cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

unlock sap* and DDIC users in max db

Go to solution
Former Member

on ‎05-23-2007 9:21 AM

0 Kudos

We have SAP on SUSE ES linux with back end as Maxdb 7.5

SAP* and DDIC go locked and while trying with Sql statement

select * from usr02 where mandt='000' and bname='sap*';

unknown table name usr02 sqlstate 42000

could any one help us

swamy

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

former_member237781
Explorer
‎05-23-2007 9:32 AM
0 Kudos

Swamy,

how do you submit the sql statement (which user, which tool) ?

Log on to your Linux box as <sid>adm and run this command:

sqlcli -U DEFAULT "select * from usr02 where mandt='000' and bname='SAP*'"

Best Regards,

Henning

Show replies
Show replies
Former Member
‎05-23-2007 9:42 AM
0 Kudos

Dear Henning,

great. the statement could be executed and returned value "0". still the problem persists.

do we need to update or it shall get updated with default password

with regards

swamy

former_member237781
Explorer
‎05-23-2007 9:52 AM
0 Kudos

Swamy,

if SAP* is not in the usr02 table, it probably has been deleted, which would be the first step to unlock a locked SAP* user (in case all users are locked and no user is left to unlock the others in SU01).

The next steps would be:

- add this parameter to instance profile /usr/sap/<SID>/SYS/profile/<SID>_DVEBMGS<instance>_<host> :

 login/no_automatic_user_sapstar = 0

- restart SAP system

- logon to SAP system (client 000) as SAP* with password "pass" . This only works if SAP* does not exist in that client.

- create a new SAP* user with SU01, e.g. as a copy from DDIC and group SAP*

- keep the password this time

Best Regards,

Henning

andreas_herzog
Active Contributor
‎05-23-2007 9:53 AM
0 Kudos

-> your sap release?

-> are you sure user SAP* exists in client 000?

usually you would NOT update the password ovf SAP* but <b>delete the user</b> in the specifiecd client, which opens the (back)door to login to that client using SAP* and password PASS...remember: a user SAP* (incl. authorizations etc.) is not the same as the SAP`which is hard coded into the system...so, when threre is no user SAP you can still use the "hard coded" one...assuming that specific profile paramreters ar not set (like <i>login/no_automatic_user_sapstar</i>)

GreetZ, AH

Former Member
‎05-23-2007 10:04 AM
0 Kudos

Thank u Mr. GreetZ

SAP release ECC 6.0

SAP* exists in client 000

we could see the list of clients and users with flag set.

in case of SAP* and DDIC the flag is seen as 128.

how to delete the sap* user.

with regards

swamy

former_member237781
Explorer
‎05-23-2007 10:12 AM
0 Kudos

It looks like SAP* has been deleted from client 000, since its not in usr02.

If you still want to delete it , run this command as <sid>adm> :


sqlcli -U DEFAULT "delete from usr02 where mandt='000' and bname='SAP*'"

Best Regards,

Henning

andreas_herzog
Active Contributor
‎05-23-2007 10:33 AM
0 Kudos

...or <b>unlock it</b> by using (you still need the password...)

> sqlcli -U DEFAULT "update usr02 set uflag ='0' where mandt='000' and bname='SAP*'"

GreetZ, AH

Former Member
‎05-23-2007 11:15 AM
0 Kudos

Thank u Mr. Greetz and Mr. Henning,

I have tried both command first to update and then delete the user. the return code for both the executions is '0"

however when executed the statement select mandt, bname, uflag from usr02 it is returning the with print which has the output vlaue for 000 sap* 128.

neither it is getting updated or deleted.

regards

swamy

Former Member
‎05-23-2007 11:52 AM
0 Kudos

Mr. Henning,

we tried the following:

add this parameter to instance profile /usr/sap/<SID>/SYS/profile/<SID>_DVEBMGS<instance>_<host> :

login/no_automatic_user_sapstar = 0

- restart SAP system

- logon to SAP system (client 000) as SAP* with password "pass" . This only works if SAP* does not exist in that client.

when we try to log-in to the system

"password logon no longer possible - too many failed attempts

former_member237781
Explorer
‎05-23-2007 12:55 PM
0 Kudos

Can you post your full sqlcli session ? (commands, output etc.)

-- Henning

Former Member
‎05-23-2007 1:29 PM
0 Kudos

Mr. Henning

when i give a command in sidadm > sqlcli -U DEFAULT "select * from usr02 where mandt='000' and bname='sap*'"

it prints follows

  • 0;

when i give sqlcli -U DEFAULT "select mandt,bname,uflag from usr02"

it gives like

mandt bname uflag

000 ddic 128

000 sap* 128

000 sapcpic 0

001 ddic 0

001 sap* 0

so what i understood is if uflag is 128 it is locked by user

if it is 0 it is unlock

Former Member
‎05-23-2007 1:36 PM
0 Kudos

Mr.Henning

Thanks a lot for ur support.

i got a solution now

With Regards

swamy

Former Member
‎09-16-2008 9:30 AM
0 Kudos

Hi Swamay,

Could you pls tell me the solution, i am facing the same problem now.

regards,

Samson

hannes_kuehnemund
Active Contributor
‎09-20-2008 10:43 AM
0 Kudos

Hi Samson,

just follow the steps above... This is already the solution

Thanks,

Hannes

Former Member
‎10-19-2009 8:22 AM
0 Kudos

Write al the queries in upper case

Former Member
‎08-10-2010 9:51 PM
0 Kudos

we have a problem now with another client - 011. someone tried to log into several administrative accounts using bad passwords and ended up locking all we would use to unlock other accounts.

does this same approach apply to resetting the sap* login for other clients?

Thanks, George

Answers (0)

Ask a Question