Map OS Groups To Administrative Privileges After Installation

During installation of the database software, the user is prompted for the names of the operating system groups that map to the administrative privileges (SYSDBA, SYSOPER, SYSBACKUP, SYSKM, SYSDG). One operating system group can be mapped to multiple administrative privileges if role separation is not desired. If the need for role separation arises later, the mapping can be changed by updating the $ORACLE_HOME/rdbms/lib/config.c file and then relinking the Oracle binaries. This post explains the steps.

While installing database 12.1.0.2 software on Linux, I had not created OS groups corresponding to administrative privileges SYSBACKUP, SYSKM, SYSDG. Now I want OS groups dgdba, backupdba and kmdba to map to SYSDG, SYSBACKUP and SYSKM administrative privileges respectively.

– Check that groups dgdba, backupdba and kmdba do not exist

[root@host01 etc]# cat /etc/group | grep dba
dba:x:501:oracle

– Create groups dgdba, backupdba and kmdba

# groupadd -g 54321 dgdba
# groupadd -g 54322 backupdba
# groupadd -g 54323 kmdba

– Check that groups dgdba, backupdba and kmdba have been created

[root@host01 etc]# cat /etc/group | grep dba
dba:x:501:oracle
dgdba:x:54321:
backupdba:x:54322:
kmdba:x:54323:

– Create a user test which is a member of dgdba group

[root@host01 /]# useradd test -g oinstall -G dgdba

[root@host01 /]# passwd test
Changing password for user test.
New UNIX password:

– Login as test user

[root@host01 /]# su - test

[test@host01 ~]$ . oraenv
ORACLE_SID = [test] ? orcl

– As test user try to connect as sysdg – fails as dgdba group has not been mapped to SYSDG administrative privilege

[test@host01 ~]$ dgmgrl

DGMGRL> connect sysdg/xx
ORA-01017: invalid username/password; logon denied

Warning: You are no longer connected to ORACLE.

– Verify in the configuration file that OS group dba currently corresponds to administrative privileges SYSDBA, SYSKM, SYSDG and SYSBACKUP

[oracle@host01 ~]$ cat $ORACLE_HOME/rdbms/lib/config.c |grep define
/* SS_DBA_GRP defines the UNIX group ID for sqldba adminstrative access. */
#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oper"
#define SS_ASM_GRP ""
#define SS_BKP_GRP "dba"
#define SS_DGD_GRP "dba"
#define SS_KMT_GRP "dba"

– Edit the configuration file so that OS groups dgdba, backupdba and kmdba map to SYSDG, SYSBACKUP and SYSKM administrative privileges respectively.

[oracle@host01 ~]$ vi $ORACLE_HOME/rdbms/lib/config.c
#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oper"
#define SS_ASM_GRP ""
#define SS_BKP_GRP "backupdba"
#define SS_DGD_GRP "dgdba"
#define SS_KMT_GRP "kmdba"

– To relink Oracle binaries, shut down all Oracle processes of all instances

a. Shut down the listener.

$ lsnrctl stop

b. Shut down all instances.

$ ps -ef |grep pmon |grep -v grep
oracle 11832 1 0 15:21 ? 00:00:00 ora_pmon_orcl

ORCL> shutdown immediate

– Relink binaries

[oracle@host01 ~]$ cd $ORACLE_HOME/bin; relink all

writing relink log to: /u01/app/oracle/product/12.1.0.2/dbhome_1/install/relink.log

– Now as test user connect as sysdg – succeeds

[test@host01 bin]$ dgmgrl

DGMGRL> connect sysdg/xx
Connected as SYSDG.

– Optionally modify existing OS user oracle to become part of new groups

# usermod -a -G dgdba,backupdba,kmdba oracle

[root@host01 /]# su - oracle

[oracle@host01 ~]$ id
uid=500(oracle) gid=500(oinstall) groups=500(oinstall),501(dba),502(oper),503(asmadmin),54321(dgdba),54322(backupdba),54323(kmdba)
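
– Audit the mapping (added example, not part of the original post or of Oracle's tooling). The script below parses the SS_*_GRP defines in config.c and reports every OS group that carries more than one administrative privilege, plus every mapped group missing from the group file. The function name audit_groups, its report format and the sample files are assumptions; the macro-to-privilege pairs follow the defines and privileges shown above.

```shell
#!/bin/sh
# Report OS groups that carry more than one administrative privilege (no role
# separation) and mapped groups that are absent from the group file.
# audit_groups and its output format are hypothetical, not an Oracle utility.
audit_groups() {   # usage: audit_groups <config.c> <group file>
    awk -v groupfile="$2" '
    BEGIN {
        priv["SS_DBA_GRP"] = "SYSDBA";    priv["SS_OPER_GRP"] = "SYSOPER"
        priv["SS_BKP_GRP"] = "SYSBACKUP"; priv["SS_DGD_GRP"]  = "SYSDG"
        priv["SS_KMT_GRP"] = "SYSKM"
        # Load the names of the groups that exist on the host
        while ((getline line < groupfile) > 0) {
            split(line, f, ":"); exists[f[1]] = 1
        }
    }
    $1 == "#define" && ($2 in priv) {
        g = $3; gsub(/"/, "", g)
        if (g == "") next                  # privilege not mapped to any group
        sep = (count[g]++ > 0) ? "," : ""
        members[g] = members[g] sep priv[$2]
    }
    END {
        for (g in members) {
            if (count[g] > 1)   print "SHARED " g " " members[g]
            if (!(g in exists)) print "MISSING " g
        }
    }' "$1" | sort
}

# Constructed sample input: the pre-change defines shown in this post and a
# two-line group file. On a real host pass $ORACLE_HOME/rdbms/lib/config.c
# and /etc/group instead.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/config.c" <<'EOF'
#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oper"
#define SS_ASM_GRP ""
#define SS_BKP_GRP "dba"
#define SS_DGD_GRP "dba"
#define SS_KMT_GRP "dba"
EOF
printf 'dba:x:501:oracle\noper:x:502:oracle\n' > "$tmp/group"
audit_groups "$tmp/config.c" "$tmp/group"
```

An empty report means every privilege has its own group and every mapped group exists; config.c only takes effect after the relink step, so the report describes the file, not the running binaries.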

Hope it helps!

Your comments and suggestions are always welcome.
