AW: Validation with Kerberos 5, SAP Linux, SNC for SSO

Juan Manuel Sestelo eltoken02 at yahoo.com.ar
Tue Nov 2 10:10:32 EST 2004


Calin / Pavel, 
thanks a lot for your answers!

The SAP user XXXadm didn't have permission for the keytab file. We have already changed the
permissions, and tried it again.
I believe we made some progress in this because the error changed. 
The new log is the following:

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1510]
N        GSS-API(maj): Miscellaneous failure
N        GSS-API(min): No credentials cache found
N      Could't acquire INITIATING credentials for
N
N      name="p:SAPServiceXXX at DOMAIN.COM"
N  SncInit(): Fatal -- Initiating Credentials not available!
N  <<- SncInit()==SNCERR_GSSAPI
N           sec_avail = "false"
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    223]
M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    225]
M  in_ThErrHandle: 1
M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   8534]


Thanks!

JuanM.



 --- "Barbat, Calin" <> wrote: 
> Did you ensure that the user which starts the SAP server has read permission to the keytab?
> 
> 
> -----Original Message-----
> From: JuanM []
> Sent: Tuesday, 2 November 2004 03:45
> To: kerberos at mit.edu
> Subject: Validation with Kerberos 5, SAP Linux, SNC for SSO
> 
> 
> We want to install Single Sign-On functionality for SAP, with BC-SNC, Kerberos 5 and Active
> Directory, but when we configure SNC in SAP with Kerberos we have a validation error as soon as
> we start SAP.
> Notice: 
> We have installed SAP over Linux which has Kerberos 5, the library that we are using is
> libgssapi_krb5.so.
> The domain controllers of the AD are Windows 2003.
> 
> The configuration seems to be ok, we create the accounts in the AD (Linux server account
> "hostname" and SAP Service account "SAPServiceXXX"), however when SAP starts we FIND the
> following error:
> 
> N  SncInit(): Initializing Secure Network Communication (SNC)
> N        Intel x86 with Linux (st,ascii,SAP_UC/size_t/void* = 8/32/32)
> N  SncInit():   	found snc/data_protection/max=3, using 3 (Privacy Level)
> N  SncInit():   	found snc/data_protection/min=3, using 3 (Privacy Level)
> N  SncInit():   	found snc/data_protection/use=3, using 3 (Privacy Level)
> N  SncInit(): 	found snc/gssapi_lib=/usr/kerberos/lib/libgssapi_krb5.so
> N    File "/usr/kerberos/lib/libgssapi_krb5.so" dynamically loaded as GSS-API v2 library.
> N    The internal Adapter for the loaded GSS-API mechanism identifies as:
> N    Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
> N  SncInit():   	found snc/identity/as=p:SAPServiceXXX at DOMAIN.COM
> N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1510]
> N        GSS-API(maj): Miscellaneous failure
> N        GSS-API(min): Permission denied
> N      Could't acquire ACCEPTING credentials for
> N
> N      name="p: SAPServiceXXX at DOMAIN.COM"
> N  SncInit(): Fatal -- Accepting Credentials not available!
> N  <<- SncInit()==SNCERR_GSSAPI
> N           sec_avail = "false"
> 
> 
> I can't find any information for the error code.
> Could you please help me with this problem?
> 
> Thanks in advance!


=====
Regards.
JuanM.
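
The two traces in this thread differ only in the credential usage (ACCEPTING vs. INITIATING) and the GSS-API minor status. The following is an added example, not part of the original messages or of SAP's tooling: a small parser that pulls those fields out of an SNC trace and names the local resource to inspect. The function names and the `RESOURCE` mapping are assumptions made for illustration.

```python
import re

# Second trace from this thread, copied as sample input.
SAMPLE_TRACE = """\
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1510]
N        GSS-API(maj): Miscellaneous failure
N        GSS-API(min): No credentials cache found
N      Could't acquire INITIATING credentials for
N
N      name="p:SAPServiceXXX at DOMAIN.COM"
N  SncInit(): Fatal -- Initiating Credentials not available!
"""

ERROR_RE = re.compile(r"\*\*\* ERROR => (\w+)\(\)==(\w+)")
STATUS_RE = re.compile(r"GSS-API\((maj|min)\):\s*(.+?)\s*$")
USAGE_RE = re.compile(r"acquire (ACCEPTING|INITIATING) credentials")
NAME_RE = re.compile(r'name="\s*(?:p:)?\s*([^"]+)"')

# Assumed mapping: ACCEPTING -> keytab follows the thread's own fix;
# INITIATING -> credentials cache follows the minor status text above.
RESOURCE = {
    "ACCEPTING": "keytab file (read permission for the user starting SAP)",
    "INITIATING": "credentials cache of the user starting SAP",
}

def parse_snc_errors(trace):
    """Return one dict per '*** ERROR => Func()==CODE' block in an SNC trace."""
    errors, current = [], None
    for raw in trace.splitlines():
        line = raw.lstrip("> ")  # tolerate mail-quoted trace lines
        head = ERROR_RE.search(line)
        if head:
            current = {"call": head.group(1), "rc": head.group(2)}
            errors.append(current)
        elif current is not None:
            for key, rx in (("usage", USAGE_RE), ("name", NAME_RE)):
                m = rx.search(line)
                if m:
                    current[key] = m.group(1)
            m = STATUS_RE.search(line)
            if m:
                current[m.group(1)] = m.group(2)
    return errors

def resource_to_check(error):
    """Name the local Kerberos resource tied to the failed credential usage."""
    return RESOURCE.get(error.get("usage"), "unknown")

if __name__ == "__main__":
    for err in parse_snc_errors(SAMPLE_TRACE):
        print(err["call"], err.get("min"), "->", resource_to_check(err))
```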


	

	
		


