Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Problem with the Oracle VCS 5.1 resource and DetailMonitor = 1

Created: 10 Apr 2012 • Updated: 11 Apr 2012 | 4 comments
This issue has been solved. See solution.

Hi,

I am attempting to configure the DetailMonitor = 1 option of the Oracle resource in a service group but am running into LogonUser failed error messages in the Oracle_A.txt file. The issue is with the user / domain and password I am using and, I assume, the inability of VCS to connect to the installed Oracle database I have specified under SID.

In an attempt to check this I have attempted to use my own administration account to get this to work but am having no luck, the account in question does work when running "sqlplus / as sysdba" and I am able to run the sql select * from v$database; query that VCS is attempting to execute on the Oracle database.

 

My first question is does anyone know what command is being run by VCS to connect to the database as its not shown in the log files?

 

My second question is does anyone know what I am doing wrong and what permissions will be required by the account VCS uses as I am in a highly locked down environment so have to work within the security framework.

 

main.cf

Oracle XXX_SG-Oracle {

ServiceName = OracleServiceXXX

DelayAfterOnline = 30

DelayAfterOffline = 30

DetailMonitor = 1

Domain = "xxx.xxx.xxx.xxx"

SID = xxx

UserName = xxxxxxxxxx

EncryptedPasswd = xxxxxxxxxxx

SQLFile = "\"C:\\Program Files\\Veritas\\Cluster Server\\bin\\Oracle\\Check.sql\""

SQLTimeOut = 30

}

 

It should be noted that the resource will work fine with the DetailMonitor = 0.

 

Help :)

 

Regards,

Paul

Comments 4 CommentsJump to latest comment

Satish K. Pagare's picture

1. Does anyone know what command is being run by VCS to connect to the database as its not shown in the log files?

A. To see the output in the log files you can set the LogDbg for type Oracle value to DBG_1, this will start putting the more verbose debug logs in the log file. The agent uses a SQL script file (mentioned in attribute SQLFile ), which is executed during detail monitor. The agent creates a temporary script file using the script file mentioned in SQLFile  attribute. It will connect using sqlplus as sysdba before executing the temporary script file.

 

2. My second question is does anyone know what I am doing wrong and what permissions will be required by the account VCS uses as I am in a highly locked down environment so have to work within the security framework.

A. Can you provide the Windows error code mentioned in the log file with LogonUser failure? The agent uses the LogonUser API before executing the SQL script in that user’s context and the user must have the SE_INTERACTIVE_LOGON_NAME account right. Can you check again after changing the rights for the user?.

SOLUTION
Inabus's picture

1)

I have changed the log mode and have now got the following error:

Oracle:xxx_SG-Oracle-xxx:monitor: Error value -100 : Process Error : Error code :1326.

 

2)

I am still looking at my permissions and will provide the answer to the query once I know :)

 

Thanks for your help.

P

Satish K. Pagare's picture

Error 1326 indicates – Logon failure: unknown user name or bad password.

Description for same is –

ERROR_LOGON_FAILURE                Incorrect user name or password.

1326 (0x52E)                                    

It would help to know how was the service group created, was it through the wizard or was it done manually? If the wizard was used then it usually verifies credentials so that error can be ruled out. But if it was done manually then it would help to check all the following attributes –

Domain = "xxx.xxx.xxx.xxx"

UserName = xxxxxxxxxx

EncryptedPasswd = xxxxxxxxxxx

For the password encryption if the value is set using JAVA GUI then it will encrypt and set the password else you can execute following command to get the encrypted password –

vcsencrypt –agent

and then set the attribute using following commands sequence –

  1. haconf –makerw
  2. hares -modify <resourcename> EncryptedPasswd <output of vcsenrypt command>
  3. haconf –dump -makero

Although the error code here does not indicate this but sometimes if the machine time is not in sync with the domain controller, then it affectsthe LogonUser API. Can you also ensure that the machine time is in sync with that of the DC? Youcan execute the following command for same –

NET TIME /domain:<your_domain_name> /SET /Y

Inabus's picture

Satish,

Thanks for your help it pointed me into the right direction.

 

Basically I had an account configured agaisnt the service but wasnt using that account inside the service group as I had had issue getting it to work with the password in the past.

As it turned out I was using the incorrect syntax of password and didnt have the test service acount assigned correctly to the ora_dba local group!

Anyway all working now so thanks for your help!

 

Regards,

Paul