on 03-21-2013 3:05 PM
Hello,
we are trying to implement Single Sign-on using AIX Kerberos and Windows Active Directory, but we are facing some difficulties.
Here's our landscape
AIX Server: vbtrmz00.telecom.pt
AD: vmqptp02.ptp-qa.corppt-qa.local
We created the user on active directory and created the keytab file with the following parameters:
C:\>setspn -A SSOTRM/vbtrmz00.telecom.pt PTP-QA\trmadm
Registering ServicePrincipalNames for CN=trmadm,OU=Service Accounts,OU=SAP,OU=LSB-PIC,OU=DC_PT,DC=ptp-qa,DC=corppt-qa,DC=local
SSOTRM/vbtrmz00.telecom.pt
Updated object
C:\>ktpass -princ SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL -mapuser PTP-QA\trmadm -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set -pass XXXXXXX -out sap.keytab
Targeting domain controller: VMQPTP02.ptp-qa.corppt-qa.local
Using legacy password setting method
Successfully mapped SSOTRM/vbtrmz00.telecom.pt to trmadm.
Key created.
Output keytab to sap.keytab:
Keytab version: 0x502
keysize 84 SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x0417ecfdd84a80184ccfca8eb02169d4)
-------------------------------------------------------------------------------------------------------------------------------------------------------
On SAP profile we added the following parameters:
snc/enable 1
snc/identity/as p:SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL
snc/data_protection/max 1
snc/data_protection/min 1
snc/data_protection/use 1
snc/gssapi_lib /usr/sap/TRM/SYS/exe/run/libsapcrypto.o
snc/accept_insecure_cpic 1
snc/accept_insecure_gui 1
snc/accept_insecure_rfc 1
snc/permit_insecure_start 1
snc/force_login_screen 1
rdisp/dynamic_wp_check FALSE
rdisp/configurable_wp_no 0
rdisp/wp_no_restricted 0
rslg/new_layout 9
ssf/ssfapi_lib /usr/sap/TRM/SYS/exe/run/libsapcrypto.o
ssf/name SAPSECULIB
sec/libsapsecu /usr/sap/TRM/SYS/exe/run/libsapcrypto.o
------------------------------------------------------------------------------------------------------------------------------------------
On AIX we have the following on krb5.conf
[libdefaults]
default_realm = PTP-QA.CORPPT-QA.LOCAL
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
[realms]
PTP-QA.CORPPT-QA.LOCAL = {
kdc = vmqptp02.ptp-qa.corppt-qa.local:88
admin_server = vmqptp02.ptp-qa.corppt-qa.local:749
default_domain = ptp-qa.corppt-qa.local
}
[domain_realm]
.ptp-qa.corppt-qa.local = PTP-QA.CORPPT-QA.LOCAL
vmqptp02.ptp-qa.corppt-qa.local = PTP-QA.CORPPT-QA.LOCAL
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
[appdefaults]
autologin=true
forward=true
forwardable=true
renewable=true
encrypt=true
--------------------------------------------------------------------------------------------------
On AIX, using ktutil, we successfully imported the keytab.
When we try to generate initial ticket using kinit we have 2 results:
OK -
[root@vbtrmz00: /usr/krb5/bin ]# kinit trmadm
Password for trmadm@PTP-QA.CORPPT-QA.LOCAL:
XXXXXXXXXXXXXXXXX
java.io.IOException: Primary principals do not match
Done!
New ticket is stored in cache file /root/krb5cc_root
NOT OK -
[root@vbtrmz00: /usr/krb5/bin ]# kinit -k SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL
com.ibm.security.krb5.KrbException, status code: 6
message: Client not found in Kerberos database
at com.ibm.security.krb5.KrbAsRep.<init>(KrbAsRep.java:38)
at com.ibm.security.krb5.KrbAsReq.getReply(KrbAsReq.java:79)
at com.ibm.security.krb5.internal.tools.Kinit.a(Kinit.java:12)
at com.ibm.security.krb5.internal.tools.Kinit.<init>(Kinit.java:156)
at com.ibm.security.krb5.internal.tools.Kinit.main(Kinit.java:98)
com.ibm.security.krb5.KrbException, status code: 6
message: Client not found in Kerberos database
When we start SAP with parameter snc/enable = 1 the system stops with the following error in the dev_w0 file:
SncInit(): Initializing Secure Network Communication (SNC)
N IBM RS/6000 with AIX (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N SncInit(): found snc/data_protection/max=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/min=1, using 1 (Authentication Level)
N SncInit(): found snc/data_protection/use=1, using 1 (Authentication Level)
N SncInit(): found snc/gssapi_lib=/usr/sap/TRM/SYS/exe/run/libsapcrypto.o
N File "/usr/sap/TRM/SYS/exe/run/libsapcrypto.o" dynamically loaded as GSS-API v2 library.
N The internal Adapter for the loaded GSS-API mechanism identifies as:
N Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
N *** ERROR => SncPGSSImportName()==SNCERR_GSSAPI [sncxxall.c 2630]
N GSS-API(maj): An invalid name was supplied
N Import of a name failed
N name="p:SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL"
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 237]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 239]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11329]
Can anyone help?
Pedro
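Added example (not from Pedro's post, and not SAP, IBM or Microsoft tooling): a small Python parser for the v2 keytab format (magic 0x0502) that ktpass writes, plus a consistency check of the parsed entries against the snc/identity/as value from the profile (the SAP "p:" prefix is stripped before comparing). It flags a principal that is missing, one that differs only in letter case (Kerberos realms and principals are case-sensitive, a frequent cause of "Client not found in Kerberos database"), a wrong enctype, or a stale kvno. The sample keytab is constructed inline with a dummy 16-byte key; the principal, kvno 3 and etype 0x17 are taken from the ktpass output above, and the computed entry size of 84 bytes matches the "keysize 84" ktpass reported.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Keytab v2 entry layout (what ktpass writes): int32 entry_size; uint16 n_components;
# counted realm; counted component[n]; uint32 name_type (1 = KRB5_NT_PRINCIPAL);
# uint32 timestamp; uint8 vno8; uint16 enctype; uint16 key_length; key bytes;
# optional uint32 vno32 if 4 bytes remain in the entry.
ETYPE_RC4_HMAC = 0x17       # arcfour-hmac, the etype ktpass was told to use
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    kvno: int
    enctype: int
    key: bytes
    entry_size: int


def _counted(buf: bytes, pos: int):
    """Read a uint16-length-prefixed octet string at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a v2 keytab into entries; raises on an unsupported file version."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype, key, size))
        pos = end
    return entries


def build_keytab(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Write a single-entry v2 keytab; used here only to construct sample input."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def check_keytab(entries: List[KeytabEntry], snc_identity: str,
                 expected_etype: int = ETYPE_RC4_HMAC,
                 expected_kvno: Optional[int] = None) -> List[str]:
    """Compare keytab entries with the identity the SAP profile declares.
    Returns a list of findings; an empty list means the keytab is consistent."""
    wanted = snc_identity[2:] if snc_identity.startswith("p:") else snc_identity
    findings = []
    exact = [e for e in entries if e.principal == wanted]
    if not exact:
        loose = [e for e in entries if e.principal.lower() == wanted.lower()]
        if loose:   # realm/host case mismatch: looks right to a human, wrong to the KDC
            findings.append("principal differs only in case: keytab has %s, profile wants %s"
                            % (loose[0].principal, wanted))
        else:
            findings.append("principal %s not present in keytab" % wanted)
        return findings
    for e in exact:
        if e.enctype != expected_etype:
            findings.append("enctype 0x%02x, expected 0x%02x" % (e.enctype, expected_etype))
        if expected_kvno is not None and e.kvno != expected_kvno:
            findings.append("kvno %d, expected %d (keytab out of date?)" % (e.kvno, expected_kvno))
    return findings


# Constructed sample: principal, kvno and etype from the ktpass run; dummy key, not real key material.
SAMPLE_PRINCIPAL = "SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL"
SAMPLE_KEYTAB = build_keytab(SAMPLE_PRINCIPAL, kvno=3, enctype=ETYPE_RC4_HMAC, key=bytes(range(16)))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%s vno %d etype 0x%02x keylength %d (entry size %d)"
              % (e.principal, e.kvno, e.enctype, len(e.key), e.entry_size))
    print(check_keytab(parse_keytab(SAMPLE_KEYTAB), "p:" + SAMPLE_PRINCIPAL))
```

To run it against the keytab actually imported on the AIX side, replace SAMPLE_KEYTAB with the bytes of the file named in default_keytab_name (for example open("/etc/krb5/krb5.keytab", "rb").read()) and pass the profile's snc/identity/as string to check_keytab; the findings list tells you whether what ktutil imported is the same principal, case for case, and the same kvno that the domain controller now holds.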
Hello,
Thanks for your answer. I will check with the guys from AD and do a search for the user SSOTRM/vbtrmz00.telecom.pt@PTP-QA.CORPPT-QA.LOCAL.
Do you think that it may be the cause of the error mentioned in the dev_w0 file?
Regards,
Pedro
Hi Pedro,
Can you see the following links: