@woo,

SAS do not directly interact with your authentication server, so you need to configure PAM/Kerberos authentication in Linux, then you can enable PAM authentication in SAS:

http://support.sas.com/kb/49/432.html

Do not forget that you need to uncomment the following line in /<SASHome>/SASFoundation/9.4/utilities/bin/sasauth.conf:

PAM_SETCREDENTIALS=TRUE

You can test PAM authentication and Kerberos ticket creation by using "proc permtest":

http://support.sas.com/kb/39/891.html

Let me know if you have any questions.

we have host authentication implemented at the moment for sas grid + that PAM_SET...option is already turned off,,,in that case, what can be done from sas end?

also, .odbc.ini file contains i believe three parameters for kerberos authentication and they are,

KrbRealm=

KrbFQDN=

KrbServiceName=

+

users are connecting to hadoop fine from server itself (like putty or so), issues comes in when users trying connect via sas eg,

@woo,

>> we have host authentication implemented at the moment for sas grid + that PAM_SET...option is already turned off,,,in that case, what can be done from sas end?

In this case SAS sessions can use the Kerberos ticket that was created by issuing kinit command from the Linux console. If you want to generate the Kerberos ticket from SAS, you have to configure PAM authentication + uncomment that option in sasauth.conf. Also, WorkspaceServer_usermods.sh should have this script:

workspace_user=$(whoami)
workspace_user_ccaches=$(find /tmp -maxdepth 1 -user ${workspace_user} -type f -name "krb5cc_*" -printf '%T@ %p\n' | sort -k 1nr | sed 's/^[^ ]* //' | head -n 1)
if test ! -z "$workspace_user_ccaches"; then
echo "Most recent krb5 ccache found for '${workspace_user}' at '${workspace_user_ccaches}'."
echo "Cache last modified: $(stat -c%y ${workspace_user_ccaches})"
export KRB5CCNAME=$workspace_user_ccaches
echo "KRB5CCNAME has been set to ${KRB5CCNAME}."
else
echo "No krb5 credentials caches were found in /tmp for '${workspace_user}'."
fi

thank you so much alexal and maheshtalla for your input,

at the moment we are using

sas/access to imapala driver leveraging ODBC - users keeping their own .odbc.ini file

+

sas/access to hadoop driver leveraging hadoop jar files (filename statement) or webhdfs

Also, for Reading -> LDAP authenticaiton and for R+W -> Kerberos authentication

And yes, our etc/krb5.conf file has those details in it,