This pos covers the below scenarios:
- Recovering from lost sys password using OS authentication on Unix.
- Recovering the lost sys password using passwordfile authentication on Unix.
- Recovering from lost sys password using NTS authentication on Windows.
- Recovering the lost sys password using passwordfile authentication on Windows.
The methods to be used rely on:
1. OS authentication
2. passwordfile authentication.
Recovering from lost sys password using OS authentication on Unix
1. Make sure that the OS user that is logged on is member of the dba group. If the dba group is not known, check the file:
$ ORACLE_HOME/rdbms/lib/config.c (or config.s)
2. Make sure that the sqlnet.ora file does not contain the:
sqlnet.authentication_services
parameter. If this parameter exists, it should be commented out.
3. check the ORACLE_HOME, ORACLE_SID and PATH parameters. They must correspond to the parameters of the Oracle instance where the SYS password has been lost.
4. connect to the instance using:
$ sqlplus /nolog sql> connect / as sysdba
5. Change the sys password using:
sql> alter user sys identified by [new password];
If a passwordfile is in use, the command would update the password file as well, so there is no need to recreate this file.
Recovering the lost sys password using passwordfile authentication on Unix
If the SYS password is not known and the OS authentication is not an option, this method can be used. This method assumes that the SYS account is not accessible, hence an abrupt shutdown for the database could be needed.
1. Make sure that the initialization parameter REMOTE_LOGIN_PASSWORDFILE is set to SHARED or EXCLUSIVE. Changing this parameter value requires an instance restart.
2. Disable OS authentication, if it is enabled for some reason, by setting:
sqlnet.authentication_services=(none)
in the sqlnet.ora file (backup the existing sqlnet.ora file before making any changes).
3. go to the OS destination for the passwordfile:
$ cd $ORACLE_HOME/dbs
4. Make a backup of the previous passwordfile:
$ cp orapw$ORACLE_SID orapw$ORACLE_SID.bak
5. Recreate the passwordfile using the orapwd command:
$ orapwd file=orapw$ORACLE_SID password=[new sys password]
6. Try to connect using the new password.
$ sqlplus /nolog connect sys as sysdba
7. As an additional check, if the above is successful, query:
sql> select * from v$pwfile_users;
If it returns at least one line, then everything is ok and the new passwordfile is in use.
8. Change the sys password in the data dictionary using:
sql> alter user sys identified by [new password];
Of course, the new password must match the new password of the passwordfile, if that password is to be kept, or it can be set to something else if the initial password is to be changed. This command would update the passwordfile as well.
9. If the test in step does not succeed, the instance must be restarted. It could be that, if no sysdba or sysoper access is possible, that the instance must be brought down abruptly, do this by:
– killing a background process (preferably kill SMON, so PMON can still do some cleanup).
– removing the shared memory resources using ipcrm if they are not removed by my PMON.
10. After restarting the instance, check if the SYS password is operational and if there is at least one entry in v$pwfile_users. If other users previously had entries in the passwordfile, grant them SYSDBA or SYSOPER again.
11. Restore the sqlnet.ora file from the backup executed at step #2, if needed.
Recovering from lost sys password using NTS authentication on Windows
1. Make sure that the OS user that is logged on is a member of the Windows ORA_DBA group.
2. Also make sure that the sqlnet.ora file has the following line:
sqlnet.authentication_services = (nts)
3. Connect to the instance using:
$ sqlplus /nolog connect / as sysdba
4. Change the sys password using:
sql> alter user sys identified by [new password];
If a passwordfile is in use, the command would update the password file as well, so there is no need to recreate this file.
Recovering the lost sys password using passwordfile authentication on Windows
If the SYS password is not known and the OS authentication is not an option, this method can be used. This method assumes that the SYS account is not accessible, hence a shutdown for the database could be needed, this can be accomplished by stopping the OracleServiceSID on your system.
1. Make sure that the initialization parameter REMOTE_LOGIN_PASSWORDFILE is set to SHARED or EXCLUSIVE.
2. disable OS authentication, if it is enabled for some reason, by setting:
sqlnet.authentication_services=(none)
in the sqlnet.ora file
3. go to the OS destination for the passwordfile:
cd %ORACLE_HOME%\database
4. Make a backup of the previous passwordfile:
cp pwd[SID].ora pwd[SID].ora.bak
5. Recreate the passwordfile using the orapwd command:
orapwd file=pwd[SID].ora password=[new sys password]
6. Try to connect using the new password.
sqlplus /nolog connect sys as sysdba
7. As an additional check, if the above is successful, query:
sql> select * from v$pwfile_users;
If it returns at least one line, then everything is ok and the new passwordfile is in use.
8. change the sys password in the data dictionary using:
sql> alter user sys identified by [new password];
Of course, the new password must match the new password of the passwordfile, if that password is to be kept, or it can be set to something else if the initial password is to be changed. This command would update the passwordfile as well.
9. If the test in step does not succeed, the instance must be restarted. This can be done by restarting the service.
10. After restarting the instance, check if the SYS password is operational and if there is at least one entry in v$pwfile_users. If other users previously had entries in the passwordfile, grant them SYSDBA or SYSOPER again.
11. re-enable NTS authentication by setting:
sqlnet.authentication_services=(nts)
if needed.