
Kerberos/GSS API changed from RHEL to RHEL6?

Hello Experts,

For our ABAP systems I have configured SSO via standard MIT Kerberos on Linux/Intel (RHEL5) as well as Solaris/SPARC and Solaris/Intel - works like a charm.

Now when I upgrade the Linux servers to RHEL6, the OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack no longer authenticates via SSO. All I get is a funny error popup "SAP System Message: S".

Is there any known change of the API from RHEL5 to RHEL6 and ideally a way to work around it?

The entry in dev_wx for the logon attempt is:

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3357]

N        GSS-API(maj): No credentials were supplied, or the credentials were unavailable or inaccessible

N      Unable to establish the security context

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1039]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  in_ThErrHandle: 1

M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11313]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

The parameters (which are working just fine under RHEL5) are:

snc/enable = 1

snc/gssapi_lib = /usr/lib64/sasl2/libgssapiv2.so

ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so (this is the current PL 43)

sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so

ssf/ssfapi_lib =$(DIR_EXECUTABLE)/libsapcrypto.so

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/extid_login_diag = 1

snc/permit_insecure_start = 1

ssf/name = SAPSECULIB

Installed packages on RHEL5 (all x86_64):

cyrus-sasl-gssapi-2.1.22-7.el5_8.1

krb5-libs-1.6.1-70.el5

krb5-libs-1.6.1-70.el5

krb5-workstation-1.6.1-70.el5

libgssapi-0.10-2

pam_krb5-2.2.14-18.el5

and on RHEL6:

cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64

krb5-libs-1.10.3-10.el6.x86_64

krb5-workstation-1.10.3-10.el6.x86_64

libgssglue-0.1-11.el6.x86_64

pam_krb5-2.3.11-9.el6.x86_64

Any info is much appreciated.

Andreas Niewerth

3 Answers

  • Former Member, Apr 26, 2013 at 10:52 AM

    Hi Andreas

    We are facing almost the exact problem:

    - we have used Kerberos with MIT on our AIX and Linux (RHEL5) systems for several months without any problem

    - now we've updated one Linux machine from RHEL5 to 6

    - we have installed the very same libraries & versions as you (except the PAM libs, which we don't have installed)

    - via kinit we get the Kerberos ticket without problems

    - from the beginning on we have had our AD service accounts with encryption arcfour-hmac

    => if this is DES, then you have to change it or tell krb5.conf to allow weak encryption. Although I guess that you have checked that already (with klist -e)

    At the end we get, when trying to login:

    1) SAP GUI displays this error msg: "SAP-Systemnachricht: F" (German: "SAP system message: F").

    2) sapni_xxx.trace (with all SAP GUI debug flags activated) shows: "Fehler im Security Network Layer (SNC)" (German: "Error in the Security Network Layer (SNC)")

    -> this happens after the client has sent an SNC packet (containing, I guess, a Kerberos ticket) to the server. Then the server responds with the above short message. Nothing more or less can be seen on a network sniff.

    3) Server side:

    My activities / analysis so far:

    - no changes on client side, no changes on SAP kernel

    - RHEL6 comes with new Kerberos libs

    - RHEL6 as Kerberos client: => SUCCESS

    - tested Kerberized SSO with browser -> Apache HTTP on this server (on top of the same krb libs and krb5.conf) and an additional 'http' service principal name on the AD service account => SUCCESS

    - server side: the only change is (due to the new krb libs) the SNC lib

    => this leads me to the point of the referenced library (SNC lib) on the server (param snc/gssapi_lib)

    Here I found that you use a different one than we do?!

    We use:  /usr/lib64/libgssapi_krb5.so   (which links to /lib64/libgssapi_krb5.so.2.2)

    You use: /usr/lib64/sasl2/libgssapiv2.so

    => Which is the right one?

    And: did you try to set the ENV variable KRB5_TRACE? I'm wondering if the SNC call is honored there and might show additional hints?

    Martin

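On the snc/gssapi_lib question raised in the answer above: the SNC layer loads whatever shared object that parameter names at runtime and resolves the GSS-API v2 entry points from it, so a quick way to compare candidate files (libgssapi_krb5.so, libgssglue.so.1, the Cyrus SASL plugin libgssapiv2.so) is to do the same dlopen/dlsym from a script. The following is an added example, not code from this thread or from SAP; the symbol list is a representative subset of the RFC 2744 entry points chosen for this example, not SAP's own requirement list, and the default candidate paths are simply the ones mentioned in this thread.

```python
"""Probe a candidate snc/gssapi_lib the way the SNC layer will use it:
dlopen() the shared object and resolve GSS-API v2 entry points from it.
Added example; symbol subset and candidate paths are assumptions."""
import ctypes

# Representative GSS-API v2 entry points (RFC 2744). A sanity subset chosen
# for this example, not SAP's full requirement list.
GSSAPI_V2_SYMBOLS = (
    "gss_acquire_cred",
    "gss_init_sec_context",
    "gss_accept_sec_context",
    "gss_import_name",
    "gss_display_name",
    "gss_indicate_mechs",
    "gss_wrap",
    "gss_unwrap",
    "gss_release_buffer",
)


def probe_gssapi_lib(path, symbols=GSSAPI_V2_SYMBOLS):
    """Return a dict describing whether `path` loads and which symbols resolve.

    path=None probes the symbols already present in the running process
    (dlopen(NULL)); useful only as a self-test of the probe itself.
    """
    report = {"path": path, "loaded": False, "error": None,
              "present": [], "missing": list(symbols)}
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:          # file missing, wrong arch, unresolved deps
        report["error"] = str(exc)
        return report
    report["loaded"] = True
    present, missing = [], []
    for name in symbols:
        try:
            getattr(lib, name)      # ctypes performs dlsym() on attribute access
            present.append(name)
        except AttributeError:
            missing.append(name)
    report["present"], report["missing"] = present, missing
    return report


def verdict(report):
    """Human-readable one-liner for a probe report."""
    if not report["loaded"]:
        return f"{report['path']}: cannot be loaded ({report['error']})"
    if report["missing"]:
        return f"{report['path']}: loads, but lacks {', '.join(report['missing'])}"
    return f"{report['path']}: loads and exports all probed GSS-API v2 entry points"


if __name__ == "__main__":
    import sys
    # Candidates seen in this thread; pass your own paths as arguments instead.
    candidates = sys.argv[1:] or [
        "/usr/lib64/libgssapi_krb5.so",
        "/lib64/libgssglue.so.1",
        "/usr/lib64/sasl2/libgssapiv2.so",
    ]
    for candidate in candidates:
        print(verdict(probe_gssapi_lib(candidate)))
```

Run it as the <sid>adm user with a 64-bit Python, since the probe only proves the library loads in the interpreter's own architecture and with the caller's permissions. Two caveats: dlsym() on a handle also searches that library's own dependencies, so a SASL plugin that links libgssapi_krb5 can appear to export gss_* symbols it does not implement itself (ldd on the file shows which library actually provides them); and a library that loads and exports everything can still produce GSS_S_NO_CRED ("No credentials were supplied, or the credentials were unavailable or inaccessible") at context establishment, which is a credential problem (a keytab readable by <sid>adm and containing the identity from snc/identity/as), not a library problem.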

    • Former Member

      Hi Andreas,

      We got the exact same error as you did [we are on RHEL 6.4] while using snc/gssapi_lib = libgssapi_krb5.so.

      I saw that you were able to resolve your problem by changing the API to the new RHEL 6 relevant file, i.e. /lib64/libgssglue.so.1.

      I tried to modify our parameter to the value snc/gssapi_lib = /lib64/libgssglue.so.1.

      We already have the packages krb5-libs & krb5-workstation installed. However, we are getting a different error now:

      N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3364]

      N        GSS-API(maj): Unspecified GSS failure.  Minor code may provide more information

      N        GSS-API(min): No key table entry found for SBQADM/ @< MYDOMAIN.COM>

      N      Unable to establish the security context

      N  <<- SncProcessInput()==SNCERR_GSSAPI

      M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1035]

      M  {root-id=00221982BAFF1EE4858070692A83CB23}_{conn-id=00000000000000000000000000000000}_0

      M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1040]

      M  {root-id=00221982BAFF1EE4858070692A83CB23}_{conn-id=00000000000000000000000000000000}_0

      Our Kerberos-level authentication from Linux to the AD works correctly via both the SAPServiceSBQ & the SBQADM users, i.e. when the AD-level SPN is created as SAPServiceSBQ or SBQADM

      SBQADM

      =========

      orsapbisbx01:sbqadm 51> kinit -V -f -k SBQADM/ @< MYDOMAIN.COM>

      Using default cache: /tmp/krb5cc_500

      Using principal: SBQADM/ @< MYDOMAIN.COM>

      Authenticated to Kerberos v5

      orsapbisbx01:sbqadm 52>

      orsapbisbx01:sbqadm 121> klist -e

      Ticket cache: FILE:/tmp/krb5cc_500

      Default principal: SBQADM/ @< MYDOMAIN.COM>

      Valid starting     Expires            Service principal

      07/25/14 06:19:27  07/25/14 16:19:27  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM

              renew until 08/01/14 06:19:27, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

      orsapbisbx01:sbqadm 122>

      SAPServiceSBQ

      =================

      orsapbisbx01:sbqadm 61> kinit -V -k SAPServiceSBQ/ @< MYDOMAIN.COM>

      Using default cache: /tmp/krb5cc_500

      Using principal: SAPServiceSBQ/ @< MYDOMAIN.COM>

      Authenticated to Kerberos v5

      orsapbisbx01:sbqadm 62> klist

      Ticket cache: FILE:/tmp/krb5cc_500

      Default principal: SAPServiceSBQ/ @< MYDOMAIN.COM>

      Valid starting     Expires            Service principal

      07/25/14 02:22:24  07/25/14 12:22:29  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM

              renew until 08/01/14 02:22:24

      orsapbisbx01:sbqadm 63>

      Any help will be greatly appreciated, as we have been fighting with Kerberos for nearly 2 weeks now.

      Regards

      Prashant
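The "No key table entry found for ..." message in the comment above is MIT Kerberos reporting that the keytab the server process reads (/etc/krb5.keytab by default, or the file named by KRB5_KTNAME or default_keytab_name in krb5.conf) holds no key for the principal the SNC acceptor asked for; klist -k -e is the usual way to look, and the DES point made earlier in this answer is the other thing worth checking in the same file. The following is an added example, not code from this thread or from SAP: it parses the MIT keytab format (version 0x0502) directly so the check can be scripted, looks up the principal taken from snc/identity/as, and flags entries that carry only single-DES keys. The keytab bytes are constructed inside the script and the principal names in it are made up for the example.

```python
"""Parse an MIT keytab (format 0x0502) and check it for an SNC service principal.

Added example; SAMPLE_KEYTAB is constructed test data and its principal names
are hypothetical. Use read_keytab("/etc/krb5.keytab") against a real file."""
import struct
from dataclasses import dataclass

ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# Single DES: refused by MIT krb5 1.8+ unless allow_weak_crypto = true in krb5.conf
WEAK_ENCTYPES = {1, 2, 3}


@dataclass
class KeytabEntry:
    principal: str   # "comp1/comp2@REALM"
    kvno: int
    enctype: int
    key: bytes


def _counted(buf, off):
    """counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab version 0x0502 (big-endian) is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            off += -size
            continue
        body, off = data[off:off + size], off + size
        if len(body) != size:
            raise ValueError("truncated keytab entry")
        p = 0
        (ncomp,) = struct.unpack_from(">H", body, p); p += 2   # v2: count excludes realm
        realm, p = _counted(body, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(body, p)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", body, p); p += 9
        (enctype,) = struct.unpack_from(">H", body, p); p += 2
        key, p = _counted(body, p)
        kvno = vno8
        if size - p >= 4:            # optional 32-bit kvno overrides the 8-bit one when nonzero
            (vno32,) = struct.unpack_from(">I", body, p)
            kvno = vno32 or vno8
        principal = "/".join(c.decode() for c in comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, enctype, key))
    return entries


def build_keytab(specs):
    """Write a 0x0502 keytab from (principal, kvno, enctype, key) tuples (test data only)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in specs:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                    # vno32
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data, snc_identity):
    """snc_identity is the value of snc/identity/as, e.g. 'p:SAPServiceSBQ@MYDOMAIN.COM'."""
    wanted = snc_identity[2:] if snc_identity.startswith("p:") else snc_identity
    hits = [e for e in parse_keytab(data) if e.principal == wanted]
    return {
        "principal": wanted,
        "found": bool(hits),
        "kvnos": sorted({e.kvno for e in hits}),
        "enctypes": sorted(ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in hits),
        "weak_only": bool(hits) and all(e.enctype in WEAK_ENCTYPES for e in hits),
    }


def read_keytab(path):
    with open(path, "rb") as f:
        return parse_keytab(f.read())


# Constructed sample: the AS identity has an RC4 key, an unrelated HTTP SPN has AES.
SAMPLE_KEYTAB = build_keytab([
    ("SAPServiceSBQ@MYDOMAIN.COM", 3, 23, b"\x11" * 16),
    ("HTTP/www.mydomain.com@MYDOMAIN.COM", 2, 18, b"\x22" * 32),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.kvno:>3} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})")
    print(check_keytab(SAMPLE_KEYTAB, "p:SAPServiceSBQ@MYDOMAIN.COM"))
    print(check_keytab(SAMPLE_KEYTAB, "p:SBQADM@MYDOMAIN.COM"))
```

Against a real system, call read_keytab on the keytab path as the <sid>adm user and pass the actual snc/identity/as value; the principal string must match the keytab entry exactly (case, realm, and any host component), which is where a SAPServiceSBQ-versus-SBQADM mix-up shows up immediately. A found entry whose only enctypes are single DES means MIT krb5 1.8 or later will refuse it unless allow_weak_crypto = true is set, which is a downgrade and not the fix to reach for; rekey the account with arcfour-hmac or AES instead.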

  • Apr 24, 2013 at 10:55 AM

    This forum is for the product from SAP called SAP NW SSO. If you need help with open source Kerberos issues you need to use the open source community forums. However, I am sure somebody from SAP or a SAP partner would love to sell you their product for providing Kerberos-based SSO on Linux. You can find details of such products in SAP EcoHub (soon to be SAP Store).


  • Apr 24, 2013 at 04:34 PM

    Have you used GSSTEST to see if the Kerberos 5 implementation in RHEL6 is interoperable with SNC? See SAP note 150380 for details. Adding to what Tim writes, SSO using SNC is no longer free of charge. You will have to purchase NWSSO or a 3rd party solution for it.

    https://service.sap.com/sap/support/notes/150380


    • You are right. Since you are using a different GSS-API than the one provided by SAP for the Windows platform, you are not breaking any licensing terms. SAP did change the licensing terms regarding SNC-based SSO when they released the SAP NetWeaver Single Sign-On product, but since you are not using the SAP-provided library, there is no violation. See SAP note 1684886 for details regarding the recent change to licensing terms.

      Regarding your problem, now you know what it means to have an unsupported solution. You could take it up in a Red Hat forum and see what can be done.

      https://service.sap.com/sap/support/notes/1684886