pchegoor
Pyrite | Level 9

Hello All,

 

I am facing a bizarre problem and struggling to find a solution. Please let me know your thoughts on the below if any?

 

So I have a SAS Metadata group called SAS Developer. The Accounts tab of this Metadata group has a Teradata login and password associated with an AUTHDOMAIN called Test. My SAS Metadata identity is part of this Metadata group and is also part of the SAS Administrators group. So now I log in to SAS EG using the same Metadata identity connected to the same Metadata server and run a LIBNAME with the Teradata engine and the above AUTHDOMAIN. I get the error shown below.


Libname Td Teradata AUTHDOMAIN=Test server=Sample database=DB1;
NOTE: Credential could not be obtained from SAS metadata server.
WARNING: No login information was available for authdomain Test.
ERROR: Teradata connection: MTDP: EM_GSSINITFAIL(235): call to gss_init failed. .
ERROR: Error in the LIBNAME statement.

I am not sure why I am getting this error. One of my colleagues, who also has a SAS Metadata identity on the same metadata server but who is not part of the SAS Administrators group, is able to run the above Libname statement successfully. So I logged into SAS MC using the unrestricted account (sasadm@saspw) and removed the group SAS Administrators from my Metadata identity. I logged into SAS EG again using my metadata identity connecting to the same server and ran the Libname again but got the same error again.

 

So I ran the below code in SAS EG to retrieve the login information associated with this AUTHDOMAIN (Test).

 

%symdel userid password / nowarn;

%put Site: &syssite    Release: &sysvlong    System: &sysscp &sysscpl;
%put &sysuserid;
%macro getOraLogin(authdomain=);
  %global userid password;
 
  data _null_;
    length authuri loginuri $256 userid $32 password $60;
    n=1;
    authuri='';
    loginuri='';
    userid='';
    password='';
       /***Locate the Authentication Domain in the metadata***/
	
    nobj=metadata_getnobj("omsobj:AuthenticationDomain?@Name='"||"&authdomain"||"'",n,authuri);
 
      /***If it cannot be found, write a message to the log***/
    if nobj <= 0 then put 'No authentication domains with this name can be found.';
      /***If it was found, retrieve the first Login association***/
    else do;
      i=1;
     rc=metadata_getnasn(authuri, "Logins", i, loginuri);
        /***If a Login was found, retrieve the UserID and Password attributes***/
     if rc > 0 then do;
       rc2=metadata_getattr(loginuri,"UserID",userid);
       rc2=metadata_getattr(loginuri,"Password",password);
       call symput('userid', userid);
       call symput('password',password);
     end;
        /***If no Logins are found, write a message to the log***/
     else put 'There are no logins associated with this authentication domain.';
    end;
  run;
%mend;
 
   /***Invoke the macro, supplying the authentication domain name***/
%getOraLogin(authdomain=Test)
 
   /***Verify the macro variables (note, the password will be encoded)***/
%put id= &userid pw= &password;

In the SAS log, the id value retrieved was correct but the encoded password value is wrong. In fact the password value I got was {SAS002}B6535B5C02BB1BC110FD31944FC989D3. While searching this issue online I came across this question:

https://communities.sas.com/t5/Administration-and-Deployment/Login-password-not-getting-updated-in-S...

in this same community, which was answered by Paul: @PaulHomes. The encoded password is actually the PWENCODE version of 8 asterisks. But I am unable to understand why I get this wrong encoded password instead of the correct encoded password associated with the login for AUTHDOMAIN Test. My SAS Metadata identity is no longer part of the SAS Administrators group and so this wrong password seems strange. I tried restarting the SAS servers including the Metadata server but it still does not give me the right password in the SAS EG log and also the above Libname does not work for me. But for my colleague the password retrieved is correct and the Libname statement also works fine.

 

So what exactly is going on here?

 

Thanks.

 

18 REPLIES
SASKiwi
PROC Star

Not sure what is exactly going wrong with your metadata setup but this is how I would create a unique AUTHDOMAIN access for Teradata:

  1. Create new Auth Domain under User Manager, like TeradataAuth
  2. Create a new user group called say Teradata Users
  3. On the Account tab of Teradata Users, add the Teradata Auth Domain - TeradataAuth - plus the Teradata account and password
  4. Now add the users (or user groups) who require Teradata access to the Teradata Users group

I suspect the reason it is not working OK for you is you haven't got a special group just for Teradata access.

pchegoor
Pyrite | Level 9

@SASKiwi Thanks for your suggestion but I tried this and again get the same wrong password in the SAS log. Also the LIBNAME statement gives the same error.

SASKiwi
PROC Star

@pchegoor  - I can only conclude that you have two definitions for the Teradata account and password stored in metadata, one which works and one which doesn't and somehow you are picking up the wrong one. Make sure your own account doesn't include the Teradata AuthDomain / Account. 

 

I suggest you work with SAS Tech Support to resolve this. Metadata permissions issues can be tricky to fix.

pchegoor
Pyrite | Level 9

@SASKiwi 

 

I do have a ticket open for this issue with SAS Tech Support but it is going nowhere as of now. Also I just came across the link I referenced above which @PaulHomes had answered and thought it might give me some clue to the issue I am facing. I believe for some reason the SAS Metadata server still thinks I am part of the SAS Administrators group even though I removed myself (Metadata identity) from that group. Also, as you suggested, I created an exclusive group for Teradata and only added myself as a member of it. In the Accounts tab of this group I associated the Teradata login ID and password with a new AUTHDOMAIN called Tera. But when I run the above SAS code in SAS EG to retrieve this login ID and password using Metadata Interface functions in the Data step I do get the right ID value but the wrong encoded password value: {SAS002}B6535B5C02BB1BC110FD31944FC989D3. Then when I run the Libname with AUTHDOMAIN=Tera I get the same error as mentioned above. But if I add the SAS Administrators group to this Teradata group the Libname statement runs successfully even though I am not part of the SAS Administrators group in Metadata. This issue has been very puzzling so far.

 

 

PaulHomes
Rhodochrosite | Level 12

Hi,

 

If you are seeing the encoded version of 8 asterisks it suggests you are trying to use the library and access the metadata group's password as a highly privileged user and are deliberately not being given the correct password. As you would have seen in the thread you mentioned, someone who is unrestricted or a user administrator has the ability to see all logins but is restricted from fetching real passwords from metadata. This is one of the reasons we don't use unrestricted accounts for day to day work and may set up dual identities for our dual job roles.

 

I see you have tried removing yourself from the "SAS Administrators" group and that is one possible path by which you may have gotten your privileged user status, however there may be other paths too. When you log into SAS Management Console what do you see on the status bar?

  1. userid as User Name
  2. userid as Unrestricted

If option 2 then you are still a member of the unrestricted role by some path. If option 1 then you may still be a user administrator, in which case I would look at someone else's user in SAS Management Console User Manager. If you don't see an empty Logins tab and are not unrestricted then you are most likely a User Administrator. Another possible but less obvious path is the SAS Metadata Server's adminUsers.txt file - it is unlikely but worth a look if all else fails.

 

To troubleshoot this, I would recommend you start by looking at the "Metadata Server: Unrestricted" and "Metadata Server: User Administration" roles in SAS Management Console and work backwards. Are you a direct member of the roles? Are you a member of any groups that are direct members of the roles? Are you an indirect member by virtue of any nested group memberships?

 

A fast way to find this out, and see all paths by which someone is a member of a role is to use the Metacoda User Reviewer Roles tab, or the Metacoda Role Reviewer Members tab. If the source of the problem is not already obvious from the SAS User Manager plug-in, and you would like to try the Metacoda Plug-ins too, then you can register for a 30 day free evaluation at https://www.metacoda.com/ - they will help you track down any less obvious paths.

 

I hope this helps.

Cheers
Paul
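
The "work backwards" check described in the reply above can also be scripted with the same metadata DATA step functions used elsewhere in this thread. The following is an added example, not code from any participant: it starts from one identity and follows the IdentityGroups association upward through nested groups, flagging the two roles named above. The identity name is a placeholder, and reading the PublicType attribute to tell groups from roles is an assumption.

```sas
/* Added example: list every group and role one identity reaches,
   directly or through nested groups, and flag the two privileged roles. */
%let person=YourMetadataUserName;   /* placeholder: Name of the identity to check */

data membership_paths;
  length uri curi guri $256 name $128 type $60 via path $1000;
  array q_uri[500]  $256  _temporary_;  /* identities still to expand */
  array q_path[500] $1000 _temporary_;  /* membership chain that reached each one */
  call missing(uri, curi, guri, name, type, via, path);

  /* Locate the starting Person object by its Name attribute */
  if metadata_getnobj("omsobj:Person?@Name='&person'", 1, uri) <= 0 then do;
    put "ERROR: No Person named &person was found in metadata.";
    stop;
  end;

  head=1; tail=1;
  q_uri[1]=uri;
  q_path[1]="&person";

  /* Breadth-first walk: expand each identity's own group memberships */
  do while (head <= tail);
    curi=q_uri[head];
    via=q_path[head];
    head+1;

    a=1;
    do while (metadata_getnasn(curi, "IdentityGroups", a, guri) > 0);
      call missing(name, type);
      rc=metadata_getattr(guri, "Name", name);
      rc=metadata_getattr(guri, "PublicType", type);  /* assumed attribute */
      path=catx(' -> ', via, name);
      privileged=(name in ('Metadata Server: Unrestricted',
                           'Metadata Server: User Administration'));
      output;

      /* Queue the group once only, so circular nesting cannot loop forever */
      seen=0;
      do k=1 to tail;
        if q_uri[k]=guri then seen=1;
      end;
      if not seen and tail < dim(q_uri) then do;
        tail+1;
        q_uri[tail]=guri;
        q_path[tail]=path;
      end;
      a+1;
    end;
  end;

  keep name type path privileged;
run;

proc print data=membership_paths noobs;
  var privileged type name path;
run;
```

Each row with privileged=1 shows, in the path column, the chain of groups through which the identity holds that role.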

pchegoor
Pyrite | Level 9

@PaulHomes Thanks Paul for your response. I logged into the Management Console and checked the status bar and it displays: Userid as Username on it. I cannot see the login of any other user under the Accounts tab except the logins under my Metadata identity, as expected. Also my identity is part of only one Metadata group, a group which I have created for Teradata users of which I am the only member as of now. The Accounts tab of this group has the Teradata login and password associated with an AUTHDOMAIN called Tera. When I try to retrieve it using the Data Step code run in SAS EG I again end up with the 8 asterisks encoded password in the SAS log even though the ID value is correct. The Libname with AUTHDOMAIN=Tera also fails with the same error as mentioned above. But if I add the SAS Administrators group to this Teradata users group then the Libname works successfully even though I am not part of this group anymore. I checked the adminUsers.txt file and it had only the unrestricted account: sasadm@saspw. I also ran the below Data step code to just confirm which groups my Metadata identity belongs to and it sure confirmed that I only belong to the Teradata users group in the Metadata server.

 

The code below has been borrowed from this link : Solved: Querying the metadata for a list of users and grou... - SAS Support Communities

 

data users_grps; 
  
/* The LENGTH statement defines variables for function arguments and 
assigns the maximum length of each variable.  */   
  
  length uri name dispname group groupuri $256 
id MDUpdate $20; 
  
/* The CALL MISSING routine initializes output variables to missing values.*/ 
  
  n=1; 
      call missing(uri, name, dispname, group, groupuri, id, MDUpdate); 
  
     
  /* The METADATA_GETNOBJ function specifies to get the Person objects 
in the repository. The n argument specifies to get the first Person object that is 
returned. The uri argument will return the actual uri of the Person object that 
is returned. The program prints an informational message if no Person objects 
are found. */ 
  
      nobj=metadata_getnobj("omsobj:Person?@Id contains '.'",n,uri); 
  if nobj=0 then put 'No Persons available.'; 
  
/* The DO statement specifies a group of statements to be executed as a unit 
for the Person object that is returned by METADATA_GETNOBJ. The METADATA_GETATTR 
function gets the values of the object's Name and DisplayName attributes. */ 
  
  else do while (nobj > 0); 
     rc=metadata_getattr(uri, "Name", Name); 
     rc=metadata_getattr(uri, "DisplayName", DispName); 
  
  
/* The METADATA_GETNASN function gets objects associated via the IdentityGroups 
association. The a argument specifies to return the first associated object for 
that association type. The URI of the associated object is returned in the 
groupuri variable.  */ 
  
   a=1; 
     grpassn=metadata_getnasn(uri,"IdentityGroups",a,groupuri); 
         
        /* If a person does not belong to any groups, set their group 
          variable to 'No groups' and output their name. */ 
  
     if grpassn in (-3,-4) then do; 
            group="No groups"; 
        output; 
     end; 
  
        /* If the person belongs to many groups, loop through the list 
          and retrieve the Name and MetadataUpdated attributes of each group, 
            outputting each on a separate record. */ 
  
     else do while (grpassn > 0); 
        rc2=metadata_getattr(groupuri, "Name", group); 
        rc=metadata_getattr(groupuri, "MetadataUpdated", MDUpdate); 
        a+1; 
        output; 
        grpassn=metadata_getnasn(uri,"IdentityGroups",a,groupuri); 
     end; 
        
       /* Retrieve the next person's information */ 
  
     n+1; 
     nobj=metadata_getnobj("omsobj:Person?@Id contains '.'",n,uri); 
  end; 
  
/* The KEEP statement specifies the variables to include in the output data set. */ 
  
  keep name dispname MDUpdate group; 
run; 
  
   /* Display the list of users and their groups */ 
proc report data=users_grps nowd headline headskip; 
  columns name dispname group MDUpdate; 
  define name / order 'User Name' format=$30.; 
  define dispname / order 'Display Name' format=$30.; 
  define group / order 'Group' format=$30.; 
  define MDUpdate / display 'Updated' format=$20.; 
  break after name / skip; 
run; 

 

PaulHomes
Rhodochrosite | Level 12

Hi @pchegoor 

From your description it sounds like you are not unrestricted and not a user admin so I am puzzled why you would still be granted access to the group login but denied access to the group login password. The fact that someone else has been able to use it successfully rules out the possibility that it has been accidentally stored as 8 asterisks! 😉 I assume that the other user has no access to any other working Teradata logins in metadata by virtue of their own identity logins or any other group logins?

 

I also assume that you have also been using a new SAS EG session each time you made a change to rule out the use of cached logins by SAS EG? Have you also tried using the right mouse click Display Libname Statement action in the SAS Management Console Data Library Manager plug-in to review the libname statement code and the login it chooses to use? I find that quite useful in troubleshooting login access (as long as it is not a pre-assigned library).

 

When you say you add the SAS Administrators Group to the Teradata group do you mean SAS Administrators Group as a member of Teradata (or the other way round)? I am puzzled by the result you describe as it sounds very odd from here but then diagnosing security issues is very hard from afar without access to the environment to review. It is good that you are also working with SAS Technical Support as they are the best option with tricky problems like this.

 

Best of luck

Paul

pchegoor
Pyrite | Level 9

@PaulHomes This is what I observe with my setup as of now. I have a Metadata group called Teradata Access where I have associated, under the Accounts tab, a Teradata ID and password with an Authdomain called Tera. My SAS identity, sastest, in the Metadata server is right now the only member of this Metadata group Teradata Access, and also my SAS identity is part of only this group, i.e. the group chosen under the Groups and Roles tab of the SAS identity is Teradata Access. This also means that my SAS identity is not part of any other group, including the SAS Administrators group. I also set up a Teradata Metadata library called TD_TERA, associating it with a Teradata server using Authdomain Tera and using User/Password for authentication. I have set up all this by logging into SAS Management Console (SMC) using the unrestricted access ID: sasadm@saspw.

 

Now I log in to SMC using sastest and the status bar at the bottom right side confirms I am not signed in as an unrestricted user. I right click on the Metadata library TD_TERA to display the Libname statement and as expected the Libname statement correctly shows the Teradata ID and password (encoded) associated with the Authdomain Tera (defined in the Metadata group Teradata Access). Now I log in to SAS EG using sastest and run the Libname with the Authdomain option and get the below error:

 

26         Libname Td Teradata AUTHDOMAIN="Tera" server=Test database=Sample;
NOTE:  Credential could not be obtained from SAS metadata server.
WARNING: No login information was available for authdomain Tera.
ERROR: Teradata connection: MTDP: EM_GSSINITFAIL(235): call to gss_init failed. .
ERROR: Error in the LIBNAME statement.

When I try to assign the meta library TD_TERA under Libraries in SAS EG I get the error:

[Error] Teradata connection: MTDP: EM_GSSINITFAIL(235): call to gss_init failed. .

When I try to run the DATA Step code using the Metadata Interface functions to retrieve the ID and password associated with Authdomain Tera, the SAS log shows the correct Teradata ID but the encoded password value is {SAS002}B6535B5C02BB1BC110FD31944FC989D3, which is obviously wrong since this is the 8 asterisks encoding using PWENCODE.

 

Now I again log in to SAS SMC using sasadm@saspw and remove sastest as a member from the Metadata group Teradata Access and add the SAS Administrators group as a member instead. Now my SAS identity sastest is no longer a member of any Metadata group. I again log in to SAS SMC using sastest and confirm that I am not signed in as an unrestricted user. I try to display the Libname of the Metadata library TD_TERA but this time I am presented with a prompt to type the ID and password. This is expected since I have removed sastest from the Teradata Access group in which the Authdomain Tera is associated with a Teradata ID and password as mentioned above. But now if I log in to SAS EG with sastest and run the Libname with the Authdomain option it runs successfully.

 

26         Libname Td Teradata AUTHDOMAIN="Tera" server=Test database=Sample;
NOTE:  Credential obtained from SAS metadata server.
NOTE: Libref TD was successfully assigned as follows: 
 Engine:        TERADATA 
 Physical Name: Test

Also when I try to assign the meta library TD_TERA under Libraries in SAS EG I get no error.

When I try to run the DATA Step code using the Metadata Interface functions to retrieve the ID and password associated with Authdomain Tera, the SAS log shows the correct Teradata ID but the encoded password value is again {SAS002}B6535B5C02BB1BC110FD31944FC989D3.

 

This is indeed strange behaviour. My ticket with SAS Tech Support is still open with no breakthrough yet on this.

 

 

ronan
Lapis Lazuli | Level 10

@SASKiwi  and @PaulHomes have given you comprehensive replies which should help you resolve the issue. As a side note, please consider using a low code interface to quickly retrieve information from SAS metadata rather than Data Step OMI requests which are preferably intended for batch programs.

 

For running interactive requests on-the-fly, if you have a SAS Base (aka SAS DMS) available like SAS Base on Windows or on Unix/Linux using MobaXterm then you can very easily navigate in the Metadata object hierarchies with Metadata Browser :

https://blogs.sas.com/content/sastraining/2012/06/12/using-metabrowse-to-find-metadata/

 

There is also a multi purpose (free) tool I'd strongly recommend, seamlessly integrated with the SMC :

Metacoda Metadata Explorer Plugin 

 

https://platformadmin.com/blogs/paul/2012/08/metacoda-metadata-explorer-plug-in/

 

I am using it almost on a daily basis, this spares me a lot of time when looking around in the metadata repository. 

brendanb
Obsidian | Level 7

Hi, I see this post was originally posted in 2020. We are moving from 9.4 to Viya (3.5) and I am getting exactly the same error. Essentially we want the user to log in to the DB with his own credentials and not with a service/shared account credential.

So I have created a credential for myself pointing to a teradata authdomain and provided my login details. I have removed myself from SAS Administrators.

Getting the same error: 

NOTE: Credential could not be obtained from Viya credentials service.
WARNING: No login information was available for authdomain TERADATADBAUTH.
ERROR: Teradata connection: MTDP: EM_GSSINITFAIL(235): call to gss_init failed. .
ERROR: Error in the LIBNAME statement.
Has this been fixed yet, I have not seen a solution to this.

 

 

gwootton
SAS Super FREQ
Are you running your code in SAS Studio or from the command line?

Viya does not have the same limitation as SAS 9 of not being a member of the unrestricted or user administration roles so being a member of SAS Administrators should not be an issue, however in Viya if you are running from the command line you do not by default have an authentication token so cannot pull credentials from the credentials microservice. For the authdomain option to work you would need the SERVICESBASEURL option to be set (telling SAS where the microservices can be reached) and the SAS_VIYA_TOKEN environment variable populated with a valid authentication token.

Gerry talks about authentication in this way here under the "There are a couple of additional steps": https://communities.sas.com/t5/SAS-Communities-Library/Making-SAS-programs-stored-on-the-file-system...
--
Greg Wootton | Principal Systems Technical Support Engineer
brendanb
Obsidian | Level 7
Hi, thank you. I am running this in Studio, which will eventually run in a JES job. I will read up on the link. Thank you.
gwootton
SAS Super FREQ
If you are running the code in SAS Studio on Viya these messages indicate your user does not have a user/password stored in Environment Manager under "My Credentials" in the "TERADATADBAUTH" domain. How did you create the credentials for yourself?

NOTE: Credential could not be obtained from Viya credentials service.
WARNING: No login information was available for authdomain TERADATADBAUTH.

Here is the documentation on managing credentials in Viya.

Manage My Credentials
https://go.documentation.sas.com/doc/en/calcdc/3.5/calcredentials/n1tfaj0ycsd1xsn14hyhso38530t.htm
--
Greg Wootton | Principal Systems Technical Support Engineer
brendanb
Obsidian | Level 7

hi, thanks, sorry for delay, in between a lot of things.

I created an authentication domain called teradatadbauth, then I created my credentials for that domain using "My Credentials".

I have found some usage notes that talk to something amiss on LIBPATH, LD_LIBRARY_LIBPATH, etc. related to same error on 9.4. I have passed these onto admin guy to have a look at. Not sure if it applies to Viya.

Thanks again.
