Kerberos Initialization error with SAP
Ubaid Rahman
ubaid.u.rahman at gsk.com
Thu Dec 8 11:51:59 EST 2011
Hi All
We are trying to set up a SAP SSO over Kerberos and SAP SNC adapter..
After many hurdles we have got to a point where SAP gives the below error:
M load shared library (/usr/lib/snckrb5.so), hdl 1
N File "/usr/lib/snckrb5.so" dynamically loaded as SNC-Adapter.
N The Adapter identifies as:
N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p/krb5:s03adm at WMSERVICE.CORPNET1.COM
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): No principal in keytab matches desired name
N Could't acquire ACCEPTING credentials for
N
N name="p:s03adm at WMSERVICE.CORPNET1.COM"
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 223]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 225]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 9708]
I have copied the output of some Kerberos commands below for reference, please let me know if anybody have any ideas as to what we are doing wrong..
# klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: s03adm at WMSERVICE.CORPNET1.COM
Valid starting Expires Service principal
12/08/11 00:00:01 12/08/11 10:00:02 krbtgt/WMSERVICE.CORPNET1.COM at WMSERVICE.CORPNET1.COM
Renew until 12/09/11 00:00:01
# kvno s03adm
kvno = 6
root at ussapsmr01:/home/root >
# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
------ ------ ------------------------------------------------------
1 5 host/ussapsmr00.wmservice.corpnet1.com at WMSERVICE.CORPNET1.COM
2 5 host/ussapsmr00.wmservice.corpnet1.com at WMSERVICE.CORPNET1.COM
3 5 host/ussapsmr00.wmservice.corpnet1.com at WMSERVICE.CORPNET1.COM
4 6 host/ussapsmr00.wmservice.corpnet1.com at WMSERVICE.CORPNET1.COM
Though I was able to initialize the sidadm user mapped to the service principal, I have not been able to successfully initialize the Principal itself, here is the error when I do that..
# kinit host/ussapsmr00.wmservice.corpnet1.com at WMSERVICE.CORPNET1.COM
Unable to obtain initial credentials.
Status 0x96c73a06 - Client not found in Network Authentication Service database or client locked out.
Appreciate any help in advance - Thanks
Ubaid Rahman
Senior AIX Administrator
SCS C&ES Infrastructure
Admin 1 # 146E
Ph # *.703.2817 (internal) or 919.483.2817 (external)
# 919.314.7177 (cell)
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of kerberos-request at mit.edu
Sent: Wednesday, December 07, 2011 12:09 PM
To: kerberos at mit.edu
Subject: Kerberos Digest, Vol 108, Issue 2
Send Kerberos mailing list submissions to
kerberos at mit.edu
To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.mit.edu/mailman/listinfo/kerberos
or, via email, send a message with subject or body 'help' to
kerberos-request at mit.edu
You can reach the person managing the list at
kerberos-owner at mit.edu
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Kerberos digest..."
Today's Topics:
1. MITKRB5-SA-2011-007 KDC null pointer dereference in TGS
handling [CVE-2011-1530] (Tom Yu)
2. test cases compilation encountered error (Bear)
----------------------------------------------------------------------
Message: 1
Date: Tue, 06 Dec 2011 14:07:40 -0500
From: Tom Yu <tlyu at MIT.EDU>
Subject: MITKRB5-SA-2011-007 KDC null pointer dereference in TGS
handling [CVE-2011-1530]
To: kerberos-announce at MIT.EDU
Message-ID: <ldvehwhlds3.fsf at cathode-dark-space.mit.edu>
Content-Type: text/plain; charset="us-ascii"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MITKRB5-SA-2011-007
MIT krb5 Security Advisory 2011-007
Original release: 2011-12-06
Last update: 2011-12-06
Topic: KDC null pointer dereference in TGS handling
CVE-2011-1530
KDC null pointer dereference in TGS handling
CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C/E:H/RL:OF/RC:C
CVSSv2 Base Score: 6.8
Access Vector: Network
Access Complexity: Low
Authentication: Single
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
CVSSv2 Temporal Score: 5.9
Exploitability: High
Remediation Level: Official Fix
Report Confidence: Confirmed
SUMMARY
=======
In releases krb5-1.9 and later, the KDC can crash due to a null
pointer dereference in code that handles TGS (Ticket Granting Service)
requests. The trigger condition is trivial to produce using
unmodified client software, but requires the ability to authenticate
as a principal in the KDC's realm.
IMPACT
======
An authenticated remote attacker can crash a KDC via null pointer
dereference.
AFFECTED SOFTWARE
=================
* The KDC in krb5-1.9 and later is vulnerable. Earlier releases
predate the internal interface changes that led to this
vulnerability.
FIXES
=====
* Workaround: restart the KDC when it crashes, possibly using an
automated monitoring process.
* Apply the patch:
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index f46cad3..102fbaa 100644
- --- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -67,6 +67,7 @@ check-unix:: rtest
check-pytests::
$(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
install::
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c169c54..840a2ef 100644
- --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -243,7 +243,8 @@ tgt_again:
if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
errcode = find_alternate_tgs(request, &server);
firstpass = 0;
- - goto tgt_again;
+ if (errcode == 0)
+ goto tgt_again;
}
}
status = "UNKNOWN_SERVER";
diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
new file mode 100644
index 0000000..1760bcd
- --- /dev/null
+++ b/src/kdc/t_emptytgt.py
@@ -0,0 +1,8 @@
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(start_kadmind=False, create_host=False)
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
+if 'not found in Kerberos database' not in output:
+ fail('TGT lookup for empty realm failed in unexpected way')
+success('Empty tgt lookup.')
This patch is also available at
http://web.mit.edu/kerberos/advisories/2011-007-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2011-007-patch.txt.asc
REFERENCES
==========
This announcement is posted at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-007.txt
This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:
http://web.mit.edu/kerberos/advisories/index.html
The main MIT Kerberos web page is at:
http://web.mit.edu/kerberos/index.html
CVSSv2:
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
CVE: CVE-2011-1530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1530
ACKNOWLEDGMENTS
===============
Simo Sorce discovered this vulnerability.
CONTACT
=======
The MIT Kerberos Team security contact address is
<krbcore-security at mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:
pub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid MIT Kerberos Team Security Contact <krbcore-security at mit.edu>
DETAILS
=======
The process_tgs_req() function in the KDC has logic that attempts to
find an alternative service principal if the service principal in the
client's TGS-REQ is unknown. If the find_alternate_tgs() helper
function returns an error that is not KRB5_KDB_NOENTRY, it leaves the
server variable holding a null pointer. The process_tgs_req()
function improperly ignores that error, and proceeds to call functions
that dereference the null pointer.
Prior to krb5-1.9, the krb5_db_get_principal() function and related
interfaces had output parameters "more" and "nprincs". The krb5-1.9
release includes changes to these interfaces so that they no longer
have those outputs. Prior to krb5-1.9, the find_alternate_tgs()
function in the KDC had a void return type, and indicated failure by
setting its "more" and "nprincs" outputs appropriately. Its interface
changed in krb5-1.9 to instead return an error code, with
corresponding changes to process_tgs_req(); these changes to
process_tgs_req() were flawed and allow errors other than
KRB5_KDB_NOENTRY to cause a null pointer dereference.
The vulnerable code executes after the KDC authenticates the request,
so an attacker must have first obtained valid initial Kerberos
credentials for the target realm.
REVISION HISTORY
================
2011-12-06 original release
Copyright (C) 2011 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)
iQCVAgUBTt5mYabDgE/zdoE9AQIuKAQA0K1YUeTKjEIVjEIufpTanNoipQiWRNCE
alUjkcxQeD3yFK8LU6yKcs0CdTI60FDst3788tUtoGDdwpnbc90Rv8EID00VtgEc
0rI4Nfe32MxP/UlNNVRinWkwtDLWeh1gKQOPXAjeapKQcWAFB3tM/haRnDgCu49I
snM0jQSBFgA=
=FK9G
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos-announce at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce
------------------------------
Message: 2
Date: Wed, 07 Dec 2011 17:09:10 +0800
From: Bear <bear.yang at oracle.com>
Subject: test cases compilation encountered error
To: kerberos at MIT.EDU
Message-ID: <4EDF2D36.3010709 at oracle.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Hi All,
I want to compile the test cases located krb5-1.8.5/src/ccapi/test
single with solaris 11 on i386 platform, but encountered the error below:
=================================
Undefined first referenced
symbol in file
current_test_name test_cc_ccache_clear_kdc_time_offset.o
current_test_activity test_cc_ccache_clear_kdc_time_offset.o
check_cc_ccache_clear_kdc_time_offset test_cc_ccache_clear_kdc_time_offset.o
ld: fatal: symbol referencing errors. No output written to
test_cc_ccache_clear_kdc_time_offset
*** Error code 1
make: Fatal error: Command failed for target
`test_cc_ccache_clear_kdc_time_offset'
=================================
Who can tell me where I can find these symbols?
Thanks.
--
Regards,
Bear
------------------------------
_______________________________________________
Kerberos mailing list
Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
End of Kerberos Digest, Vol 108, Issue 2
****************************************
More information about the Kerberos
mailing list