Oracle 19c中sysbackup用户执行rman任务报ORA-01017
适用范围
Oracle Database 19c
问题概述
Oracle 19c中使用sysbackup用户执行rman相关任务报ORA-01017
问题原因
sysbackup用户权限不足
解决方案
给用户sysbackup授予sysbackup角色。
【说明】Oracle 12c(12.1)开始为便于生产管理对特权管理用户进行了分离,SYSBACKUP 管理权限允许从 Oracle RMAN 或通过 SQL、STARTUP 和 SHUTDOWN
执行 Oracle RMAN 备份和恢复操作,以及执行其他操作从 RMAN 或通过 SQL 执行RMAN 备份和恢复操作。管理权限 (SYSBACKUP) 与预定义用户 (SYSBACKUP)虽然名称相同,功能和作用是不同的,一个是用户,一个权限。
[oracle@19cdb01 ~]$ sqlplus / as sysbackup
SQL*Plus: Release 19.0.0.0.0 - Production on Tue May 19 17:00:41 2026
Version 19.27.0.0.0
Copyright (c) 1982, 2024, Oracle. All rights reserved.
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.27.0.0.0
Hello
------------------------------------------------
Welcome! you are connected to CDB19C database
CONNAME
--------------------------------------------------------------------------------
CDB$ROOT
SYSBACKUP@cdb19c(CDB$ROOT)> show user
USER is "SYSBACKUP"
SYSBACKUP@cdb19c(CDB$ROOT)>
以sysbackup管理权限连接数据库是sysbackup用户
SYSBACKUP@cdb19c(CDB$ROOT)> select username,COMMON,con_id from cdb_users where username='SYSBACKUP';
USERNAME COMMON CON_ID
-------------------- -------------------- ----------
SYSBACKUP YES 1
SYSBACKUP YES 3
SYSBACKUP YES 6
SYSBACKUP@cdb19c(CDB$ROOT)>
sysbackup是一个公共用户,具有以下权限
STARTUP
SHUTDOWN
ALTER DATABASE
ALTER SYSTEM
ALTER SESSION
ALTER TABLESPACE
CREATE CONTROLFILE
CREATE ANY DIRECTORY
CREATE ANY TABLE
CREATE ANY CLUSTER
CREATE PFILE
CREATE RESTORE POINT (including GUARANTEED restore points)
CREATE SESSION
CREATE SPFILE
DROP DATABASE
DROP TABLESPACE
DROP RESTORE POINT (including GUARANTEED restore points)
FLASHBACK DATABASE
RESUMABLE
UNLIMITED TABLESPACE
SELECT ANY DICTIONARY
SELECT ANY TRANSACTION
SELECT
X$ tables (that is, the fixed tables)
V$ and GV$ views (that is, the dynamic performance views)
APPQOSSYS.WLM_CLASSIFIER_PLAN
SYSTEM.LOGSTDBY$PARAMETERS
DELETE/INSERT
SYS.APPLY$_SOURCE_SCHEMA
SYSTEM.LOGSTDBY$PARAMETERS
EXECUTE
SYS.DBMS_BACKUP_RESTORE
SYS.DBMS_RCVMAN
SYS.DBMS_DATAPUMP
SYS.DBMS_IR
SYS.DBMS_PIPE
SYS.SYS_ERROR
SYS.DBMS_TTS
SYS.DBMS_TDB
SYS.DBMS_PLUGTS
SYS.DBMS_PLUGTSP
SELECT_CATALOG_ROLE以下是分析过程:
1、使用sysbackup连接rman
[oracle@19cdb01 ~]$ rman target '"sysbackup/Oracle_2026@cdb19c as sysbackup"'
Recovery Manager: Release 19.0.0.0.0 - Production on Tue May 19 17:14:59 2026
Version 19.27.0.0.0
Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved.
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-00554: initialization of internal recovery manager package failed
RMAN-04005: error from target database:
ORA-01017: invalid username/password; logon denied
[oracle@19cdb01 ~]$
[oracle@19cdb01 ~]$ rman target '"sysbackup/Oracle_2026 as sysbackup"'
Recovery Manager: Release 19.0.0.0.0 - Production on Tue May 19 17:15:50 2026
Version 19.27.0.0.0
Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved.
connected to target database: CDB19C (DBID=559927436)
RMAN>
[oracle@19cdb01 ~]$ sqlplus sysbackup/Oracle_2026@cdb19c as sysbackup
SQL*Plus: Release 19.0.0.0.0 - Production on Tue May 19 17:16:45 2026
Version 19.27.0.0.0
Copyright (c) 1982, 2024, Oracle. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:
ERROR:
ORA-01017: invalid username/password; logon denied
[oracle@19cdb01 ~]$ sqlplus sysbackup/Oracle_2026 as sysbackup
SQL*Plus: Release 19.0.0.0.0 - Production on Tue May 19 17:16:56 2026
Version 19.27.0.0.0
Copyright (c) 1982, 2024, Oracle. All rights reserved.
Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.27.0.0.0
Hello
------------------------------------------------
Welcome! you are connected to CDB19C database
CONNAME
--------------------------------------------------------------------------------
CDB$ROOT
SYSBACKUP@cdb19c(CDB$ROOT)>以sysbackup管理管理连接rman或使用sqlplus时,通过本地操作系统认证方式可以正常连接,通过tns别名连接,均报ORA-01017密码不正确。
2、创建一个备份用户验证
--创建备份用户C##BACKUPUSER并授予sysbackup管理权限
SYS@cdb19c(CDB$ROOT)> create user C##BACKUPUSER identified by Oracle_2026 container=all;
User created.
SYS@cdb19c(CDB$ROOT)> grant sysbackup to C##BACKUPUSER;
Grant succeeded.
SYS@cdb19c(CDB$ROOT)>
--通过C##BACKUPUSER用户连接rman
[oracle@19cdb01 ~]$ rman target '"c##backupuser/Oracle_2026@cdb19c as sysbackup"'
Recovery Manager: Release 19.0.0.0.0 - Production on Tue May 19 17:20:21 2026
Version 19.27.0.0.0
Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved.
connected to target database: CDB19C (DBID=559927436)
RMAN>
--检查C##BACKUPUSER用户对密码文件的权限
SYS@cdb19c(CDB$ROOT)> select USERNAME,SYSDBA,SYSBACKUP,ACCOUNT_STATUS,COMMON,CON_ID from v$pwfile_users;
USERNAME SYSDB SYSBA ACCOUNT_STATUS COM CON_ID
-------------------- ----- ----- ------------------------------ --- ----------
SYS TRUE FALSE OPEN YES 0
C##BACKUPUSER FALSE TRUE OPEN YES 0
SYS@cdb19c(CDB$ROOT)>
从密码文件看C##BACKUPUSER属于sysbackup,即改用户可以使用密码文件。
3、给用户sysbackup授权sql
SYS@cdb19c(CDB$ROOT)> grant sysbackup to sysbackup container=all;
Grant succeeded.
SYS@cdb19c(CDB$ROOT)>
SYS@cdb19c(CDB$ROOT)> select USERNAME,SYSDBA,SYSBACKUP,ACCOUNT_STATUS,COMMON,CON_ID from v$pwfile_users;
USERNAME SYSDB SYSBA ACCOUNT_STATUS COM CON_ID
SYS TRUE FALSE OPEN YES 0
C##BACKUPUSER FALSE TRUE OPEN YES 0
SYSBACKUP FALSE TRUE OPEN YES 0
SYS@cdb19c(CDB$ROOT)>
给用户sysbackup授予sysbackup管理权限后,该用户具有sysbackup用户的密码权限。
4、再次使用sysbackup连接rmansql
[oracle@19cdb01 ~]$ rman target ‘”sysbackup/Oracle_2026@cdb19c as sysbackup”‘
Recovery Manager: Release 19.0.0.0.0 – Production on Tue May 19 17:34:22 2026
Version 19.27.0.0.0
Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved.
connected to target database: CDB19C (DBID=559927436)
RMAN>
sysbackup用户此时可以正常连接rman
5、执行rman任务验证sql
[oracle@19cdb01 ~]$ rman target ‘”sysbackup/Oracle_2026@cdb19c as sysbackup”‘
Recovery Manager: Release 19.0.0.0.0 – Production on Tue May 19 17:34:22 2026
Version 19.27.0.0.0
Copyright (c) 1982, 2019, Oracle and/or its affiliates. All rights reserved.
connected to target database: CDB19C (DBID=559927436)
RMAN> run {
allocate channel c1 device type disk;
backup datafile 1;
run {
2> allocate channel c1 device type disk;
3> backup datafile 1;
4> }
}
using target database control file instead of recovery catalog
allocated channel: c1
channel c1: SID=468 device type=DISK
Starting backup at 19-MAY-26
channel c1: starting full datafile backup set
channel c1: specifying datafile(s) in backup set
input datafile file number=00001 name=/u01/app/oracle/oradata/CDB19C/system01.dbf
channel c1: starting piece 1 at 19-MAY-26
channel c1: finished piece 1 at 19-MAY-26
piece handle=/u01/app/oracle/fra/CDB19C/backupset/2026_05_19/o1_mf_nnndf_TAG20260519T173520_o0rcprxp_.bkp tag=TAG20260519T173520 comment=NONE
channel c1: backup set complete, elapsed time: 00:00:03
Finished backup at 19-MAY-26
Starting Control File and SPFILE Autobackup at 19-MAY-26
piece handle=/u01/app/oracle/fra/CDB19C/autobackup/2026_05_19/o1_mf_s_1233682524_o0rcpw52_.bkp comment=NONE
Finished Control File and SPFILE Autobackup at 19-MAY-26
released channel: c1
RMAN>
“`
验证rman备份可以成功备份一个数据文件。
【小结】在 Oracle 19c 中,sysbackup 是一个具有备份管理权限的数据库角色,其登录依赖于密码文件。
生产环境如果以SYSBACKUP 身份连接,建议不要使用 SYSBACKUP 用户。负责备份和恢复任务的所有 DBA 将共享相同的口令(即共用特权用户)。首先,从责任上讲,这种做法不太可取。此外,以后还无法为特 定的 DBA 回收此权限(除非更改口令)。最好为每个 DBA 创建一个指定的数据库帐户, 并在必要时授予 SYSBACKUP 权限。这样将不共享任何口令,并且可在不影响其他 DBA 的情况下为任一 DBA 撤消 SYSBACKUP。
如果使用的是多租户容器数据库,则 CDB 的每个 PDB 都可以创建一个本地用户并授予该 用户 SYSBACKUP 权限。该用户可以连接到 PDB 并执行 PDB 备份,并且仅能为其连接到 PDB 执行备份。