- SAP Community
- Products and Technology
- Additional Q&A
- sso dosn't work
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
sso dosn't work
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on 11-12-2010 12:35 PM
Hi all,
we have some strange behavior with kinit.
we have a windows dc and trying to get the ticket from it.
we generated the keyfile as described in the document from realtech.
ktutil looks like this:
ktutil: rkt /etc/krb5.keytab
ktutil: l -e
slot KVNO Principal
-
-
-
1 4 SAPService/icosap17.implico.de(at)ads.implico.de (DES cbc mode with RSA-MD5)
but when we try to get a ticket:
/usr/bin/kinit -k SAPService/icosap17.implico.de @ ADS.IMPLICO.DE
we get following error
kinit(v5): Key table entry not found while getting initial credentials
but whe i manually request the ticket:
icosap17:~ # /usr/bin/kinit -V SAPService/icosap17.implico.de(at)ADS.IMPLICO.DE
Password for SAPService/icosap17.implico.de(at)ADS.IMPLICO.DE:
and after entered the password:
Authenticated to Kerberos v5
anyone an idea why i can't request the ticket without entering the password ?
kind regards
Bjoern
Accepted Solutions (1)
Accepted Solutions (1)
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
1) Make sure your sap user can read the keytab file, change it's group ownership to sapsys and make sure you can read it as <sid>adm.
2)
icosap17:~ # /usr/bin/kinit -V SAPService/icosap17.implico.de(at)ADS.IMPLICO.DE
Try specifying the location of the keytab file with '-t' if it asks you for a password, it's possible the default location for your implementation is not in /etc/krb5.keytab
...and read the man pages if you don't understand what the command does.
Nelis
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi Nelis,
the keytab is readable:
-rw-r----- 1 root sapsys 78 2010-10-25 10:05 /etc/krb5.keytab
if i try with keyfile i get the same errors
icosap17:o7xadm 55> /usr/bin/kinit -t /etc/krb5.keytab
Password for SAPService/icosap17.implico.de(at)ADS.IMPLICO.DE:
or
icosap17:o7xadm 56> /usr/bin/kinit -t /etc/krb5.keytab SAPService/icosap17.implico.de(at)ADS.IMPLICO.DE
Password for SAPService/icosap17.implico.de(at)ADS.IMPLICO.DE:
and with -k
icosap17:o7xadm 57> /usr/bin/kinit -k -t /etc/krb5.keytab SAPService/icosap17.implico.de(at)ADS.IMPLICO.DE
kinit(v5): Key table entry not found while getting initial credentials
any ideas ?
Bjoern
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
The only other thing I can think of is possibly the following:
1 4 SAPService/icosap17.implico.de(at)ads.implico.de (DES cbc mode with RSA-MD5)
You have exported the keytab using small letters for your domain which is CASE SENSITIVE. It should show as @ ADS.IMPLICO.DE in ktutil like you use it in kinit. Which might explain why it can't "see it".
Nelis
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Answers (0)
- Change start of the week from Monday to Sunday in Human Capital Management Q&A
- SAP Fiori for SAP S/4HANA - Empowering Your Homepage: Enabling My Home for SAP S/4HANA 2023 FPS01 in Technology Blogs by SAP
- Copy from the property of one dimension to the member of another one in the same model in SAC in Technology Q&A
- Getting Analytical Data on different Dates in one CDS Cube in Technology Blogs by SAP
- Error no. L9029 is raised during qRFC processing from EWM in Supply Chain Management Q&A
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.