Morning team,
We have SAS Grid 9.4 on Linux. SAS automatically generates the TGT when the user logs on.
When looking at the TGT, it is generated with the Default Principal in lowercase, e.g. x123@MYREALM.COM.
Is it possible for SAS to generate the TGT with an uppercase principal, i.e. X123@MYREALM.COM? Our Hadoop only sees you with an uppercase Default Principal.
When using kinit on the command line you can achieve this by just making the userid upper or lowercase i.e. kinit X123@MYREALM.COM
Thanks,
You can try to change the default principal in TGT through .k5login:
1. Any user who would connect to the grid via grid-launched workspace servers will need a ~/.k5login file that contains their user principal. So, for example, assuming his $HOME is /home/x123, then he should have a /home/x123/.k5login that contains "X123@MYREALM.COM".
2. A special kinit script should be constructed that is known only to the SAS Object Spawner environment by virtue of an addition to the ObjectSpawner_usermods.sh file to set the PATH to find this kinit before the system kinit command. For example, export PATH=/user/mod/kinit:$PATH .
3. This special kinit script should look for the user's .k5login file and extract its contents, or at least its user principal (if, say, they follow the rules for .k5login file contents syntax). This user principal should be set into a temporary variable (say $MYPRINCIPAL) and then be added to the end of the fully-qualified kinit command and arguments. Here is an EXAMPLE of what this MIGHT look like (this is offered as-is, no guarantees or warranties implied!):
===
#!/bin/sh
#
# Take the first line of the user's .k5login as the principal to request.
MYPRINCIPAL=`head -1 ~/.k5login`
#
# Pass through whatever arguments SAS gave us, then append the principal
# last so it overrides the lowercase one SAS would otherwise use.
/usr/bin/kinit -f "$@" "${MYPRINCIPAL}"
exit $?
===
NOTES: depending on what hot fix you have, the -f flag might not be needed; in fact, it could be counterproductive, so I would leave it off. Also, note that the user's .k5login file might need to have permissions other than simply to the user; for example, the account running the SAS Object Spawner might need read permission to the file. This should not be an issue since you will not have the user password stored there. Lastly, the system kinit command might not be under /usr/bin, so adjust accordingly.
Implementing this also, of course, requires a restart of the object spawner(s).
You need to create a keytab file for your principal with ktutil. Immediately after creating a keytab file, restrict access to the file with chmod; otherwise, anyone could use the file to "steal your Kerberos identity". Add -kt </path/to/keytab_file> before <principal@REALM> in the kinit command to authenticate without entering the password.
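As an added example (not code from either reply above), here is a hardened version of the wrapper from steps 1-3 that also covers the keytab approach: it takes the first principal from the user's .k5login, validates its syntax, refuses a .k5login that others can write to, refuses a keytab that is not owner-only, and puts the principal last on the kinit command line. The /usr/bin/kinit path, the sample directory and the extra arguments are assumptions; the script only prints the kinit command it would run.

```sh
#!/bin/sh
# Added example: hardened kinit wrapper for the .k5login / keytab approach.
# /usr/bin/kinit and all paths below are assumptions; adjust for your system.

# Print the first principal in the .k5login given as $1. Fail if the file is
# missing, unreadable, group/world-writable, or not name[/instance]@REALM.
k5login_principal() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c2-10)          # e.g. rw-r--r--
    case $perms in ????w*|???????w*) return 1 ;; esac  # group or other write
    p=; read -r p < "$f" || [ -n "$p" ] || return 2      # read strips blanks
    case $p in
        ''|@*|*@|*@*@*|*[!A-Za-z0-9._/@-]*) return 2 ;;
        *@*) printf '%s\n' "$p" ;;
        *) return 2 ;;
    esac
}

# Print the argument list for the real kinit: "-kt KEYTAB" when a keytab is
# given (it must be mode 0600, per the keytab reply), then any pass-through
# arguments, then the principal last so it wins over the lowercase default.
kinit_args() {
    principal=$1; keytab=$2; shift 2
    if [ -n "$keytab" ]; then
        [ -r "$keytab" ] || return 1
        perms=$(ls -ld "$keytab" | cut -c2-10)
        case $perms in ???------) ;; *) return 1 ;; esac
        printf '%s ' -kt "$keytab"
    fi
    [ $# -gt 0 ] && printf '%s ' "$@"
    printf '%s\n' "$principal"
}

# Constructed sample input so the wrapper can be exercised offline.
SAMPLE_DIR=$(mktemp -d) || exit 1
printf 'X123@MYREALM.COM\n' > "$SAMPLE_DIR/.k5login"
chmod 600 "$SAMPLE_DIR/.k5login"

if PRINCIPAL=$(k5login_principal "$SAMPLE_DIR/.k5login"); then
    # Dry run only. For real use replace this line with:
    #   exec /usr/bin/kinit $(kinit_args "$PRINCIPAL" "" "$@")
    printf 'would run: /usr/bin/kinit %s\n' "$(kinit_args "$PRINCIPAL" "" "$@")"
else
    echo "no usable principal in $SAMPLE_DIR/.k5login" >&2
fi
```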
Perfect, thanks @alexal