topic Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA in Administration and Deployment

SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

nirolf — Wed, 01 Jul 2020 20:40:07 GMT

HI,

I face an issue trying to set IWA auth for users. IWA is functional for the metadata server, but I am unable to start workspace via SAS EG.

My configuration :

- meta, compute on two separate Linux server (RH)

- Workspace server is bind to an LDAP directory via PAM.

- Kerberos binding to AD is functional: on metadata server and the app server - using SAS Integration Technologies Configuration tool I can conenct usink "Negociate" to Metadata, Object Spawner, but not to the Workspace Server

As you see below, the kerberos auth and delegation seems ok, but the workspace doesn't start.

I've tried all that I could find regarding this error (for example getent user.name@domain.com and getent USER.NAME@domain.com both work) to no avail.

2020-07-01T22:48:16,111 DEBUG [00000047] :user.name - IOM RETURN OMIProxy 0={compRef:7fba8520da20}->CompDtor()
2020-07-01T22:48:16,111 TRACE [00000047] :user.name - IOM LOGIC TKIOM: delete compRef=7fba8520da20 for OMIProxy
2020-07-01T22:48:16,111 DEBUG [00000047] :user.name - Application-specific option lookup skipped because no application name is provided for client 11.
2020-07-01T22:48:16,111 DEBUG [00000047] :user.name - Command being used is /sas/sasconfig/Lev1/SASAppOne/WorkspaceServer/WorkspaceServer.sh.
2020-07-01T22:48:16,111 DEBUG [00000047] :user.name -    >noterminal< (Standard options)
2020-07-01T22:48:16,111 DEBUG [00000047] :user.name -    >netencryptalgorithm< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >SASProprietary<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >metaserver< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >srvsasmetak01t.company.com<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >metaport< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >8561<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >metarepository< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >Foundation<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >locale< (Client requirement)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >en_US<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >objectserver< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >objectserverparms< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >protocol=bridge spawned spp=39532 cid=0 dnsmatch=srvsasappk01t.company.com pb classfactory=440196D4-90F0-11D0-9F41-00A024BB830C server=OMSOBJ:SERVERCOMPONENT/A504E8PI.AY00000A cel=credentials recon<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -  Environment variables are:
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >METAUSER<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >user.name@!*(generatedpassworddomain)*!<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >METAPASS<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >********<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - Obtained krb5 ccache handle: 7fba8801b8f0
2020-07-01T22:48:16,113 WARN  [00000047] :user.name - The destination buffer size was not sufficient for the requested password.
2020-07-01T22:48:16,124 DEBUG [00000047] :user.name - Freed krb5 ccache handle: 7fba8801b8f0
2020-07-01T22:48:16,124 ERROR [00000047] :user.name - Access denied.
2020-07-01T22:48:16,124 ERROR [00000047] :user.name - The launch of server SASAppOne - Workspace Server for user user.name failed.
2020-07-01T22:48:16,124 TRACE [00000047] :user.name - IOM FIRE-EVENT {compRef:7fba8520d960}->ObjectSpawner::ServerFailed():
 logicalServer=SASAppOne - Logical Workspace Server
 serverComponent=SASAppOne - Workspace Server

Here is the sasauth-debug.log:

20200701-22:14:04 KRB5CCNAME was not set; we'll see if something happens later
[...]
20200701-22:48:16 Authenticating user user.name via GSS
20200701-22:48:16 Context username: user.name@company.com
20200701-22:48:16 Context username length: 21
20200701-22:48:16 Server Name: SAS/srvsasappK01t.company.com@company.com
20200701-22:48:16 Unknown user when getting user attributes.
20200701-22:48:16 User user.name did not authenticate. Reason: 'Unspecified reason.' (gss)
20200701-22:48:16 Request failed: 'User did not authenticate.'

I am not sure about that warning about KRB5CCNAME, what should I set it to? I've seen this, but I don't seem to find a file named "krb5cc_*". My krb5.conf has by default this option:

default_ccache_name = KEYRING:persistent:%{uid}

Any ideas?

Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

alexal — Wed, 01 Jul 2020 21:04:36 GMT

@nirolf ,

It looks like your Linux server isn't connected to Active Directory. What is the output of the following command?

getent passwd user.name

Also, we do not support keyrings, only file-based Kerberos tickets.

Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

nirolf — Wed, 01 Jul 2020 21:19:30 GMT

The server is connected to AD. Using SAS I can start thw Workspace Server with user.name@company.com but without IWA.

getent user.name@domain.com and getent USER.NAME@domain.com both work, and return:

user.name@company.com:*:1742386352:1112800513:User Name:/home/user.name@company.com:/bin/bash

I changed the krb5.conf to: default_ccache_name = FILE:/tmp/krb5cc_%{uid}

But it seems that the file /tmp/krb5cc_1742386352 gets created only if I run kinit -V user.name@COMPANY.COM. When connecting with EG for example I see this:

[12253] 1593637956.856010: Decrypted AP-REQ with server principal SAS/srvsasappK01t.company.com@company.com: rc4-hmac/03B7
[12253] 1593637956.856011: AP-REQ ticket: user.name@company.com -> SAS/srvsasappK01t.company.com@company.com, session key rc4-hmac/DD52
[12253] 1593637956.856012: Negotiated enctype based on authenticator: aes256-cts
[12253] 1593637956.856013: Authenticator contains subkey: rc4-hmac/A744
[12253] 1593637956.856014: Resolving unique ccache of type MEMORY
[12253] 1593637956.856015: Initializing MEMORY:t2RN587 with default princ user.name@company.com
[12253] 1593637956.856016: Storing user.name@company.com -> krbtgt/company.com@company.com in MEMORY:t2RN587
[12253] 1593637956.856018: Creating AP-REP, time 1593637956.6499, subkey aes256-cts/BEAC, seqnum 497277098
[12253] 1593637956.856029: Resolving unique ccache of type FILE
[12253] 1593637956.856030: Initializing FILE:/tmp/tktPDXsyq with default princ user.name@company.com
[12253] 1593637956.856033: Storing user.name@company.com -> krbtgt/company.com@company.com in FILE:/tmp/tktPDXsyq
[12253] 1593637956.856036: Destroying ccache MEMORY:t2RN587
[12253] 1593637956.856038: Destroying ccache FILE:/tmp/tktPDXsyq

Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

alexal — Wed, 01 Jul 2020 21:23:09 GMT

@nirolf ,

20200701-22:48:16 Authenticating user user.name via GSS

I do not see any domains in the user name here. Are you sure you can authenticate on the server using only the user name without specifying a domain?

Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

nirolf — Wed, 01 Jul 2020 21:34:29 GMT

Without the domain it doesn't work, but what should I do for that to work? The server is connected to AD using pam.

I noticed that the file tktPDXsyq doesn't exist.

Initializing FILE:/tmp/tktPDXsyq with default princ user.name@company.com
Storing user.name@company.com -> krbtgt/company.com@company.com in FILE:/tmp/tktPDXsyq

If I connect to the Object Spawner I get a new file and that one I can see in /tmp.

Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

nirolf — Mon, 14 Sep 2020 14:43:24 GMT

Thanks, that was it, I just forgot to post an update. I edited sssd.conf by adding this line to [sssd] section:

default_domain_suffix = COMPANY.COM

Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

alexal — Mon, 14 Sep 2020 15:13:02 GMT

You're welcome. I'm glad the problem has been resolved.