Thin mode ORA-01017: invalid username/password with 12.1.0.2 #26
Comments
|
I'll see if I can get a 12.1.0.2 database to test with. It may, however, not be the version directly but some configuration that the thin driver isn't supporting. Can you provide additional information on your configuration (contents of sqlnet.ora, connect string, etc.)? |
|
Ok. I set up a brand new 12.1.0.2 database and I am able to connect without any difficulties. Can you take a look at the contents of this column for your user? |
|
ASRAJAG@EBS_EBSP⏳ >select password_versions from dba_users where username = user; PASSWORD_VERSIONS 10G 11G 12C |
|
sqlnet.ora echo $CONNECT_STRING -- EBS_EBSP= |
|
@Arunosaur is there anything 'special' about the username or password? Do connections work if you use a different schema on the same DB? Is your password case sensitive? Are you using a proxy user e.g |
|
I am not using a proxy user. My user is straight forward. And password is case sensitive. I have a special character and a number, upper and lower case letter. That is the only user I am allowed to login as. |
|
This will be tricky (but important) for us solve, so we'll have to ask more questions: What OS is the database running on? |
|
We are on exadata, recently upgraded to X9. ASRAJAG@EBS_EBSP⏳ >SELECT platform_id, platform_name FROM v$database PLATFORM_ID PLATFORM_NAME ASRAJAG@EBS_EBSP⏳ >SELECT dbms_utility.port_string FROM DUAL; PORT_STRING x86_64/Linux 2.4.xx |
|
I'm seeing this exact same issue. Thick client connects, thin does not. Oracle version 12.1.0.2.0 import oracledb
|
|
@Arunosaur @E179522 |
Unfortunately I have zero control over the database. Its managed by another group in the company and those folks are completely unwilling to help troubleshoot. |
It is not something quick from my side as well, as I have to maintain the passwords to be the same across multiple databases (somewhere between 30 and 50) for some db links to work. I will let you know as soon as I can. Thanks |
cjbj
changed the title
@E179522 good idea. Can you confirm this resolved the error for you? |
|
@Arunosaur: here's something to look forward to: Gradual Password rollover. |
But, this is Oracle 12. |
|
@Arunosaur that's why I said "look forward to" |
Got it. Thank you. Now that password rollover has been back ported, I need to check on our non ebs databases. I wish e-business suite could be moved to 19c sooner. |
|
I seem to running into the same problem with invalid username and password. The first reasonable assumption is the credentials or connection string are wrong, but that's not the case. To prove this and illustrate the problem is identical on more than one platform I wrote a simple test that either loads the older cx_Oracle or the new oracledb library and ran it both on Mac and Windows. Here is the simple test I used (I have obscured the credentials and connection string for security reasons). The username and password are mixed case alphanumeric in the ASCII range, no special characters. Simply changing which library is imported by editing the comment on the import shows cx_Oracle works as expected but oracledb fails with:
FWIW the behavior the same when used with SQLAlchemy, albeit with some different error reporting. The Oracle database I'm connecting to is version 19c. Here is version information for the Mac and Windows systems I tested on (caveat: I could not run with cx_Oracle on the Mac because it's an M1 which does not have the Oracle Client Libraries available for the M1): |
|
Oh, forgot to mention, this is with the thin client, or at least it should be since I did not explicitly enable thick client mode. |
|
@jdennis can you try changing the password to update the stored hashes as mentioned in #26 (comment) ? |
|
@cjbj I'm sorry, I'm not able to change the password because of the way the database is managed internally. |
|
@cjbj Out of curiosity, do you suspect the problem is you are hashing the password locally but the hash algorithm on the target database is different and hence the hashes do not match? Also, I'm not sure how cx_Python and the Oracle client libraries interact but there must be some difference between that and the new implementation in oracledb because the former works. |
|
cx_Oracle uses the Oracle Client libraries which have support for the older password hashes that were in use prior to 11g. Can you perform the same query noted above? Do you have a server side sqlnet.ora file? |
|
@jdennis |
|
Similar issue here. I can connect to numerous Oracle databases using DBVisualizer or cx_oracle on my Windows machine but I cannot get oracledb to connect on my M1 MacBook Pro. Oracle 19c I’ve reset my password and still connecting through other means but not oracledb |
|
You're saying that you are getting this issue connecting to a 19c database? Do you have a sqlnet.ora on the server? |
|
@anthony-tuininga I am receiving ORA-01017 on my MacBook Pro M1 when using oracledb. Looks like Oracle 19.15.0.0. Upgraded from 12 a few months back. Password versions shows 10G 11G and 12C for my username. I know it’s not an invalid username or password because…
I’m not one of our DBAs so I’m not positive we have an sqlnet.ora but I believe we do. I can see a copy of one in a backup directory we’re using right now. I do not have permission to read it. I can chat with DBAs tomorrow. Am I looking for something specific? |
|
@cjbj I changed the password today and still the same, it works with thick client but not thin client. |
|
@anthony-tuininga yes we have a sqlnet.ora on the server side. |
|
I am having this exact same problem in a 19c database (we came from 12.1 a few months ago. But they changed every password after the change). I can connect trough dbeaver and the same progam works with cx_oracle 7.3 (I was going to upgrade to 8.3 when I found python-oracledb). I am using Thin mode. Never tried Thick mode. I ran the select: select password_versions from dba_users where username = :user I asked my colleagues about SQLNET.ORA and received a file with this: @anthony-tuininga Below I ran the program with PYO_DEBUG_PACKETS enabled. I changed some sensitive information (you will see a bunch aaaaa in the packets). Hope it helps. If you need anything else, just ask. But I am not dba and anything I need from them is hard to get, unfortunately. |
|
@antoniolucasnobar, the sqlnet.ora you supplied is the one for the client but I need to see the one on the server. Can you find out what that one contains? Looking at the packet output it looks like the server is sending the regular 12c verifier challenge -- so this seems to be something different. I'll see if I can get any more information on how to debug this situation. You should be able to do this: The call to oracledb.init_oracle_client() will cause the thick client to be used (and is functionally the same as cx_Oracle 8.3 with a few additions). Commenting out that line will cause the thin driver to be used. That way you can flip back and forth between the modes without having to change any other part of your code. Hopefully we can get to the bottom of this issue! |
|
A bit of additional information. In the packet that contains the challenge is what is referred to as a "verifier type". The value in your packet @antoniolucasnobar, is not the one we are expecting. I am asking internally to see how that can be configured so I can address that issue. It would be useful if @Arunosaur and @notqualifiedforthis can also supply the output from setting the environment variable |
|
I've confirmed internally that the verifier type returned by the server is the 10g verifier type -- which is not supported by the thin driver at this time. Considering the age of the verifier type and the fact that it is relatively insecure (compared to more recent verifier types) I don't know if there will be an effort to implement the 10g verifier type. You can check the value of the parameter in SQL*Plus using the following command: If you all can verify using one of these techniques and discuss with your DBAs if/when this value might be changed, let me know those results and I can discuss internally whether we should support the 10g verifier or not. |
|
@anthony-tuininga I would have to type my packet manually on my phone or personal machine. Is there any specific value I can provide? I asked DBAs for the |
|
@anthony-tuininga about the sqlnet.ora, I will have to wait the dba's response. I do not know when they will do that. Sorry. I did not want to use the thick connection, because it doubles the docker image size and the time to build is way bigger. But I will try it tomorrow (it is almost noon in here). About the 10g verifier - you said it is relatively insecure. Would you have links so I can show them? If I just say that, I feel they will not believe me. To the thin connection to work, we just need to change the sec_case_sensitive_logon param to true? Right now it is false, like you can see below (from a docker image, I do not have sqlplus installed in my machine): sigep-scripts-sqlplus-sqlplus-1 | Connected to: |
|
@notqualifiedforthis, Interesting! The part that I need looks like this (in a packet received from the server, just before the server rejects the connection): I only need to know what the part is just before the next key. In this example the value is @antoniolucasnobar, the value of As for the relative insecurity: here is a presentation that discusses the different hash functions and very distinctly recommends the use of the 12c verifier: https://www.oradba.ch/2020/12/security-best-practice-oracle-passwords-but-secure/. I can probably provide an official reference if that is going to help? |
|
@anthony-tuininga mine appears to be much shorter so I'm guessing these are the wrong lines of code |
|
Yes, that indicates you are using the 10g verifier. The |
|
I'll send the link you provided earlier to my DBAs & Tech Lead and ask them to start conversations. Any official references you can provide would also help. Thanks for your help! |
|
@notqualifiedforthis, @antoniolucasnobar, I edited the comment above to indicate that if you set |
|
@anthony-tuininga would case sensitive logon=TRUE work with allowed login server version=10? It's just the combination of FALSE/10 causing problems? |
|
I was able to replicate this issue now by simply setting |
…d when the database sends a password challenge with a verifier type that is not recognized, instead of "ORA-01017: invalid username/password" (#26).
|
@Arunosaur, @notqualifiedforthis, @antoniolucasnobar, I have pushed a patch that generates this error now: It is unlikely that support will be added for the 10g verifier considering its age and its relative insecurity. So that leaves you with the following choice:
Thanks for all of your help in getting to this point! |
|
@anthony-tuininga we flipped the case sensitive logon parameter to TRUE in a test environment and I can confirm python-oracledb is connecting over the thin client. Now the fun piece of understanding impact and moving through our environments. |
|
@anthony-tuininga I have a similar issue, there is a slight difference though db: 19c Can connect with the thick driver, but not with the thin version if it's Oracle LDAP user account. If you prefer I can open another issue rather than asking here. Thanks, P.S. This is strikingly similar to ODP.Net issue with Managed/Unmanaged drivers that I wasn't able to resolve for years. |
|
Yes, open a new issue (enhancement). If you're referring to external authentication using LDAP then that is known not to be supported. Provide details on your configuration (relevant items in sqlnet.ora, tnsnames.ora, etc.) |
|
Thank you, will do. |
python-oracledb in thin mode" is now raised when the database sends a password challenge with a verifier type that is not recognized, instead of "ORA-01017: invalid username/password" (#26).
|
The patch I mentioned was just released in python-oracledb 1.0.3. If you need the 10g password verifier support, please open a new enhancement request -- but recognize that it will be unlikely to be implemented considering the age and relative insecurity of the verifier. |
platform.platform: Darwin-20.6.0-x86_64-i386-64bit
sys.maxsize > 2**32: True
platform.python_version: 3.7.13
oracledb.version: 1.0.1
Database Version: 12.1.0.2.0
Crash (error)
python test-2.py
('12.1.0.2.0',)
python test-2.py
Traceback (most recent call last):
File "test-2.py", line 10, in
with oracledb.connect(user=un, password=pw, dsn=cs) as connection:
File "/Users/asrajag/miniconda3/envs/oracle/lib/python3.7/site-packages/oracledb/connection.py", line 1000, in connect
return conn_class(dsn=dsn, pool=pool, params=params, **kwargs)
File "/Users/asrajag/miniconda3/envs/oracle/lib/python3.7/site-packages/oracledb/connection.py", line 128, in init
impl.connect(params_impl)
File "src/oracledb/impl/thin/connection.pyx", line 345, in oracledb.thin_impl.ThinConnImpl.connect
File "src/oracledb/impl/thin/connection.pyx", line 163, in oracledb.thin_impl.ThinConnImpl._connect_with_params
File "src/oracledb/impl/thin/connection.pyx", line 129, in oracledb.thin_impl.ThinConnImpl._connect_with_description
File "src/oracledb/impl/thin/connection.pyx", line 250, in oracledb.thin_impl.ThinConnImpl._connect_with_address
File "src/oracledb/impl/thin/protocol.pyx", line 205, in oracledb.thin_impl.Protocol._connect_phase_two
File "src/oracledb/impl/thin/protocol.pyx", line 296, in oracledb.thin_impl.Protocol._process_message
oracledb.exceptions.DatabaseError: ORA-01017: invalid username/password; logon denied
Thick mode works, thin mode does not.
5. Include a runnable Python script that shows the problem.
The text was updated successfully, but these errors were encountered: