
To: krb5-bugs@mit.edu
Subject: libgssapi_krb5.so.2.2 crashes
From: patrick.obergfoell@kern.ag
Date: Thu, 24 Nov 2011 13:19:43 +0100
Dear all,

I get the following error with the MIT Kerberos5 Implementation--Libraries on SLES 11 SP1.
Version: krb5-1.6.3-133.46.1
The libgssapi_krb5.so.2.2 crashes

Here are my questions:
Is this a known bug of the version krb5-1.6.3-133.46.1?
Or could it be a configuration problem?
Which version patches the error?

error.log

N  SncInit(): Initializing Secure Network Communication (SNC)
N        AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)
N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=/usr/lib64/snckrb5.so
N    File "/usr/lib64/snckrb5.so" dynamically loaded as SNC-Adapter.
N    The Adapter identifies as:
N    External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
M  ------------------ C-STACK ----------------------
(CTrcStack2+0x82)[0x6c3972]
(SigIGenAction+0x2ad)[0x198e04d]
/lib64/libpthread.so.0[0x7f6b1874c5d0]
(sem_wait+0x2b)[0x12bf25b]
/lib64/libcom_err.so.2(add_error_table+0x2d)[0x7f699964782d]
/usr/lib64/libgssapi_krb5.so.2[0x7f6999d1930b]
/lib64/libpthread.so.0(pthread_once+0x53)[0x7f6b18749a83]
/usr/lib64/libgssapi_krb5.so.2[0x7f6999d18813]
/usr/lib64/libgssapi_krb5.so.2(gss_indicate_mechs+0x34)[0x7f6999d1fb34]
/usr/lib64/snckrb5.so(sapgss_indicate_mechs+0x1d)[0x7f6999f3ff5d]
(SncPDLInit+0x3dc)[0x18f163c]
(SncInit+0x537)[0x18f0777]
(SncInitU+0x53)[0x18e3263]
(ThSncInit+0x8b)[0x5cd7ab]
(ThInit+0xd45)[0x556165]
(ThStart+0x11b)[0x55826b]
(DpMain+0x228)[0x4bdf68]
/lib64/libc.so.6(__libc_start_main+0xe6)[0x7f6b183fdbc6]



Best regards

Dr. Patrick Obergföll
Consultant
Product Manager

Phone: +49 (761) 791 878-130

----------------------------------------------------------------------------------------------------
Kern Aktiengesellschaft

Wentzinger Straße 17, 79106 Freiburg

Home: http://www.kern.ag/

Executive Board: Eckhard Moos (Chair), Ekkehard Seiler
Chairman of the Supervisory Board: Dr. Winfried A. Adam
Commercial register: HRB 6021, Freiburg im Breisgau District Court
----------------------------------------------------------------------------------------------------

The correspondence with Kern Aktiengesellschaft via email is intended only for information purposes. This document may contain confidential or legally privileged information and is intended solely for the individual(s) named above. If you are not an intended recipient or have received this email in error, please notify the sender immediately and delete this email. Any unauthorized publication, use, dissemination or disclosure of this message is strictly prohibited. This medium is not to be used for legally binding communication, unless Kern AG and its respective or future contract party have previously explicitly and specifically agreed upon this course of action.

To: rt@krbdev.mit.edu
Subject: [krbdev.mit.edu #7028]
From: patrick.obergfoell@kern.ag
Date: Tue, 29 Nov 2011 16:03:26 +0100
Attachments: gsstest_Result.zip (application/zip, 14.1KiB), SSOforSAPNWASABAPonPower.pdf (application/octet-stream, 636.7KiB)

Dear all,

Here is a little more information on the specific problem:

I get the following error with the MIT Kerberos5 Implementation--Libraries on SLES 11 SP1.
Version: krb5-1.6.3-133.46.1
The libgssapi_krb5.so.2.2 crashes

We use the MIT Kerberos5 Implementation as described in the attachment:
- SSOforSAPNWASABAPonPower.pdf

As Primary Domain Controller and Key Distribution Center we use Microsoft Windows 2008 SR2.

Service Principal Name is set:  
setspn -A SAPService/sapcusc00.kern.intra KERN\c00adm

The keytab is generated on the Windows AD server and then copied to the host with the SAP system on it.

To test whether the keytab works, run kinit -k <service_principal_name> on the Linux host.
The SPN must be exactly the same as in the keytab.
Kinit will compare the given SPN with the one in the keytab and, if they are the same, no password is needed to request a Kerberos ticket because it was already defined in the keytab.

/usr/bin/kinit -V -k SAPService/sapcusc00.kern.intra@KERN.INTRA
- - - - - - - - - - - - - - - - - - - - - - - - - - - -  
sapcusc00:c00adm 51> /usr/bin/kinit -V -k SAPService/sapcusc00.kern.intra@KERN.INTRA
Authenticated to Kerberos v5
- - - - - - - - - - - - - - - - - - - - - - - - - - - -  

Test with
/usr/bin/klist
- - - - - - - - - - - - - - - - - - - - - - - - - - - -  
sapcusc00:c00adm 81> /usr/bin/klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: SAPService/sapcusc00.kern.intra@KERN.INTRA

Valid starting     Expires            Service principal
11/25/11 14:34:32  11/26/11 00:35:03  krbtgt/KERN.INTRA@KERN.INTRA
        renew until 11/26/11 14:34:32


Kerberos 4 ticket cache: /tmp/tkt1002
klist: You have no tickets cached
- - - - - - - - - - - - - - - - - - - - - - - - - - - -  


SAP's support is strictly limited to SAP's side of the code which calls external products according to the definition of the GSS-API v2 interface specification (rfc-2743, rfc-2744) with the constraints published as part of SAP's BC-SNC interoperability certification.

In general, checking your MIT Kerberos library with SAP's tool "GSSTEST" (see below) should give you some indication whether your library is interoperable with SAP R/3.
The result of the test is attached as gsstest_Result.zip - krb5_2_2.log.
- - - - - - - - - - - - - - - - - - - - - - - - - - - -  

Everything seems to be OK.

Test with
klist
- - - - - - - - - - - - - - - - - - - - - - - - - - - -  
sapcusc00:c00adm 52> klist
Credentials cache /home/c00adm/krb5cc_c00adm cannot be found

sapcusc00:c00adm 53> echo $path
/sapdb/programs/bin /usr/lib64/jvm/jre/bin . /home/c00adm /usr/sap/C00/SYS/exe/run /home/c00adm/bin /usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/bin/X11 /usr/X11R6/bin /usr/games /usr/lib/mit/bin /usr/lib/mit/sbin
- - - - - - - - - - - - - - - - - - - - - - - - - - - -  

Check for File klist
Find File
 ./tmp/sapinst_exe.4415.1303146124/jre/bin/
     klist                                
 ./usr/bin/                              
     klist                                  
 ./usr/lib64/jvm/java-1_4_2-ibm-1.4.2/jre/bin/
     klist                                  
 ./usr/lib/mit/bin/                          
     klist                                  

Check for File libgssapi_krb5.so.2.2
Find File
 ./usr/lib64/            
     libgssapi_krb5.so.2.2
 ./usr/lib/              
     libgssapi_krb5.so.2.2

Here are my questions:
Is this a known bug of the version krb5-1.6.3-133.46.1?
Or could it be a configuration problem?
Which version patches the error?
What else can I contribute to find a solution?

The error is thrown at the moment the work process in the SAP system is started.
error.log (fully attached gsstest_Result.zip - dev_w0)

N  SncInit(): Initializing Secure Network Communication (SNC)
N        AMD/Intel x86_64 with Linux (st,ascii,SAP_UC/size_t/void* = 16/64/64)
N  SncInit():   found snc/data_protection/max=3, using 3 (Privacy Level)
N  SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)
N  SncInit():   found snc/data_protection/use=3, using 3 (Privacy Level)
N  SncInit(): found  snc/gssapi_lib=/usr/lib64/snckrb5.so
N    File "/usr/lib64/snckrb5.so" dynamically loaded as SNC-Adapter.
N    The Adapter identifies as:
N    External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
M  ------------------ C-STACK ----------------------
(CTrcStack2+0x82)[0x6c3972]
(SigIGenAction+0x2ad)[0x198e04d]
/lib64/libpthread.so.0[0x7f6b1874c5d0]
(sem_wait+0x2b)[0x12bf25b]
/lib64/libcom_err.so.2(add_error_table+0x2d)[0x7f699964782d]
/usr/lib64/libgssapi_krb5.so.2[0x7f6999d1930b]
/lib64/libpthread.so.0(pthread_once+0x53)[0x7f6b18749a83]
/usr/lib64/libgssapi_krb5.so.2[0x7f6999d18813]
/usr/lib64/libgssapi_krb5.so.2(gss_indicate_mechs+0x34)[0x7f6999d1fb34]
/usr/lib64/snckrb5.so(sapgss_indicate_mechs+0x1d)[0x7f6999f3ff5d]
(SncPDLInit+0x3dc)[0x18f163c]
(SncInit+0x537)[0x18f0777]
(SncInitU+0x53)[0x18e3263]
(ThSncInit+0x8b)[0x5cd7ab]
(ThInit+0xd45)[0x556165]
(ThStart+0x11b)[0x55826b]
(DpMain+0x228)[0x4bdf68]
/lib64/libc.so.6(__libc_start_main+0xe6)[0x7f6b183fdbc6]

Best regards

Patrick Obergföll
Consultant
Product Manager

Phone: +49 (761) 791 878-130

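
Added example (not part of the original messages, and not SAP or MIT code): the message above states that the SPN passed to kinit -k must be exactly the same as the entry in the keytab. The sketch below checks that against the plain `klist -k` listing format; the function names, the sample listing, its keytab path and its host/ entry are constructed for illustration.

```shell
#!/bin/sh
# check_spn SPN: reads plain `klist -k` output on stdin and looks for SPN.
# Returns 0 = exact match, 2 = match only when case is ignored, 1 = no entry.
check_spn() {
    awk -v want="$1" '
        # Entry lines look like "   3 principal@REALM"; header lines are skipped.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            p = $NF
            if (p == want) exact = 1
            else if (tolower(p) == tolower(want)) { near = 1; hit = p }
        }
        END {
            if (exact) { print "OK: " want; exit 0 }
            if (near)  { print "CASE MISMATCH: keytab has " hit; exit 2 }
            print "MISSING: " want; exit 1
        }'
}

# Constructed sample of `klist -k` output (not taken from the reporter's host).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 SAPService/sapcusc00.kern.intra@KERN.INTRA
   3 host/sapcusc00.kern.intra@KERN.INTRA
EOF
}

# On a real host the listing would come from: klist -k <keytab file>
sample_listing | check_spn 'SAPService/sapcusc00.kern.intra@KERN.INTRA'
# A lower-cased service class is reported as a near miss (exit status 2).
sample_listing | check_spn 'sapservice/sapcusc00.kern.intra@KERN.INTRA' || echo "rc=$?"
```

The check covers only the keytab side of the setup; it says nothing about the crash in the C-STACK trace.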