cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ORA-01031 (Insufficient Privileges) after moving server to new domain

Go to solution
Former Member

on ‎06-12-2007 1:07 PM

0 Kudos

Hello SAP/Oracle experts,

We recently performed a 'lift & shift' to move our SAP test system (QAS) from our HQ to our hosting partner's data centre. Although SAP works fine, we've lost the ability to run database operations through DB13. We now receive ORA-01031 - Insufficient Privileges errors whenever we try anything through DB13.

Because moving the server involved changing the Windows domain to which it belonged, we created a trust relationship between old and new domains so that we didn't have to change the details of QASADM and SAPServiceQAS. We ran the usual oradbuser.sql and sapdba_role.sql scripts. We also removed and reassigned the ORA_QAS_DBA and ORA_QAS_OPER groups to the QASADM and SAPServiceQAS users. All of which seems to have made no difference and we still get ORA-01031 errors in DB13.

Even stranger though is the fact that at the Oracle level, user sys is able to log in 'as sysdba', whilst user system cannot. e.g.

sqlplus “sys/<password>@qas as sysdba” – Works.

sqlplus “sys/<password> as sysdba” – Works.

sqlplus “/ as sysdba” – Doesn’t work

sqlplus “system/<password>@qas as sysdba” – Doesn’t work.

sqlplus “system/<password> as sysdba” – Doesn’t work.

This leads me to believe that the problem is not SAP-related (i.e. sapdba_role won't fix it!), but is more likely Oracle-related and perhaps down to the fact that ths system was built in one domain, but now resides in another. I guess the easiest thing to do would be to create QASADM and SAPServiceQAS accounts in the new domain and try that, but that's clutching at straws and doesn't explain why Oracle user sys works, whilst system doesn't.

Has anyone moved servers between domains and experienced similar problems?

Thanks in advance of any help,

Arwel.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎06-12-2007 1:44 PM
0 Kudos

is the recommended procedure when moving SAP Systems (or the server where they installed on) from one Domain to the next one (at least if the user accounts are in the same domain as the Server).

You have following dependencies when installing in a domain:

1. domain groups

2. local groups containing domain groups and/or domain accounts

3. Domain Accounts

4. maybe domain groups are used in Access Control Lists of local Files / Directories

5. User rights Assignment in registry

6. as in Oracle Database internal users reflecting Operating System users.

In Windows Security Objects (ACLs of Files, Directories) a Windows Account is referenced by it's SID which is unique (you can have a look at those strings in Upper Keys of the Registry HKEY_USERS). This means that a Domain User XYZ in Domain A has a different SID than Domain User XYZ in Domain B. The same applies to Windows Groups.

As a result of this c:\documents and Settings\XYZ will not be for the use with the same name if you move the computer to a diferent domain.

Windows will create something like c:\documents and Settings\XYZ.NEW_DOMAIN. As a result of this all envrionment variables of XYZ in the old domain are not visible in the new domain, because they are stored in the users registry which resides in c:\documents and Settings\XYZ\ntuser.dat in the old domain and c:\documents and Settings\XYZ.NEW_DOMAIN\ntuser.dat in the new domain.

Too many things to do, to many possibilities you can make mistakes - therefore --> homogenious system copy.

regards

Peter

Show replies
Show replies

Answers (1)

Answers (1)

former_member204746
Active Contributor
‎06-12-2007 3:32 PM
0 Kudos

re-run sapdba_role.sql as per SAP note 400241.

Show replies
Show replies
Ask a Question