the password cannot be reused 如何破

穷苦书生_万事愁

于 2024-07-28 08:45:00 发布

阅读量1.1k

点赞数 17

分类专栏：数据库文章标签：数据库 oracle

本文链接：https://blog.csdn.net/weixin_tank88921/article/details/140739776

版权

数据库专栏收录该内容

68 篇文章 0 订阅

订阅专栏

ORA-27300、ORA-27301、ORA-27302

[oracle@testosa:/home/oracle]$ oerr ora 27300
27300, 00000, "OS system dependent operation:%s failed with status: %s"
// *Cause:  OS system call error
// *Action: contact Oracle Support
[oracle@testosa:/home/oracle]$ 
[oracle@testosa:/home/oracle]$ oerr ora 27301
27301, 00000, "OS failure message: %s"
// *Cause:  OS system call error
// *Action: contact Oracle Support
//
[oracle@testosa:/home/oracle]$ 
[oracle@testosa:/home/oracle]$ oerr ora 27302
27302, 00000, "failure occurred at: %s"
// *Cause:  OS system call error
// *Action: contact Oracle Support
//
[oracle@testosa:/home/oracle]$

Oracle 执行job:expdp,数据库实例直接宕掉,报错如下:

ORA-27300: OS system dependent operation:semctl failed with status: 22
ORA-27301: OS failure message: Invalid argument
ORA-27302: failure occurred at: sskgpwrm1
ORA-27157: OS post/wait facility removed
ORA-27300: OS system dependent operation:semop failed with status: 36
ORA-27301: OS failure message: Identifier removed
ORA-27302: failure occurred at: sskgpwwait1

数据库版本11.2.0.4,操作系统版本:rhel 7
检查操作系统日志,定时任务日志并无异常;

原因：

On RedHat 7.x, systemd-logind service introduced a new feature to remove all IPC objects when a user fully logs out. The feature is controled by the option RemoveIPC in the /etc/systemd/logind.conf configuration file, see man logind.conf(5) for details.

在 RHEL 7.x的版本里,systemd-logind 服务控制着用户的行为,当用户退出,会清理该用户的所有内存段.那么定时任务的数据泵就有问题了,调用的内存段是oracle的;

查看removeipc的说明:

RemoveIPC= Controls whether System V and POSIX IPC objects belonging to the user shall be removed when the user fully logs out. Takes a boolean argument. If enabled, the user may not consume IPC resources after the last of the user’s sessions terminated. This covers System V semaphores, shared memory and message queues, as well as POSIX shared memory and message queues. Note that IPC objects of the root user are excluded from the effect of this setting. Defaults to “yes”.

The default value for RemoveIPC in RHEL7.2 is yes.

默认值为yes; 所以当有定时任务时:

As a result, when the last oracle or grid user disconnects, the OS removes shared memory segments and semaphores for those users.

As Oracle ASM and Databases use shared memory segments for SGA, removing shared memory segments will crash the Oracle ASM and database instances.

解决办法:

1、Set RemoveIPC=no in /etc/systemd/logind.conf
2、重启服务

systemctl daemon-reload
systemctl restart systemd-logind

参考MOS:

ORA-27300 ORA-27301 ORA-27302 ORA-27157 Database Crash (Doc ID 438205.1)
Failed Install of RAC with ASM: ORA-27300 ORA-27302 ORA-27300 ORA-27301 ORA-27302 (Doc ID 2099563.1)

其他版本类似报错：

https://blog.csdn.net/aicon/article/details/4877826

ORA-28007: the password cannot be reused 如何破

今天在测试一个小功能时发现个人用户密码已过期，当然这时只能去更改密码，改密码时递归更新密码最后更改时间来改变用户状态，此时profile延长过期天数PASSWORD_LIFE_TIME已无法解决，但是大多数需求是希望是通过改密码的动作清除过期标记又不变原密码，当然这时又受到了user profile中PASSWORD_REUSE_TIME的限制，你可能已想到了可以使用alter user identifed by VALUES ‘’; 但是这里也有个小细节。

Oracle 12c 关于密码(password)的几个新特性小结之前记录过12c以后密码引入新的hash算法, 对于没有10的密码版本在dba_user.password列为空，使用identified by values改密码时可以参考 user$.spare4列，该列又是有多个版本的hash值比如S: 或T: 两部分,有S:用于11g,T:用于12c以后。下面直接上测试环境oracle 19.3

SQL> alter user anbob identified by anbob;
alter user anbob identified by anbob
*
ERROR at line 1:
ORA-28007: the password cannot be reused

SQL> alter user anbob identified by anbob_12345;
User altered.

SQL> alter user anbob identified by anbob;
alter user anbob identified by anbob
*
ERROR at line 1:
ORA-28007: the password cannot be reused

提示：

密码无法重用，且原密码hash值已被替换，我们可以尝试创建个其它用户使用相同的密码，利用新生的hash值试试是否可以？

SQL> create user u11 identified by anbob;
User created.

SQL> select spare4 from user$ where name='U11';

SPARE4
---------------------------------------------------------------------------------------------------
S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8;T:EBFA128291183CF3D8404179C02FA6AA54305CA1CE58426E4DB13167E938C8D192340C607C196046B8B9744576564BE08EC6D8AC8D27E23684DD2763DCC3EB39DE97E317E79BF01B484E854C08DC3C38

SQL> alter user anbob identified by values 'S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8;';
User altered.



[oracle@oel7db1 ~]$ sqlplus anbob/anbob@cdb1pdb1

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 18 10:50:17 2022
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.
Last Successful login time: Fri Feb 18 2022 10:04:00 +08:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL>

注：
只使用hash中的第一部分S：的hash值是可以的。我们再用全hash值试试

SQL> alter user anbob identified by values 'S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8;T:EBFA128291183CF3D8404179C02FA6AA54305CA1CE58426E4DB13167E938C8D192340C607C196046B8B9744576564BE08EC6D8AC8D27E23684DD2763DCC3EB39DE97E317E79BF01B484E854C08DC3C38';

User altered.

[oracle@oel7db1 ~]$ sqlplus anbob/anbob@cdb1pdb1

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 18 10:50:17 2022
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Last Successful login time: Fri Feb 18 2022 10:04:00 +08:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL>

Note:
使用spare4全hash值这也是常用的方法，当然是可以的，那这种方法多次更改受reuse限制吗？

SQL> alter user anbob identified by values 'S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8;T:EBFA128291183CF3D8404179C02FA6AA54305CA1CE58426E4DB13167E938C8D192340C607C196046B8B9744576564BE08EC6D8AC8D27E23684DD2763DCC3EB39DE97E317E79BF01B484E854C08DC3C38';
alter user anbob identified by values 'S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8;T:EBFA128291183CF3D8404179C02FA6AA54305CA1CE58426E4DB13167E938C8D192340C607C196046B8B9744576564BE08EC6D8AC8D27E23684DD2763DCC3EB39DE97E317E79BF01B484E854C08DC3C38'
*
ERROR at line 1:
ORA-28007: the password cannot be reused

SQL> alter user anbob identified by values 'S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8;';
User altered.

SQL> alter user anbob identified by values 'S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8;T:EBFA128291183CF3D8404179C02FA6AA54305CA1CE58426E4DB13167E938C8D192340C607C196046B8B9744576564BE08EC6D8AC8D27E23684DD2763DCC3EB39DE97E317E79BF01B484E854C08DC3C38';
alter user anbob identified by values 'S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8;T:EBFA128291183CF3D8404179C02FA6AA54305CA1CE58426E4DB13167E938C8D192340C607C196046B8B9744576564BE08EC6D8AC8D27E23684DD2763DCC3EB39DE97E317E79BF01B484E854C08DC3C38'
*
ERROR at line 1:
ORA-28007: the password cannot be reused

SQL> alter user anbob identified by anbob;
alter user anbob identified by anbob
*
ERROR at line 1:
ORA-28007: the password cannot be reused

SQL> alter user anbob identified by values 'S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8;';
User altered.

SQL> alter user anbob identified by values 'S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8;';
User altered.

NOTE:
使用第一部分S，可以多次重用，但是全hash和密码一样会提示无法复用。那使用第二部分T:呢：

SQL> alter user anbob identified by values 'T:EBFA128291183CF3D8404179C02FA6AA54305CA1CE58426E4DB13167E938C8D192340C607C196046B8B9744576564BE08EC6D8AC8D27E23684DD2763DCC3EB39DE97E317E79BF01B484E854C08DC3C38';
alter user anbob identified by values 'T:EBFA128291183CF3D8404179C02FA6AA54305CA1CE58426E4DB13167E938C8D192340C607C196046B8B9744576564BE08EC6D8AC8D27E23684DD2763DCC3EB39DE97E317E79BF01B484E854C08DC3C38'
*
ERROR at line 1:
ORA-28007: the password cannot be reused

Note:
即使只使用T:部分hash 也是提示密码无法reused, 判断密码reused必定需要记录历史，做个sql trace不难发现记录在user_history$表。

-- enable 10046 trace 
alter user xx identified by xxx;

grep history xxx.trc

select password from user_history$ where user# = :1
insert into user_history$(user#, password, password_date)   values (:1, :2, :3)

SQL> @us u1
Show database usernames from dba_users matching %u1%

USERNAME                  DEFAULT_TABLESPACE        TEMPORARY_TABLESPACE              USER_ID CREATED             ACCOUNT_STATUS                   PROFILE
------------------------- ------------------------- ------------------------------ ---------- ------------------- -------------------------------- --------------------------------------------------------------------------------------------------------------------------------
U1                        USERS                     TEMP                                  121 2021-10-09 04:21:20 OPEN                             DEFAULT

SQL> delete user_history$ where user#=121;
1 row deleted.

SQL> commit;
Commit complete.

SQL> alter user u1 identified by oracle;
User altered.

SQL> select * from user_history$ where user#=121;
     USER#
----------
PASSWORD
------------------------------------------------------------------------------------------------
PASSWORD_DATE
-------------------
       121
T:5F4CEDE26830BA5F6B3EF66B627B883E945D8889E7D1DE5754AFB6B6E585382DD69CCF9DB7CC42F006BBCF8B407899AB7C394BC22B417F39F3C086716CDEFA8F7D7DC0559417978DE51B782D3528FED7
2022-02-18 14:30:37

SQL> select spare4 from user$ where user#=121;

SPARE4
----------------------------------------------------------------------------------------------
S:9A7FF825EFBD78A1C5ED860FC3088C780F7F6937A50D3DB0EC78DC3BFFD7;T:5F4CEDE26830BA5F6B3EF66B627B883E945D8889E7D1DE5754AFB6B6E585382DD69CCF9DB7CC42F006BBCF8B407899AB7C394BC22B417F39F3C086716CDEFA8F7D7DC0559417978DE51B782D3528FED7

Note:
可以看到更改密码是先查询user_history是否存在，改成功后会把新生成的密码insert到user_history一份，但是只有T:部分.

那我们再看下刚才anbob用户的修改历史。

SQL> select PASSWORD from USER_HISTORY$ where user#=106;
PASSWORD
---------------------------------------------------------------------------------
T:BF147920174662BD276FF8DE9B6A46890A756FA02BA088E89913ACB9434A58189A5E65434B9268916977CC3738850253526B0AFD2FB044FA89D97531245FD61DC49758B797C05128EF6CF059869C60C5
T:AB79CEF0BB3392FAF13D4A5C7C58511A6019E95A8AB92C2C3992379D7B7FEBF7787362C487537AEFDBFAC8AB925C2F5E36E39C642E12497390323A64B34B7CBB522C542AC6766B8C533C3694BF223E32
T:5A4B3DF6CB99E373602C746C2A1E63B6E992084D0EEB71B099E042C9F0020F8C130A1DF024CE89041AEC60B335BF6F15EB1DE008E7E88A0F73EE2CCBE3FB736BEFDB8D5AAA7D873246805586F6DE2D93
T:A306056EBE54CBA65699EAD81F1ED10E1E11A07F91EA9F73564B08BFE8E00C4A9CDC3BBEBFE2CF43BB05C3BD40CA0B40CA50ED30402BDB5A87B2FDEB08A5A8219532DFF5FC34678AE7637C4057618055
T:1E39D8D113EAF560659626485613AD570E0638DAF93F48C20B18C1EE19753128350A7745B02FD8DABBD8F9D350D51B033F0B259AD5B9F672EF6FCA8486A7B9D9E5AC67A8E7E13FE4F1A2BF96AB70B16D
T:32AFD96BA43F93813D7D1C0B9AD1013BB5462D1CCB728B1808335A44540A27258737DDCBCD95A27F6834244182CEF387809D363368AAF7ADBE6BA0188347860817CCE51E077FBC91C10C66B5E005FFD2
T:6624621479FE8A249BC6BC449160A3604773F22B5831243677C1C8BFD76D141BEF77EF22706643C56AF445C96B45F6326FAF394D2EA1C9F68039E062EBA549C3871589166FDB06C2B9C14DEB3363020C
S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8
T:EBFA128291183CF3D8404179C02FA6AA54305CA1CE58426E4DB13167E938C8D192340C607C196046B8B9744576564BE08EC6D8AC8D27E23684DD2763DCC3EB39DE97E317E79BF01B484E854C08DC3C38
S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8
S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8
S:B1ED0377396B42B94D79C14F4B0D7566B657EFF83C4EEA0FFD45D8CA57A8

12 rows selected.

Note:
注意可以看到使用identified by values只使用S:部分的也会记录，但不会约束密码复用。

SQL> delete USER_HISTORY$ where user#=106 and PASSWORD like 'T:%';
8 rows deleted.

SQL> commit;
Commit complete.

SQL> alter user anbob identified by anbob;
User altered.

Note:
删掉user_history$中的T:部分的密码历史记录就可以直接复用原密码。哪改密码只用T:部分是否可以呢？

SQL> select spare4 from user$ where user#=106;

SPARE4
--------------------------------------------------------------------------------
S:A5B3B939D517C7A708B14715BCB49A70C627BE9D032BD57835553896DC05;T:A8C8955DA4E42EFC1069F15A6F5A89A0D3C61BF235DEE9366922554A5F27691B81A43812D8C6E7A8A38C1BA1C452372E6C2C5CE339E22935731149A61FB0B41069C06A1109DD04E9464E8DE5E18BA21F

SQL> select * from user_history$ where user#=106;

     USER#
----------
PASSWORD
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
PASSWORD_DATE
-------------------
       106
T:A8C8955DA4E42EFC1069F15A6F5A89A0D3C61BF235DEE9366922554A5F27691B81A43812D8C6E7A8A38C1BA1C452372E6C2C5CE339E22935731149A61FB0B41069C06A1109DD04E9464E8DE5E18BA21F
2022-02-18 14:50:38


SQL> alter user anbob password expire;
User altered.

SQL> select account_status from dba_users where username='ANBOB';
ACCOUNT_STATUS
--------------------------------
EXPIRED

SQL> alter user anbob identified by values 'T:A8C8955DA4E42EFC1069F15A6F5A89A0D3C61BF235DEE9366922554A5F27691B81A43812D8C6E7A8A38C1BA1C452372E6C2C5CE339E22935731149A61FB0B41069C06A1109DD04E9464E8DE5E18BA21F';
alter user anbob identified by values 'T:A8C8955DA4E42EFC1069F15A6F5A89A0D3C61BF235DEE9366922554A5F27691B81A43812D8C6E7A8A38C1BA1C452372E6C2C5CE339E22935731149A61FB0B41069C06A1109DD04E9464E8DE5E18BA21F'
*
ERROR at line 1:
ORA-28007: the password cannot be reused

SQL> delete USER_HISTORY$ where user#=106 and PASSWORD like 'T:%';
1 row deleted.

SQL> commit;
Commit complete.

SQL> alter user anbob identified by values 'T:A8C8955DA4E42EFC1069F15A6F5A89A0D3C61BF235DEE9366922554A5F27691B81A43812D8C6E7A8A38C1BA1C452372E6C2C5CE339E22935731149A61FB0B41069C06A1109DD04E9464E8DE5E18BA21F';
User altered.

SQL> conn anbob/anbob@cdb1pdb1
Connected.

SQL> select account_status from dba_users where username='ANBOB';

ACCOUNT_STATUS
--------------------------------
OPEN

SQL> select spare4 from user$ where user#=106;

SPARE4
-------------------------------------------------------------------------------------------------
T:A8C8955DA4E42EFC1069F15A6F5A89A0D3C61BF235DEE9366922554A5F27691B81A43812D8C6E7A8A38C1BA1C452372E6C2C5CE339E22935731149A61FB0B41069C06A1109DD04E9464E8DE5E18BA21F

Note:
只使用T:部分的密码hash也是可以的，只是密码版本就只有12后的了，会导致低版本的数据库客户端验证失败。之前blog有写过这T部分的hash是有随机码在里面，那生成的hash值就会不一样，如果我们使用之前的相同密码不同hash修复是否也可以呢？

SQL> alter user anbob identified by values 'T:E690A5521F77250BDDA4777B5F9E0497A78E1AC66AF4C9A003577F5442E9B8CA6E2B1F399BCD285872575E55291E5FBCC1F593F15804406AC5D8A8044BBBF626509A9CE3C2D720BE722A5A2822669AF1';
User altered.

[oracle@oel7db1 ~]$ sqlplus anbob/anbob@cdb1pdb1

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 18 15:01:46 2022
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.
Last Successful login time: Fri Feb 18 2022 14:54:51 +08:00

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> select * from user_history$ where user#=106;

     USER#
----------
PASSWORD
----------------------------------------------------------------------------------
PASSWORD_DATE
-------------------
       106
T:A8C8955DA4E42EFC1069F15A6F5A89A0D3C61BF235DEE9366922554A5F27691B81A43812D8C6E7A8A38C1BA1C452372E6C2C5CE339E22935731149A61FB0B41069C06A1109DD04E9464E8DE5E18BA21F
2022-02-18 14:54:36

       106
T:E690A5521F77250BDDA4777B5F9E0497A78E1AC66AF4C9A003577F5442E9B8CA6E2B1F399BCD285872575E55291E5FBCC1F593F15804406AC5D8A8044BBBF626509A9CE3C2D720BE722A5A2822669AF1
2022-02-18 15:01:38

Note:
使用历史的密码hash值一样不影响连接使用。

Summary:

对于密码失效需要修改密码不能reused的问题，目前除了使用新密码外，我们可以使用identified by values 指定S:部分，或使用相同密码不同的hash值的T:部分，或使用相同的密码创建其它用户生成的密码hash，或手动清理掉user_history$中的历史记录都可以解决。

穷苦书生_万事愁

关注

17
点赞
踩
8

收藏

觉得还不错? 一键收藏
0
评论
the password cannot be reused 如何破

数据库版本11.2.0.4,操作系统版本:rhel 7检查操作系统日志,定时任务日志并无异常;在 RHEL 7.x的版本里,systemd-logind 服务控制着用户的行为,当用户退出,会清理该用户的所有内存段.那么定时任务的数据泵就有问题了,调用的内存段是oracle的;查看removeipc的说明:默认值为yes;
复制链接

扫一扫

专栏目录