Hi,
Is somebody using the above scenario? I want to use MIT Kerberos to implement SNC for a SAP server on Linux.
Then this server and the GUI clients should be able to authenticate (using single sign-on) against a Win2k AD DC.
I'm mainly interested in the configuration details, such as the principal names used when authenticating to the Win2k AD, in order to make sure I understand the principle. Could you send me your SNC configuration (especially the SAPgui, SAPlogon SNC part and snc/identity/as in the *.PFL files)?
I slightly modified the sources of the GSS-API implementation of MIT Kerberos 1.2.8 to make it return only the RFC 1964 compliant mechanism, and now it passes a certification test program from SAP: gsstest-1.26. In addition, I made the SNC-Adapter (a GSS-API wrapper with minor additions, available for download from the SAP website) from SAP work on Linux and pass the same test. BTW: The pre-RFC 1964 mechanism also passes the test.
(Note however: Tests can only show the presence of bugs but never their absence.)
When I use my snckrb5.so adapter together with SAP R/3 (on Linux), I get the following error message when trying to establish the security context:
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3423]
N GSS-API(maj): A token was invalid
N GSS-API(min): Mechanism is incorrect
N Unable to establish the security context
N <<- SncProcessInput()==SNCERR_GSSAPI
M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) [thxxsnc.c 973]
M *** ERROR => ThSncIn: SncProcessInput [thxxsnc.c 978]
M in_ThErrHandle: 1
M *** ERROR => ThSncIn: SncProcessInput (step 4, th_errno 44, action 1, level 1) [thxxhead.c 8787]
Any help or hint in the right direction would be greatly appreciated,
Calin Barbat
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
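
One way to narrow down a "Mechanism is incorrect" minor status like the one quoted in the post above is to look at the mechanism OID that heads the initial context token the acceptor received, since the RFC 1964 and pre-RFC 1964 Kerberos mechanisms mentioned in the post use different OIDs. The following is an added example, not code from the original post, MIT Kerberos or SAP; the function and constant names are hypothetical and the sample tokens are constructed.

```c
/* Added example: classify the mechanism OID heading a GSS-API initial context token. */
#include <stdio.h>
#include <string.h>

enum mech { MECH_MALFORMED = -1, MECH_OTHER, MECH_KRB5_RFC1964, MECH_KRB5_PRE_RFC1964 };

static const unsigned char OID_KRB5[] =      /* 1.2.840.113554.1.2.2 (RFC 1964) */
    {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};
static const unsigned char OID_KRB5_OLD[] =  /* 1.3.5.1.5.2 (pre-RFC 1964) */
    {0x2b, 0x05, 0x01, 0x05, 0x02};

/* Constructed sample tokens: framing, OID and a 2-byte inner token ID only. */
static const unsigned char TOK_NEW[] = {0x60, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
    0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, 0x01, 0x00};
static const unsigned char TOK_OLD[] = {0x60, 0x09, 0x06, 0x05, 0x2b, 0x05, 0x01,
    0x05, 0x02, 0x01, 0x00};
static const unsigned char TOK_RAW[] = {0x6e, 0x03, 0x30, 0x01, 0x00}; /* no GSS framing */

/* Read a DER definite length at buf[*pos]; returns 0 on success. */
static int der_len(const unsigned char *buf, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    unsigned char b = buf[(*pos)++];
    size_t cnt = b & 0x7f;
    if (b < 0x80) { *out = b; return 0; }          /* short form */
    if (cnt == 0 || cnt > sizeof(size_t) || cnt > n - *pos) return -1;
    for (*out = 0; cnt > 0; cnt--) *out = (*out << 8) | buf[(*pos)++];
    return 0;
}

enum mech gss_token_mech(const unsigned char *tok, size_t n)
{
    size_t pos = 1, body, end, len;
    if (n < 1 || tok[0] != 0x60) return MECH_MALFORMED;          /* [APPLICATION 0] */
    if (der_len(tok, n, &pos, &body) || body > n - pos) return MECH_MALFORMED;
    end = pos + body;
    if (pos >= end || tok[pos++] != 0x06) return MECH_MALFORMED; /* OBJECT IDENTIFIER */
    if (der_len(tok, end, &pos, &len) || len > end - pos) return MECH_MALFORMED;
    if (len == sizeof OID_KRB5 && !memcmp(tok + pos, OID_KRB5, len)) return MECH_KRB5_RFC1964;
    if (len == sizeof OID_KRB5_OLD && !memcmp(tok + pos, OID_KRB5_OLD, len)) return MECH_KRB5_PRE_RFC1964;
    return MECH_OTHER;
}

int main(void)
{
    printf("new=%d old=%d raw=%d\n", gss_token_mech(TOK_NEW, sizeof TOK_NEW),
           gss_token_mech(TOK_OLD, sizeof TOK_OLD), gss_token_mech(TOK_RAW, sizeof TOK_RAW));
    return 0;
}
```

Feeding it the first bytes of the token handed to the acceptor shows whether the peer used the OID the acceptor was built to accept, a different mechanism, or no RFC 2743 framing at all.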
