on 04-21-2009 2:05 AM
Hi All
I have been searching for the proper documentation for mapping the SAP users with Windows Domain users, but couldn't get the correct documentation so far. I got one but it was for Windows 2000 from Realtech.
All our SAP Systems run on Red Hat Linux Enterprise 5.2 and all our users are to be mapped from Windows 2008 Domain controller to SAP.
Can anyone please throw some light on how to map the SAP users to Windows users and what the steps are that we need to follow to set up the application server at the Linux level?
We followed the steps to set up the Service Principal Name for the SAP system and the tickets are getting generated; after I enabled the SNC-related profile parameters, the system is not coming up. Below are the profile parameters I have set and the output of the dev_w0 file:
Profile Parameters:
snc/gssapi_lib /usr/lib64/snckrb5.so
snc/identity/as p/krb5:SAPService/linuxlabsrv.domainname@DOMAINNAME SNC identity
snc/enable 1 Use SNC
snc/accept_insecure_cpic 1 Permit CPIC without SNC
snc/accept_insecure_rfc 1 Permit RFC without SNC
snc/accept_insecure_gui 1 Permit SAPGUI connections without SNC
snc/accept_insecure_r3int_rfc 1 Permit internal RFC connections without SNC
snc/data_protection/min 1 Min. protection level 1 (authentication)
snc/data_protection/max 3 Max. protection level 3 (encryption)
snc/data_protection/use 3 Use level of snc/data_protection/max
snc/permit_insecure_start 1 Allow execution of external programs without SNC
dev_w0 Error:
SncInit(): Initializing Secure Network Communication (SNC)
N AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so
N File "/usr/lib64/snckrb5.so" dynamically loaded as SNC-Adapter.
N The Adapter identifies as:
N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:sapservicedpi
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): Unspecified GSS failure. Minor code may provide more information
N GSS-API(min): No principal in keytab matches desired name
N Could't acquire ACCEPTING credentials for
N
N name="p:sapservicedpi@domainname"
M *** ERROR => ErrISetSys: error info too large [err.c 944]
M Mon Apr 20 18:03:05 2009
M LOCATION SAP-Server omtr-sap-pi_DPI_00 on host omtr-sap-pi (wp 0)
M ERROR GSS-API(maj): Unspecified GSS failure. Minor code may provi
M GSS-API(min): No principal in keytab matches desired name
M name="p:sapservicedpi@domainname"
M TIME Mon Apr 20 18:03:05 2009
M RELEASE 700
M COMPONENT SNC (Secure Network Communication)
M VERSION 5
==========================================================================
Can someone please throw some light....
Thanks
Sri
Hi all,
I am getting this error message, can anyone help me on this?
SsfSapSecin: automatic application server initialization for SAPSECULIB
SsfSapSecin: Looking for PSE in database
SsfPseLoad: started...(path=/usr/sap/A01/DVEBMGS01/sec, AS=sapA01, instanceid=01)
SsfPseLoad: Downloading file /usr/sap/A01/DVEBMGS01/sec/SAPSYS.pse (client: , key: SYSPSE, len: 1619)
SsfPseLoad: ended (1 of 1 sucessfully loaded, 1 checked...
MskiCreateLogonTicketCache: Logon Ticket cache created in shared memory.
MskiCreateLogonTicketCache: Logon Ticket cache pointer registered in shared memory.
SncInit(): Initializing Secure Network Communication (SNC)
AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so
File "/usr/lib64/snckrb5.so" dynamically loaded as external SNC-Adapter.
The SNC-Adapter identifies as:
External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
SncInit(): found snc/identity/as=p:SAPServiceA01'@'DOMAIN
ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]
GSS-API(maj): Miscellaneous failure
GSS-API(min): No principal in keytab matches desired name
Could't acquire ACCEPTING credentials for
name="p:SAPServiceA01'@'DOMAIN"
SncInit(): Fatal -- Accepting Credentials not available!
<<- SncInit()==SNCERR_GSSAPI
sec_avail = "false"
LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 230]
ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 232]
in_ThErrHandle: 1
ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 10589]
Hi,
I just regenerated a keytab file from the AD server, but now I am getting an error when I execute kinit -k -t <full-path-to-keytab> <sid>adm/DOMAIN@DOMAIN.
Key table entry not found...
I wonder whether it is an encryption problem or not; if my Windows is 2008 and SAP is on Linux, is there any specification I have to do first?
I have checked "Use Kerberos Authentication" and "Use DES Encryption only".
I have no idea on this, hope you can help me on this.
Thanks,
Thomas
> I just regenerated a keytab file from the AD server, but now I am getting an error when I execute kinit -k -t <full-path-to-keytab> <sid>adm/DOMAIN@DOMAIN.
> Key table entry not found...
And you use EXACTLY the same user with the same chars in capitals and non-capitals? Kerberos is very picky about names. "SIDADM" is not the same as "sidadm" is not the same as "SIDadm".
Markus
Hello
I'm configuring SSO on HP-UX, and I encountered the same errors during SAP instance startup:
" *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): No such file or directory
N Could't acquire ACCEPTING credentials for
N
N name="p:sidadm/domain.com(at)DOMAIN.COM"
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
How did you manage to resolve this problem?
> I'm configuring SSO on HP-UX, and I encountered the same errors during SAP instance startup:
>
> " *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
> N GSS-API(maj): Miscellaneous failure
> N GSS-API(min): No such file or directory
> N Could't acquire ACCEPTING credentials for
> N
Did you create a keytab with "ktpass.exe" on your Windows DC and copy that to the system?
Markus
> N SncInit(): found snc/identity/as=p:sapservicedpi
> N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
> N GSS-API(maj): Unspecified GSS failure. Minor code may provide more information
> N GSS-API(min): No principal in keytab matches desired name
> N Could't acquire ACCEPTING credentials for
> N
> N name="p:sapservicedpi@domainname"
You have to generate a Kerberos ticket on your Windows DC and copy that to the Linux box, e.g.
ktpass -princ <sid>adm/<DOMAIN>@<DOMAIN> -mapuser <sid>adm -pass <password> -out <filename>.keytab -kvno 1
Copy then the "<filename>.keytab" to the Linux box.
Then execute once
kinit -k -t <full-path-to-keytab> <sid>adm/DOMAIN@DOMAIN
Check with
klist
if the ticket is accepted.
Create a cron job for user <sid>adm which runs every hour once to update the ticket.
Then restart your instance.
Markus
Hi Markus
Thank you so much for the inputs, we have created the keytab file from DC with the following options.
-
setspn -A sapservicedpi/FQDN ORM\sapservicedpi
ktpass.exe -princ sapservicedpi/domain@DOMAIN -mapuser ORM\dpiadm -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass master00 -out dpi.keytab
-
after we copied the file to linux and did the kinit, now the output of the command klist as below:
-
login as: root
root@10.12.7.65's password:
Last login: Mon Apr 20 19:02:05 2009 from 10.12.30.11
[root@omtr-sap-pi ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sapservicedpi@DOMAIN
Valid starting Expires Service principal
04/20/09 16:08:32 04/21/09 02:08:38 krbtgt/DOMAIN@DOMAIN
renew until 04/22/09 16:08:32
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
-
Is this the correct process for generating the ticket? I also wanted to try the command you suggested in the reply.
Thanks again for the reply
Regards
Sri
> after we copied the file to linux and did the kinit, now the output of the command klist as below:
You need to do the kinit with the user the ticket is assigned to - so not as root but as <sid>adm.
> Is this the correct process for generating the ticket? I also wanted to try the command you suggested in the reply.
Yes - looks good!
That ticket is only valid for the lifetime of the ticket, that's why it's necessary to create a cron job for <sid>adm who does that before the ticket expires.
Looks all good to me.
Now you should be able to start the system with SNC enabled.
Markus
Markus, right now the ticket is getting generated and the output of klist is already posted. Now when I try to enable the SNC profile parameter, the system is not coming up and the dev_w0 output is as below (same error):
-
profile parameters in the system
snc/enable = 1
snc/identity/as = p/krb5:sapservicedpi/fqdn@DOMAIN
snc/gssapi_lib = /usr/lib64/snckrb5.so
-
dev_w0
B rule_fae->0, concat_fae->0, concat_fae_or->0
N SncInit(): Initializing Secure Network Communication (SNC)
N AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so
N File "/usr/lib64/snckrb5.so" dynamically loaded as SNC-Adapter.
N The Adapter identifies as:
N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:sapservicedpi
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): Unspecified GSS failure. Minor code may provide more information
N GSS-API(min): No principal in keytab matches desired name
N Could't acquire ACCEPTING credentials for
N
N name="p/krb5:sapservicedpi/fqdn@DOMAIN"
M *** ERROR => ErrISetSys: error info too large [err.c 944]
-
Can you please take a look
Thanks
Sri
Markus
Just changed the profile parameter and did an instance restart; it's hanging again with the same error:
-
SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so
N File "/usr/lib64/snckrb5.so" dynamically loaded as SNC-Adapter.
N The Adapter identifies as:
N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:dpiadm/DOMAIN@DOMAIN
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): Unspecified GSS failure. Minor code may provide more information
N GSS-API(min): No principal in keytab matches desired name
N Could't acquire ACCEPTING credentials for
N
N name="p:dpiadm/DOMAIN@DOMAIN"
M *** ERROR => ErrISetSys: error info too large [err.c 944]
-
What would be other things I need to check?
Thanks
Sri
Unless Windows 2008 does something different than Windows 2003, we never used a /DOMAIN. Our principals in the SAP profile parameters look like:
p:sidadm@DOMAIN and not p:sidadm/DOMAIN@DOMAIN
If you look at the docs in the thread I referenced, you'll also want to schedule a cron job to run kinit again every 4 hours.
Brian
We use
N SncInit(): found snc/identity/as=p:<sid>adm/<DOMAIN>@<DOMAIN>
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=Expired
The error message suggests the identity is not the same as in the generated keytab.
So if you generated
> ktpass.exe -princ sapservicedpi/domain@DOMAIN...
then I would suggest using here the same "sapservicedpi/domain@DOMAIN".
Markus
Thanks Brian & David for the inputs.
Markus even when I am using the format
"sapservicedpi/domain@DOMAIN" in the profile parameters I am
getting the same error.
As a next step, can I try creating a new keytab file with the format below:
ktpass -princ <sid>adm/<DOMAIN>@<DOMAIN> -mapuser <sid>adm -pass <password> -out <filename>.keytab -kvno 1
David I think we just created the keytab file only for serviceuser.
Thanks
Sri
In continuation of my previous reply, please see below the result of ktutil. I think we are making progress; now the error is different:
-
[root@omtr-sap-pi work]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sapservicedpi @ XXX.XXXXXXXXX .COM
Valid starting Expires Service principal
04/20/09 16:08:32 04/21/09 02:08:38 krbtgt/XXX.XXXXXXXX.COM @ XXX.XXXXXXXX .COM
renew until 04/22/09 16:08:32
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@omtr-sap-pi work]# ktinit
-bash: ktinit: command not found
[root@omtr-sap-pi work]# kinit
Password for sapservicedpi @ XXX.XXXXXXXX .COM:
[root@omtr-sap-pi work]# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------
   1    2 sapservicedpi/host.xxx.xxxxxxxx .com @ XXX.XXXXXXXX .COM
ktutil:
-
After I got the correct keytab identity I have changed the profile parameter snc/identity/as to "sapservicedpi/host.xxx.xxxxxxxx .com @ XXX.XXXXXXXX .COM" and restarted the instance. Now the error in the dev_w0 changed, please see below:
-
SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so
N File "/usr/lib64/snckrb5.so" dynamically loaded as SNC-Adapter.
N The Adapter identifies as:
N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:sapservicedpi/host.xxx.xxxxxxxx .com @ XXX.XXXXXXXX .COM
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): Unspecified GSS failure. Minor code may provide more information
N GSS-API(min): Unknown code krb5 195
N Could't acquire INITIATING credentials for
N
N name="p:sapservicedpi/host.xxx.xxxxxxxx .com @ XXX.XXXXXXXX .COM"
M *** ERROR => ErrISetSys: error info too large [err.c 944]
-
Now I am getting the error "GSS-API(min): Unknown code krb5 195".
What would be wrong now?
Thanks
Sri
Yes Markus, here is the file:
-
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = XXX.XXXXXXXXXX.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 48h
forwardable = yes
[realms]
XXX.XXXXXXXX.COM = {
kdc = <ldapservername>:88
admin_server = <ldapservername>:749
kpasswd_server = <ldapservername>
}
[domain_realm]
.xxx.xxxxxxxxx.com = XXX.XXXXXXXXXX.COM
xxx.xxxxxxxxx.com = XXX.XXXXXXXXXX.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 90000
renew_lifetime = 90000
forwardable = true
krb4_convert = false
-
Thanks
Sri
> Yes Markus here is the file:
Ok!
Kerberos is VERY VERY picky about authorization specifications with/without capitalization. Make sure you enter the same domain in exactly the same manner in the keytab, krb5.conf and in the profile. So using an IP one time and a domain the other time will not work.
Markus
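A small check for the mismatch Markus points to above (the snc/identity/as value versus the principal actually stored in the keytab, including case). This is an added example, not something posted in the thread; it assumes a "klist -k"-style listing as input, and the listing embedded here is constructed sample data with example.com names.

```shell
#!/bin/sh
# Added example: verify that the SAP profile value of snc/identity/as names a
# principal that is present in the keytab, byte for byte. That is what the
# "No principal in keytab matches desired name" errors in this thread come
# down to. On a real host, feed in the output of: klist -k /etc/krb5.keytab

# Strip the SNC name-type prefix ("p:" or "p/krb5:") to get the bare
# Kerberos principal that the GSS-API adapter looks up in the keytab.
snc_to_principal() {
  p=${1#p/krb5:}
  p=${p#p:}
  printf '%s\n' "$p"
}

# Compare a principal against a "klist -k" listing (lines: KVNO principal).
# Prints one word:
#   exact          an entry matches byte for byte (what SNC needs)
#   case-mismatch  an entry matches only when ignoring case (Kerberos will
#                  still reject it; fix capitalisation in profile or ktpass)
#   missing        no entry matches at all (wrong SPN, wrong realm, or the
#                  /host component differs from what ktpass -princ produced)
keytab_match() {
  want=$1
  listing=$2
  printf '%s\n' "$listing" | awk -v want="$want" '
    $1 ~ /^[0-9]+$/ {                 # entry lines start with the KVNO
      if ($2 == want) exact = 1
      else if (tolower($2) == tolower(want)) ci = 1
    }
    END {
      if (exact) print "exact"
      else if (ci) print "case-mismatch"
      else print "missing"
    }'
}

# Constructed sample keytab listing in "klist -k" format (not a real host).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   2 sapservicedpi/host.example.com@EXAMPLE.COM'

# Three candidate profile values: the good one, a capitalisation slip, and
# the short form without the /host component that ktpass -princ wrote.
for id in 'p:sapservicedpi/host.example.com@EXAMPLE.COM' \
          'p/krb5:SAPServicedpi/host.example.com@EXAMPLE.COM' \
          'p:sapservicedpi@EXAMPLE.COM'; do
  printf '%-52s -> %s\n' "$id" \
    "$(keytab_match "$(snc_to_principal "$id")" "$SAMPLE_KEYTAB")"
done
```

The same check applies to the kinit principal: the value passed to kinit -k -t must be the "exact" one, since a case-mismatch produces the "Key table entry not found" error Thomas saw.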
Just to add:
At the time I was trying that the first time, I was not able to use the Kerberos libraries from the OS vendors, none of them worked (SuSE SLES 10 without SP, Solaris 10, HP-UX), I had to compile Kerberos myself (MIT and Heimdal implementation worked, we currently use the MIT one) and link against those.
Markus
Markus/Brian
Good news we got the SNC enabled finally, see the dev_w0 output:
-
N SncInit(): Initializing Secure Network Communication (SNC)
N AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=3, using 3 (Privacy Level)
N SncInit(): found snc/gssapi_lib=/usr/lib64/snckrb5.so
N File "/usr/lib64/snckrb5.so" dynamically loaded as SNC-Adapter.
N The Adapter identifies as:
N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p:sncsap @ XXX.XXXXXXXX.COM
N SncInit(): Accepting Credentials available, lifetime=Indefinite
N SncInit(): Initiating Credentials available, lifetime=09h 09m 10s
M ***LOG R1Q=> 1& [thxxsnc.c 259]
M SNC (Secure Network Communication) enabled
M CCMS: AlInitGlobals : alert/use_sema_lock = TRUE.
-
Now the next step, enabling the SNC tab in SAP GUI. In the "Network" tab I checked the option "Activate Secure Network Connection" and entered "p:sncsap @XXX.XXXXXXXX.COM" as the SNC Name.
When I am trying to login through GUI I am getting the following error:
SAP System Message
Secured Network Layer (SNC) error
I have already copied the "gssntlm.dll" file from the SNC Adapter ZIP file from SAP into the client machine's system32 folder and renamed it as "sncgss32.dll".
Are there any steps I am missing? Please let us know.
Regards
Sri
Is there not a button or something to look at a more detailed error message? The most common errors are that you have the principal wrong in the SAPGUI SNC tab (this should match the snc/identity/as), you don't have a Kerberos ticket issued from the domain controller (we usually lock and unlock our PC), or there is a >5 minute difference between the SAP server and the computer running SAPGUI (Kerberos is finicky about time differences when comparing ticket validity).
Brian
> Now the next step, enabling the SNC tab in SAP GUI. I have entered the below in the tab "Network -> Checked the option "Activate Secure Network Connection" -> in SNC Name -> "p:sncsap @XXX.XXXXXXXX.COM""
>
> When I am trying to login through GUI I am getting the following error:
>
> SAP System Message
> Secured Network Layer (SNC) error
>
> I have already copied the "gssntlm.dll" file from the SNC Adapter ZIP file from SAP into the client machine's system32 folder and renamed it as "sncgss32.dll".
Try to set the environment variable
SNC_LIB <path-to-sncgss.dll>
for that user or a system variable.
Logoff the machine and logon, open a cmd.exe check with "set s" if the variable is set. Then try to start SAPGUI again.
Markus
Hi Brian/Markus
Thanks for all the help so far, I think I am very close to this SSO. As you guys mentioned I have done the following checks:
1. Network tab entry in SAP GUI is same as the entry in profile parameter "snc/identity/as"
2. SNC_LIB environment variable is set "SNC_LIB=C:\WINDOWS\system32\sncgss32.dll" (output from set -s)
3. Time is same in both the SAP App Server and Windows Client as both of them are synchronized to the Server
4. I can see in the SNC tab in SU01 " SNC is active on this application server" and " Canonical name determined" and tried entering "p:sncsap @XXX.XXXXXXXX.COM" and "p:fname.lname @XXX.XXXXXXXX.COM" and some other different options
5. I have checked in the klist -k, the server is having the Valid Ticket
But finally when I am trying to login through SAP GUI, I am getting the same error as mentioned in the last post
Can you please let me know if there is anything I am missing out here?
Thanks
Sri
You'll want to download the kerbtray tool from Microsoft to look at your Kerberos ticket on your Windows workstation. This will show you what your principal is. For us, on the SNC tab of SU01 we enter p:<USERNAME>@MILLIKEN.COM
Both the username and the domain need to be capitalized for us. The information from kerbtray will help.
I don't believe the SNC error you're seeing when you start SAPGUI is related to the SU01 data though. Normally you'd get an error that says that your kerberos identity is not known in any of the clients in the SAP system.
As regards system time, we had some problems where some users had manually set their time instead of letting the Windows regional settings handle it. The time comparison is done with UTC, so both the SAP server and the local workstation's time are converted to UTC and then compared. Even though the times look the same, they can be different when converted to UTC.
There should be some more detailed information available in SAPGUI besides the generic SNC error.
Brian
Brian
I have installed kerbtray and I can see the Kerberos tickets. In the first line, "Client Principal", it shows "fname.lname @XXX.XXXXXXXX.COM", and I can see some more under that, e.g. "krbtgt/XXX.XXXXXXXX.COM". I have entered the same "fname.lname @XXX.XXXXXXXX.COM" in the SU01 SNC tab, but still the same error.
Any inputs please ?
Thanks
Sri
In continuation, I was just looking at the dev_w0 file after the start of the server, and I found this ERROR. Does this error make any sense?
-
X Thu Apr 23 17:04:05 2009
X *** ERROR => EmActiveData: Invalid Context Handle -1 [emxx.c 2214]
X *** ERROR => EmActiveData: Invalid Context Handle -1 [emxx.c 2214]
X *** ERROR => EmActiveData: Invalid Context Handle -1 [emxx.c 2214]
X
X Thu Apr 23 17:05:05 2009
X *** ERROR => EmActiveData: Invalid Context Handle -1 [emxx.c 2214]
X *** ERROR => EmActiveData: Invalid Context Handle -1 [emxx.c 2214]
N
N Thu Apr 23 17:05:24 2009
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3352]
N GSS-API(maj): An unsupported mechanism was requested
N Unable to establish the security context
N <<- SncProcessInput()==SNCERR_GSSAPI
M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 976]
M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 981]
M in_ThErrHandle: 1
M *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c 10534]
-
Edited by: Srikar Vankadaru on Apr 24, 2009 1:09 AM
I'm not sure, this may be because of the explicit DES encryption you gave.
I used
http://osdir.com/ml/encryption.kerberos.general/2004-11/msg00007.html
and followed those steps (slightly adapted to Windows 2003).
And: did you enter the principal also in the SAPGUI itself (in the logon entry)?
Markus