Forum Discussion

aprocaccino's avatar
3 years ago

User '<anonymous>' attempted to perform a restore

Hello,

Oracle team is complaining that some of their refresh are failing with "failed to open backup file for restore - failover to previous backup".

Investigating, I can see that sometimes, their refreshs are running with an "Anonymous" user which is not allowed to perform the restore, and so that's surely the reason why it fails. I have the following entries in the nbauditreport logs

[root@dc1-bck-srv:~]# nbauditreport | grep -i vmd-rasaora-02
09/29/2022 10:49:17 <anonymous>@vmd-rasaora-02.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-rasaora-01' of type 'Oracle' but is not authorized.
09/29/2022 10:15:55 oracle@vmd-rasaora-02.lux.eib.org User 'oracle' is browsing images of client 'vmp-rasaora-01' of type 'Oracle'.
09/29/2022 09:57:27 <anonymous>@vmd-rasaora-02.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-rasaora-01' of type 'Oracle' but is not authorized.
09/29/2022 09:35:20 <anonymous>@vmd-rasaora-02.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-rasaora-01' of type 'Oracle' but is not authorized.
09/29/2022 09:15:53 oracle@vmd-rasaora-02.lux.eib.org User 'oracle' is browsing images of client 'vmp-rasaora-01' of type 'Oracle'.
09/29/2022 08:48:03 <anonymous>@vmd-rasaora-02.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-rasaora-01' of type 'Oracle' but is not authorized.
09/29/2022 08:25:58 <anonymous>@vmd-rasaora-02.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-rasaora-01' of type 'Oracle' but is not authorized.
09/29/2022 08:15:50 oracle@vmd-rasaora-02.lux.eib.org User 'oracle' is browsing images of client 'vmp-rasaora-01' of type 'Oracle'.
09/29/2022 07:34:59 <anonymous>@vmd-rasaora-02.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-rasaora-01' of type 'Oracle' but is not authorized.
09/29/2022 07:15:48 oracle@vmd-rasaora-02.lux.eib.org User 'oracle' is browsing images of client 'vmp-rasaora-01' of type 'Oracle'.
09/29/2022 07:12:57 <anonymous>@vmd-rasaora-02.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-rasaora-01' of type 'Oracle' but is not authorized.
09/28/2022 19:13:55 oracle@vmd-rasaora-02.lux.eib.org User 'oracle' is browsing images of client 'vmp-rasaora-01' of type 'Oracle'.
09/28/2022 19:01:11 <anonymous>@vmd-rasaora-02.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-rasaora-01' of type 'Oracle' but is not authorized.

Or on another failed server : 

[root@dc1-bck-srv]nbauditreport | grep vmd-oracle-205
09/21/2022 21:43:36      <anonymous>@vmd-oracle-205.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-oracle-142' of type 'Oracle' but is not authorized.
09/21/2022 21:43:33      <anonymous>@vmd-oracle-205.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-oracle-142' of type 'Oracle' but is not authorized.
09/21/2022 20:39:31      <anonymous>@vmd-oracle-205.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-oracle-142' of type 'Oracle' but is not authorized.
09/21/2022 20:39:31      <anonymous>@vmd-oracle-205.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-oracle-142' of type 'Oracle' but is not authorized.
09/21/2022 19:27:18      oracle@vmd-oracle-205.lux.eib.org   User 'oracle' is performing a restore of client 'vmp-oracle-142' of type 'Oracle'.
09/21/2022 19:11:59      <anonymous>@vmd-oracle-205.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-oracle-142' of type 'Oracle' but is not authorized.
09/21/2022 19:11:56      <anonymous>@vmd-oracle-205.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-oracle-142' of type 'Oracle' but is not authorized.
09/21/2022 18:22:31      oracle@vmd-oracle-205.lux.eib.org   User 'oracle' is performing a restore of client 'vmp-oracle-142' of type 'Oracle'.
09/21/2022 18:07:11      <anonymous>@vmd-oracle-205.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-oracle-142' of type 'Oracle' but is not authorized.
09/21/2022 17:01:16      <anonymous>@vmd-oracle-205.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-oracle-142' of type 'Oracle' but is not authorized.
09/21/2022 13:33:34      <anonymous>@vmd-oracle-205.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-oracle-142' of type 'Oracle' but is not authorized.
09/21/2022 13:33:34      <anonymous>@vmd-oracle-205.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-oracle-142' of type 'Oracle' but is not authorized.
09/21/2022 12:27:18      oracle@vmd-oracle-205.lux.eib.org   User 'oracle' is performing a restore of client 'vmp-oracle-142' of type 'Oracle'.

As you can see, sometimes it's the user "oracle" whis is running the restore, and in that case it works.

On a server without problems, there is no mention of this "anonymous" account

[root@dc1-bck-srv]nbauditreport | grep vmt-oracle-121 | grep restore
09/26/2022 12:50:01      oracle@vmt-oracle-121.lux.eib.org   User 'oracle' is performing a restore of client 'vmp-oracle-142' of type 'Oracle'.
09/26/2022 12:50:00      oracle@vmt-oracle-121.lux.eib.org   User 'oracle' is performing a restore of client 'vmp-oracle-142' of type 'Oracle'.
09/26/2022 12:49:53      oracle@vmt-oracle-121.lux.eib.org   User 'oracle' is performing a restore of client 'vmp-oracle-142' of type 'Oracle'.
09/26/2022 12:49:41      oracle@vmt-oracle-121.lux.eib.org   User 'oracle' is performing a restore of client 'vmp-oracle-142' of type 'Oracle'.
09/26/2022 12:49:30      oracle@vmt-oracle-121.lux.eib.org   User 'oracle' is performing a restore of client 'vmp-oracle-142' of type 'Oracle'.
09/26/2022 12:49:18      oracle@vmt-oracle-121.lux.eib.org   User 'oracle' is performing a restore of client 'vmp-oracle-142' of type 'Oracle'.
09/26/2022 12:48:37      oracle@vmt-oracle-121.lux.eib.org   User 'oracle' is performing a restore of client 'vmp-oracle-142' of type 'Oracle'.

Have one of you already experienced those messages ?

  • Do you have OIP or script RMAN your running backup?

    Order precedence in your host client is correct? I already like something about but was job integration for SQL, but was version very old like 7.7.3 and 8.1.2, sometimes I see ghost jobs between my master servers, in your case really strange thats situation.

    • aprocaccino's avatar
      aprocaccino
      Level 3

      No we are using backups with rman scripts, but i'm talking about restores, not backups. 

  • I think that Oracle guys must say what is a difference between success and failed sessions. Look at these which are 1 hour apart and are on the same destination server querying for the same source server:

    09/21/2022 19:11:56 <anonymous>@vmd-oracle-205.lux.eib. User '<anonymous>' attempted to perform a restore of client 'vmp-oracle-142' of type 'Oracle' but is not authorized.
    09/21/2022 18:22:31 oracle@vmd-oracle-205.lux.eib.org User 'oracle' is performing a restore of client 'vmp-oracle-142' of type 'Oracle'.

    My tips for investigation are : sudo/"nosudo" session, direct rman/some application, script/direct call etc. Remember that Oracle restores are managed by RMAN which then passes its parameters to NetBackup.

    Last but not least, check for full volumes on Oracle server.

    Regards

    Michal

     

    • aprocaccino's avatar
      aprocaccino
      Level 3

      Hello,

      I think I've found the source of those messages.

      I saw that logs folders about databases (dbclient, user_ops, sybackup...) didn't have the full permission as required in the documentation.

       

      Veritas NetBackup™ for Oracle Administrator's Guide

      In UNIX, NetBackup uses the /usr/openv/netbackup/logs directory tree for the recording of troubleshooting information. NetBackup also uses this directory tree for progress and communication updates to users and other NetBackup applications. Restrictive permissions on these directories can not only disable the collection of troubleshooting data, but also prevent the application itself from functioning correctly.

      Backup operations and restore operations fail when permissions are too restrictive. We recommend that you make all of the /usr/openv/netbackup/logs directories and subdirectories readable and writeable by all users (777 permissions). 

       

      Backups and restores may fail, or troubleshooting may be hindered if the NetBackup log directories are not readable and writeable by user and application processes. (veritas.com)

      The recommendation is to make the /usr/openv/netbackup/logs (UNIX/Linux) and <install>\NetBackup\logs (Windows) subdirectories readable and writeable by all users.  

      […]
      Most critical is the user_ops subdirectory and its subdirectories.  These must exist and be accessible for the applications to operate correctly.  

      […]

      The dbclient directory must be writeable by the Oracle, SQL-Server, or Teradata user that is performing the backup or restore.

      For some reasons, without full permissions, some restores are working and other are not (despite I was thinking that nothing should work with incorrect setup).

      I have no official confirmation from DBAs that it's resolved now, but I don't see those messages anymore and DBAs are no more complaining for the moment.