I am having trouble shutting down a local Oracle database. I've googled the problem, and the SYSTEM user I am using is in the ora_dba domain, and I also noticed that I need the sqlnet.ora in my ORACLE_HOME/network/admin folder, but I do not have a network/admin folder in my Oracle home. All I have is a middleware folder. I am installing all of this to be able to publish a BPEL process to a local WebLogic instance, and this has taken me a little over two days just trying to get this all set up. I am starting to get a bit frustrated lol. Here's the error I am getting below:
In order to start up or shut down the Oracle instance you need extended privileges - Oracle database SYS privileges.
As soon as your Windows user DOMAIN\user has been granted group 'ora_dba', you are authorized on the OS-level to log into the database as user SYS.
C:\>sqlplus / as sysdba
SQL> show user
USER is "SYS"
SQL> shutdown immediate
Our business has just changed Active Directories and the domain changed, from "YMS" to "YMSNET". So I used to be able to log in with "YMS\tkol" and I can now log in with "YMSNET\tkol" (these usernames and domains are faked for the purpose of example), but when I log in as that now, I can't actually expand any of the databases or look at any of the tables, I can just see a list of the database names. When I try to expand a database in the UI it says "This database is not accessible (Object Explorer)."
Now I have another user, called "sqluser", and I keep trying to use that user to log in as well by changing the Authentication Method to SQL Server Authentication rather than Windows Authentication. But I get Microsoft SQL Server, Error: 4064.
Now I know this sqluser user exists and the password is correct, because I can authenticate to the server and successfully interact with the tables from an external process on a separate computer on the same network (node.js, package mssql). And I used the query on the accepted answer on this question, and found my sqluser is there, with roles db_accessadmin, db_ddladmin, db_owner. And yet it still won't let me log in with that user in the SQL Server Management Studio UI.
How can I get this working again and log in with my sqluser account? Or add the appropriate permissions for my YMSNET\tkol account?
--- edit ---
My first idea is that, because I can log into the UI with YMSNET\tkol, but I can interact with the databases externally with sqluser, that there is some query or command I can run with sqluser that will add permissions for YMSNET\tkol so that that user can now look at all the databases and tables. I don't know which commands I'd run for that.
It can be because your account's default database is mapped to another database that is not available to you: for instance, you have no permissions there, or that database no longer exists.
Your organization DBA can fix it by:
ALTER LOGIN [sqluser] WITH DEFAULT_DATABASE = [rightDB]
Default db name can be checked by:
select default_database_name from sys.server_principals
where name = 'sqluser'
This property can be overridden by opening the "Options" of the SSMS connection window and specifying the database explicitly.
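Added example, not part of the answer above: a server-wide check an administrator can run to find logins whose default database would produce error 4064, followed by the repair. `sqluser` and `rightDB` are the placeholders used in the answer, and the script assumes it is run by a sysadmin.

```sql
-- 1. Logins whose default database is missing or not ONLINE.
SELECT sp.name                  AS login_name,
       sp.type_desc             AS login_type,
       sp.default_database_name,
       d.state_desc             AS database_state   -- NULL = database no longer exists
FROM sys.server_principals AS sp
LEFT JOIN sys.databases AS d
       ON d.name = sp.default_database_name
WHERE sp.type IN ('S', 'U', 'G')   -- SQL logins, Windows logins, Windows groups
  AND (d.database_id IS NULL OR d.state_desc <> N'ONLINE');
GO

-- 2. The database can exist and be online while the login still has no
--    user mapped in it. HAS_DBACCESS answers for the current security
--    context, so impersonate the login for the check, then revert.
EXECUTE AS LOGIN = N'sqluser';
SELECT name AS database_name, HAS_DBACCESS(name) AS can_open
FROM sys.databases
ORDER BY name;
REVERT;
GO

-- 3. Point the login at a database it can open (placeholder name from the answer).
ALTER LOGIN [sqluser] WITH DEFAULT_DATABASE = [rightDB];
GO
```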
I have a (S:\) drive with permissions for only myself and the SYSTEM user.
I just downloaded SQL SERVER EXPRESS 2017, and when I go to create a new database, it cannot see that drive as a place to create the database.
I tried giving the Everyone group full permissions on the drive, and then it showed up as a place to make the new database.
I am wondering what user I need to actually give permissions to, as it is clearly not running under my user, since my user has full control on the drive, and it's not running as SYSTEM, since that user has full control of the drive. I don't want to give "Everyone" permissions to the drive.
Note: Doing a few more experiments, after removing the Everyone permissions, I went looking through my users list (in the Security tab of the Drive properties), and the only user that looks to have anything to do with SQL is SQLServer2005SQLBrowserUser${myUserName}, but giving this user full control did not allow SSMS to see the drive again.
Run this query:
SELECT * FROM sys.dm_server_services
And you will see the currently available services on your SQL Server instance and the account mapped to each one. Add permissions to the one that's below the servicename: SQL Server (MSSQLSERVER); it will most likely be NT Service\MSSQLSERVER.
If you use Jobs on the Agent, you will need to give permissions to that account also.
I have an Advantage Database Server that works as expected when it is not a member of Active Directory Domain. However, once I join the domain, I can no longer connect to the database services. I checked to see if the database server service was still running and it was. I even checked the file permissions of the database files and added the appropriate user to the folder without any luck.
Does anybody know if there is anything that might be preventing connections to the database server from being established?
Even when you join the domain, you should still be able to log on as the original user, who should still have the same access rights to software applications and the DB.
Are you logging on as a domain user, or are you still logging on as the old local account? When you say "connect to the db services" do you mean launch a local app?
Is the service running as a specified user? Or is it local system etc? What is the desired goal in joining the domain?
More information needed... thanks!
I am installing Maximo 7.5 Admin Workstation. I am on part 3 of 3, where I am installing the Maximo Asset Management. I am using my Windows domain account that has local Administrator rights.
This is the error I see on the screen:
When I review the CTGInstallTrace00.log, the relevant part is:
C:\Windows\Temp>"C:\PROGRA~1\IBM\SQLLIB\bin\db2" create db 'maxdb75'
ALIAS 'maxdb75' using codeset UTF-8 territory US pagesize 32 K
SQL1092N "MYUSERACCT" does not have the authority to perform the
requested command or operation.
What I have tried:
I tried to assign DBADM privilege to a Windows domain user account using DB2 command line? Logged in as the domain user with Administrators role, I went to Start > IBM DB2 > DB2COPY1 (Default) > Command Line Tools > Command Windows - Administrator. I tried to run db2 grant DBADM to MYUSERACCT -- I just get returned back to the command prompt.
I also tried logging in as local\db2admin and trying to grant DBADM privilege to the domain account. I don't know if I got the syntax wrong, or something else is not done correctly. If I type db2 grant DBADM to user MYUSERACCT then I get this error:
DB21034E The command was processed as an SQL statement because it was
not a valid Command Line Processor command. During SQL processing it
returned: SQL1024N A database connection does not exists.
SQLSTATE=08003
This article explains the SQL1024N error somewhat.
You can only grant the DBADM privilege on an existing database, and you must be connected to that database to issue the GRANT SQL statement, obviously.
If you took time to check the manual, you'd know that the user needs SYSADM or SYSCTRL authority to create a database. These authorities are granted to members of the group specified in the SYSADM_GROUP or SYSCTRL_GROUP instance configuration parameters.
To avoid this error later on in the installation, the Maximo 7.5 installation should be performed using a local account with Administrators role. Domain User with Administrator role may cause issues depending on what the policies are on the Domain.
You will know there is an issue with rights if you are unable to "Verify Installation Requirements" successfully (part 1 of 3).
Although the middleware installation may run smoothly (part 2 of 3), the Maximo Asset Management install (part 3 of 3) may fail with the DB2 database creation error.
I'm running an IIS 7 Website with an AppPool of Integrated Pipeline Mode.
The AppPool does NOT run under NetworkService, etc. identity (on purpose), but uses its own AppPool Identity (IIS AppPool\MyAppPool).
This is a so-called service account or virtual account.
(a user account, which is not a full account...)
I'd like to give this service account (IIS AppPool\MyAppPool) permissions to connect to my SQL Server 2008 Express (running in Mixed Auth. Mode).
While SQL Server can add any normal user account, the IIS AppPool\MyAppPool virtual account cannot be added to the valid logons (SQL Server says that the account cannot be found).
Is there any trick, anything I need to enable to make the virtual accounts work?
(the w3wp.exe process runs under this identity according to taskmgr, but I cannot use the account in NTFS security either...)
Thanks for your help!
The "IIS APPPOOL\AppPoolName" will work, but as mentioned previously, it does not appear to be a valid AD name, so when you search for it in the "Select User or Group" dialog box, it won't show up (actually, it will find it, but it will think it's an actual system account, and it will try to treat it as such...which won't work, and will give you the error message about it not being found).
How I've gotten it to work is:
In SQL Server Management Studio, look for the Security folder (the security folder at the same level as the Databases, Server Objects, etc. folders...not the security folder within each individual database)
Right click logins and select "New Login"
In the Login name field, type IIS APPPOOL\YourAppPoolName - do not click search
Fill whatever other values you like (i.e., authentication type, default database, etc.)
Click OK
As long as the AppPool name actually exists, the login should now be created.
CREATE LOGIN [IIS APPPOOL\MyAppPool] FROM WINDOWS;
CREATE USER MyAppPoolUser FOR LOGIN [IIS APPPOOL\MyAppPool];
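Added example, not part of the answers in this thread: the same login and user creation, extended with role grants limited to table reads and writes and a check of the result. The database name `MyAppDb` and the choice of `db_datareader`/`db_datawriter` are assumptions; `sp_addrolemember` is used because the question targets SQL Server 2008.

```sql
USE master;
GO
-- Create the Windows login for the virtual account only if it is missing.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'IIS APPPOOL\MyAppPool')
    CREATE LOGIN [IIS APPPOOL\MyAppPool] FROM WINDOWS;
GO

USE [MyAppDb];   -- assumed application database name
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'MyAppPoolUser')
    CREATE USER [MyAppPoolUser] FOR LOGIN [IIS APPPOOL\MyAppPool];
GO

-- Read/write on tables only: no db_owner and no server roles.
EXEC sp_addrolemember N'db_datareader', N'MyAppPoolUser';
EXEC sp_addrolemember N'db_datawriter', N'MyAppPoolUser';
GO

-- Verify the database roles the user actually holds.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'MyAppPoolUser';

-- Verify the login is not a sysadmin; 1 would mean the site's identity
-- has full control of the SQL Server instance.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'IIS APPPOOL\MyAppPool') AS is_sysadmin;
GO
```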
You can solve it like this:
Open "Application Pools".
Right-click the application pool that you have chosen. Then choose
"Advanced Settings".
Click the three dots on the Identity tab, then choose "LocalSystem" from the "Built-in account" field.
If you do it this way, you don't need to create a user in the database.
If you're going across machines, you either need to be using NETWORK SERVICE, LOCAL SYSTEM, a domain account, or a SQL 2008 R2 (if you have it) Managed Service Account (which is my preference if you had such an infrastructure). You cannot use an account which is not visible to the Active Directory domain.
As a side note, processes that use virtual accounts (NT Service\MyService and IIS AppPool\MyAppPool) are still running under the "NETWORK SERVICE" account, as this post suggests: http://www.adopenstatic.com/cs/blogs/ken/archive/2008/01/29/15759.aspx. The only difference is that these processes are members of the "NT Service\MyService" or "IIS AppPool\MyAppPool" groups (as these are actually groups and not users). This is also the reason why the processes authenticate at the network as the machine the same way the NETWORK SERVICE account does.
The way to secure access is not to depend upon these accounts not having NETWORK SERVICE privileges but to grant more permissions specifically to "NT Service\MyService" or "IIS AppPool\MyAppPool" and to remove permissions for "Users" if necessary.
If anyone has more accurate or contradictory information, please post.
Look at: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
USE master
GO
-- EXEC is required for a procedure call that is not the first statement in its batch
EXEC sp_grantlogin 'IIS APPPOOL\<AppPoolName>'
GO
USE <yourdb>
GO
EXEC sp_grantdbaccess 'IIS APPPOOL\<AppPoolName>', '<AppPoolName>'
EXEC sp_addrolemember 'aspnet_Membership_FullAccess', '<AppPoolName>'
EXEC sp_addrolemember 'aspnet_Roles_FullAccess', '<AppPoolName>'
GO
This may be what you are looking for...
http://technet.microsoft.com/en-us/library/cc730708%28WS.10%29.aspx
I would also advise, longer term, considering a limited-rights domain user; what you are trying works fine in a silo machine scenario, but you are going to have to make changes if you move to another machine for the DB server.
I figured it out through trial and error... the real chink in the armor was a little-known setting in IIS in the Configuration Editor for the website in
Section: system.webServer/security/authentication/windowsAuthentication
From: ApplicationHost.config <location path='ServerName/SiteName' />
called useAppPoolCredentials (which is set to False by default). Set this to True and life becomes great again!!! Hope this saves pain for the next guy....
In my case the problem was that I started to create an MVC Alloy sample project from scratch using the Visual Studio/Episerver extension, and it worked fine when executed using the local Visual Studio IIS Express.
However, by default it points the SQL database to LocalDB, and when I deployed the site to local IIS it started giving errors. Some of the initial errors I resolved by:
1. Adding the local site URL binding to C:/Windows/System32/drivers/etc/hosts
2. Then by editing the application.config (I found the file location by right-clicking on IIS Express in the bottom right corner of the screen when running the site using Visual Studio) and adding a binding there for the local IIS URL.
3. Finally I was stuck with "unable to access database" errors, for which I created a blank new DB in SQL Express and changed the connection string in web config to point to my new DB, and then in the Package Manager Console (using Visual Studio) executed Episerver DB commands like -
1. initialize-epidatabase
2. update-epidatabase
3. Convert-EPiDatabaseToUtc
For the ApplicationPoolIdentity, add a login/user in MSSQL as IIS_IUSRS, which corresponds to the default pool.