BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
nhvdwalt
Barite | Level 11

Morning team,

 

We have SAS Grid 9.4 on Linux. SAS automatically generates the TGT when the user logs on.

 

When looking at the TGT, it is generated with the Default Principal in lowercaps e.g. x123@MYREALM.COM

 

Is it possible for SAS to generate the TGT with an uppercase i.e. X123@MYREALM.COM ? Our Hadoop only sees you with an uppercase Default Principal.

 

When using kinit on the command line you can achieve this by just making the userid upper or lowercase i.e. kinit X123@MYREALM.COM

 

Thanks,

1 ACCEPTED SOLUTION

Accepted Solutions
alexal
SAS Employee

@nhvdwalt,

 

You can try to change the default principal in TGT through .k5login:

 

1. Any user who would connect to the grid via grid-launched workspace servers will need a ~/.k5login file that contains their user principal. So for an example, assuming his $HOME is /home/x123, then he should have a /home/x123/.k5login that contains "X123@MYREALM.COM".

 

2. A special kinit script should be constructed that is known only to the SAS Object Spawner environment by virtue of an addition to the ObjectSpawner_usermods.sh file to set the PATH to find this kinit before the system kinit command. For example, export PATH=/user/mod/kinit:$PATH .

 

3. This special kinit script should look for the user's .k5login file and extract its contents, or at least its user principal (if say they follow the rules for .k5login file contents syntax). This user principal should be set into a temporary variable (say $MYPRINCIPAL and then be added to the end of the fully-qualified kinit command and arguments. Here is an EXAMPLE of what this MIGHT look like (this is offered as-is, no guarantees or warranties implied!):

 

===
#!/bin/sh
#
MYPRINCIPAL=`cat ~/.k5login | head -1`
#
/usr/bin/kinit -f $* ${MYPRINCIPAL}
exit $?
===

 

NOTES: depending on what hot fix you have, the -f flag might not be needed, in fact, could be counterproductive, so I would leave it off. Also, note that the user's .k5login file might need to have permissions other than simply to the user; for example, the account running the SAS Object Spawner might need read permission to the file. This should not be an issue since you will not have the user password stored there. Lastly, the system kinit command might not be under /usr/bin, so adjust accordingly.

 

Implementing this also, of course, requires a restart of the object spawner(s).

View solution in original post

7 REPLIES 7
alexal
SAS Employee

@nhvdwalt,

 

When you login, you enter the username in lower or upper case?

 

nhvdwalt
Barite | Level 11

Thanks @alexal

 

In Enterprise Guide we log in with lowercaps else UNIX doesn't recognise the user.

alexal
SAS Employee

@nhvdwalt,

 

You can try to change the default principal in TGT through .k5login:

 

1. Any user who would connect to the grid via grid-launched workspace servers will need a ~/.k5login file that contains their user principal. So for an example, assuming his $HOME is /home/x123, then he should have a /home/x123/.k5login that contains "X123@MYREALM.COM".

 

2. A special kinit script should be constructed that is known only to the SAS Object Spawner environment by virtue of an addition to the ObjectSpawner_usermods.sh file to set the PATH to find this kinit before the system kinit command. For example, export PATH=/user/mod/kinit:$PATH .

 

3. This special kinit script should look for the user's .k5login file and extract its contents, or at least its user principal (if say they follow the rules for .k5login file contents syntax). This user principal should be set into a temporary variable (say $MYPRINCIPAL and then be added to the end of the fully-qualified kinit command and arguments. Here is an EXAMPLE of what this MIGHT look like (this is offered as-is, no guarantees or warranties implied!):

 

===
#!/bin/sh
#
MYPRINCIPAL=`cat ~/.k5login | head -1`
#
/usr/bin/kinit -f $* ${MYPRINCIPAL}
exit $?
===

 

NOTES: depending on what hot fix you have, the -f flag might not be needed, in fact, could be counterproductive, so I would leave it off. Also, note that the user's .k5login file might need to have permissions other than simply to the user; for example, the account running the SAS Object Spawner might need read permission to the file. This should not be an issue since you will not have the user password stored there. Lastly, the system kinit command might not be under /usr/bin, so adjust accordingly.

 

Implementing this also, of course, requires a restart of the object spawner(s).

nhvdwalt
Barite | Level 11

Thanks @alexal, this is a good start.

 

How would the user's password be handled with this script ?

alexal
SAS Employee

@nhvdwalt,

 

You need to create a keytab file for your principal, with ktutil. Immediately after creating a keytab file, restrict access to the file with chmod, otherwise, anyone could use the file to "steal your Kerberos identity". Add -kt </path/to/keytab_file> before <principal@REALM> in the kinit command to authenticate without entering the password.

nhvdwalt
Barite | Level 11

Perfect, thanks @alexal

alexal
SAS Employee

@nhvdwalt,

 

You are welcome!

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 7 replies
  • 1519 views
  • 1 like
  • 2 in conversation