kerberos authentication error after upgrading to SLES12SP2

This document (7022689) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Linux Enterprise Server for SAP Applications

Situation

SAP GUI fails to login / authenticate users using SSO (Single Sign on) after upgrading systems from SLES11sp4 to SLES12sp2.  Seeing a GSSAPI error.
ERROR:
***************** SAP work process logs*****************
N  *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [/bas/742_REL/sr 3616]
N        GSS-API(maj): Unspecified GSS failure.  Minor code may provide more information
N        GSS-API(min): Program called an obsolete, deleted function
N      Unable to establish the security context
N  <<- SncProcessInput()==SNCERR_GSSAPI
M  *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) for T7_U10324_M0 failed (len=2198) [thxxsnc.c    1156]
M  {root-id=005056AE24271ED7A2B433801C49FA46}_{conn-id=00000000000000000000000000000000}_0

Resolution

The krb5 library has been officially released in maintenance updates.
Fix included in krb5-1.12.5-40.23.2 or above.

An environment variable needs to be set along with using updated code.

To set this environment variable for your SAP environment, you need to determine which shell your sap processes are using.
You can see which shell they are using in the /etc/passwd file.

If using bash shell environment, you can set this globally by adding the following to /etc/bash.bashrc.local
export GSSAPI_ASSUME_MECH_MATCH=1

If using csh, you can add the following to the /etc/csh.cshrc.local
setenv GSSAPI_ASSUME_MECH_MATCH 1

Cause

krb5 library was updated in SLES12 and has some additional checks inside it which are not being passed in or presented while trying to authenticate

Additional Information

krb5 code now looks for environment variable "GSSAPI_ASSUME_MECH_MATCH=1" and the offending condition that caused SSO failure would be disabled.
Problem seen with following versions:
  krb5 1.12.5-40.13.1
  krb5 1.12.5-40.16.1

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7022689
  • Creation Date: 26-Feb-2018
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center