CRS-4563: Insufficient user privileges Encountered When Trying to Start CRS (crsctl start crs) Following OS Patch Application
(Doc ID 2407762.1)
Last updated on DECEMBER 18, 2023
Applies to:
Oracle Database Cloud Exadata Service - Version N/A and laterOracle Database Cloud Service - Version N/A and later
Oracle Database - Enterprise Edition - Version 11.2.0.4 and later
Oracle Database Cloud Schema Service - Version N/A and later
Oracle Database Exadata Express Cloud Service - Version N/A and later
Microsoft Windows x64 (64-bit)
Symptoms
After stopping CRS and rebooting as part of applying an operating system patch, Cluster Ready Services (CRS) cannot be started on one node. The command 'crsctl start crs' is failing with the following errors:
CRS-4000: Command Config failed, or completed with errors.
The following errors appear when running ocrcheck on the "failing" node.
CLSD:An error was encountered while attempting to open log file "D:\ORACLE\11.2.0\grid\log\racnode2\client\ocrcheck_5824.log". Additional diagnostics: (:CLSD00157:)
Output of the Windows command 'whoami' shows a difference in the group configuration from one node to the other:
racnode1_whoami.txt:
D:\ORACLE\SQL>WHOAMI /USER /GROUPS
...
racnode1\oracle S-1-5-21-3361838081-1199148454-413287352-1002
...
Group Name Type SID Attributes
============================================================= ================ ============================================= ===============================================================
...
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabled by default, Enabled group
...
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
AS COMPARED TO
racnode2_whoami.txt:
D:\ORACLE\SQL>WHOAMI /USER /GROUPS
...
racnode2\oracle S-1-5-21-3788943988-3048214040-870756408-1001
...
Group Name Type SID Attributes
============================================================= ================ ============================================= ==================================================
...
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Group used for deny only <===== GROUP USED FOR DENY ONLY
...
BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only <===== GROUP USED FOR DENY ONLY
*****
As can be observed, there are two permissions or groups on node 'racnode2' that are marked as 'Group used for deny only', which are enabled on node 'racnode1' and even in the case of the Administrators group, this user is marked as 'Group owner'
Changes
Cause
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
| Symptoms |
| Changes |
| Cause |
| Solution |
| Community Discussions |