Skip to Content

Archived discussions are read-only. Learn more about SAP Q&A

Kerberos/GSS API changed from RHEL to RHEL6?

Hello Experts,

for our ABAP systems I have configured SSO via standard MIT Kerberos on Linux/Intel (RHEL5) as well as Solaris/SPARC and Solaris/Intel  - works like a charm.

Now when I upgrade the Linux servers to RHEL6, the OS part of SSO still works, I get a TGT, klist shows me the correct credentials, etc., but the ABAP stack does no longer authenticate via SSO. All I get is a funny error popup "SAP System Message: S".

Is there any known change of the API from RHEL5 to RHEL6 and ideally a way to work around it?

The entry in dev_wx for the log attempt is:

N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [sncxxall.c 3357]

N        GSS-API(maj): No credentials were supplied, or the credentials were unavailable or inaccessible

N      Unable to establish the security context

N  <<- SncProcessInput()==SNCERR_GSSAPI

M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c    1034]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c    1039]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

M  in_ThErrHandle: 1

M  *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c   11313]

M  {root-id=001999B7BD5C1ED2AB982A0ECF295DD0}_{conn-id=00000000000000000000000000000000}_0

The parameters (which are working just fine under RHEL5) are:

snc/enable = 1

snc/gssapi_lib = /usr/lib64/sasl2/libgssapiv2.so

ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so (this is the current PL 43)

sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so

ssf/ssfapi_lib =$(DIR_EXECUTABLE)/libsapcrypto.so

login/accept_sso2_ticket = 1

login/create_sso2_ticket = 2

snc/accept_insecure_cpic = 1

snc/accept_insecure_gui = 1

snc/accept_insecure_rfc = 1

snc/extid_login_diag = 1

snc/permit_insecure_start = 1

ssf/name = SAPSECULIB

Installed packages on RHEL5 (all x86_64):

cyrus-sasl-gssapi-2.1.22-7.el5_8.1

krb5-libs-1.6.1-70.el5

krb5-libs-1.6.1-70.el5

krb5-workstation-1.6.1-70.el5

libgssapi-0.10-2

pam_krb5-2.2.14-18.el5

and on RHEL6:

cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64

krb5-libs-1.10.3-10.el6.x86_64

krb5-workstation-1.10.3-10.el6.x86_64

libgssglue-0.1-11.el6.x86_64

pam_krb5-2.3.11-9.el6.x86_64

Any info is much appreciated.

Andreas Niewerth

Tags:
Former Member

Helpful Answer

by
Not what you were looking for? View more on this topic or Ask a question