Solved

ORA-01031 when running Intellisnap Backup of RAC


Badge +3

Dear all,

 

we currently see the ORA-01031 “Insufficient privileges” error in the Oracle alertlog when running an intellisnap backup of a RAC database. The comands to run are 

alter database begin backup

ALTER DATABASE BACKUP CONTROLFILE TO '+DGDATA/backup.ctl.galaxy’ REUSE

alter database end backup

 

Each command results in an ORA-01031.

 

User used to backup has SYSBACKUP privileges.

 

Any ideas to solve this issue are welcome!

 

Thanks,

Christoph

icon

Best answer by westwood71 8 April 2021, 14:25

View original

10 replies

Userlevel 7
Badge +23

Hey @westwood71 , thanks for your first post!

Checking our incidents for this error, I have some documentation for you here.

Are you using an Administrator or non-administrator account?

Oracle Connect String for Oracle RAC Instances

The Oracle connect string is a user account that has database administrator privileges that you use to access the standard and recovery catalog databases.

Note: If you want to use a user account other than ‘sys’, you must grant the SYSDBA or SYSBACKUP (in Oracle version 12 or more recent versions) privilege to the user account.

The account information is provided as a connect string with the following information:

  • The Oracle database user ID
  • The password for the user ID
  • The Oracle service name

You can use separate accounts to access the standard database and the recovery catalog database. The recovery catalog database user account must have recovery catalog owner privileges.

By default, the user account for the standard database has administration privileges. If you want to use a different account, use the following table for the user account requirements to access the database:

Account type

The user account must have:

Administrator

  • Oracle database administration privileges
  • SYSDBA or SYSBACKUP (in Oracle version 12 or more recent versions), ALTER SYSTEM, and SELECT ANY TABLE system privileges.

Non-administrator

Access to specific objects (as opposed to the admin account with the SELECT ANY TABLE privilege)

For example:

  • SELECT ON "SYS"."V_$DATABASE"
  • SELECT ON "SYS"."V_$DATAFILE"
  • SELECT ON "SYS"."V_$SESSION"
  • SELECT ON "SYS"."DBA_TABLESPACES"
  • GRANT SELECT ON "SYS"."V_$ARCHIVE_DEST" TO "USER_NAME

The Oracle database administrator can establish all other accounts except an Impersonate User account.

Copied from:

https://documentation.commvault.com/commvault/v11_sp19/article?p=114971.htm

 

Badge +3

Thanks Mike

That is what we did. The user got the SYSBACKUP privilege.

Using RMAN on the commandline everything works fine.

 

 

Userlevel 7
Badge +23

@westwood71 , to confirm, are you saying this is resolved and working fine now, or that this works via command line, but not via the GUI?

Want to be sure you’re getting what you need :grinning:

Badge +3

It is working on the RMANcommandline but not in the Commvault GUI

Userlevel 7
Badge +23

Appreciate the confirmation.

Which user do you have in the console configuration as per this doc in step 5d?

https://documentation.commvault.com/commvault/v11_sp19/article?p=20911.htm

Generally if something works on Command line but not in the GUI, it’s a right of the user specified in the configuration, or if there’s a script involved, the user specified has no rights to access the script location (or run the script).

Badge +3

Thanks,

the user configured in the GUI is the same as I used on the CLI. On the CLI I set the environment variables for ORACLE_HOME and ORACLE_SID to the same values as configured in the GUI. 

So my intention is to have a look to the connection string configured in the GUI. Does this makes sense?

Userlevel 7
Badge +23

It makes sense for sure.  I’m going to loop in some other folks on this thread for feedback.

Userlevel 4
Badge +7

Hey @westwood71 ,

It’s quite tricky to troubleshoot this without a review of the configuration + logs - can you confirm the following please?

  • How many nodes in the RAC
  • Inter-connectivity between the RAC nodes using the same account + connection string (Can you connect from Node1 → Node2 in SQL*Plus as the account and issue that command without a privilege error)
  • Does a normal traditional backup (Not IntelliSnap) work ?

 

Thanks

Badge +3

Hi Edd,

there are two nodes in the RAC.

Using the connections string I am able to connect from node1 → node2 but the command fails with the same error.

Does that mean we have to change database parameter (e.g. remote_os_roles=true)?

 

 

Badge +3

Hi all,

The issue was that sysbackup role was granted on current container only.

Granting sysbackup to user with “container=all” resolves the issue.

 

Thanks!

Reply