SNC - GSS/API Kerberos related errors

Prashant Vijaydas prashant.vijayadas at gmail.com
Wed Jul 30 09:09:23 EDT 2014


Hello Gurus,

I am trying to get SNC (SSO) on the SAPGUI working after migrating from
Windows 2008 / Oracle to Linux RHEL 6.4 / Sybase.
Currently we are testing on the target Linux [RHEL 6.4] server, against a
Windows AD domain.

The OS part of SSO still works, I get a TGT, klist shows me the correct
credentials, etc., but the ABAP stack no longer authenticates via SSO.
Kinit works fine with the Linux server getting authenticated at the Windows
AD [via root].

Kinit via sbqadm
-----------------------

orsapbisbx01:sbqadm 51> kinit -V -k SBQADM/<hostname.mydomain.com>@<MYDOMAIN.COM>
Using default cache: /tmp/krb5cc_500
Using principal: SBQADM/<hostname.mydomain.com>@<MYDOMAIN.COM>
Authenticated to Kerberos v5

Klist shows us the ticket
-----------------------

orsapbisbx01:sbqadm 141>    klist -e
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: SBQADM/<hostname.mydomain.com>@<MYDOMAIN.COM>

Valid starting     Expires            Service principal
07/30/14 05:27:03  07/30/14 15:27:03  krbtgt/<MYDOMAIN.COM>@<MYDOMAIN.COM>
        renew until 08/06/14 05:27:03, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
orsapbisbx01:sbqadm 142>


Dev_w* logs
-----------------------

SNC is correctly initialized, as seen in the dev_w* traces:

  immediate print option for implicitely closed spool requests is disabled
N  SncInit(): Initializing Secure Network Communication (SNC)
N        AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N        UserId="sbqadm" (500), envvar USER="sbqadm"
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=2, using 2 (Integrity Level)
N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=/lib64/libgssglue.so.1
N    File "/lib64/libgssglue.so.1" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N  SncInit():   found snc/identity/as=p/krb5:SBQADM/<hostname.mydomain.com>@<MYDOMAIN.COM>
N  SncInit(): Accepting  Credentials available, lifetime=Expired
N  SncInit(): Initiating Credentials available, lifetime=Expired
M  SNC (Secure Network Communication) enabled

In the SAPGUI
-----------------------
Under the SNC tab, the SNC name is as below
SNC Name: p/krb5:SBQADM/<hostname.mydomain.com>@<MYDOMAIN.COM>

On the SAP server, the SNC name is typed as below under the SNC tab of
the user account properties:
p:pvijayda at MYDOMAIN.COM

On the front end system
-------------------------------------
I'm using the "gsskrb5.dll" library, which I moved into the directory
%windir%\system32
After that I had to add the system variable SNC_LIB with the value
"gsskrb5.dll".  I tried both manually as well as via the installer from SAP
Note 595341 alternatively.

Main Error
-----------------------

In spite of all these settings, the ABAP stack doesn't authenticate the
users; all I get is a funny error popup "SAP System Message: S".

Errors in dev_w* traces
-----------------------

N Wed Jul 30 05:36:26 2014
N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3364]
N     GSS-API(maj): Unspecified GSS failure.  Minor code may provide more information
N     GSS-API(min): No key table entry found for SBQADM/<hostname.mydomain.com>@<MYDOMAIN.COM>
N      Unable to establish the security context
N  <<- SncProcessInput()==SNCERR_GSSAPI
M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1035]
M  {root-id=00221982BAFF1ED485FCC3E84CDAD009}_{conn-id=00000000000000000000000000000000}_0
M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1040]
M  {root-id=00221982BAFF1ED485FCC3E84CDAD009}_{conn-id=00000000000000000000000000000000}_0


Is there something wrong with my configuration? I feel the issue is at the
front end. Do I need to change my snc/gssapi_lib library? We were using
/usr/lib64/snckrb5.so initially, which was compiled for Linux from the
SNC adapter downloaded from SCN, then tried with
/usr/lib64/libgssapi_krb5.so, but no success whatsoever.

Any help will be greatly appreciated, as we have started going in circles
after nearly 2 weeks of configuration.

Regards
Prashant Vijaydas
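
Added example, not part of the original post and not SAP or MIT Kerberos code: a small Python helper that reads a dev_w* excerpt like the one quoted above, rejoins mail-wrapped lines, and pulls out the snc/* settings, the credential lifetimes and the principal named in the GSS-API minor status. The sample trace, host.example.com and EXAMPLE.COM are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in the dev_w* layout quoted above; host and realm are
# placeholders, and some lines are wrapped the way the mail archive wraps them.
SAMPLE = """\
N  SncInit(): found  snc/gssapi_lib=/lib64/libgssglue.so.1
N  SncInit():   found snc/identity/as=p/krb5:SBQADM/host.example.com@
EXAMPLE.COM
N  SncInit(): Accepting  Credentials available, lifetime=Expired
N  SncInit(): Initiating Credentials available, lifetime=Expired
N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3364]
N     GSS-API(maj): Unspecified GSS failure.  Minor code may provide more
information
N     GSS-API(min): No key table entry found for SBQADM/
host.example.com@EXAMPLE.COM
"""

TAG = re.compile(r"^[A-Z](\s|$)")  # trace lines open with a one-letter component tag

def unwrap(text):
    """Glue wrapped continuations back onto the tagged line they belong to."""
    out = []
    for line in filter(str.strip, text.splitlines()):
        if TAG.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def summarize(text):
    """Collect snc/* settings, credential lifetimes and GSS-API status text."""
    info = {"settings": {}, "lifetime": {}, "gss": []}
    for line in unwrap(text):
        if m := re.search(r"GSS-API\((maj|min)\):\s*(.*)", line):
            info["gss"].append((m[1], m[2]))
        elif m := re.search(r"found\s+(snc/[\w/]+)=([^,]*)", line):
            info["settings"][m[1]] = re.sub(r"\s+", "", m[2])  # drop wrap spaces
        elif m := re.search(r"(Accepting|Initiating)\s+Credentials available, lifetime=(\S+)", line):
            info["lifetime"][m[1]] = m[2]
    return info

def keytab_misses(info):
    """Principals named in 'No key table entry found for ...' minor messages."""
    found = (re.match(r"No key table entry found for (.+)", msg)
             for kind, msg in info["gss"] if kind == "min")
    return [re.sub(r"\s+", "", m[1]) for m in found if m]

if __name__ == "__main__":
    print(summarize(SAMPLE), keytab_misses(summarize(SAMPLE)), sep="\n")
```

Comparing the `keytab_misses` result with the `snc/identity/as` value (minus its `p/krb5:` prefix) shows whether the acceptor searched its key table for the same principal the instance is configured with.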

