Re: [firebird-support] Re: How to check and (possibly) repair new authorization system on Firebird 3.0.1
On 2017-03-01 09:59, Dmitry Yemanov dim...@users.sourceforge.net [firebird-support] wrote:
> 01.03.2017 11:58, jonatan.laurit...@yahoo.dk wrote:
>
>> OK, I have working Firebird 3.0.1 installation and I have copied
>> security3.fdb from the broken Firebird installation and now I am also
>> receiving the error message. So - security3.fdb is somehow broken,
>> problem is in security3.fdb
>
> It's not broken, it just misses SYSDBA account.

That is not entirely true: the security database is not initialized for SRP, creating a user (any user) with the SRP user manager should be enough. If I recall correctly that initialization doesn't automatically create a SYSDBA account (but I can't check right now).

Mark
Re: [firebird-support] Re: How to check and (possibly) repair new authorization system on Firebird 3.0.1
On 2017-03-01 11:41, jonatan.laurit...@yahoo.dk [firebird-support] wrote:
> Solution found - I had to use the "create user" command with the
> "using" clause:
> SQL> create user SYSDBA password 'masterkey' using plugin Srp;
>
> My firebird.conf indicated that Legacy_Auth is the first (default)
> user manager and it was necessary for isql to know that Srp manager
> had to be used:
> UserManager = Legacy_Auth, Srp
>
> So - my conclusions about the improvement of the Firebird Release
> notes:
> p.119 of the PDF document contains important notice:
> "This initialization is not required and should NOT be performed if
> you have configured the server to use legacy
> (pre-Firebird 3 style) authentication and user management."
> Actually this is not true! Clients want to check 'Enable authorization
> for legacy Firebird clients' and they want to use Firebird 3
> gds32.dll/fbclient.dll and in such cases the initialization is
> required.
>
> p.119 also provides the example of create user command. It could be
> helpful to add note about "using" clause. Without such notice the
> initialization procedure can not be completed as described.

Those instructions work if the UserManager setting is left with the default (so that the SRP user manager is first), otherwise you have to explicitly state which plugin needs to be used to create the user.

Mark
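The rule discussed in the message above (a plain "create user" goes to the first plugin listed in UserManager) can be checked against a firebird.conf before running the initialization. The following is an added example, not part of the original thread or of Firebird itself; the function names and the sample configuration text are constructed for illustration, and the password is a placeholder.

```python
import re

# Firebird 3 default when firebird.conf leaves UserManager unset.
DEFAULT_USER_MANAGERS = ["Srp"]

# Constructed sample configs (not taken from a real server).
THREAD_CONF = """\
# constructed sample mirroring the setting quoted in the thread
UserManager = Legacy_Auth, Srp
"""
DEFAULT_CONF = """\
#UserManager = Srp
"""

def user_managers(conf_text):
    """Return the UserManager plugin list, in configured order."""
    managers = list(DEFAULT_USER_MANAGERS)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        match = re.match(r"UserManager\s*=\s*(.*)$", line, re.IGNORECASE)
        if match:
            managers = [p for p in re.split(r"[,;\s]+", match.group(1)) if p]
    return managers

def create_user_statement(conf_text, user, plugin="Srp"):
    """Build the CREATE USER statement that lands the account in `plugin`."""
    managers = user_managers(conf_text)
    if plugin.lower() not in (m.lower() for m in managers):
        raise ValueError(f"{plugin} is not listed in UserManager: {managers}")
    stmt = f"create user {user} password '<password>'"
    # A plain CREATE USER goes to the first listed manager, so name the
    # plugin explicitly whenever it is not first.
    if managers[0].lower() != plugin.lower():
        stmt += f" using plugin {plugin}"
    return stmt + ";"

if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("default", DEFAULT_CONF)):
        print(name, user_managers(conf), create_user_statement(conf, "SYSDBA"))
```
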
[firebird-support] Re: How to check and (possibly) repair new authorization system on Firebird 3.0.1
Solution found - I had to use the "create user" command with the "using" clause:

SQL> create user SYSDBA password 'masterkey' using plugin Srp;

My firebird.conf indicated that Legacy_Auth is the first (default) user manager and it was necessary for isql to know that Srp manager had to be used:

UserManager = Legacy_Auth, Srp

So - my conclusions about the improvement of the Firebird Release notes:

p.119 of the PDF document contains important notice: "This initialization is not required and should NOT be performed if you have configured the server to use legacy (pre-Firebird 3 style) authentication and user management." Actually this is not true! Clients want to check 'Enable authorization for legacy Firebird clients' and they want to use Firebird 3 gds32.dll/fbclient.dll and in such cases the initialization is required.

p.119 also provides the example of create user command. It could be helpful to add note about "using" clause. Without such notice the initialization procedure can not be completed as described.
[firebird-support] Re: How to check and (possibly) repair new authorization system on Firebird 3.0.1
isql allowed to change the password of the SYSDBA account but that did not remove the original error message about "installation incomplete"...
[firebird-support] Re: How to check and (possibly) repair new authorization system on Firebird 3.0.1
OK - I am starting to understand. Apparently client had Firebird default instance Windows registry entry from the Firebird installations of the previous versions. That is why Firebird 3.0 installation wizard did not display extended configuration form with the possibility to initialize security3 database and create SYSDBA account.

So - it might be possible that I should execute steps from the Firebird 3.0 release notes "Initializing the Security Database". However, something is still broken. My initialization session ended with error:

C:\Program Files\Firebird\Firebird_3_0>isql -user sysdba employee
Database: employee, User: SYSDBA
SQL> create user SYSDBA password 'masterkey';
Statement failed, SQLSTATE = 23000
add record error
-violation of PRIMARY or UNIQUE KEY constraint "INTEG_2" on table "PLG$USERS"
-Problematic key value is ("PLG$USER_NAME" = 'SYSDBA')
SQL>

So - it reports that SYSDBA account is present!
[firebird-support] Re: How to check and (possibly) repair new authorization system on Firebird 3.0.1
01.03.2017 11:37, jonatan.laurit...@yahoo.dk wrote:
> Actually, I don't understand this thing about old and new authorization
> system. Does it mean that there are two SYSDBA and other user accounts -
> one for old and other for new authorization system and does it mean that
> there are two sets of passwords?

Exactly.

Dmitry
[firebird-support] Re: How to check and (possibly) repair new authorization system on Firebird 3.0.1
01.03.2017 11:58, jonatan.laurit...@yahoo.dk wrote:
> OK, I have working Firebird 3.0.1 installation and I have copied
> security3.fdb from the broken Firebird installation and now I am also
> receiving the error message. So - security3.fdb is somehow broken,
> problem is in security3.fdb

It's not broken, it just misses SYSDBA account.

Dmitry
[firebird-support] Re: How to check and (possibly) repair new authorization system on Firebird 3.0.1
OK, I have working Firebird 3.0.1 installation and I have copied security3.fdb from the broken Firebird installation and now I am also receiving the error message. So - security3.fdb is somehow broken, problem is in security3.fdb
[firebird-support] Re: How to check and (possibly) repair new authorization system on Firebird 3.0.1
Actually, I don't understand this thing about old and new authorization system. Does it mean that there are two SYSDBA and other user accounts - one for old and other for new authorization system and does it mean that there are two sets of passwords?

Is it safe to check 'Enable authorization for legacy Firebird clients?' during installations - is it right that this check only adds new capabilities and does not break any original capabilities?