONS will get a 10G value, however the DES based verifiers are outdated and should only be used in exceptional cases when legacy client applications still need it.
alter user sys identified by oracle;
再次,嘗試從11.2.0.1的使用者端,對19c的伺服器端進行連線時,可以成功連線:
C:\Users\Alfred>sqlplus sys/[email protected]/demo as sysdba
SQL*Plus: Release 11.2.0.1.0 Production on 星期二 1月 17 21:57:33 2023
Copyright (c) 1982, 2010, Oracle. All rights reserved.
連線到:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
SQL> exit
從 Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production 斷開
C:\Users\Alfred>
但是有個疑問,這裡再次改過SYS密碼後,查詢PASSWORD_VERSIONS其實還是沒有顯示出來:
SQL> select username, password_versions from dba_users where password_versions is not null;
USERNAME PASSWORD_VERSIONS
------------------------------ -----------------
SYS 11G 12C
SYSTEM 11G 12C
CTXSYS 11G 12C
考慮到SYS使用者的特殊性,那麼這裡使用SYSTEM使用者再次測試觀察下:
sqlplus system/[email protected]/demo
同樣,報錯ORA-01017,輸入的密碼確認是沒問題的,使用高版本的使用者端,同樣的密碼測試連線也是OK的。
C:\Users\Alfred>sqlplus system/[email protected]/demo
SQL*Plus: Release 11.2.0.1.0 Production on 星期二 1月 17 22:10:02 2023
Copyright (c) 1982, 2010, Oracle. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
請輸入使用者名稱:
C:\Users\Alfred>
修改system密碼:
SQL> select username, PASSWORD_VERSIONS, PASSWORD_CHANGE_DATE from dba_users where PASSWORD_VERSIONS is not null;
USERNAME PASSWORD_VERSIONS PASSWORD_
------------------------------ ----------------- ---------
SYS 11G 12C 04-JAN-23
SYSTEM 11G 12C 04-JAN-23
CTXSYS 11G 12C 04-JAN-23
SQL> alter user system identified by oracle;
User altered.
SQL> select username, PASSWORD_VERSIONS, PASSWORD_CHANGE_DATE from dba_users where PASSWORD_VERSIONS is not null;
USERNAME PASSWORD_VERSIONS PASSWORD_
------------------------------ ----------------- ---------
SYS 11G 12C 04-JAN-23
SYSTEM 10G 11G 12C 17-JAN-23
CTXSYS 11G 12C 04-JAN-23
SQL>
看來,SYSTEM使用者是比較正常顯示的,改過密碼後,PASSWORD_VERSIONS多了10G的顯示,符合我們預期。
此時,再嘗試從11.2.0.1的使用者端,對19c的伺服器端進行連線時,確認system使用者也可以成功連線了:
C:\Users\Alfred>sqlplus system/[email protected]/demo
SQL*Plus: Release 11.2.0.1.0 Production on 星期二 1月 17 22:15:23 2023
Copyright (c) 1982, 2010, Oracle. All rights reserved.
連線到:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
SQL>
其他業務使用者,推斷應該都和system使用者的表現一致,這樣也符合邏輯。
這裡還觀察到一個細節:
修改密碼前,查詢SYS和SYSTEM使用者在user$中的password和spare4欄位:
select name, password, spare4 from user$ where name in ('SYS','SYSTEM')
SQL> /
NAME PASSWORD SPARE4
--------------- --------------- --------------------------------------------------------------------------------
SYS S:88EB5B08A9EC6EBAE68148FB711CF9416C26077B3512B6A5BF8A1F44C610;T:4EDCFBAD9376CD1
ACEBA5567ECA2877B386ED292DD993B57CEEC07261A0137141A5C43941265FC7FD7A540D9D3EED87
1B6EB1733EEBC2AED5A63CF02F69AFEBC89F026B2D4430CE35D6CCCD5C5DA7123
SYSTEM S:9CFB5871B12A3CF7E01D864BFE348D521B15B78DEF75B8C95C0EC661792B;T:52418514B24923B
6C1CC3A609B293A413C5B71C5B2A270A97A71F5E2A2857CFCAE98ECE47B17A1149BAAFF268654082
469B1078901B0B55CFD377987E2C5AFC598045FFCE551D42CBDE2D38418BDFBE6
修改密碼後,再次查詢:
SQL> select name, password, spare4 from user$ where name in ('SYS','SYSTEM') ;
NAME PASSWORD SPARE4
--------------- --------------- --------------------------------------------------------------------------------
SYS S:88EB5B08A9EC6EBAE68148FB711CF9416C26077B3512B6A5BF8A1F44C610;T:4EDCFBAD9376CD1
ACEBA5567ECA2877B386ED292DD993B57CEEC07261A0137141A5C43941265FC7FD7A540D9D3EED87
1B6EB1733EEBC2AED5A63CF02F69AFEBC89F026B2D4430CE35D6CCCD5C5DA7123
SYSTEM 2D594E86F93B17A S:CAA7AFAE43C3D06D50F6272A837ACDF4C3A2D092821AD7076534CCEEE6F7;T:B8FCFE4B975D3D9
1 86C1CD27A21FB6F78397BD97889B017FE2F6B949981E85E5F1208C42A143367C3EA70AF7B39B6193
C38D171CEEF893EAF6FB87A5C095F864B6517CEA65522ACCDE592D9A645FEDC3A
發現SYS使用者在基表user$中也是沒有變化,但是SYSTEM使用者就比較正常了,而且會發現,SYSTEM使用者在PASSWORD欄位也有對應值了,這是因為PASSWORD_VERSIONS=10G版本時,是存在這個欄位的。
最後總結一下: