Kerberos5 with sap and linux - Kerberos


  1. Kerberos5 with sap and linux

    Dear Kerberos experts,
    I followed a description from c.barbat I found at the MIT Kerberos list to
    validate Kerberos.
    My environment is:

    RH REL Red Hat 3.4.6-2 64-bit with
    Kerberos krb5-libs-1.3.4-27 (Standard from RH)
    SAP WEB AS Version 6.40

    What I did:

    * I generated the snckrb5.so as described
    * I got a keytab file from the Windows guys
    * I compiled the gsstest utility from SAP SDN
    * I did a kinit for the SAP user
    * Before I start with SAP stuff I tried gsstest, which already fails
    with the following errors:
    "SAPService/gh.de@GH.DE"
    Nametype oid = {1 2 840 113554 1 2 2 1} NT=
    GSS_KRB5_NT_PRINCIPAL_NAME

    TEST: Examining the exported name framing
    Framing details for exported name (Section 3.2, GSS-API v2 spec):
    TOK_ID : 00000: 04 01
    MECH_OID_LEN = 11 : 00002: 00 0b
    OID tag : 00004: 06
    OID len = 9 : 00005: 09
    OID elements : 00006: 2a 86 48 86 f7 12 01 02 02
    = {1 2 840 113554 1 2 2} MECH= Kerberos 5 (v2 - rfc1964)
    NAME_LEN = 22 : 0000f: 00 00 00 16
    NAME : 00013: 53 41 50 53 65 72 76 69 SAPServi
    0001b: 63 65 2f 67 68 2e 64 65 ce/gh.de
    00023: 40 47 48 2e 44 45 @GH.DE
    Status: gss_release_name() ==
    (GSS_S_CALL_INACCESSIBLE_READ|GSS_S_BAD_NAME)
    gss_display_status(0x01020000,GSS_S_GSS_CODE) =
    "A required input parameter could not be read"
    "An invalid name was supplied"
    names.c(251): ERROR: (gss_name_t)out_name was not zeroed by
    gss_release_name()!
    RESULT NOT ok (rc=2)

    Can anyone provide me a snckrb5.so file for my platform, or better, give me
    some hints about what went wrong?


    thanks
    Thomas


    -------


    Gebr. Heinemann Kommanditgesellschaft - Hamburg - Registergericht Hamburg - HR A 15017
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
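
The exported-name framing printed in the gsstest output above (Section 3.2 of the GSS-API v2 spec) can be checked without any GSS-API library. The C parser below is an added example, not part of the original post or of SAP's gsstest; the function name `parse_exported_name` and its return codes are assumptions made for illustration, and the sample bytes are copied from the dump.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes copied from the gsstest dump in the post (offsets 0x00 to 0x28). */
static const uint8_t sample_token[] = {
    0x04, 0x01, 0x00, 0x0b, 0x06, 0x09,
    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02,
    0x00, 0x00, 0x00, 0x16,
    'S','A','P','S','e','r','v','i','c','e','/','g','h','.','d','e',
    '@','G','H','.','D','E'
};
/* DER content octets of the Kerberos 5 mechanism OID {1 2 840 113554 1 2 2}. */
static const uint8_t krb5_oid[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};

/* Parse an exported name token. Returns 0 and sets *name, *name_len (pointing
 * into tok) and *is_krb5 on success; otherwise a negative code identifying the
 * first framing field that failed validation (hypothetical codes). */
int parse_exported_name(const uint8_t *tok, size_t len, const uint8_t **name,
                        size_t *name_len, int *is_krb5)
{
    if (len < 4 || tok[0] != 0x04 || tok[1] != 0x01) return -1;   /* TOK_ID */
    size_t mech_len = ((size_t)tok[2] << 8) | tok[3];       /* MECH_OID_LEN */
    if (mech_len < 2 || mech_len > len - 4) return -2;
    const uint8_t *mech = tok + 4;
    if (mech[0] != 0x06) return -3;                              /* OID tag */
    if (mech[1] >= 0x80 || (size_t)mech[1] + 2 != mech_len) return -4; /* OID len */
    size_t off = 4 + mech_len;
    if (len - off < 4) return -5;                     /* NAME_LEN truncated */
    size_t nlen = ((size_t)tok[off] << 24) | ((size_t)tok[off + 1] << 16) |
                  ((size_t)tok[off + 2] << 8) | tok[off + 3];
    off += 4;
    if (nlen != len - off) return -6;    /* NAME must fill the rest exactly */
    *name = tok + off;
    *name_len = nlen;
    *is_krb5 = mech[1] == sizeof krb5_oid &&
               memcmp(mech + 2, krb5_oid, sizeof krb5_oid) == 0;
    return 0;
}

int main(void)
{
    const uint8_t *name; size_t n; int k;
    int rc = parse_exported_name(sample_token, sizeof sample_token, &name, &n, &k);
    if (rc == 0) printf("krb5=%d name=%.*s\n", k, (int)n, (const char *)name);
    else printf("bad framing (rc=%d)\n", rc);
    return rc != 0;
}
```

On the bytes from the post the parser accepts the token, so the framing fields gsstest labels in the dump are internally consistent.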


  2. Re: Kerberos5 with sap and linux

    Hi Thomas,

    Are you aware that MIT kerberos is not officially supported by SAP,
    esp. in production?

    Eric

    On Jun 19, 2:52 pm, T_K...@gebr-heinemann.de wrote:
    > Can anyone provide me a snckrb5.so file for my platform, or better, give me
    > some hints about what went wrong?
    >
    > thanks
    > Thomas




  3. RE: Kerberos5 with sap and linux

    Dear Thomas,

    Are you using MIT Kerberos or Heimdal Kerberos? Many Linux distributions package Heimdal, which is not as good as MIT...

    Mit freundlichem Gruß / Kind regards / Cordialement

    Calin Barbat

    -----Original Message-----
    From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of T_Kast@gebr-heinemann.de
    Sent: Tuesday, June 19, 2007 2:52 PM
    To: kerberos@mit.edu
    Subject: Kerberos5 with sap and linux


