lost my SYSDBA password , need help to access firebird 3.0 databases

[Ken Sng]

Hi , 

I've got an old GoldMine v7 CRM system using firebird v3.0 databases. 

It seems the password for SYSDBA doesn't work. Like to know how i can still gain access to the firebird databases .

I've tried to replace the security3.fdb from a fresh install but 'masterkey' password didn't seem to work.

Thanks for your attention and look forward to replies.

Thanks

Ken

[Dimitry Sibiryakov]

Ken Sng wrote 08.06.2026 9:58:
> It seems the password for SYSDBA doesn't work. Like to know how i can still gain
> access to the firebird databases .

1. Connect to security3.fdb in embedded mode as user SYSDBA without password.
2. Use ALTER USER to set any desired password.

Pay attention to user manager plugin: there can be more than one SYSDBA. Drop
those you don't need.

--
WBR, SD.

[Mark Rotteveel]

On 08-06-2026 09:58, Ken Sng wrote:
> I've got an old GoldMine v7 CRM system using firebird v3.0 databases.
>
> It seems the password for SYSDBA doesn't work. Like to know how i can
> still gain access to the firebird databases .
>
> I've tried to replace the security3.fdb from a fresh install but
> 'masterkey' password didn't seem to work.

That is probably because the default security3.fdb does not have a
SYSDBA account for the Srp authentication plugin/user manager, the
default DB only has a SYSDBA account for Legacy_Auth. You need to
connect with embedded and create the sysdba user. Or use the original
security database and alter the sysdba user.

For example:

1. Shutdown Firebird server (so it doesn't hold a lock on the security
database, which happens if the server mode is SuperServer, the default)

2. Connect to any database using embedded, for example, the employee
example database:

isql -user sysdba employee

When connecting with embedded, no password authentication is performed,
so absence of the account or not knowing the password is not a problem.

2a. If you don't have the employee example database, you can also
connect to the security database directly:

isql -user sysdba security.db

3. Create or alter the sysdba user:

create or alter user SYSDBA set password '<new password>' using plugin Srp;

If you need to alter a legacy_auth user, use `using plugin
Legacy_UserManager` instead of `using plugin Srp`.

Mark
--
Mark Rotteveel

[Ken Sng]

Thanks for your reply.

i ran  isql -user sysdba security3.fdb  and got

statement failed sqlstate=28000

no permissoin for read-write access to database security3.fdb

use connect or create database to specify a database

[Dimitry Sibiryakov]

Ken Sng wrote 08.06.2026 10:35:
> i ran  isql -user sysdba security3.fdb  and got
>
> statement failed sqlstate=28000
> no permissoin for read-write access to database security3.fdb

You don't have enough privileges on this server. Call system administrator.

--
WBR, SD.

[Tomasz Dubiel]

Or run CMD as an administrator.

Best regards,

Tomek.

[Ken Sng]

Great Thanks I ran cmd with admin and got connected.

now how do i know i should create sysdba user or alter sysdba ?   Is there a way to see what users i have ?  

Thanks

[Dimitry Sibiryakov]

Ken Sng wrote 08.06.2026 10:43:
> now how do i know i should create sysdba user or alter sysdba ?   Is there a way
> to see what users i have ?

a) ISQL command SHOW USERS.
b) SELECT FROM SEC$USERS.

--
WBR, SD.

[Ken Sng]

Anyways , I ran the  "alter user SYSDBA set password '<new password>' using plugin Srp; and got 
statement failed sqlstate=28k
modify record error
-install incomplete, read compatibility chapter...

then i ran  "alter user SYSDBA set password '<new password>' using plugin Legacy_UserManager; and got
stmt faield, sqlstate=HY000
missing requested mgmt plugin


firstly how do i know if i am altering a  legacy auth user so that i know which of the above 2 alter commands i should run .

secondly, how do i fix the  errors .

Thanks

[Dimitry Sibiryakov]

Ken Sng wrote 08.06.2026 10:49:
> firstly how do i know if i am altering a  legacy auth user so that i know which
> of the above 2 alter commands i should run .

Look in firebird.conf.

> secondly, how do i fix the  errors .

a) Use your old, fully initialized security database
b) Create user instead of alter as described in
https://firebirdsql.org/file/documentation/chunk/en/refdocs/fblangref50/fblangref50-security.html#fblangref50-security
and
https://firebirdsql.org/file/documentation/html/en/firebirddocs/qsg5/firebird-5-quickstartguide.html#qsg5-config-gsec
and
https://raw.githubusercontent.com/FirebirdSQL/firebird/refs/heads/v5.0-release/doc/README.security_database.txt

--
WBR, SD.

[Mark Rotteveel]

On 08-06-2026 10:43, Ken Sng wrote:
> Great Thanks I ran cmd with admin and got connected.
>
> now how do i know i should create sysdba user or alter sysdba ?   Is
> there a way to see what users i have ?

Just use the CREATE OR ALTER USER statement as I did in my original
reply. This either creates it if it doesn't exist, or alters the
existing user.

Mark
--
Mark Rotteveel

[Mark Rotteveel]

On 08-06-2026 10:49, Ken Sng wrote:
> Anyways , I ran the  "alter user SYSDBA set password '<new password>'
> using plugin Srp; and got
> statement failed sqlstate=28k
> modify record error
> -install incomplete, read compatibility chapter...

That means no Srp user has ever been created in this security database,
and you need to use CREATE USER. BTW: this probably means indicates that
you're doing this on the fresh security database, and not your original one.

> then i ran "alter user SYSDBA set password '<new password>' using plugin
> Legacy_UserManager; and got
> stmt faield, sqlstate=HY000
> missing requested mgmt plugin

This means that the Legacy_UserManager is not set in your server
configuration, so you can't use it. It's also unlikely that you want to
use legacy_auth/legacy_usermanager these days.

Mark
--
Mark Rotteveel

[Ken Sng]

> Hi Mark,
>
> Thanks for help.
>
> I was performing those commands on a copy of security3.fdb from a fresh
> install. I've since replaced with the original copy and I managed to run
> the alter user command to change the pwd.
>
> How do verify the pwd is what i've set it to from isql ?
>
> because i'm still not able to connect from my goldmine application and i
> wish to at least verify the sysdba password has been changed correctly.
>
> Thanks again

[Dimitry Sibiryakov]

Ken Sng wrote 08.06.2026 13:42:
> How do verify the pwd is what i've set it to from isql ?

Connect to the server with isql using remote (not embedded) protocol.

--
WBR, SD.

[Mark Rotteveel]

On 08-06-2026 13:42, Ken Sng wrote:
>> Hi Mark,
>>
>> Thanks for help.
>>
>> I was performing those commands on a copy of security3.fdb from a fresh
>> install. I've since replaced with the original copy and I managed to run
>> the alter user command to change the pwd.
>>
>> How do verify the pwd is what i've set it to from isql ?
>>
>> because i'm still not able to connect from my goldmine application and i
>> wish to at least verify the sysdba password has been changed correctly.

Make sure Firebird server is running, and connect through the server to
a database:

isql -user sysdba -password <password> localhost:employee

NOTE: You can't make remote connections like this to the security
database, though you can use xnet://security.db if you're on Windows.

That said, this and your original problem, makes me wonder if that
Goldmine application might be using legacy authentication, and that you
have changed your server configuration to disallow it, so it can no
longer connect.

Also, are you sure this Goldmine actually uses SYSDBA, and not some
other account (using SYSDBA for applications is not a good idea).

Mark
--
Mark Rotteveel

[Ken Sng]

Hi Mark,

I copied the employee.fdb from the examples folder to the firebird 3_0 folder and executed 

isql -user sysdba -password <password> localhost:employee  and was able to connect.

I next repeat the above with one of the Goldmine databases main  and got 

i/o error during createfile (open) operation for file "main'

Erro while trying to open file

system can't find the file specified

and yet the main.fdb file is there exactly like the employee.fdb file is . What does this error really mean ?

my understanding is that the sysdba user is a like a superuser and can connect to any fdb file on the system correct ? In other words the fdb files themselves don't have any access permission of users embedded.

Yes, you are right the Goldmine application uses GMSYSDBA , not sysdba. But per my understanding  above, since sysdba is a superuser, i can ask Goldmine to connect using sysdba user too right ?

As to whether GM uses legacy auth and if i have changed the config to disable legacy auth, how do i check this ?

Thanks

[Dimitry Sibiryakov]

Ken Sng wrote 09.06.2026 16:13:
> I next repeat the above with one of the Goldmine databases main  and got
>
> i/o error during createfile (open) operation for file "main'
> Erro while trying to open file
> system can't find the file specified
>
>
> and yet the main.fdb file is there exactly like the employee.fdb file is . What
> does this error really mean ?

Firebird doesn't have "default file extension" so it doesn't modify database
name as sent by client. So "main" and "main.fdb" are different things and when
Goldmine wants database "main", file "main" is tried, not "main.fdb".
Consult Goldmine documentation about setup. Perhaps there is requirement to
add database alias "main" into databases.conf.

--
WBR, SD.

[Elmar Haneke]

Am 09.06.26 um 16:13 schrieb Ken Sng:

Hi Mark,

I copied the employee.fdb from the examples folder to the firebird 3_0 folder and executed 

isql -user sysdba -password <password> localhost:employee  and was able to connect.

employee obviously is an entry in databases.conf redirecting it to employee.fdb.

I next repeat the above with one of the Goldmine databases main  and got 

i/o error during createfile (open) operation for file "main'

Erro while trying to open file

system can't find the file specified

there is no such entry redirecting 'main' to 'main.fdb'

and yet the main.fdb file is there exactly like the employee.fdb file is . What does this error really mean ?

my understanding is that the sysdba user is a like a superuser and can connect to any fdb file on the system correct ? In other words the fdb files themselves don't have any access permission of users embedded.

database permission problems certainly do not result in an 'file not found' error.

Yes, you are right the Goldmine application uses GMSYSDBA , not sysdba. But per my understanding  above, since sysdba is a superuser, i can ask Goldmine to connect using sysdba user too right ?

As to whether GM uses legacy auth and if i have changed the config to disable legacy auth, how do i check this ?

read the usertable in security database.

[Ken Sng]

Hi,

i've added the entry in databases.conf

and now i get a new error saying "unsupported on-disk structure for file c:\...\main.dbd ; found 101. support 12.0

seems like a incompatibility issue. 

but i've not upgraded firebird not the databases since my last successful access.

Anyone can shed light on this pls. Thanks 

[Dimitry Sibiryakov]

Ken Sng wrote 10.06.2026 5:25:
> and now i get a new error saying "unsupported on-disk structure for file c:\...
> \main.dbd ; found 101. support 12.0

"main.dbd" is not "main.fdb" and most likely it is a not Firebird database at
all.

--
WBR, SD.

[Ken Sng]

typo on my end. main.fdb is what it says