SNC setup works fine on Netweaver 7.01 but not on ...

Former Member · ‎11-01-2011

Hi,

We use SNC in conjunction with a kerberos v1.1.1 share library called libgssapi_krb5.shr.o.2.1 on Aix 6.1 servers. This setup works for ERP, BWP, SRM and CRM systems for the past 12 years or so. Late last week, we upgraded one of our ERP 600 EHP4 NW 7.01 systems to ERP 600 EHP5 Nw 7.02 and while the shared library was dynamically loaded, we still get an error from SncInit():

N File "/usr/pkg/krb5/rs_aix53-64/lib/libgssapi_krb5.shr.o.2.1" dynamically l

oaded as GSS-API v2 library.

N The internal Adapter for the loaded GSS-API mechanism identifies as:

N Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2

N SncInit(): found snc/identity/as=s:host@ niblick.oit.duke.edu

N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]

N GSS-API(maj): Miscellaneous failure

N GSS-API(min): No such file or directory

N Could't acquire ACCEPTING credentials for

N

N name="p:host/niblick.oit.duke.edu@ ACPUB.DUKE.EDU"

N SncInit(): Fatal -- Accepting Credentials not available!

N <<- SncInit()==SNCERR_GSSAPI

N sec_avail = "false"

M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 237]

The same error occurs on a SRM 7.00 EHP1 NW 7.02 system which was likewise upgraded at the same time as the ERP system mentioned above. The only thing which changed in our setup was the Sap application.

I am in the process of obtaining a xlc C-compiler and compiling gsstest. Anyone have any further suggestions? We have been happily using SNC with kerberos , as mentioned above, for well over a decade. Has the SNC/GSS interface changed in some fashion with NW 7.02? If so, what should we do?

Looking for hope here ....

Sincerely,

Steven McElwee, Duke University

mvoros · ‎11-01-2011

Hi are you sure that you haven't changed hostname of the server. It seems like identity found is s:host@ niblick.oit.duke.edu but it's trying to connect to p:host/niblick.oit.duke.edu@ ACPUB.DUKE.EDU

Cheers

Former Member · ‎11-02-2011

Yes, i am sure that the hostname of the server has not been changed. On the kerberos side, we use the kinit command to create a kerberos cache credential file based on the host's keytab file. There is a routine in the kerberos gssapi library that inputs the resulting cache credential file and creates the s:host@ niblick.oit.duke.edu name, which, i understand, is standard for GSS and, i believe, is used by SNC. This is standard for a GSS "service" name, as i understand.

p:host/niblick.oit.duke.edu@ ACPUB.DUKE.EDU (without the blank sapce after the "@"), on the other hand, is the value for Sap's snc/identity/as profile parameter, and, is, of course, SNC-specific.

Please note that the extra blank space after the "@" character was placed after-the-fact by me so that the original string without the extra blank space would not be interpreted as an email address, thus, prevening me to post/reply to this forum.

thanks for pointing this out and i welcome a better explanation from others far more informed than i am.

Sincerely,

Steven

Former Member · ‎11-02-2011

Oops- A correction - what i said previously in the above response about p:host/niblick.oit.duke.edu@ ACPUB.DUKE.EDU is wrong. The value of the snc parameter, snc/identity/as, is s:host@ niblick.oit.duke.edu. I am not sure where the p:host/niblick.oit.duke.edu@ ACPUB.DUKE.EDU comes from. What i do know is that our kerberos realm is ACPUB.DUKE.EDU and the machine's FQDN is niblick.oit.duke.edu.

Sincerely,

Steven

mvoros · ‎11-02-2011

Hi,

I don't know. You can check really old note 95810 for some help.

Cheers

Former Member · ‎05-15-2012

Hi Steven,

did you get this resolved?

We're currently facing the exact same issue after an upgrade.

Any help would be greatly appreciated.

Cheers, Stefan.

SNC setup works fine on Netweaver 7.01 but not on Netweaver 7.02