[krbdev.mit.edu #7028] libgssapi_krb5.so.2.2 crashes

patrick.obergfoell@kern.ag via RT rt-comment at krbdev.mit.edu
Tue Nov 29 10:03:51 EST 2011


Dear all,

Here is a little more information on the specific problem:
I get the following error with the MIT Kerberos5 Implementation libraries
on SLES 11 SP1.
Version: krb5-1.6.3-133.46.1
The libgssapi_krb5.so.2.2 crashes.

We use the MIT Kerberos5 Implementation as described in the attachment:
- SSOforSAPNWASABAPonPower.pdf

As Primary Domain Controller and Key Distribution Center we use
Microsoft Windows 2008 SR2.

Service Principal Name is set: 
setspn -A SAPService/sapcusc00.kern.intra KERN\c00adm

The keytab is generated on the Windows AD server and then copied to the 
host with the SAP system on it. 

To test if the keytab works, run kinit -k <service_principal_name> on the
Linux host.
The SPN must be exactly the same as in the keytab.
Kinit will compare the given SPN with the one in the keytab and if they
are the same, no password is needed to request a Kerberos ticket because
it was already defined in the keytab.

/usr/bin/kinit -V -k SAPService/sapcusc00.kern.intra@KERN.INTRA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - 
sapcusc00:c00adm 51> /usr/bin/kinit -V -k SAPService/sapcusc00.kern.intra@KERN.INTRA
Authenticated to Kerberos v5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Test with 
/usr/bin/klist
- - - - - - - - - - - - - - - - - - - - - - - - - - - - 
sapcusc00:c00adm 81> /usr/bin/klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: SAPService/sapcusc00.kern.intra@KERN.INTRA

Valid starting     Expires            Service principal
11/25/11 14:34:32  11/26/11 00:35:03  krbtgt/KERN.INTRA@KERN.INTRA
        renew until 11/26/11 14:34:32


Kerberos 4 ticket cache: /tmp/tkt1002
klist: You have no tickets cached
- - - - - - - - - - - - - - - - - - - - - - - - - - - - 


SAP's support is strictly limited to SAP's side of the code which calls 
external products according to the definition of the GSS-API v2 interface 
specification (rfc-2743, rfc-2744) with the constraints published as part
of SAP's BC-SNC interoperability certification.

In general, checking your MIT Kerberos library with SAP's tool "GSSTEST"
(see below) should give you some indication whether your library is
interoperable with SAP R/3.
The Result of the Test is attached as gsstest_Result.zip - krb5_2_2.log. 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Everything seems to be OK. 

Test with 
klist
- - - - - - - - - - - - - - - - - - - - - - - - - - - - 
sapcusc00:c00adm 52> klist
Credentials cache /home/c00adm/krb5cc_c00adm cannot be found

sapcusc00:c00adm 53> echo $path
/sapdb/programs/bin /usr/lib64/jvm/jre/bin . /home/c00adm 
/usr/sap/C00/SYS/exe/run /home/c00adm/bin /usr/bin /bin /usr/sbin /sbin 
/usr/local/bin /usr/bin/X11 /usr/X11R6/bin /usr/games /usr/lib/mit/bin 
/usr/lib/mit/sbin
- - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Check for File klist
Find File
 ./tmp/sapinst_exe.4415.1303146124/jre/bin/
     klist 
 ./usr/bin/ 
     klist 
 ./usr/lib64/jvm/java-1_4_2-ibm-1.4.2/jre/bin/
     klist 
 ./usr/lib/mit/bin/ 
     klist 

Check for File libgssapi_krb5.so.2.2
Find File 
 ./usr/lib64/ 
     libgssapi_krb5.so.2.2
 ./usr/lib/ 
     libgssapi_krb5.so.2.2

Here are my questions:
Is this a known bug of the version krb5-1.6.3-133.46.1?
Or could it be a configuration problem?
Which version patches the error?
What else can I contribute to find a solution?

The error is thrown at the moment the work process in the SAP system is
started.
error.log (fully attached gsstest_Result.zip - dev_w0)

N  SncInit(): Initializing Secure Network Communication (SNC)
N        AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)
N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=/usr/lib64/snckrb5.so
N    File "/usr/lib64/snckrb5.so" dynamically loaded as SNC-Adapter.
N    The Adapter identifies as:
N    External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
M  ------------------ C-STACK ----------------------
(CTrcStack2+0x82)[0x6c3972]
(SigIGenAction+0x2ad)[0x198e04d]
/lib64/libpthread.so.0[0x7f6b1874c5d0]
(sem_wait+0x2b)[0x12bf25b]
/lib64/libcom_err.so.2(add_error_table+0x2d)[0x7f699964782d]
/usr/lib64/libgssapi_krb5.so.2[0x7f6999d1930b]
/lib64/libpthread.so.0(pthread_once+0x53)[0x7f6b18749a83]
/usr/lib64/libgssapi_krb5.so.2[0x7f6999d18813]
/usr/lib64/libgssapi_krb5.so.2(gss_indicate_mechs+0x34)[0x7f6999d1fb34]
/usr/lib64/snckrb5.so(sapgss_indicate_mechs+0x1d)[0x7f6999f3ff5d]
(SncPDLInit+0x3dc)[0x18f163c]
(SncInit+0x537)[0x18f0777]
(SncInitU+0x53)[0x18e3263]
(ThSncInit+0x8b)[0x5cd7ab]
(ThInit+0xd45)[0x556165]
(ThStart+0x11b)[0x55826b]
(DpMain+0x228)[0x4bdf68]
/lib64/libc.so.6(__libc_start_main+0xe6)[0x7f6b183fdbc6]

Best regards

Patrick Obergföll
More information about the krb5-bugs mailing list
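
Added example, not part of the original message and not SAP or MIT code: a short Python triage of the C-STACK quoted in the report, attributing each frame to its module and listing where a shared library calls into a frame printed without a module path. Treating path-less frames as the main executable is an assumption of this example, as are the helper names.

```python
import re

# Inner frames copied from the C-STACK in the report (innermost first).
C_STACK = """\
(CTrcStack2+0x82)[0x6c3972]
(SigIGenAction+0x2ad)[0x198e04d]
/lib64/libpthread.so.0[0x7f6b1874c5d0]
(sem_wait+0x2b)[0x12bf25b]
/lib64/libcom_err.so.2(add_error_table+0x2d)[0x7f699964782d]
/usr/lib64/libgssapi_krb5.so.2[0x7f6999d1930b]
/lib64/libpthread.so.0(pthread_once+0x53)[0x7f6b18749a83]
/usr/lib64/libgssapi_krb5.so.2[0x7f6999d18813]
/usr/lib64/libgssapi_krb5.so.2(gss_indicate_mechs+0x34)[0x7f6999d1fb34]
/usr/lib64/snckrb5.so(sapgss_indicate_mechs+0x1d)[0x7f6999f3ff5d]
(SncPDLInit+0x3dc)[0x18f163c]
(SncInit+0x537)[0x18f0777]
"""

FRAME = re.compile(r"^(?P<mod>/[^(\[\s]+)?"                       # optional module path
                   r"(?:\((?P<sym>[^+)]+)(?:\+0x[0-9a-f]+)?\))?"  # optional (symbol+offset)
                   r"\[0x(?P<addr>[0-9a-f]+)\]$")                 # return address
MAIN = "<main executable>"  # assumption: frames printed without a path

def parse(text):
    """Return (module, symbol or None, address) per frame, innermost first."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:  # ignore anything that is not a frame line
            frames.append((m["mod"] or MAIN, m["sym"], int(m["addr"], 16)))
    return frames

def calls_into_main(frames):
    """(callee symbol, calling module) where a shared library calls a main-executable frame."""
    out = []
    for callee, caller in zip(frames, frames[1:]):
        if callee[0] == MAIN and caller[0] != MAIN:
            out.append((callee[1], caller[0]))
    return out

def entry_point(frames, name):
    """Outermost named frame inside a module, i.e. the call that entered it."""
    hits = [f for f in frames if name in f[0] and f[1]]
    return hits[-1][1] if hits else None

if __name__ == "__main__":
    fr = parse(C_STACK)
    print(calls_into_main(fr), entry_point(fr, "libgssapi_krb5"))
```

The first pair returned is signal delivery into the SAP handler. The second is the sem_wait frame, whose address 0x12bf25b lies among the path-less frames rather than in the libpthread range seen at 0x7f6b18….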