Wednesday, April 25, 2007

Oracle Guest Account

I found this great discussion on the Oracle Guest account and thought I would share. Here is a link to the thread in Yahoo Groups.

Here is an excerpt from the post sent in by John Healy:

<-- Begin excerpt -->

You are no longer able to log in as GUEST, even with the correct password, through the standard login screen.

I believe this was implemented in 11.5.10.2 (CU2), but possibly in 11.5.10.

There is, however, a necessary back door which must remain in the system, which does let you log in as GUEST.

Because of this "back door" it is mandatory that the GUEST user has No Responsibilities and that there is No Password expiration on the GUEST user.

The Lack of Responsibilities prevents the GUEST user from completing the Login.

A message will come up stating that the user has no valid responsibilities and return the user to the login screen.

The Requirement of No Password expiration on the GUEST user exists because:

If someone gets the GUEST password and attempts to log in, they will get the password expiration screen and be requested to change the password.

If someone does this, No-One will be able to access the Jinitiator (GUI) forms in the system.

There is a complex process that allows the transition from the initial home page to Jinitiator (GUI) forms without the user having to log in a second time.

This process requires the synchronization of the GUEST password with other files on the system.

This also means that No-One should Ever change the guest password without Very Careful coordination with the DBA.

The necessary files Must stay in sync with the internal GUEST password.

There may also be issues if the GUEST password is changed and patches are applied or an upgrade is done, and the same lockout may occur.

In a nutshell:

Don't change the GUEST password, as it is not necessary.

Simply Removing/Disabling all Responsibilities for GUEST prevents any successful login.

It is Dangerous to attempt to change the GUEST password without DBA coordination.

A mistake in this coordination will lock out all users from Jinitiator (GUI).

Patching and/or Upgrades may also Break Jinitiator (GUI) access so leave the default password.

Patching and/or Upgrades almost always require certain High Level accounts to be set back to their original defaults.

This is due to the fact that Oracle Can Not know your passwords, and the process needs to access the system through these high level accounts to perform the patch/upgrade process.

Oracle does not magically patch/upgrade your system but uses the tools available that you would use to perform the changes.

This is why either the upgrade changes the passwords, or the DBA is required to change them for successful patching/upgrades.

John Healy III
Corporate Oracle System Administrator
Carnival Corporation & plc


<-- End excerpt -->
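
The two conditions described in the excerpt (no responsibilities and no password expiration on GUEST) can be checked from SQL*Plus. This is an added example, not part of John Healy's post; it assumes the standard E-Business Suite objects FND_USER, FND_USER_RESP_GROUPS and FND_RESPONSIBILITY_VL queried from the APPS schema, so confirm the names against your release before relying on it.

```sql
-- Added audit example. Assumes the standard FND objects, queried as APPS.

-- 1. GUEST should have no password expiration configured.
SELECT u.user_name,
       u.end_date,
       u.password_date,
       u.password_lifespan_days,
       u.password_lifespan_accesses,
       CASE
         WHEN u.password_lifespan_days IS NULL
          AND u.password_lifespan_accesses IS NULL
         THEN 'OK: no password expiration'
         ELSE 'REVIEW: password expiration is set'
       END AS expiration_check
FROM   fnd_user u
WHERE  u.user_name = 'GUEST';

-- 2. GUEST should have no currently active responsibilities.
--    Zero rows returned is the expected result; any row is a finding.
SELECT u.user_name,
       r.responsibility_name,
       g.start_date,
       g.end_date
FROM   fnd_user u
JOIN   fnd_user_resp_groups g
       ON  g.user_id = u.user_id
JOIN   fnd_responsibility_vl r
       ON  r.responsibility_id = g.responsibility_id
       AND r.application_id    = g.responsibility_application_id
WHERE  u.user_name = 'GUEST'
AND    SYSDATE BETWEEN g.start_date AND NVL(g.end_date, SYSDATE + 1);
```

Both queries are read-only and leave the GUEST password and its synchronized files untouched.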
