
Kerberos Initialization error with SAP

1,508 views

Ubaid Rahman

Dec 8, 2011, 11:51:59 AM
to kerb...@mit.edu
Hi All

We are trying to set up SAP SSO over Kerberos and the SAP SNC adapter.

After many hurdles we have got to a point where SAP gives the below error:

M load shared library (/usr/lib/snckrb5.so), hdl 1
N File "/usr/lib/snckrb5.so" dynamically loaded as SNC-Adapter.
N The Adapter identifies as:
N External SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N SncInit(): found snc/identity/as=p/krb5:s03...@WMSERVICE.CORPNET1.COM
N *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1432]
N GSS-API(maj): Miscellaneous failure
N GSS-API(min): No principal in keytab matches desired name
N Could't acquire ACCEPTING credentials for
N
N name="p:s03...@WMSERVICE.CORPNET1.COM"
N SncInit(): Fatal -- Accepting Credentials not available!
N <<- SncInit()==SNCERR_GSSAPI
N sec_avail = "false"
M ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c 223]
M *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c 225]
M in_ThErrHandle: 1
M *** ERROR => SncInitU (step 1, th_errno 44, action 3, level 1) [thxxhead.c 9708]


I have copied the output of some Kerberos commands below for reference; please let me know if anybody has any ideas as to what we are doing wrong.

# klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: s03...@WMSERVICE.CORPNET1.COM

Valid starting       Expires              Service principal
12/08/11 00:00:01    12/08/11 10:00:02    krbtgt/WMSERVICE.C...@WMSERVICE.CORPNET1.COM
        Renew until 12/09/11 00:00:01

# kvno s03adm
kvno = 6

root@ussapsmr01:/home/root >
# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ------------------------------------------------------
   1    5 host/ussapsmr00.wmser...@WMSERVICE.CORPNET1.COM
   2    5 host/ussapsmr00.wmser...@WMSERVICE.CORPNET1.COM
   3    5 host/ussapsmr00.wmser...@WMSERVICE.CORPNET1.COM
   4    6 host/ussapsmr00.wmser...@WMSERVICE.CORPNET1.COM

Though I was able to initialize the sidadm user mapped to the service principal, I have not been able to successfully initialize the principal itself. Here is the error when I do that:

# kinit host/ussapsmr00.wmser...@WMSERVICE.CORPNET1.COM
Unable to obtain initial credentials.
Status 0x96c73a06 - Client not found in Network Authentication Service database or client locked out.

Appreciate any help in advance - Thanks


Ubaid Rahman
Senior AIX Administrator
SCS C&ES Infrastructure
Admin 1 # 146E
Ph # *.703.2817 (internal) or 919.483.2817 (external)
      # 919.314.7177 (cell)  

-----Original Message-----
From: kerberos...@mit.edu [mailto:kerberos...@mit.edu] On Behalf Of kerberos...@mit.edu
Sent: Wednesday, December 07, 2011 12:09 PM
To: kerb...@mit.edu
Subject: Kerberos Digest, Vol 108, Issue 2

Send Kerberos mailing list submissions to
kerb...@mit.edu

To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.mit.edu/mailman/listinfo/kerberos
or, via email, send a message with subject or body 'help' to
kerberos...@mit.edu

You can reach the person managing the list at
kerbero...@mit.edu

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Kerberos digest..."


Today's Topics:

1. MITKRB5-SA-2011-007 KDC null pointer dereference in TGS
handling [CVE-2011-1530] (Tom Yu)
2. test cases compilation encountered error (Bear)


----------------------------------------------------------------------

Message: 1
Date: Tue, 06 Dec 2011 14:07:40 -0500
From: Tom Yu <tl...@MIT.EDU>
Subject: MITKRB5-SA-2011-007 KDC null pointer dereference in TGS
handling [CVE-2011-1530]
To: kerberos...@MIT.EDU
Message-ID: <ldvehwh...@cathode-dark-space.mit.edu>
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2011-007

MIT krb5 Security Advisory 2011-007
Original release: 2011-12-06
Last update: 2011-12-06

Topic: KDC null pointer dereference in TGS handling


CVE-2011-1530
KDC null pointer dereference in TGS handling

CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score: 6.8

Access Vector: Network
Access Complexity: Low
Authentication: Single
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete

CVSSv2 Temporal Score: 5.9

Exploitability: High
Remediation Level: Official Fix
Report Confidence: Confirmed

SUMMARY
=======

In releases krb5-1.9 and later, the KDC can crash due to a null
pointer dereference in code that handles TGS (Ticket Granting Service)
requests. The trigger condition is trivial to produce using
unmodified client software, but requires the ability to authenticate
as a principal in the KDC's realm.

IMPACT
======

An authenticated remote attacker can crash a KDC via null pointer
dereference.

AFFECTED SOFTWARE
=================

* The KDC in krb5-1.9 and later is vulnerable. Earlier releases
predate the internal interface changes that led to this
vulnerability.

FIXES
=====

* Workaround: restart the KDC when it crashes, possibly using an
automated monitoring process.

* Apply the patch:

diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index f46cad3..102fbaa 100644
- --- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -67,6 +67,7 @@ check-unix:: rtest

check-pytests::
$(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)

install::
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c169c54..840a2ef 100644
- --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -243,7 +243,8 @@ tgt_again:
if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
errcode = find_alternate_tgs(request, &server);
firstpass = 0;
- - goto tgt_again;
+ if (errcode == 0)
+ goto tgt_again;
}
}
status = "UNKNOWN_SERVER";
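Review bot: when errcode is nonzero the fixed code now falls through to `status = "UNKNOWN_SERVER";`, so a backend failure from find_alternate_tgs() (any error other than KRB5_KDB_NOENTRY, per the DETAILS section) is reported to the client and logged under the same status as a genuinely unknown service principal. Consider a distinct status string for the non-NOENTRY case so a database error is not mistaken for a typo in the service name, and confirm that the code following this hunk tests errcode before it uses server, since server is the pointer that was left null.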
diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
new file mode 100644
index 0000000..1760bcd
- --- /dev/null
+++ b/src/kdc/t_emptytgt.py
@@ -0,0 +1,8 @@
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(start_kadmind=False, create_host=False)
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
+if 'not found in Kerberos database' not in output:
+ fail('TGT lookup for empty realm failed in unexpected way')
+success('Empty tgt lookup.')
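Review bot: the regression test infers that the KDC survived only from the substring 'not found in Kerberos database' in kvno's output; a crashed KDC makes kvno fail with a different message, so the test does catch the bug, but any other KDC error text is reported with the vague 'failed in unexpected way' rather than telling the developer what happened. Consider printing the unexpected output in the fail() message and, after the empty-realm lookup, issuing a second kvno for a principal that must succeed, which proves directly that the KDC is still serving requests. A one-line comment that `kvno krbtgt/` (a service name with an empty second component) is what drives process_tgs_req() into find_alternate_tgs() would also help the next reader; the `#!/usr/bin/python` shebang is unused since the Makefile hunk runs the file through $(RUNPYTEST).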


This patch is also available at

http://web.mit.edu/kerberos/advisories/2011-007-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2011-007-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-007.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2011-1530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1530

ACKNOWLEDGMENTS
===============

Simo Sorce discovered this vulnerability.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-...@mit.edu>. When sending sensitive information,
please PGP-encrypt it using the following key:

pub 2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid MIT Kerberos Team Security Contact <krbcore-...@mit.edu>

DETAILS
=======

The process_tgs_req() function in the KDC has logic that attempts to
find an alternative service principal if the service principal in the
client's TGS-REQ is unknown. If the find_alternate_tgs() helper
function returns an error that is not KRB5_KDB_NOENTRY, it leaves the
server variable holding a null pointer. The process_tgs_req()
function improperly ignores that error, and proceeds to call functions
that dereference the null pointer.

Prior to krb5-1.9, the krb5_db_get_principal() function and related
interfaces had output parameters "more" and "nprincs". The krb5-1.9
release includes changes to these interfaces so that they no longer
have those outputs. Prior to krb5-1.9, the find_alternate_tgs()
function in the KDC had a void return type, and indicated failure by
setting its "more" and "nprincs" outputs appropriately. Its interface
changed in krb5-1.9 to instead return an error code, with
corresponding changes to process_tgs_req(); these changes to
process_tgs_req() were flawed and allow errors other than
KRB5_KDB_NOENTRY to cause a null pointer dereference.

The vulnerable code executes after the KDC authenticates the request,
so an attacker must have first obtained valid initial Kerberos
credentials for the target realm.

REVISION HISTORY
================

2011-12-06 original release

Copyright (C) 2011 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iQCVAgUBTt5mYabDgE/zdoE9AQIuKAQA0K1YUeTKjEIVjEIufpTanNoipQiWRNCE
alUjkcxQeD3yFK8LU6yKcs0CdTI60FDst3788tUtoGDdwpnbc90Rv8EID00VtgEc
0rI4Nfe32MxP/UlNNVRinWkwtDLWeh1gKQOPXAjeapKQcWAFB3tM/haRnDgCu49I
snM0jQSBFgA=
=FK9G
-----END PGP SIGNATURE-----
_______________________________________________
kerberos-announce mailing list
kerberos...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos-announce


------------------------------

Message: 2
Date: Wed, 07 Dec 2011 17:09:10 +0800
From: Bear <bear...@oracle.com>
Subject: test cases compilation encountered error
To: kerb...@MIT.EDU
Message-ID: <4EDF2D36...@oracle.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

Hi All,

I want to compile the test cases located in krb5-1.8.5/src/ccapi/test on their own, with Solaris 11 on the i386 platform, but encountered the error below:

=================================
Undefined                               first referenced
 symbol                                     in file
current_test_name                           test_cc_ccache_clear_kdc_time_offset.o
current_test_activity                       test_cc_ccache_clear_kdc_time_offset.o
check_cc_ccache_clear_kdc_time_offset       test_cc_ccache_clear_kdc_time_offset.o
ld: fatal: symbol referencing errors. No output written to
test_cc_ccache_clear_kdc_time_offset
*** Error code 1
make: Fatal error: Command failed for target
`test_cc_ccache_clear_kdc_time_offset'
=================================

Who can tell me where I can find these symbols?

Thanks.

--

Regards,

Bear



------------------------------

_______________________________________________
Kerberos mailing list
Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


End of Kerberos Digest, Vol 108, Issue 2
****************************************



Mark Pröhl

Dec 8, 2011, 5:32:13 PM
to kerb...@mit.edu, ubaid.u...@gsk.com
Hi,

you need to create a keytab with entries for the principal
s03...@WMSERVICE.CORPNET1.COM instead of
host/ussapsmr00.wmser...@WMSERVICE.CORPNET1.COM

You can test your keytab with the following command line:

kinit -k -t /path/to/your/keytab s03...@WMSERVICE.CORPNET1.COM

IIRC you have to run this command on a regular basis (e.g. by cron) to
maintain a credential cache for the SAP service account.

Regards,

Mark Pröhl





Ubaid Rahman

Dec 9, 2011, 4:07:55 PM
to ma...@mproehl.net, kerb...@mit.edu
Hi Mark

Thanks for your help..

I did as you suggested and reimported the keytab file with the new SPN, but when I tried to kinit, it said "Password not correct". We did get a fresh keytab created, but still the same error.

# kinit -k -t /etc/krb5/krb5.keytab s03...@WMSERVICE.CORPNET1.COM
Password not correct

Any ideas?

Ubaid Rahman

Mark Pröhl

Dec 11, 2011, 5:56:10 AM
to Ubaid Rahman, kerb...@mit.edu
Ubaid Rahman wrote:
> Thanks for your help..
>
> I did as you suggested and reimported the keytab file with the new SPN, but when I tried to kinit, it same "Password not correct". We did get a fresh keytab created, but still the same error.
>
> # kinit -k -t /etc/krb5/krb5.keytab s03...@WMSERVICE.CORPNET1.COM
> Password not correct
How did you create the keytab?

If your Kerberos infrastructure is based on Active Directory then there
are many ways to produce keytabs. E.g. you could use ktpass.exe on Windows.
If s03adm is the name of the SAP service account in Active Directory then

c:\> ktpass.exe /out s03adm.keytab /mapuser s03...@WMSERVICE.CORPNET1.COM /princ s03...@WMSERVICE.CORPNET1.COM /rndPass /crypto ALL /ptype KRB5_NT_PRINCIPAL

should do the job. Copy s03adm.keytab in a secure way to your SAP server
and test again with kinit -k -t ...

If that fails, please send the output of klist -k -e and the contents of
krb5.conf.


Ubaid Rahman

Dec 12, 2011, 9:21:18 AM
to ma...@mproehl.net, kerb...@mit.edu
The keytab was created the following way; I will give your way a try when the AD person comes in tomorrow. Thanks

D:\Temp>ktpass -princ s03...@WMSERVICE.CORPNET1.COM -mapuser WMSERVICE\s03adm -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly -pass Sap03ss0 -out s03adm.keytab
Targeting domain controller: us1sxdmc0016.wmservice.corpnet1.com
Failed to set property "servicePrincipalName" to "s03adm" on Dn "CN=S03ADM,CN=Users,DC=wmservice,DC=corpnet1,DC=com": 0x13.
WARNING: Unable to set SPN mapping data.
If S03ADM already has an SPN mapping installed for s03adm, this is no cause for concern.
Key created.
Output keytab to s03adm.keytab:
Keytab version: 0x502
keysize 55 s03...@WMSERVICE.CORPNET1.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 6 etype 0x3 (DES-CBC-MD5) keylength 8 (0xe5a2b376fb6e89c4)
Account S03ADM has been set for DES-only encryption.



Mark Pröhl

Dec 12, 2011, 2:01:00 PM
to Ubaid Rahman, kerb...@mit.edu
You are using a very weak cryptographic key (DES-CBC-MD5). That should
not be necessary if you are not using a very old version of AIX. Could
you try again with my suggested ktpass command line? (and remove the
desonly from the service account)


BTW: your command line contains a clear text password and the output of
ktpass.exe contains the corresponding key. You should not include this
information in an email.
--
Mark Pröhl
ma...@mproehl.net
www.kerberos-buch.de

Ubaid Rahman

Dec 12, 2011, 3:16:10 PM
to ma...@mproehl.net, kerb...@mit.edu
I had ktpass run on the AD server the way you suggested, except that it wouldn't take "/crypto ALL", so we created it without the crypto option.

Still no luck. I get the following when I do the kinit:

root@ussapsmr01:/home/uur88980 >
# kinit -k -t /etc/krb5/krb5.keytab s03...@WMSERVICE.CORPNET1.COM
Unable to obtain initial credentials.
Status 0x96c73ab5 - Key table entry not found.

Output of klist -k -e and copy of krb5.conf below (as requested):

# klist -k -e
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ---------
6 s03...@WMSERVICE.CORPNET1.COM (ArcFour with HMAC/md5)


Copy of krb5.conf file:

[libdefaults]
default_realm = WMSERVICE.CORPNET1.COM
default_keytab_name = FILE:/etc/krb5/krb5.keytab


[realms]
WMSERVICE.CORPNET1.COM = {
kdc = US1SXDMC0016.wmservice.corpnet1.com:88
admin_server = US1SXDMC0016.wmservice.corpnet1.com
default_domain = wmservice.corpnet1.com
kpasswd_server = US1SXDMC0016.wmservice.corpnet1.com
}

[domain_realm]
wmservice.corpnet1.com = WMSERVICE.CORPNET1.COM
US1SXDMC0016.wmservice.corpnet1.com = WMSERVICE.CORPNET1.COM

[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log


Thanks
Ubaid Rahman


Douglas E. Engert

Dec 12, 2011, 5:44:39 PM
to kerb...@mit.edu


On 12/12/2011 2:16 PM, Ubaid Rahman wrote:
> Had the ktpass run on AD server the way you suggested, except that it wouldn't take "/crypto ALL", so we created it without the crypto
>
> Still no luck.. I get the following when I do the kinit

Are your DCs all 2008, all 2003 or some of each?

Sounds like the wrong ktpass; the 2008 version has /crypto All:
http://technet.microsoft.com/en-us/library/cc753771(WS.10).aspx

The kinit -k will send an AS-REQ using all enc-types the library and
krb5.conf support. On non-AD KDCs, the KDC would have
all the matching keys to the keytab, and would then return a ticket
using the strongest enc-type that was in the keytab.

AD does not store the keys, but generates them on the fly from
the password of the account. AD can then send the AS-REP using
an enc-type for a key that is not in the keytab.

With AD 2008, you can set the msDS-supportedEncryptionTypes attribute
of the account to match the keys in the keytab.

http://msdn.microsoft.com/en-us/library/cc223853(v=prot.10).aspx

Wireshark can be run on the client to format the Kerberos packets,
and can be very helpful in situations like this.

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Mark Pröhl

Dec 13, 2011, 2:04:40 AM
to kerb...@mit.edu, ubaid.u...@gsk.com
If there is only one rc4-hmac key in the keytab file, then you should
add the following configuration line to the [libdefaults] section of
krb5.conf:

default_tkt_enctypes = arcfour-hmac-md5

And test kinit -k ... again.

A newer version of ktpass.exe to create a keytab with /crypto ALL would
of course be a better solution.
Mark Pröhl
ma...@mproehl.net
www.kerberos-buch.de

Ubaid Rahman

Dec 13, 2011, 1:26:29 PM
to Mark Pröhl, kerb...@mit.edu
No luck.

root@ussapsmr01:/home/uur88980 >
# kinit -k s03...@WMSERVICE.CORPNET1.COM
Unable to obtain initial credentials.
Status 0x96c73a0e - KDC has no support for encryption type.
root@ussapsmr01:/home/uur88980 >
# grep arcfour-hmac /etc/krb5/krb5.conf
default_tkt_enctypes = arcfour-hmac
root@ussapsmr01:/home/uur88980 >

I tried it with -md5 at the end too, but same error.

Douglas E. Engert

Dec 13, 2011, 2:34:57 PM
to kerb...@mit.edu


On 12/13/2011 12:26 PM, Ubaid Rahman wrote:
> No luck..
>
> root@ussapsmr01:/home/uur88980>
> # kinit -k s03...@WMSERVICE.CORPNET1.COM
> Unable to obtain initial credentials.
> Status 0x96c73a0e - KDC has no support for encryption type.
> root@ussapsmr01:/home/uur88980>
> # grep arcfour-hmac /etc/krb5/krb5.conf
> default_tkt_enctypes = arcfour-hmac
> root@ussapsmr01:/home/uur88980>
>
> I tried it with -md5 at the end too, but same error.

A tcpdump/pcap network trace of the packets would show what
is being requested. The Kerberos packets can be formatted by
Wireshark on some other platform if needed.

What versions of AD are you running?
What version of AIX?
What version of Kerberos?
Is this IBM's port of some other Kerberos?

What are the values of the AD account attributes
userAccountControl and msDS-supportedEncryptionTypes
for s03...@WMSERVICE.CORPNET1.COM?

Is the ADS_UF_USE_DES_KEY_ONLY bit still on in the userAccountControl?
http://msdn.microsoft.com/en-us/library/windows/desktop/ms680832(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/cc223853(v=prot.10).aspx
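The two failure modes this thread walks through can both be checked offline before touching kinit: Mark's first point (the keytab held host/ keys while SNC asked for the s03adm principal, hence "No principal in keytab matches desired name") and Douglas's point (AD derives the key from the account password using only the enctypes the account allows, driven by msDS-supportedEncryptionTypes and the ADS_UF_USE_DES_KEY_ONLY bit of userAccountControl, so a keytab holding only an RC4 key fails against a +desonly account). The script below is an added example written for this page, not code from any of the posters, MIT krb5, Microsoft or SAP. It parses the keytab file format that klist -k -e and ktutil read and compares the enctypes present for the wanted principal with the set the account would use. The sample keytab bytes are constructed inside the script; the FQDN ussapsmr00.wmservice.corpnet1.com, the key bytes, the attribute values passed to diagnose() and the "RC4 only when the attribute is unset" rule for a 2008 R2 DC are assumptions, not values shown in the thread.

```python
"""Check a krb5 keytab against the principal a service expects and against the
enctypes an Active Directory account will use. Added example for this thread, not
code from the posts, MIT krb5 or SAP. Sample keytab bytes are constructed below in
the 0x502 on-disk layout klist/ktutil read; the FQDN ussapsmr00.wmservice.corpnet1.com
and all AD attribute values are assumptions, not values shown in the thread."""
import struct

# RFC 3961 enctype numbers as stored in keytab entries.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
# msDS-supportedEncryptionTypes bit -> enctype number (MS-KILE 2.2.7).
MSDS_SUPENC_BITS = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}
# userAccountControl flag that "ktpass ... +desonly" sets (ADS_USER_FLAG_ENUM).
ADS_UF_USE_DES_KEY_ONLY = 0x200000


def _cstr(b):  # counted_octet_string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into a 0x502 keytab.
    Used only to construct sample input here; ktpass/ktutil write the real file."""
    out = b"\x05\x02"
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name_type, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                    # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [{principal, kvno, enctype}, ...], the view klist -k -e prints."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        if size == 0:
            raise ValueError("malformed keytab: zero-length slot")
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        realm = data[pos + 4:pos + 4 + rlen].decode()
        pos += 4 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        _ntype, _stamp, kvno = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen                   # past name_type/timestamp/vno8 and keyblock
        if end - pos >= 4:                 # optional 32-bit kvno overrides vno8
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": etype})
    return entries

def _names(etypes):
    return sorted(ENCTYPE_NAMES.get(e, str(e)) for e in etypes)

def diagnose(keytab, wanted, msds_supenc, uac):
    """Map the thread's symptoms to causes; an empty list means kinit -k should work."""
    mine = [e for e in parse_keytab(keytab) if e["principal"] == wanted]
    if not mine:   # SncPAcquireCred: "No principal in keytab matches desired name"
        return [f"no keytab entry for {wanted}"]
    have = {e["enctype"] for e in mine}
    # AD derives keys from the account password per request, so the usable set
    # is whatever the account flags allow, regardless of what the keytab holds.
    if uac & ADS_UF_USE_DES_KEY_ONLY:
        allowed = {1, 3}
    else:
        allowed = {et for bit, et in MSDS_SUPENC_BITS.items() if msds_supenc & bit}
        allowed = allowed or {23}          # attribute unset: assume RC4 only (assumption)
    findings = []
    if not have & allowed:   # kinit: "KDC has no support for encryption type"
        findings.append(f"keytab has {_names(have)} but the account allows {_names(allowed)}")
    if have <= {1, 3}:
        findings.append("only single-DES keys in keytab: weak, remove +desonly")
    return findings


# Constructed samples modelled on the two keytabs posted in the thread.
SAP_PRINC = "s03adm@WMSERVICE.CORPNET1.COM"
HOST_PRINC = "host/ussapsmr00.wmservice.corpnet1.com@WMSERVICE.CORPNET1.COM"  # assumed FQDN
HOST_KEYTAB = build_keytab([(HOST_PRINC, 5, 1, b"\x01" * 8), (HOST_PRINC, 6, 23, b"\x02" * 16)])
RC4_KEYTAB = build_keytab([(SAP_PRINC, 6, 23, b"\x03" * 16)])

if __name__ == "__main__":
    print(diagnose(HOST_KEYTAB, SAP_PRINC, 0, 0))                       # first post
    print(diagnose(RC4_KEYTAB, SAP_PRINC, 0, ADS_UF_USE_DES_KEY_ONLY))  # +desonly still set
    print(diagnose(RC4_KEYTAB, SAP_PRINC, 0x4, 0))                      # account fixed
```

Run as is, it prints the three scenarios from the thread: the host/-only keytab, the RC4 keytab against an account that still has the DES-only bit, and the same keytab once the account advertises RC4. On a real system, pass parse_keytab() the bytes of /etc/krb5/krb5.keytab and diagnose() the attribute values read from the account with ldapsearch or ADSI Edit; the enctype names it derives for the keytab should match what klist -k -e prints, and a non-empty result explains the kinit -k error before any packet reaches the DC.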