Problem when configuring SSO to Linux systems with a W2k8 DC
We are planning to update our Windows domain controllers to Windows 2008 and I am responsible for testing the SSO to our SAP systems.
For the systems running on a Windows server it was no problem. But the ones running under Linux are causing some trouble and I cannot find a solution in SDN/SAPNet, with Google or anywhere else. And so I'm starting a new thread for this.
Here is my test scenario:
name of domain: company.internal
name of W2k8-dc: dc2008
name of sap-server: sap15
Here are the steps I have performed so far, mostly following a whitepaper from Realtech which is linked to in other threads concerning SSO/Active Directory/Linux.
- create the user pudadm in the AD on dc2008 (cannot change password, password never expires)
- create a SPN with
setspn -A SAP_PUD/sap15.company.internal COMPANY\pudadm
"COMPANY\pudadm" is the user logon name for pre-Windows 2000 systems
- create a keytab with
ktpass -princ SAP_PUD/sap15.company.internal @ COMPANY.INTERNAL -mapuser COMPANY\pudadm -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass <password for pudadm> -out sap.keytab
The output looks OK, and I copy this file to /tmp on sap15, the Linux server.
As root on sap15 I copy the key from sap.keytab to /etc/krb5.keytab using ktutil (rkt / wkt). With ktutil I can see that there is no problem with this step; the key is properly copied to /etc/krb5.keytab. When I list the key with ktutil, the vno value is the same as the one in the output when creating the keytab file on dc2008.
Still being root, I try to get a ticket-granting ticket and enter
kinit -V -k SAP_PUD/sap15.company.internal @ COMPANY.INTERNAL
and get the error "Key table entry not found while getting initial credentials". As far as I know, this means that either the host or the user is not listed in the keytab file.
I tried some other combinations with company.internal, COMPANY.INTERNAL or just COMPANY and so on, but had no luck.
Any help would be appreciated.
Thanks and regards,
- the blanks before and after the @ are only here because of forum rules
- /etc/krb5.conf is configured
- I know about SAP note 1292886, and the Microsoft patch is already applied to dc2008
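The following is an added example for this thread, not code from the original post or from the Realtech whitepaper. It checks a keytab listing for the principal that kinit -k was asked to use, in the way kinit looks it up: the service name, host and realm must match exactly and case-sensitively, and MIT krb5 (1.7 and later) skips keytab entries whose enctype is not permitted, so a keytab that holds only a DES-CBC-MD5 key, like the one created by the ktpass command above, also ends in "Key table entry not found" when allow_weak_crypto is not set to true in the [libdefaults] section of /etc/krb5.conf. The klist output format assumed is MIT's `klist -k -e`; the listing embedded in `sample_klist` is constructed sample data for the host names in this thread, not output taken from sap15.

```shell
# Added example, not part of the original post.
# Real use on the Linux server:
#   klist -k -e /etc/krb5.keytab | check_keytab_principal 'SAP_PUD/sap15.company.internal@COMPANY.INTERNAL'
#
# Return codes: 0 exact match with a non-DES key, 1 not in the keytab,
# 2 only a differently-cased variant present, 3 present but DES-only.
check_keytab_principal() {
  wanted=$1
  wanted_lc=$(printf '%s' "$wanted" | tr 'A-Z' 'a-z')
  exact=0 variant=0 strong=0
  while IFS= read -r line; do
    # Entry lines look like "   3 SAP_PUD/host@REALM (DES cbc mode with RSA-MD5)";
    # the "Keytab name:", "KVNO Principal" and "----" header lines are skipped.
    case $line in
      *@*'('*')') ;;
      *) continue ;;
    esac
    set -- $line
    kvno=$1 princ=$2
    shift 2
    enctype=$*
    if [ "$princ" = "$wanted" ]; then
      exact=1
      case $enctype in
        *'Triple DES'*) strong=1 ;;   # 3DES is not single DES
        *'DES cbc'*) ;;               # single DES: weak, skipped unless allow_weak_crypto = true
        *) strong=1 ;;
      esac
      echo "found kvno $kvno $princ $enctype"
    elif [ "$(printf '%s' "$princ" | tr 'A-Z' 'a-z')" = "$wanted_lc" ]; then
      # Same principal apart from case: a typical realm or host-name mistake
      variant=1
      echo "keytab has '$princ' but you asked for '$wanted': principals are case-sensitive"
    fi
  done
  if [ "$exact" -eq 1 ]; then
    [ "$strong" -eq 1 ] && return 0
    echo "only DES keys for $wanted: kinit skips them unless allow_weak_crypto = true in [libdefaults]"
    return 3
  fi
  [ "$variant" -eq 1 ] && return 2
  echo "no entry for $wanted in this keytab"
  return 1
}

# Constructed klist -k -e listing standing in for /etc/krb5.keytab on sap15
# (sample data, not taken from the thread). The SAP_PUD entry mirrors a
# keytab produced with ktpass -crypto DES-CBC-MD5; the host/ entries show
# what a keytab with modern enctypes looks like for comparison.
sample_klist() {
  cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 SAP_PUD/sap15.company.internal@COMPANY.INTERNAL (DES cbc mode with RSA-MD5)
   5 host/sap15.company.internal@COMPANY.INTERNAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   5 host/sap15.company.internal@COMPANY.INTERNAL (ArcFour with HMAC/md5)
EOF
}
```

Run it as `sample_klist | check_keytab_principal 'SAP_PUD/sap15.company.internal@COMPANY.INTERNAL'` to see the DES-only case (exit code 3), or pipe real `klist -k -e /etc/krb5.keytab` output into it on the server. A return code of 2 means the entry ktutil wrote differs from the kinit argument only in case, which is enough for the lookup to fail; a return code of 1 means the principal ktpass wrote is simply not the one being requested, so compare the `-princ` value with the kinit argument character by character.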
Tim Alsop replied
I can guarantee that using Windows 2000 domain controllers is not going to change anything. The problem you are having is local to the Linux host, since this error means that kinit cannot find the principal entry in the keytab - it hasn't even got as far as sending the AS-REQ to the KDC (e.g. Active Directory).
Regarding prices and commercial products - if you are interested, I can give you a very competitive price quote.
- Please remember that the cost is more than license costs when comparing open-source Kerberos with commercially supported implementations. You also need to consider people cost and support. Look at how long it is taking you to make this work and the cost of your time. If you are having difficulty with this now, and later your company deploys this solution, what happens if nobody can log on because of a broken Kerberos library? Who do you get help from?