Hi Rolf-Martin,

When I posted this, I was hoping that I would get one of your very-helpful, well-laid-out replies, and I am happy to see that it is the case.

I guess I'm still a little confused as to whether the sncgss.dyld that is in the application bundle that we distribute internally for our site is part of the official SAP distribution or something we picked up elsewhere, but that's not really relevant to the issue at hand.  (I was brought in for the Kerberos angle; I'm not part of the SAP deployment team here.)

It's good to have confirmation that the non-native alignment is likely to be the issue, my colleagues here suspected it would be relevant.  As you note, the system Kerberos libraries from Apple are compiled with 16-bit alignment; the MIT krb5 libraries also use this alignment on that platform, so the issue is pretty universal.

Reading through the SAP SNC Adapter 1.1 zip file's README gives me a much better sense of how the SNC layer is intended to work.  In particular, there is a built-in adapter for the krb5 mechanism OID, so it should be possible (as is mentioned elsewhere in this forum) to just set SNC_LIB to a library implementing the krb5 GSSAPI mechanism, with no additional shims.  (This means that my statement about exposing API functions with a 'sap' prefix is misleading, as the core program will look for other APIs as well.)

I think there are two obvious paths forward; one is to make a custom build of a gssapi_krb5 library which has the default alignment for the platform and use that directly; the other is to use the SNC documentation/etc. to build a shim around the existing OS X gssapi_krb5 library.  I think the former will be the easiest way to get something working on a developer workstation, but is less preferable for production deployment.  I'll probably do it anyway, just so that I can say that I do have the 7.30rev3 release talking to our servers; we'll need to think more about what our actual deployment strategy will be.

I will try to report back so that others (Erik in particular) can hear what we found to work.

I can confirm that building a GSS-API library (and its support libraries) with the default platform alignment works, setting SNC_LIB to the path to libgssapi_krb5.dylib.

I applied the top commit from https://github.com/kaduk/krb5/commits/sap and built MIT krb5 locally, as I'm more familiar with that build system than the native OS X Heimdal.  Note that MIT krb5 does not currently understand the default API credentials cache used by the base system Kerberos installation, so the hand-build kinit should be used as well as the GSS-API library.

This is a way to get the SAP client running on a developer's system, but it does not seem like the optimal strategy for deployment on user workstations.  I am still investigating building a shim around the system-provided GSS-API library as a SNC Adapter.

Thanks for the openradar link.  The core issue here is what's known as an ABI incompatibility -- the GSS-API library exports a function (well, many functions), and the SAP application calls those functions to implement the SNC.  However, in order to call a function, its arguments need to be passed from the calling function to the implementation, and this is a binary interface.  Arguments can be passed in registers or on the stack, and there is an architecture-specific specification for how the different arguments are passed (which ones go on the stack, or which processor registers, etc.).  The ABI incompatibility we see here is particular to a single GSS-API type (and other types which embed it directly): the gss_OID_desc type is specified as a 32-bit length field and then a pointer to the elements of the OID.  For the x86_64 architecture which is used on modern 64-bit macs, the default layout for such a structure is to have the pointer (which is a 64-bit value) be placed at a memory address which is "64-bit aligned", that is, a multiple of 8 bytes.  Because the gss_OID_desc structure contains a 64-bit-aligned value, the convention requires that structure itself to also be 64-bit aligned.  This, in turn, leaves a 32-bit gap between the end of the 32-bit length field and the start of the pointer.

However, the system-provided GSS-API library for OS X does not use the default layout for this structure, because it has the pragma pack() lines that you noticed, which tell the compiler to force 16-bit alignment for everything.  (As the openradar post notes, this originated for compatibility with MIT krb5's GSS-API library, which also has this historical mistake of 16-bit alignment.)  Because 32 is a multiple of 16, the pointer value in the gss_OID_desc structure can now be placed immediately following the 32-bit length field with no gap.

The ABI incompatibility then results from the SAP application expecting the gss_OID_desc structure to have these 32 bits of padding between the length and the pointer, and putting those unused bytes in place when it calls into the system's GSS-API library, but the system GSS-API library expecting no padding.  When a structure created in one place is used in the other and the pointer dereferenced, the pointer is not interpreted as a valid pointer due to the disagreement about the 32 bits of padding, and dereferencing an invalid pointer causes a segmentation fault (and application crash).

Causing the gsstest program to use the same 16-bit alignment that the GSS-API library uses will, of course, make the gsstest program work, but it cannot have any effect on the actual SAP GUI application that we want to use.

It is interesting that though there are many GSS-API types which consist of a length followed by a pointer, only the gss_OID_desc (and related types) is affected here, because the other types use a size_t for the length instead of an explicit 32-bit length field, and on 64-bit macs, size_t is 64 bits, so there is no padding at all, whether the structure is packed using the default system alignment or explicit 16-bit alignment.

I just got gsstest set up for my thin shim -- I copied build.NetBSD to build.Darwin and tweaked a couple of things, and faked up some values for platform.h under defined(__APPLE__).

Are you doing a full GSS implementation for your SNC adapter or just a thin shim? (Will you be able to make it public?)

Anyway, I first tried invoking it as './gsstest -l /path/to/sncgss.dyld -a <actual principal name>', and got a complaint that actual_mechs from gss_acquire_cred() contains 2 gss_OID elements, 1.3.5.1.5.2.7 (first) and 1.2.840.113554.1.2.2 (krb5, second).  My tests aborted early because no security contexts can be established.  gss_acquire_cred Acc() == (GSS_S_NO_CRED), gss_display_status() = "No credentials were supplied, or the credentials were unavailable or inaccessible."  This seems to be because gsstest needs to be the acceptor as well, so that it can control both sides of the security context exchange; you will need to use the principal name for a keytab that is available on the machine in question (and readable by the user running gsstest).  This should not be the actual production SAP principal!

It seems that the acquire_cred shim may need some persuasion.  I know that in recent MIT krb5's GSS libraries, credential resolution is delayed, so acquire_cred() need not actually acquire credentials (inquire_cred() should suffice to force resolution).  It is possible that the native system Heimdal library is doing something similar.  I will hopefully be pushing my work in progress to https://github.com/kaduk/osxsnc soon, I believe it will fall under a BSD license.

My code is up, and I included a log of the gsstest output as well, for comparison purposes.

I sent mail to Martin Rex asking whether a shim like this should use the existing krb5 adapter ID or if it requires a new one.

Thanks for looking into this. Color me as interested.

Cheers,
John

I tidied up my code a fair amount, plugging memory leaks and checking for malloc failure.  The only outstanding issue that I know of is that it returns failure if the caller attempts to provide channel bindings to gss_init_sec_context() or gss_accept_sec_context().  This should not be a problem in practice, as the specification for GSS channel bindings is somewhat broken and I don't think they are used by the SAP application.

The osxsnc-1.0-beta1 tag is available from https://github.com/kaduk/osxsnc/releases/tag/osxsnc-1.0-beta1 ; I've asked our team here to do some testing against it, and am happy to look at any issues that may arise from external testing as well.

Hi Benjamin,

I am attempting to get SSO working on OS X using your library, but unfortunately I am running into the error you reference in this reply (gss_init_sec_context()).  I had started my own post, http://scn.sap.com/message/14671586, asking about Kerberos SSO on OS X and Rolf referred me here. I'm curious if you could help me understand how to get passed that error.  The full text of the error is on my post.