cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSO with RHEL7: ERROR: OUCH! Lifetime has increased by

Former Member

on ‎07-09-2015 7:19 PM

0 Kudos

Hello everybody,

we have upgraded the SAP System NW 701 ERP 604 Kernel 721 ext unicode

to Linux RHEL7 and installed the follwoing packages:

cyrus-sasl-gssapi-2.1.26-17.el7.x86_64

krb5-libs-1.12.2-14.el7.x86_64

pam_krb5-2.4.8-4.el7.x86_64

krb5-workstation-1.12.2-14.el7.x86_64

and customized SNC Parameter in SAP and active Directory.

In GSS Test we get this error:

ERROR: OUCH! Lifetime has increased by 20195 sec while 0 sec passed!

RESULT  NOT ok (rc=1)

ERROR: OUCH! Lifetime has increased by 20195 sec while 0 sec passed!

Status:  gss_compare_name() == (GSS_S_COMPLETE)

      result = FALSE

ERROR: acquiring default credentials: comparison of name1 and name2 failed!

RESULT  NOT ok (rc=2)

ERROR: acquiring default credentials: comparison of name1 and name2 failed!

RESULT  NOT ok (rc=2)

Have any boddy an idea about this error?

many thanks / Esfandiar

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

cris_hansen
Advisor
Advisor
‎07-14-2015 1:53 PM
0 Kudos

Hello Esfandiar,

This doesn't look like a SAP generated message.

For SNC, please read SAP note 150380.

I recommend using the SAP SSO v2.0 product. Find more here and here.

Regards,

Cris

Show replies
Show replies
Former Member
‎07-16-2015 8:47 AM
0 Kudos

Dear Cris, thanks for your answer. This scenario should work as for this year. NW-SSO will be implimented next year.Is it a problem with the KRB patch due to RHEL7 ??

/ many thanks / Esfandiar

cris_hansen
Advisor
Advisor
‎07-16-2015 6:17 PM
0 Kudos

Hello Esfandiar,

I really don't have more inputs here, as this approach (using kerberos libraries from OS) is not supported. In SAP note 150380 you have background information about how SAP addresses SNC using kerberos.

Rergards,

Cris

Former Member
‎08-12-2015 11:39 AM
0 Kudos

we found this worarround solution due to SSO under RHEL 7 :

1) download krb5-lib-source-Paket from RHEL5 of RedHat  (krb5-1.6.1-70.el5_9.2.src.rpm)

·         Install it on a System with RHEL5)  – rpm –i krb5-1.6.1-70.el5_9.2.src.rpm

·         after that is a  krb5-1.6.1.tar.gz-File created. (this secure file is needed for RHEL7 and should be compiled as follows:

·         ./configure –prefix=/.../libgssapi-rhel5

·      and ..    make install

·        -->  libgssapi_krb5.so.2.2 is created .

2) the profile parameter in SAP:  snc/gssapi_lib=/.../libgssapi-rhel5/lib/libgssapi_krb5.so.2.2

·       

restart SAP

--> libgssapi-rhel5 cab be copied to other Systems (and change the paramater in SAP)

Best Regards / Esfandiar

christoph_greiner2
Explorer
‎09-11-2015 2:22 PM
0 Kudos

Hello,

with RHEL7.2 it is fixed:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.2_Release_Notes...

Negotiate Authentication Streamlined with mod_auth_gssapi

Identity Management now uses the mod_auth_gssapi module, which uses GSSAPI calls instead of direct Kerberos calls used by the previously used mod_auth_kerb module.

Ask a Question