Kerberos Authentication via SAS EG

helannivas88 · Posted 09-13-2018 10:20 AM

Hi,

We are connecting to MSSQL server using Windows Authentication mode and we are succeeded in connecting to that. But we do have a problem whenever we issue the libname statement in SAS EG stating Kerberos ticket expiration

Have identified that whenever we login to SSH first and then issue the libname, we don't see any issue in the connection. But when we connect to SAS EG first and then if we issue the libname statement , we do face issue.

Kerberos ticket is getting generated/renewed whenever we login to SSH under tmp directory but not getting generated using SAS EG(at first).

Is there any SAS configuration file to update Kerberos ticket renewal to rectify this issue??

Thanks and Regards,

Helan Nivas G

alexal · Posted 09-13-2018 10:25 AM

@helannivas88,

You have to configure PAM authentication as described in this SAS note:

http://support.sas.com/kb/49/432.html

After that, please make sure that "PAM_SETCREDENTIALS=TRUE" is uncommented in your /<SASHome>/SASFoundation/9.4/utilities/bin/sasauth.conf. Also, do not forget to restart the object spawner.

Besides of all of, you have to set KRB5CCNAME, you can do that through this script in WorkspaceServer_usermods.sh:

workspace_user=$(whoami)
workspace_user_ccaches=$(find /tmp -maxdepth 1 -user ${workspace_user} -type f -name "krb5cc_*" -printf '%T@ %p\n' | sort -k 1nr | sed 's/^[^ ]* //' | head -n 1)

if test ! -z "$workspace_user_ccaches"; then
            echo "Most recent krb5 ccache found for '${workspace_user}' at '${workspace_user_ccaches}'."
            echo "Cache last modified: $(stat -c%y ${workspace_user_ccaches})"
            export KRB5CCNAME=$workspace_user_ccaches
            echo "KRB5CCNAME has been set to ${KRB5CCNAME}."
else
            echo "No krb5 credentials caches were found in /tmp for '${workspace_user}'."
fi