BC-SNC, MIT Kerberos V, SSO, GSS-API v2

Calin Barbat c.barbat at osram.de
Tue Sep 7 04:04:33 EDT 2004


Norbert Klasen wrote:

> Hello Calin,
> a colleague of mine has worked with BC-SNC (with X.509 certificates
> though). Here's what he said.
>
> Norbert
>
 >Loading GSS-API shared library #1 "/usr/local/lib/libgssapi_krb5.so" ...
 >
 >  Resolving SAP SNC-Adapter functions ...
 >    GSS-API v2  "sapsnc_init_adapter"                  (  opt.   )
(missing)
 >    GSS-API v2  "sapsnc_export_cname_blob"             (  opt.   )
(missing)
 >    GSS-API v2  "sapsnc_import_cname_blob"             (  opt.   )
(missing)
 >  Resolving Misc Support functions ...

points to some files offered by SAP. Try to add the sncadapt-Files to your
project, compile them and add the header-files also. You can find the
required files at the following address:

http://www.sap.com/partners/icc/scenarios/technology/bc-snc.aspx  (SNC
Adapter 1.1)

This should solve the problem.

Mit freundlichen Gruessen / Best regards

Cevat Gürsoy
Senior Consultant
Avinci - The Know-How Company


Thank you very much for your help. In the mean time I already downloaded 
the SNC-Adapter (Martin Rex recommended me to do so and pointed me to 
the same download adress) and wrote a suitable build.Linux file to make 
it compile. Now the SAP server loads both alternatives, either using the 
internal SNC adapter with libgssapi_krb5.so as provided by MIT Kerberos 
V release 1.2.8 or the external SNC adapter snckrb5.so provided by SAP 
(it is basically a wrapper to libgssapi_krb5.so containing the three 
additional functions starting with the prefix "sapsnc_").

Both adapters now pass gsstest-1.26. The remaining issue is that I still 
get the following error output (in dev_w0) when trying to SNC connect to 
the server:

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3423]
N        GSS-API(maj): A token was invalid
N        GSS-API(min): Mechanism is incorrect
N      Unable to establish the security context
N  <<- SncProcessInput()==SNCERR_GSSAPI
M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    973]
M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    978]
M  in_ThErrHandle: 1
M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1,
level 1) [thxxhead.c   8787]


Perhaps this is some configuration issue, perhaps it has to do with the 
interoperability between the MIT and Win2k Kerberos implementations.
Any help or hint in the right direction would be greatly appreciated,

Calin Barbat





More information about the Kerberos mailing list