topic SAS 9.4 GRID authentication with PAM in Administration and Deployment

SAS 9.4 GRID authentication with PAM

Armando1 — Mon, 30 Nov 2015 22:26:44 GMT

We are trying to configure PAM (with samba) with our SAS 9.4 installation in a RedHat x64 server.But when users try to enter and error appears:

[Error] The launch of server SASApp - Workspace Server for user XXX failed.

we noticed that this error appers because the users don´t have home directory.

Does anyone has had the same problem?

Re: SAS 9.4 GRID authentication with PAM

PaulHomes — Tue, 01 Dec 2015 00:14:33 GMT

There are PAM modules that can create a home directory on demand when required. I have oddjob-mkhomedir installed to do this, but there is also pam_mkhomedir. I use realmd for AD backed PAM authentication and oddjob-mkhomedir is installed along the way - if you are interested in that approach I wrote a blog post about it at http://platformadmin.com/blogs/paul/2015/07/active-directory-authentication-for-sas-on-linux-with-realmd/

Re: SAS 9.4 GRID authentication with PAM

Armando1 — Tue, 01 Dec 2015 16:36:46 GMT

Hi Paul, thnx for your answer.

I tried to make the configuration with the two PAM modules oddjob-mkhomedir and pam_mkhomedir, but all the test was unsuseful.

I share with you the contents of my sasauth file

#############################################

auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

session     required      pam_mkhomedir.so skel=/etc/skel umask 0022 silent

########################################################

in addition to this file, they we configured the ga_auth and the eauth_userpass in the directory /etc/pam.d according with this SAS notes:

http://support.sas.com/kb/49/724.html
http://support.sas.com/kb/49/732.html

Re: SAS 9.4 GRID authentication with PAM

PaulHomes — Thu, 03 Dec 2015 03:24:57 GMT

I looked into this further today and did some testing and it seems that pam_oddjob_mkhomedir is not firing from the sasauth PAM config. Whilst I can succesfully have home directories auto-created, via pam_oddjob_mkhomedir, when using ssh and su, it is not working for sasauth. Digging into this further it looks like perhaps sasauth as used by the object spawner is not triggering the session initialization where pam_oddjob_mkhomedir does its work (as does pam_mkhomedir). There are 2 things that seem to suggest this: 1) All of the PAM config samples I have seen in the SAS documentation and usage notes only include the auth and account groups (I have session in my config for testing) 2) the sasauth.conf file has a section related to PAM_SETCREDENTIALS and Centrify where it says: "Centrify requires that pam_setcred be called. sasauth traditionally has not done this, since there's no "session" like an interactive login." Perhaps it is not using pam_open_session either? Whilst I can understand that there might not be a session when sasauth is used by the SAS Metadata Server, when it is used by the SAS Object Spawner to spawn sas processes as that user, that sounds like a session to me.

An alternative to auto-creating the home directories via PAM is to create them during any enterprise directory identity synchronization process you may have set up (e.g. Active Directory to SAS metadata). Having shared home directories via NFS or clustered file system will help here too.

Re: SAS 9.4 GRID authentication with PAM

jakarman — Sat, 05 Dec 2015 20:25:54 GMT

That not working of generic PAM modules makes sense as SAS did rewrite the SSH method by their own and missing a lot of all low level settings to adjust those for common Unix administration. Did you know the metdata login process is single threaded and can be compromised by wait delays as set by those low level ones? Having weird effects of logins delaying for a long time that is a possible cause. Why would you delay logins? It is a protection against mass tries for passwords. Don't use the delay setting of SAS as that is their own internal delay not the one of the OS (another cause of confusing).

By the way Samba is often adviced for a quick connection between Unix/Windows. It is not very sensible as of security issues.
The reason is the limit as of auth_sys being hard on 16. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/s1-nfs-security.html

Re: SAS 9.4 GRID authentication with PAM

PaulHomes — Mon, 24 Apr 2017 12:41:53 GMT

I'd forgotten this comment I posted back in 2015 and only remembered it after seeing it in some Google results whilst researching the very same issue today! 🙂

I spent some more time looking into it and found a solution that I described in a blog post at https://platformadmin.com/blogs/paul/2017/04/sas-user-linux-home-dir-auto-creation/ I'm adding a link here in case someone else has this problem in future and finds this thread.