Firebird 3 sysdba password stunning issue - wildfly

I migrated from Firebird 2.5.x to 3.0.
I have changed firebird.conf:
WireCrypt = Enabled
AuthServer = Legacy_Auth, Srp, Win_Sspi
After that, here is what happened:
I can connect from Netbeans IDE using SYSDBA masterkey.
I can connect from FlameRobin (database admin tool) using SYSDBA with another password.
I cannot connect from the WildFly server using SYSDBA with that other password.
I am really wondering!

I assume you are using Jaybird 2.2.x (or earlier) when connecting from Netbeans and Wildfly. With Firebird 3 a new authentication model was introduced called SRP (Secure Remote Password). Jaybird 2.2.x doesn't support this new authentication model (support will be added in Jaybird 3.0), so you need to use the Legacy_Auth plugin.
Users have a separate identity per plugin. This means that you (can) have two users with the name SYSDBA, one for SRP and one for Legacy_Auth. These users have their own passwords.
So when you connect from Netbeans and Wildfly, you need to specify the password of the legacy authentication user. This password appears to be masterkey, or actually: masterke as legacy passwords are only 8 characters.
When you connect from FlameRobin, you can use the 'other' password (of the SRP sysdba user), as FlameRobin uses the Firebird 3 fbclient.dll/libfbclient.so and therefore supports the new SRP authentication model.
As far as I know FlameRobin should also be able to authenticate with the password of the legacy sysdba user (when login fails, it should try the next plugin). I will test that tomorrow.
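The per-plugin identities described in this answer, as an added example that is not part of the original answer. It assumes an administrator connection through a Firebird 3 server whose firebird.conf lists both user managers (the `UserManager` line is an assumption); the user name APPUSER and both passwords are constructed placeholders.

```sql
-- Added example; APPUSER and the passwords are constructed placeholders.
-- Assumed firebird.conf on the server:
--   AuthServer  = Legacy_Auth, Srp, Win_Sspi    (as in the question)
--   UserManager = Srp, Legacy_UserManager       (assumption: both managers enabled)

-- One login name, two independent identities, each with its own password.
CREATE USER APPUSER PASSWORD 'a-long-srp-passphrase' USING PLUGIN Srp;
-- Legacy passwords are only significant up to 8 characters.
CREATE USER APPUSER PASSWORD 'legacypw' USING PLUGIN Legacy_UserManager;
COMMIT;

-- Audit: one row per (user, plugin). A name that shows up under only one
-- plugin cannot log in from a client that speaks only the other plugin.
SELECT SEC$USER_NAME, SEC$PLUGIN, SEC$ACTIVE, SEC$ADMIN
FROM SEC$USERS
ORDER BY SEC$USER_NAME, SEC$PLUGIN;

-- Changing one identity's password leaves the other identity untouched.
ALTER USER APPUSER SET PASSWORD 'another-srp-passphrase' USING PLUGIN Srp;
COMMIT;

-- Once every client supports SRP, retire the legacy identity
-- (and then remove Legacy_Auth from AuthServer).
DROP USER APPUSER USING PLUGIN Legacy_UserManager;
COMMIT;
```

Running the `SEC$USERS` query for SYSDBA shows directly which plugin each SYSDBA password belongs to.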

Related

How can I create a user in embedded Firebird 3.0

I need to create users in Firebird 3.0 embedded databases, but using the standard command returns an error.
command:
CREATE USER miusuario
PASSWORD 'miclave';
return:
Engine Error (code = 335544382): Missing user management plugin.
SQL Error (code = -901): Unsuccessful execution caused by system error that does not preclude
successful execution of subsequent statements
I need to create the users both at runtime and in development.
Any idea how to solve this problem? I've looked in the Firebird documentation and can't get anything to help me.
I do not use the Firebird in server mode, only embedded.
Firebird Embedded does not perform authentication [1], and it will accept any username you specify at connect. Creating users is unnecessary, and in your case impossible because it looks like the user management plugin is not configured or available (setting UserManager in firebird.conf). However, even if that plugin was configured, it would be pointless to create users if you only use Firebird Embedded, because Firebird Embedded won't actually use the data of that user.
In Firebird, privileges are granted to usernames, not to user records in a security database [2]. So, even though there exists no user with that username, you can grant it rights (in fact, that is also possible in Firebird server).
You can log in (password is ignored) with any username when using Firebird Embedded. The logged-in user will then assume any rights granted to that username.
[1]: This has always been the case on Windows; on Linux this is only the case since Firebird 3. In earlier versions on Linux, Firebird Embedded did perform actual authentication using the security database.
[2]: Except for a small set of privileges like admin in security database and database creation privileges.

"isc_attach_database failed" error FlameRobin for connect Firebird database

I'm trying to set up Firebird 2.5 with FlameRobin 0.9.3, installed on Windows 10 64-bit. The .fdb files are on the same disk as the Firebird machine and the FlameRobin program.
I'm trying to connect to the EMPLOYEE.FDB file with FlameRobin and am getting this error.
My settings for this database file are below.
I never changed my sysdba password. Is this error due to the ODBC driver?
Edit: I've created a new database in ISQL to try. Username: SYSDBA Password: 31202333
But I am getting the same error in FlameRobin.
The error means that your username does not exist (unlikely for SYSDBA), or the password is incorrect*. In Firebird, passwords are system wide, not per database. Check your password (default installations of Firebird on Windows use the password 'masterkey'). Otherwise try resetting the password using gsec.
The reason it might work with ISQL is that you're using a local path, which may cause ISQL to use Firebird embedded mode, and in embedded mode on Windows, the password is ignored (on the assumption that if you have filesystem access to the database file, you are allowed to open the database). I guess that, if instead of 'D:\sq\sample.fdb', you'd use 'localhost:D:\sq\sample.fdb' in ISQL, you would get the same error as in FlameRobin.
*: In Firebird 3 and later it can also mean that the user does not exist for the authentication plugins tried, even though the user may exist for a different authentication plugin.

SYSDBA user is blocked from access to Firebird 2.x database

I have a Firebird database in a .fdb file, but the database does not have the SYSDBA user and I don't remember the credentials to log in to the database. Is there any way to reset the database credentials?
As Mark said, it is not that the database "does not have SYSDBA user" (databases in Firebird 2.x never have users), but that the old trick was used of creating a role named SYSDBA in order to trigger a name collision on login.
After scanning through 2007 Security presentation I have two suggestions for you.
You can try some tool that opens Firebird databases without using Firebird itself to learn what username can pull you out of the deadlock.
One such tool is Database Explorer in the IBExpert. Full IBExpert is paid for non-USSR states and free IBExpert Personal probably does not have the tool. But I hope the tool works in IBExpert Trial. Another tool is IBSurgeon FirstAID. And probably there are more tools featuring data extraction from corrupt databases. You only need to find and read one specific row.
The query to create the blocking role is given on the 23rd page of the presentation.
INSERT INTO RDB$ROLES(RDB$ROLE_NAME, RDB$OWNER_NAME)
VALUES ('SYSDBA', 'LOCKSMITH');
So you would have to look into the said table, find the row with the said role, and learn the username that has authority over that role (in the example it was LOCKSMITH).
After that you connect to any other database on the same server and you create the user with the name you learnt. Then you use that name to log in to the problematic database and to DROP ROLE SYSDBA; COMMIT;.
You can also use Firebird Embedded. All server-coded security checks are bypassed in the Embedded edition of FB 2.x (but if the DB designer added some ad hoc security checks in triggers, they will work). So you log in to the problematic database using Firebird Embedded edition, any username and any password, and after that you drop the access-blocking role.
In Firebird, the database doesn't contain passwords (until v3.0, as mentioned by @Arioch'The). The password is used only by the server. In other words, you can copy the database file from the existing server to another one (with a known password) and open the database file.

Firebird ADO.NET provider 5.0.5.0 to Firebird 3.0 can not connect except sysdba

I am trying to connect to Firebird 3.0 through the latest version of the ADO.NET provider, 5.0.5.0, from my simple test .NET application. When I used the sysdba user the connection was made OK, but if I used another user then the connection failed with the classic FBException:
Your user name and password are not defined. Ask your database administrator to set up a Firebird login.
"initial catalog=c:\\Database\\Data.fdb;data source=localhost;user id=sysdba;password=sysPass;port number=3050" = OK
"initial catalog=c:\\Database\\Data.fdb;data source=localhost;user id=michal;password=micPass;port number=3050" = failed
But if I try to connect through IBExpert or isql, then the connection is made OK and I can get data from tables.
Previously I used Firebird 2.1, and then I upgraded to Firebird 3.0 SuperClassic and got the ADO.NET provider from NuGet. Actually I do not need SRP encryption, so I disabled WireCrypt etc. and use Legacy authentication (Firebird 3.0 release notes, page 117). Then I created my new user via IBExpert (sysdba was created during installation of the Firebird server).
I do not need to migrate users from the previous Firebird version, so I skipped the "Upgrading a v.2.x Security Database" steps.
It is strange that I can connect as my user via IBExpert or isql, but not via the ADO.NET provider.
It seems unlikely to me that the ADO.NET provider has a bug of this type (everyone needs to connect as a user), so I guess that I have some bad configuration.
I had some bad configuration and I needed to set it correctly:
In firebird.conf, there has to be: WireCrypt = Enabled (not disabled)
Create the user account the older way (in my case via IBExpert)
The password has to have a max. length of 8 chars (previously you could have more chars and Firebird omitted them)

Embedded Firebird permissions problem under Local System Account

I am creating an NTService application which uses an Embedded Firebird database. When I configure the service to run as the Administrator account, it works OK. But when I run the service as the default Local System Account, I get the error below.
no permission for read/select access to TABLE XXXX
Why is that? I believe there are no system tables etc. in the single Firebird SQL file. And Windows XP doesn't have Linux-like file permissions. Please help.
Regards
J
While the embedded version doesn't authenticate users (doesn't check the username and password against security2.fdb), it still checks the SQL privileges of the user. This means that you still have to grant proper user rights to the username and/or role you're using when accessing the database. It probably worked for the Administrator account because in version 2.1, members of administrative Windows groups were mapped to SYSDBA by default (and thus had all rights on all databases). This changed in version 2.5; you now have to manually configure this (see release notes).
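An added example (not part of any of the original answers) of the point made in this answer and in the embedded-user answer above: privileges are recorded against a username, whether or not a user record exists, and Embedded still enforces them. The table INVOICES and the username REPORTING are constructed for illustration.

```sql
-- Added example; INVOICES and REPORTING are constructed names.
-- Run as the database owner (or SYSDBA).
CREATE TABLE INVOICES (
    ID     INTEGER NOT NULL PRIMARY KEY,
    AMOUNT NUMERIC(18,2)
);
COMMIT;

-- No CREATE USER is needed: the grant is stored against the name itself.
GRANT SELECT ON TABLE INVOICES TO USER REPORTING;
COMMIT;

-- Audit: privileges on non-system tables and views, per grantee.
-- RDB$USER_TYPE: 8 = user, 13 = role. RDB$PRIVILEGE: S, I, U, D, R, ...
SELECT TRIM(p.RDB$USER)          AS GRANTEE,
       p.RDB$USER_TYPE           AS GRANTEE_TYPE,
       TRIM(p.RDB$RELATION_NAME) AS OBJECT_NAME,
       TRIM(p.RDB$PRIVILEGE)     AS PRIVILEGE,
       p.RDB$GRANT_OPTION        AS WITH_GRANT
FROM RDB$USER_PRIVILEGES p
JOIN RDB$RELATIONS r ON r.RDB$RELATION_NAME = p.RDB$RELATION_NAME
WHERE p.RDB$OBJECT_TYPE = 0                 -- 0 = table or view
  AND COALESCE(r.RDB$SYSTEM_FLAG, 0) = 0    -- skip system tables
ORDER BY 1, 3, 4;

-- A connection made as REPORTING can now SELECT from INVOICES; an
-- INSERT from that connection fails with a "no permission" error like
-- the one quoted in the question.
```

Because Embedded accepts any username at connect, these grants separate application roles but do not replace file-system permissions on the database file.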