AW: AW: Validation with Kerberos 5, SAP Linux, SNC for SSO

Barbat, Calin c.barbat at osram.de
Tue Nov 2 11:22:46 EST 2004 

I forgot that for Linux there was no sncadapt/build.Linux provided,
so I had to write one myself:

     #!/bin/sh
     OBJ=".o"
     CC="cc"
     CFLAGS="-g -DXDEBUG=1"
     RM="rm -f"
     EXE=""
     LD="$CC"
     LDFLAGS="-ldl -lnsl -lpthread -lc"
     LDTARGET='-o $@'
     XD=""
     LDLIBS="-ldl"
     SHEXT=".so"
     SHFLAGS="-fPIC"
     LINK_SHARED='$(CC) -shared -Wl,-export-dynamic -Wl,-soname,$@'
     LINK_SHARED_END=""
     VENLIB="-lgssapi_krb5"
     if [ "$VENLIB" = "" ] ; then
             echo "***"
         echo "*** Please edit $0 and define VENLIB to link your"
         echo "*** GSS-API v2 shared library"
         echo "***"
         exit 1
     fi
     export OBJ CC CFLAGS RM EXE LDLIBS LD LDTARGET LDFLAGS XD
     export SHEXT SHFLAGS LINK_SHARED LINK_SHARED_END VENLIB
     "$@"

Saludos,
Calin.

-----Ursprüngliche Nachricht-----
Von: Juan Manuel Sestelo [mailto:eltoken02 at yahoo.com.ar]
Gesendet: Dienstag, 2. November 2004 16:11
An: kerberos at mit.edu
Betreff: Re: AW: Validation with Kerberos 5, SAP Linux, SNC for SSO


Calin / Pavel, 
thanks a lot for your answers!

The SAP user XXXadm didn't have permission for the keytab file. We have already changed the
permissions, and tried it again.
I believe we made some progress in this because the error changed. 
The new log is the following:

N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1510]
N        GSS-API(maj): Miscellaneous failure
N        GSS-API(min): No credentials cache found
N      Could't acquire INITIATING credentials for
N
N      name="p:SAPServiceXXX at DOMAIN.COM"
N  SncInit(): Fatal -- Initiating Credentials not available!
N  <<- SncInit()==SNCERR_GSSAPI
N           sec_avail = "false"
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    223]
M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    225]
M  in_ThErrHandle: 1
M  *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c   8534]


Thanks!

JuanM.



 --- "Barbat, Calin" <> escribió: 
> Did you ensure that the user which starts the SAP server has read permission to the keytab?
> 
> 
> -----Ursprüngliche Nachricht-----
> Von: JuanM []
> Gesendet: Dienstag, 2. November 2004 03:45
> An: kerberos at mit.edu
> Betreff: Validation with Kerberos 5, SAP Linux, SNC for SSO
> 
> 
> We want to install Single Sign on functionality for SAP, with BC-SNC, Kerberos 5 and Active
> Directory, but when we configure SNC in SAP with kerberos we have a validation error as soon as
> start SAP.
> Notice: 
> We have installed SAP over Linux which has Kerberos 5, the library that we are using is
> libgssapi_krb5.so.
> The domain controllers of the AD are Windows 2003.
> 
> The configuration seems to be ok, we create the accounts in the AD (Linux server account
> "hostname" and SAP Service account "SAPServiceXXX"), however when SAP starts we FIND the
> following
> error:
> 
> N  SncInit(): Initializing Secure Network Communication (SNC)
> N        Intel x86 with Linux (st,ascii,SAP_UC/size_t/void* = 8/32/32)
> N  SncInit():   	found snc/data_protection/max=3, using 3 (Privacy Level)
> N  SncInit():   	found snc/data_protection/min=3, using 3 (Privacy Level)
> N  SncInit():   	found snc/data_protection/use=3, using 3 (Privacy Level)
> N  SncInit(): 	found snc/gssapi_lib=/usr/kerberos/lib/libgssapi_krb5.so
> N    File "/usr/kerberos/lib/libgssapi_krb5.so" dynamically loaded as GSS-API v2 library.
> N    The internal Adapter for the loaded GSS-API mechanism identifies as:
> N    Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
> N  SncInit():   	found snc/identity/as=p:SAPServiceXXX at DOMAIN.COM
> N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [sncxxall.c 1510]
> N        GSS-API(maj): Miscellaneous failure
> N        GSS-API(min): Permission denied
> N      Could't acquire ACCEPTING credentials for
> N
> N      name="p: SAPServiceXXX at DOMAIN.COM"
> N  SncInit(): Fatal -- Accepting Credentials not available!
> N  <<- SncInit()==SNCERR_GSSAPI
> N           sec_avail = "false"
> 
> 
> I can't find any information for the error code.
> Could you please help me with this problem?
> 
> Thanks in advance!


=====
Saludos.
JuanM.


	

	
		
___________________________________ 
¡Llevate a Yahoo! en tu Unifón! 
Ahora podés usar Yahoo! Messenger en tu Unifón, en cualquier momento y lugar. 
Encontrá más información en: http://ar.mobile.yahoo.com/sms.html 

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list