Kerberos5 with sap and linux

Barbat, Calin c.barbat at osram.de
Wed Jun 20 03:33:21 EDT 2007


Dear Thomas,

Are you using MIT Kerberos or Heimdal Kerberos? Many Linux distributions package Heimdal, which is not as good as MIT...

Kind regards

Calin Barbat

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of T_Kast at gebr-heinemann.de
Sent: Tuesday, June 19, 2007 2:52 PM
To: kerberos at mit.edu
Subject: Kerberos5 with sap and linux 

Dear Kerberos experts,
I followed a description from c.barbat that I found on the MIT Kerberos list to validate Kerberos.
My environment is:

RH REL Red Hat 3.4.6-2 64-bit with
Kerberos krb5-libs-1.3.4-27 (Standard from RH)
SAP WEB AS Version 6.40

What I did:

* I generated the snckrb5.so as described
* I got a keytab file from the Windows guys
* I compiled the gsstest utility from SAP SDN
* I did a kinit for the sap<sid> user
* Before I started with the SAP stuff I tried gsstest, which already fails with the following errors:
  "SAPService/gh.de at GH.DE"
  Nametype oid = {1 2 840 113554 1 2 2 1}         NT= GSS_KRB5_NT_PRINCIPAL_NAME

TEST: Examining the exported name framing
  Framing details for exported name (Section 3.2, GSS-API v2 spec):
    TOK_ID            :   00000: 04 01
    MECH_OID_LEN = 11 :   00002: 00 0b
        OID tag       :   00004: 06
        OID len =   9 :   00005: 09
        OID elements  :   00006: 2a 86 48 86 f7 12 01 02  02
          = {1 2 840 113554 1 2 2}         MECH= Kerberos 5 (v2 - rfc1964)
    NAME_LEN   =   22 :   0000f: 00 00 00 16
    NAME              :   00013: 53 41 50 53 65 72 76 69   SAPServi
                          0001b: 63 65 2f 67 68 2e 64 65   ce/gh.de
                          00023: 40 47 48 2e 44 45         @GH.DE
Status:  gss_release_name() == (GSS_S_CALL_INACCESSIBLE_READ|GSS_S_BAD_NAME)
         gss_display_status(0x01020000,GSS_S_GSS_CODE) =
           "A required input parameter could not be read"
           "An invalid name was supplied"
names.c(251): ERROR: (gss_name_t)out_name   was not zeroed by gss_release_name()!
RESULT  NOT ok (rc=2)

Can anyone provide me a snckrb5.so file for my platform, or better, give me some hints as to what went wrong?


Thanks
Thomas
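
The exported-name framing that gsstest prints in the message above (TOK_ID, MECH_OID_LEN, DER OID, NAME_LEN, NAME), shown as an added C example that is not part of the original thread or of gsstest: a bounds-checked parser run over the bytes from that dump. The names `parse_exported_name`, `struct exported_name` and `sample_token` are assumptions of this example, and it accepts only short-form DER lengths.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed from the gsstest dump quoted above (offsets 0x00-0x28). */
static const uint8_t sample_token[] = {
    0x04, 0x01,                                   /* TOK_ID              */
    0x00, 0x0b,                                   /* MECH_OID_LEN = 11   */
    0x06, 0x09,                                   /* OID tag, OID len 9  */
    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02,
    0x00, 0x00, 0x00, 0x16,                       /* NAME_LEN = 22       */
    'S','A','P','S','e','r','v','i','c','e','/','g','h','.','d','e',
    '@','G','H','.','D','E'
};

struct exported_name {                    /* hypothetical result type */
    const uint8_t *oid;  size_t oid_len;  /* OID elements, no tag/length */
    const uint8_t *name; size_t name_len; /* NOT NUL-terminated */
};

/* Returns 0 on success, or a negative code naming the field that failed. */
int parse_exported_name(const uint8_t *p, size_t n, struct exported_name *out)
{
    if (n < 4 || p[0] != 0x04 || p[1] != 0x01)
        return -1;                                /* bad TOK_ID */
    size_t mech_len = ((size_t)p[2] << 8) | p[3];
    if (mech_len < 2 || mech_len > n - 4)
        return -2;                                /* MECH_OID_LEN overruns */
    if (p[4] != 0x06)
        return -3;                                /* not a DER OID */
    if (p[5] >= 0x80 || (size_t)p[5] + 2 != mech_len)
        return -4;                                /* OID must fill the field */
    size_t off = 4 + mech_len;
    if (n - off < 4)
        return -5;                                /* no room for NAME_LEN */
    size_t name_len = ((size_t)p[off] << 24) | ((size_t)p[off + 1] << 16) |
                      ((size_t)p[off + 2] << 8) | p[off + 3];
    off += 4;
    if (name_len != n - off)
        return -6;                                /* NAME must end the token */
    out->oid = p + 6;
    out->oid_len = p[5];
    out->name = p + off;
    out->name_len = name_len;
    return 0;
}
```
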

