Oracle-Ninja.com Andy Colvin's Oracle Blog

7May/123

Why I Don’t Like Role Separated Accounts – Part 1

One of the things that I've touched on before that tends to bother me - role separated grid infrastructure installations - gave me another reason to show my dislike a few weeks ago.  While working on a system that was being upgraded from 11.2.0.2 to 11.2.0.3, we ran into a strange issue.  After upgrading from 11.2.0.2 to 11.2.0.3, we could no longer connect to our databases.  When we would attempt to connect remotely, we would get:

?View Code NONE
[acolvin@homer ~]$ sqlplus system@odademo
 
SQL*Plus: Release 11.2.0.3.0 Production on Sun May 20 11:58:23 2012
 
Copyright (c) 1982, 2011, Oracle.  All rights reserved.
 
Enter password:
ERROR:
ORA-12537: TNS:connection closed

We could connect to the database without issue internally. There were no network issues to report, everything appeared to be working fine, except we couldn't get in to the database.  The database we were connecting to (DEMO) was registered with the listener:

?View Code NONE
[grid@patty ~]$ lsnrctl stat LISTENER_SCAN1
 
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 20-MAY-2012 12:07:55
 
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER_SCAN1
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                25-APR-2012 11:50:38
Uptime                    25 days 0 hr. 17 min. 17 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/11.2.0.3/grid/network/admin/listener.ora
Listener Log File         /u01/app/11.2.0.3/grid/log/diag/tnslsnr/patty/listener_scan1/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER_SCAN1)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=****)(PORT=1521)))
Services Summary...
Service "DEMO" has 2 instance(s).
  Instance "DEMO1", status READY, has 2 handler(s) for this service...
  Instance "DEMO2", status READY, has 2 handler(s) for this service...
 
[grid@patty ~]$ lsnrctl stat
 
LSNRCTL for Linux: Version 11.2.0.3.0 - Production on 20-MAY-2012 12:05:51
 
Copyright (c) 1991, 2011, Oracle.  All rights reserved.
 
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 11.2.0.3.0 - Production
Start Date                07-MAY-2012 15:21:43
Uptime                    12 days 20 hr. 44 min. 8 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/11.2.0.3/grid/network/admin/listener.ora
Listener Log File         /u01/app/grid/diag/tnslsnr/patty/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=LISTENER)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=****)(PORT=1521)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=****)(PORT=1521)))
Services Summary...
Service "+ASM" has 1 instance(s).
  Instance "+ASM1", status READY, has 1 handler(s) for this service...
Service "DEMO" has 1 instance(s).
  Instance "DEMO1", status READY, has 2 handler(s) for this service...

After poking around for a little bit, I came across MOS note #1069517.1, "ORA-12537 if Listener (including SCAN Listener) and Database are Owned by Different OS User." Hey, that looks familiar! Looking through the listener logs, we saw this error:

?View Code NONE
20-MAY-2012 12:10:48 * (CONNECT_DATA=(SID=DEMO1)(CID=(PROGRAM=perl@patty)(HOST=patty)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.10.219)(PORT=24042)) * establish * DEMO1 * 12518
TNS-12518: TNS:listener could not hand off client connection
 TNS-12547: TNS:lost contact
  TNS-12560: TNS:protocol adapter error
   TNS-00517: Lost contact
    Linux Error: 32: Broken pipe

Turns out this is an issue if the permissions on the oracle binary in the database $ORACLE_HOME/bin directory is missing the setuid bit.

?View Code NONE
[oracle@patty ~]$ ls -al /u01/app/oracle/product/11.2.0/dbhome_1/bin/oracle
-rwxr-x--x 1 oracle asmadmin 229009338 Jan 19 12:59 /u01/app/oracle/product/11.2.0/dbhome_1/bin/oracle

Once we reset the setuid bit, we were back in business:

?View Code NONE
[oracle@patty ~]$
chmod 6751 /u01/app/oracle/product/11.2.0/dbhome_1/bin/oracle
 
[oracle@patty ~]$ ls -al /u01/app/oracle/product/11.2.0/dbhome_1/bin/oracle
-rwsr-x--x 1 oracle asmadmin 229009338 Jan 19 12:59 /u01/app/oracle/product/11.2.0/dbhome_1/bin/oracle

While this isn't something that comes up often, it's still something that wouldn't happen under an environment owned entirely by the Oracle account.

Be Sociable, Share!
Tagged as: , , , Leave a comment
Comments (3) Trackbacks (0)
  1. Shrenik
    July 23rd, 2012 - 14:52

    Very nice. This helped me!!!!

    ( REPLY )
  2. Daniel Andersen
    November 10th, 2012 - 07:15

    You saved my day

    ( REPLY )

Leave a Reply

No trackbacks yet.

» «

Enkitec Extreme Exadata Expo

Enkitec Extreme Exadata Expo - August 13 - 14

Speaking Engagements

Follow me on Twitter

Topics

announcements ASM bug fixes bundle patch Conferences Critical Issues database Enkitec Exadata Exadata Configuration exadata crit Exadata V2 Exadata X3 Expansion hardware infiniband install linux listener maintenance network networking ODA on demand Openworld 2011 Openworld 2012 Operating System oracle Oracle Database Appliance Oracle Enterprise Linux Patching Patching Exadata Presentations prognostications QDPE RAC RAID repository RMAN role separation Speaking Split Rack Write Back Cache X2-8 yum

Recent Posts

Recent Comments

Blogroll

Archives