Hi,

: I execute the DB database setup wizard using "084 ORACLE 8.0.4 -
: 8.1.X" driver and ...
: If i go back to login page and use SYS account then I receive message:
: "ORA-28009: connection to sys should be as sysdba or sysoper"
: but I cannot write "sys as sysdba" in the user field (invalid
: username/password). What should I do?

I had the same problem, when install DB Tools 4.1:

I'm trying to install your DBTools to access Oracle 9.0.1 database in one W2K server. I execute the DB database setup wizard using "084 ORACLE 8.0.4 - 8i - 9i" and if I try to login using SYS account then I receive a message: "ORA-28009: connection to sys should be as sysdba or sysoper" but I cannot write "sys as sysdba" in the user field, because this result in a warning message (invalid username/password). What should I do ? If I try to connect using SQL*plus, no problems:

...
SQL> disconnect
Desconectado de Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production
With the Partitioning option
JServer Release 9.0.1.1.1 - Production
SQL> connect sys@fiscal as sysdba
Informe a senha: ******
Conectado.
SQL> disconnect
Desconectado de Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production
With the Partitioning option
JServer Release 9.0.1.1.1 - Production
...

Noted that the "Host string" must be typed. Maybe the install setup can't find the tnsnames.ora, or something else. When trying to use SYSTEM account, the problem don't appear...

Tks in Adv,
Sbleck

Please grant nessesary permissions using SQL*PLUS. Logon as SYS.

Here is the complete script for the profiler part:

create table ora_monitor.profiler_data (

runid number not null primary key,

run_name varchar2(100) check (rtrim(run_name) != null),

start_time date default sysdate not null,

user_runid number default 1 not null,

run_seq integer default 1 not null,

user_sid number not null,

user_name varchar2(30) default user not null,

run_cpu number default 0,

run_io number default 0,

run_memory number default 0,

run_sorts number default 0,

run_sort_ratio number default 0,

run_gets number default 0,

run_status varchar2(12) default 'INCOMPLETE',

session_name varchar2(100) check (rtrim(session_name) != null),

session_comments varchar2(4000),

run_source long) TABLESPACE TOOLS;

create index ora_monitor.i_profiler_data on ora_monitor.profiler_data (user_name, session_name) TABLESPACE TOOLS;

GRANT SELECT, INSERT, DELETE, UPDATE ON ora_monitor.profiler_data TO PUBLIC;

: Hi,

: I had the same problem, when install DB Tools 4.1: I'm trying to install your
: DBTools to access Oracle 9.0.1 database in one W2K server. I execute the
: DB database setup wizard using "084 ORACLE 8.0.4 - 8i - 9i" and
: if I try to login using SYS account then I receive a message:
: "ORA-28009: connection to sys should be as sysdba or sysoper"
: but I cannot write "sys as sysdba" in the user field, because
: this result in a warning message (invalid username/password). What should
: I do ? If I try to connect using SQL*plus, no problems: ...
: SQL> disconnect
: Desconectado de Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production
: With the Partitioning option
: JServer Release 9.0.1.1.1 - Production
: SQL> connect sys@fiscal as sysdba
: Informe a senha: ******
: Conectado.
: SQL> disconnect
: Desconectado de Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production
: With the Partitioning option
: JServer Release 9.0.1.1.1 - Production
: ...

: Noted that the "Host string" must be typed. Maybe the install setup
: can't find the tnsnames.ora, or something else. When trying to use SYSTEM
: account, the problem don't appear...

: Tks in Adv,
: Sbleck

Hi,

: Please grant nessesary permissions using SQL*PLUS. Logon as SYS.
: Here is the complete script for the profiler part: create table
: ora_monitor.profiler_data (
: GRANT SELECT, INSERT, DELETE, UPDATE ON ora_monitor.profiler_data TO PUBLIC;

Sorry, but I can't understand why granting some rights to a table can solve my initial problem, that is to connect using SYS account...

My problem is in the beginning of the installation, BEFORE creating these auxiliary tables...

Pls give me an answer about what should I do to solve this problem, because trying to install DBTools can only be done when connecting as SYSTEM, not SYS. But, connecting as SYS is the requirement...

Tks in ADV,
Sbleck

Hi,

: Please grant nessesary permissions using SQL*PLUS. Logon as SYS.
: Here is the complete script for the profiler part: create table
: ora_monitor.profiler_data (
: GRANT SELECT, INSERT, DELETE, UPDATE ON ora_monitor.profiler_data TO PUBLIC;

Looked for a reason to receiving ORA-28009 when installing DBTools 4.1 to access Oracle 9i databases, and found something very useful (again) in AskTom site:

ORA-28009: connection to sys should be as sysdba or sysoper

is not really new to Oracle9i but more people will hit it in 9i then in 8i and
before. Oracle9i defaults the init.ora parameter "O7_DICTIONARY_ACCESSIBILITY"
to FALSE whereas all prior releases defaulted it to TRUE.

There are two side effects of this parameter being set to FALSE:

o connect sys/password will not function, you will get the ORA-28009 error

o Access to the "real" data dictionary owned by SYS will not be available to
users, even if they have the SELECT ANY TABLE privelege. These are not the data
dictionary views like ALL_OBJECTS but rather the base tables like SYS.OBJ$ that
will be unaccessible.

Now the first side effect, that "sys/password" will not work without
sysoper/sysdba, is not clearly documented anywhere. The fact that the
O7_DICTIONARY_ACCESSIBILITY init.ora parameter causes this is somewhat hard to
track down -- but that is what is causing this.

The other side effect -- that the "real" data dictionary is not accessible to
normal users is well documented. That is after all the purpose of this
initialization parameter. That said however, there is of course a caveat to
this. Portions of the documentation still state:

If this parameter is set to false and you need to access objects in the
SYS schema, then you must be granted explicit object privilege. Also,
the following roles, which can be granted to the database administrator,
also allow access to dictionary objects: SELECT_CATALOG_ROLE,
EXECUTE_CATALOG_ROLE, and DELETE_CATALOG_ROLE.

But in Oracle9i that is not accurate. There is a new system privilege "SELECT
ANY DICTIONARY" the permits access to the SYS schema (and by default the DBA
role has this privilege granted to it). The "Oracle9i Database README Release
Notes" included with the 9i software does describe this change:

18.3 Data Dictionary Protection

Data dictionary protection is now enabled by default. Specifically, the

O7_DICTIONARY_ACCESSIBILITY init.ora parameter is set to FALSE on

installation. As a result, regular users who are not database administrators

with ANY privileges (for example, SELECT ANY TABLE) can no longer use the

ANY privilege upon data dictionary objects; however, the user can access

non-SYS schema objects using the ANY privilege.

Users making a database administrator user type connection (for example,

CONNECT / AS SYSBDA) can exercise privilege on data dictionary objects,

since SYSDBA has all privileges.

A new system privilege, SELECT ANY DICTIONARY, provides users with SELECT

access to any object in the SYS schema without giving them DBA privileges.

Oracle recommends that the dictionary protection feature remain enabled as

it is a more secure configuration. If O7_DICTIONARY_ACCESSIBILITY is set to

TRUE, then regular users with the ANY privilege can use these privileges --

perhaps maliciously -- to alter data dictionary objects.

My recommendation would be to leave the the O7_DICTIONARY_ACCESSIBILITY set to
false and change scripts that connect as SYS to connect as some other user.
Using the SYS account should be avoided in any case -- you should never use it
to create objects, cannot use it to create triggers and some commands (for
example "set transaction read only") don't even work when connected as SYS.

Consider SYS to be a special account that you never need to use anymore.

More info can be found in the link mentioned below, and I imagine that this could solve what is happening when installing DBTools to access Oracle 9i instances. Now, I imagine that some messages requiring connection as SYS must be changed, too...

Rgds,
Sbleck

Because of the backward-incompatible changes in the Oracle 9i the SYS account cannot be used for regular database connections. As a result, some optional portions of the database setup cannot be run in Oracle9i as they require "SYSDBA" type connection, which is not supported in the current version.

More specifically SYS connection is only needed to grant certain privileges to ORA_MONITOR user and let it access DBMS_xxx system packages and V$ system views. That's why I asked you to use SQL*Plus to connect as SYSDBA and grant these privileges.

: Hi,

: Sorry, but I can't understand why granting some rights to a table can solve
: my initial problem, that is to connect using SYS account...

: My problem is in the beginning of the installation, BEFORE creating these
: auxiliary tables...

: Pls give me an answer about what should I do to solve this problem, because
: trying to install DBTools can only be done when connecting as SYSTEM, not
: SYS. But, connecting as SYS is the requirement...

: Tks in ADV,
: Sbleck

This is all correct. But again the problem is that it cannot connect as SYSDBA and connecting as SYS without SYSDBA is not allowed.

PS. I don't recommend changing O7_DICTIONARY_ACCESSIBILITY as this may affect your other applications.

: Hi,

: Looked for a reason to receiving ORA-28009 when installing DBTools 4.1 to
: access Oracle 9i databases, and found something very useful (again) in
: AskTom site: ORA-28009: connection to sys should be as sysdba or sysoper

: is not really new to Oracle9i but more people will hit it in 9i then in 8i
: and
: before. Oracle9i defaults the init.ora parameter
: "O7_DICTIONARY_ACCESSIBILITY"
: to FALSE whereas all prior releases defaulted it to TRUE.

: There are two side effects of this parameter being set to FALSE: o connect
: sys/password will not function, you will get the ORA-28009 error

: o Access to the "real" data dictionary owned by SYS will not be
: available to
: users, even if they have the SELECT ANY TABLE privelege. These are not the
: data
: dictionary views like ALL_OBJECTS but rather the base tables like SYS.OBJ$
: that
: will be unaccessible.

: Now the first side effect, that "sys/password" will not work
: without
: sysoper/sysdba, is not clearly documented anywhere. The fact that the
: O7_DICTIONARY_ACCESSIBILITY init.ora parameter causes this is somewhat hard
: to
: track down -- but that is what is causing this.

: The other side effect -- that the "real" data dictionary is not
: accessible to
: normal users is well documented. That is after all the purpose of this
: initialization parameter. That said however, there is of course a caveat to
: this. Portions of the documentation still state: If this parameter is set to
: false and you need to access objects in the
: SYS schema, then you must be granted explicit object privilege. Also,
: the following roles, which can be granted to the database administrator,
: also allow access to dictionary objects: SELECT_CATALOG_ROLE,
: EXECUTE_CATALOG_ROLE, and DELETE_CATALOG_ROLE.

: But in Oracle9i that is not accurate. There is a new system privilege
: "SELECT
: ANY DICTIONARY" the permits access to the SYS schema (and by default the
: DBA
: role has this privilege granted to it). The "Oracle9i Database README
: Release
: Notes" included with the 9i software does describe this change: 18.3
: Data Dictionary Protection

: Data dictionary protection is now enabled by default. Specifically, the

: O7_DICTIONARY_ACCESSIBILITY init.ora parameter is set to FALSE on

: installation. As a result, regular users who are not database administrators

: with ANY privileges (for example, SELECT ANY TABLE) can no longer use the

: ANY privilege upon data dictionary objects; however, the user can access

: non-SYS schema objects using the ANY privilege.

: Users making a database administrator user type connection (for example,

: CONNECT / AS SYSBDA) can exercise privilege on data dictionary objects,

: since SYSDBA has all privileges.

: A new system privilege, SELECT ANY DICTIONARY, provides users with SELECT

: access to any object in the SYS schema without giving them DBA privileges.

: Oracle recommends that the dictionary protection feature remain enabled as

: it is a more secure configuration. If O7_DICTIONARY_ACCESSIBILITY is set to

: TRUE, then regular users with the ANY privilege can use these privileges --

: perhaps maliciously -- to alter data dictionary objects.

: My recommendation would be to leave the the O7_DICTIONARY_ACCESSIBILITY set
: to
: false and change scripts that connect as SYS to connect as some other user.
: Using the SYS account should be avoided in any case -- you should never use
: it
: to create objects, cannot use it to create triggers and some commands (for
: example "set transaction read only") don't even work when connected
: as SYS.

: Consider SYS to be a special account that you never need to use anymore.

: More info can be found in the link mentioned below, and I imagine that this
: could solve what is happening when installing DBTools to access Oracle 9i
: instances. Now, I imagine that some messages requiring connection as SYS
: must be changed, too...

: Rgds,
: Sbleck

>: My recommendation would be to leave the the O7_DICTIONARY_ACCESSIBILITY set
>: to
>: false and change scripts that connect as SYS to connect as some other user.
>: Using the SYS account should be avoided in any case -- you should never use
>: it
>: to create objects, cannot use it to create triggers and some commands (for
>: example "set transaction read only") don't even work when connected
>: as SYS.
>: Consider SYS to be a special account that you never need to use anymore.

: This is all correct. But again the problem is that it cannot connect as
: SYSDBA and connecting as SYS without SYSDBA is not allowed.

Ok. Than, the solution to do the same as SYS is...

: PS. I don't recommend changing O7_DICTIONARY_ACCESSIBILITY as this may affect
: your other applications.

Ok. I don't touched this parameter, but should know how can I solve my problem for connecting to 9i databases using DBTools. I tried to use SYSTEM account, but many errors appeared and the only way to put DBTools to run was to grant the required privileges, after the warning messages. BUT, I was afraid due to the fact that during the install phase these errors are appeared that I was not confident with this situation...

Rgds,
Sven

: Ok. Than, the solution to do the same as SYS is...

: Ok. I don't touched this parameter, but should know how can I solve my
: problem for connecting to 9i databases using DBTools. I tried to use
: SYSTEM account, but many errors appeared and the only way to put DBTools
: to run was to grant the required privileges, after the warning messages.
: BUT, I was afraid due to the fact that during the install phase these
: errors are appeared that I was not confident with this situation...

You can use SYSTEM or any other dba account for that purpose. Once the selected objects are installed you can connect as SYS to recompile them and grant the required privileges. What privileges to grant depend on what objects you select to install.

PS. All installation scripts can be found in db_setup.zip file in DB Tools directory.

: Rgds,
: Sven