Casing of Default Principal in TGT

Regular Contributor
Posts: 211
Morning team,

 

We have SAS Grid 9.4 on Linux. SAS automatically generates the TGT when the user logs on.

 

When looking at the TGT, it is generated with the Default Principal in lowercase, e.g. x123@MYREALM.COM

 

Is it possible for SAS to generate the TGT in uppercase, i.e. X123@MYREALM.COM? Our Hadoop only sees you with an uppercase Default Principal.

 

When using kinit on the command line you can achieve this by just making the userid upper or lowercase, i.e. kinit X123@MYREALM.COM

 

Thanks,


Accepted Solutions
Solution
‎09-23-2017 12:20 PM
SAS Employee
Posts: 318

Re: Casing of Default Principal in TGT

@nhvdwalt,

 

You can try to change the default principal in TGT through .k5login:

 

1. Any user who would connect to the grid via grid-launched workspace servers will need a ~/.k5login file that contains their user principal. So, for example, assuming his $HOME is /home/x123, then he should have a /home/x123/.k5login that contains "X123@MYREALM.COM".

 

2. A special kinit script should be constructed that is known only to the SAS Object Spawner environment by virtue of an addition to the ObjectSpawner_usermods.sh file to set the PATH to find this kinit before the system kinit command. For example, export PATH=/user/mod/kinit:$PATH .

 

3. This special kinit script should look for the user's .k5login file and extract its contents, or at least its user principal (if, say, they follow the rules for .k5login file contents syntax). This user principal should be set into a temporary variable (say $MYPRINCIPAL) and then be added to the end of the fully-qualified kinit command and arguments. Here is an EXAMPLE of what this MIGHT look like (this is offered as-is, no guarantees or warranties implied!):

 

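===
#!/bin/sh
# Read the user principal from the first line of the user's .k5login.
MYPRINCIPAL=$(head -n 1 ~/.k5login)
# Call the system kinit with the original arguments, appending the principal.
# Quoting keeps arguments with spaces intact and stops word splitting.
/usr/bin/kinit -f "$@" "${MYPRINCIPAL}"
exit $?
===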

 

NOTES: Depending on what hot fix you have, the -f flag might not be needed; in fact, it could be counterproductive, so I would leave it off. Also, note that the user's .k5login file might need to have permissions other than simply to the user; for example, the account running the SAS Object Spawner might need read permission to the file. This should not be an issue since you will not have the user password stored there. Lastly, the system kinit command might not be under /usr/bin, so adjust accordingly.

 

Implementing this also, of course, requires a restart of the object spawner(s).



All Replies
SAS Employee
Posts: 318

Re: Casing of Default Principal in TGT

@nhvdwalt,

 

When you log in, do you enter the username in lower or upper case?

 

Regular Contributor
Posts: 211

Re: Casing of Default Principal in TGT

Thanks @alexal

 

In Enterprise Guide we log in with lowercase, else UNIX doesn't recognise the user.

Regular Contributor
Posts: 211

Re: Casing of Default Principal in TGT

Thanks @alexal, this is a good start.

 

How would the user's password be handled with this script?

SAS Employee
Posts: 318

Re: Casing of Default Principal in TGT

@nhvdwalt,

 

You need to create a keytab file for your principal with ktutil. Immediately after creating a keytab file, restrict access to the file with chmod; otherwise, anyone could use the file to "steal your Kerberos identity". Add -kt </path/to/keytab_file> before <principal@REALM> in the kinit command to authenticate without entering the password.
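
The wrapper from the accepted solution and the keytab advice in the reply above can be combined into one script. The following is an added example, not the poster's script or SAS-supplied code: it keeps the case of the principal exactly as written in .k5login, but refuses a .k5login that group or others can write, a first line that is not a plain principal, and a keytab that anyone but its owner can access. `SYSTEM_KINIT`, `WRAPPER_KEYTAB`, the function names and the return codes are hypothetical choices for this sketch.

```shell
#!/bin/sh
# Added example: hardened kinit wrapper. SYSTEM_KINIT and WRAPPER_KEYTAB are
# hypothetical variable names, not SAS or Kerberos settings.
SYSTEM_KINIT=${SYSTEM_KINIT:-/usr/bin/kinit}   # the post notes this path may differ

# Group and other permission characters of a file, e.g. "r--r--" or "------".
group_other_bits() { ls -ldn -- "$1" | cut -c5-10; }

# Print the principal on the first line of a .k5login file, case preserved.
# Returns 1 if unreadable, 2 if group/other-writable, 3 if not a principal.
read_principal() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    # Whoever can write this file chooses the principal the wrapper requests.
    case $(group_other_bits "$1") in ?w????|????w?) return 2 ;; esac
    line=
    IFS= read -r line < "$1" || [ -n "$line" ] || return 3
    principal=$(printf '%s' "$line" | tr -d ' \t\r')
    # name[/instance]@REALM only; a leading "-" would be parsed by kinit as an option.
    printf '%s\n' "$principal" |
        grep -Eq '^[A-Za-z0-9_][A-Za-z0-9._-]*(/[A-Za-z0-9._-]+)?@[A-Za-z0-9][A-Za-z0-9.-]*$' ||
        return 3
    printf '%s\n' "$principal"
}

# wrapper_kinit K5LOGIN KEYTAB [kinit options...]; KEYTAB may be empty.
wrapper_kinit() {
    k5login=$1 keytab=$2
    shift 2
    principal=$(read_principal "$k5login") || return $?
    if [ -n "$keytab" ]; then
        # A keytab that others can read lets them obtain tickets as this principal.
        [ "$(group_other_bits "$keytab")" = "------" ] || return 4
        "$SYSTEM_KINIT" "$@" -k -t "$keytab" "$principal"
    else
        "$SYSTEM_KINIT" "$@" "$principal"
    fi
}

# Run only when installed under the name "kinit", as the PATH override requires.
case ${0##*/} in
    kinit) wrapper_kinit "$HOME/.k5login" "${WRAPPER_KEYTAB:-}" "$@" ;;
esac
```

Because the script only acts when its own file name is `kinit`, it can be sourced for testing without requesting a ticket.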

Regular Contributor
Posts: 211

Re: Casing of Default Principal in TGT

Perfect, thanks @alexal

SAS Employee
Posts: 318

Re: Casing of Default Principal in TGT

@nhvdwalt,

 

You are welcome!

☑ This topic is solved.
