LSNRCTL Commands May Yield Frequent TNS-1189 Errors (文档 ID 285439.1)
Oracle Net Services - Version 10.1.0.2.0 to 220.127.116.11 [Release 10.1 to 12.1]
Information in this document applies to any platform.
***Checked for relevance on 25-JUN-2014***
The issue documented here is limited to the version 10g or higher listener or lsnrctl utility.
When using a 10g listener or higher, it is possible that the error TNS-1189 "The listener could not authenticate the user" may occur intermittently (or very frequently) while performing listener operations from within the same LSNRCTL session. For example:
LSNRCTL> set trc_level 16
The listener.ora file may have been edited recently or this is a new installation.
This error is an authentication failure error between LSNRCTL and the tnslsnr process. The user attempted to issue a privileged administrative command, but could not be successfully authenticated by the listener using the local OS authentication mechanism.
This error has been known to happen when multiple network interfaces exist on the same machine as the listener. The failure is due to the LSNRCTL failing its locality check (meaning the LSNRCTL utility is communicating on an IP address, provided by the OS, different than what the the listener is using - causing the authentication failure).
Additional causes for this error, not directly related to the problem described in this note are:
1. The user is running a version of LSNRCTL that is lower than the version of the listener.
2. The user is attempting to administer the listener from a remote node.
3. The listener could not obtain the system resources needed to perform the authentication.
4. The local network connection between the listener and LSNRCTL was terminated unexpectedly during authentication message exchange, such as if LSNRCTL program was suddenly aborted.
5. The communication between the listener and LSNRCTL is being intercepted by a malicious user.
6. The software that the user is running is not following the authentication protocol, indicating a malicious user.
The problem can be worked around by having the LSNRCTL utility utilize the IPC protocol to communicate with the tnslsnr rather than TCP. To do this, insert an IPC address into the listener.ora file and make it the first ADDRESS within an ADDRESS_LIST:
Using the IPC protocol locally will not affect incoming connections.
An alternative solution is to add LOCAL_OS_AUTHENTICATION_listenername=OFF to the listener.ora file and restart the listener.