How do I disable one mechanism from Kerberos?

Calin Barbat c.barbat at osram.de
Mon Aug 30 09:14:57 EDT 2004


Hello to the specialists out there,

I'm trying to pass gsstest-1.27, a test suite - written by Martin Rex of 
SAP and put into the public domain - for the interoperability of the 
Kerberos GSS-API with SAP R/3 BC-SNC in order to achieve SSO (single 
sign-on) from a Linux SMP Server against a Windows 2000 Server Active 
Directory Realm.

After having everything set up and configured, I saw the following 
messages in dev_w0, one of the logs of the SAP R/3 system:

....
N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3423]
N        GSS-API(maj): A token was invalid
N        GSS-API(min): Mechanism is incorrect
N      Unable to establish the security context
N  <<- SncProcessInput()==SNCERR_GSSAPI
M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    973]
M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    978]
M  in_ThErrHandle: 1
M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   8787]
...

Now I'm looking into the source of MIT Kerberos V Release krb5-1.3.4 to 
see how it can be made to work. First to (partially) pass gsstest, then 
run with SAP.

So far I've made some progress; there are only some issues to be solved:

1. Choosing the right mechanism. How can I deactivate one of the 
available mechs?
I saw there are two of them in Kerberos: one conforms to RFC1964 and the 
other is PRE-RFC1964.

2. Some little portion of gsstest has to be commented out as of now, as 
I don't have the incentive to investigate it further right at the moment 
(leads to a nasty crash when trying to copy from pointer 0x1). Not sure 
if it's really, really needed by R/3.

3. I patched gss_display_name() to remove leading blanks and tabs from 
str. This removes the failure of a SAP constraint.

4. The -e option of the gsstest program leads to a crash. The -f option 
works.

5. By hard-wiring the mech selection in gsstest I found out that gsstest 
seems to work with both mechs offered by libgssapi_krb5.so. The default 
selection of the SAP SNC module seems to be PRE-RFC1964. By compiling 
gsstest with the option -ggdb I was able to debug it somewhat more 
comfortably and it looks like the mech selection is based solely on the 
length-field. So the simplest solution seems to be to leave only one mech 
in the library.
My initial question was: how do I do this? And which one would you suggest?

Any hints greatly appreciated and TIA,

Calin Barbat.
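
Added example, not part of the original post and not code from MIT Kerberos or gsstest: a GSS-API initial context token starts with tag 0x60, a DER length, and the mechanism OID (RFC 2743, section 3.1), so the mechanism a peer selected can be read from the first bytes of the token. The sketch below classifies a token as RFC 1964 krb5 (1.2.840.113554.1.2.2) or the pre-RFC 1964 krb5 OID (1.3.5.1.5.2) by comparing the full OID; the function names and the two sample tokens are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* DER content octets of the two krb5 mechanism OIDs (9 and 5 bytes long). */
static const unsigned char KRB5_RFC1964[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const unsigned char KRB5_PRE_RFC[] = {0x2b,0x05,0x01,0x05,0x02};
/* Constructed sample tokens: header + OID + 2 placeholder inner bytes. */
static const unsigned char SAMPLE_RFC[] = {0x60,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,0x01,0x00};
static const unsigned char SAMPLE_OLD[] = {0x60,0x09,0x06,0x05,0x2b,0x05,0x01,0x05,0x02,0x01,0x00};

enum mech { MECH_MALFORMED = -1, MECH_UNKNOWN = 0, MECH_KRB5_RFC1964, MECH_KRB5_PRE_RFC1964 };

/* Read a DER definite length at b[*pos]; returns 0 on success and advances *pos. */
static int der_len(const unsigned char *b, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    unsigned char c = b[(*pos)++];
    if (c < 0x80) { *out = c; return 0; }          /* short form */
    size_t k = c & 0x7f, v = 0;                    /* long form: k length octets */
    if (k == 0 || k > sizeof(size_t) || k > n - *pos) return -1;
    while (k--) v = (v << 8) | b[(*pos)++];
    *out = v;
    return 0;
}

/* Classify an initial context token by its mechanism OID (hypothetical helper). */
enum mech classify_token(const unsigned char *tok, size_t n)
{
    size_t pos = 0, body, oidlen;
    if (n < 2 || tok[pos++] != 0x60) return MECH_MALFORMED;   /* [APPLICATION 0] */
    if (der_len(tok, n, &pos, &body) || body > n - pos) return MECH_MALFORMED;
    size_t end = pos + body;
    if (end - pos < 2 || tok[pos++] != 0x06) return MECH_MALFORMED; /* OID tag */
    if (der_len(tok, end, &pos, &oidlen) || oidlen > end - pos) return MECH_MALFORMED;
    const unsigned char *oid = tok + pos;
    /* Compare length and content, so two OIDs of equal length are not confused. */
    if (oidlen == sizeof KRB5_RFC1964 && !memcmp(oid, KRB5_RFC1964, oidlen)) return MECH_KRB5_RFC1964;
    if (oidlen == sizeof KRB5_PRE_RFC && !memcmp(oid, KRB5_PRE_RFC, oidlen)) return MECH_KRB5_PRE_RFC1964;
    return MECH_UNKNOWN;
}

int main(void)
{
    printf("sample 1 -> %d\n", classify_token(SAMPLE_RFC, sizeof SAMPLE_RFC));
    printf("sample 2 -> %d\n", classify_token(SAMPLE_OLD, sizeof SAMPLE_OLD));
    return 0;
}
```

Feeding it the first bytes of the token exchanged in a failing handshake shows which mechanism OID the initiator actually sent.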


