on 09-30-2013 12:16 PM
Hi folks,
I am implementing SSO for a customer on six partitions. Five partitions run without problems. The work processes of the sixth partition fail to start.
Part of ST11 DEV_W0:
.........
SncInit(): Initializing Secure Network Communication (SNC)
IBM i with OS400 (st,ascii,SAP_UC/size_t/void* = 16/64/64)
UserId="p0110" (4294770762), envvar USER="P0110"
SncInit(): found snc/data_protection/max=3, using 3 (Privacy Level)
SncInit(): found snc/data_protection/min=2, using 2 (Integrity Level)
SncInit(): found snc/data_protection/use=9, using 3 (Privacy Level)
SncInit(): found snc/gssapi_lib=/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)
File "/lib/libgssapi_krb5.a(libgssapi_krb5.a.so)" dynamically loaded as GSS-API v2 library.
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
SncInit(): found snc/identity/as=p:SAPService/server11.kunde.ent@KUNDE.ENT
SncInit(): Accepting Credentials available, lifetime=Indefinite
*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
GSS-API(maj): Miscellaneous failure
GSS-API(min): No credentials cache found
Could't acquire INITIATING credentials for
name="p:SAPService/server11.kunde.ent@KUNDE.ENT"
SncInit(): Fatal Initiating Credentials not available!
<<- SncInit()==SNCERR_GSSAPI
sec_avail = "false"
***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 238]
*** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 240]
in_ThErrHandle: 1
*** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 11370]
...............
When I run kinit and klist with the SAP p0110 user everything looks fine
$
> kinit -k SAPService/server11.kunde.ent@KUNDE.ENT
$
> klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_-196541
Default principal: SAPService/server11.kunde.ent@KUNDE.ENT
Valid starting Expires Service principal
09/30/13 15:01:00 09/04/13 01:01:00 krbtgt/KUNDE.ENT@KUNDE.ENT
Renew until 10/01/13 15:01:00
$
The differences on this partition are the strange name of the credentials cache krb5cc_-196541 and the unusually high uid of user p0110.
SAP refuses support as they support Kerberos only on Windows.
Any hints?
Thanks Fredi
Thank you all for your answers.
The problem is now solved by converting to the new user concept and by changing the User ID Number for P01ADM from the 4294770xxx range to 216 as on the other lpars.
I did this with the help of the QSYSCHGID command and program, which I found on the net.
Regards Fredi
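A small triage helper for the two things compared in the question (the numeric uid in the SNC trace and the credentials cache name from klist), added here as an example and not posted by anyone in the thread. The sample lines are copied from the question; the signed 32-bit view of the uid is an assumption about how a negative cache suffix can arise, which the thread does not confirm.

```python
import re

INT32_MAX = 2**31 - 1

# Lines copied from the dev_w0 trace and klist output in the question above.
TRACE = '''UserId="p0110" (4294770762), envvar USER="P0110"
*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1445]
GSS-API(maj): Miscellaneous failure
GSS-API(min): No credentials cache found
'''
KLIST = '''Ticket cache: FILE:/var/krb5/security/creds/krb5cc_-196541
Default principal: SAPService/server11.kunde.ent@KUNDE.ENT
'''

def _find(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None

def triage(trace, klist):
    """Collect uid, GSS-API status and cache suffix for side-by-side comparison."""
    uid_s = _find(r'UserId="[^"]*"\s+\((\d+)\)', trace)
    suffix_s = _find(r'Ticket cache:\s*FILE:\S*krb5cc_(-?\d+)', klist)
    uid = int(uid_s) if uid_s else None
    suffix = int(suffix_s) if suffix_s else None
    report = {
        "uid": uid,
        "gss_major": _find(r'GSS-API\(maj\):\s*(.+)', trace),
        "gss_minor": _find(r'GSS-API\(min\):\s*(.+)', trace),
        "cache_suffix": suffix,
        "cache_suffix_negative": suffix is not None and suffix < 0,
        "uid_exceeds_int32": uid is not None and uid > INT32_MAX,
        "uid_as_int32": None,
    }
    if uid is not None:
        # Assumption: two's-complement reinterpretation of the uid as a
        # signed 32-bit integer, shown only so it can be compared by eye.
        report["uid_as_int32"] = ((uid + 2**31) % 2**32) - 2**31
    return report

if __name__ == "__main__":
    for key, value in triage(TRACE, KLIST).items():
        print(f"{key}: {value}")
```

Running the same function against the trace and klist output of a working partition gives a baseline to compare the failing one against.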
Hi Stark
Could you check the IBM link? It may be useful to you.
http://www.ibm.com/developerworks/tivoli/library/t-ssosapnwas/
Regards
Sriram
Hello Fredi,
It seems to be a problem with the Kerberos server on IBM i; the log msg. indicates a problem with the ticket cache. Maybe you could try to re-install or re-configure the Kerberos server? If this does not help, you should open a PMR at IBM.
Best Regards,
Joachim