Hello All,
I am facing a bizarre problem and struggling to find a solution. Please let me know your thoughts on the below, if any.
So I have a SAS Metadata Group called: SAS Developer. The Accounts tab of this Metadata group has a Teradata login and password associated with an AUTHDOMAIN called: Test. My SAS Metadata identity is part of this Metadata group and is also part of the SAS Administrators group. So now I log in to SAS EG using the same Metadata identity, connected to the same Metadata server, and run a LIBNAME with the Teradata Engine and the above AUTHDOMAIN. I get the Error as shown below.
Libname Td Teradata AUTHDOMAIN=Test server=Sample database=DB1;
NOTE: Credential could not be obtained from SAS metadata server.
WARNING: No login information was available for authdomain Test.
ERROR: Teradata connection: MTDP: EM_GSSINITFAIL(235): call to gss_init failed. .
ERROR: Error in the LIBNAME statement.
I am not sure why I am getting this Error. One of my colleagues, who also has a SAS Metadata identity on the same metadata server but who is not part of the SAS Administrators group, is able to run the above Libname statement successfully. So I logged into SAS MC using the unrestricted account (sasadm@saspw) and removed the group SAS Administrators from my Metadata identity. I logged into SAS EG again using my metadata identity, connecting to the same server, and ran the Libname again but got the same error again.
So I ran the below code in SAS EG to retrieve the login information associated with this AUTHDOMAIN (test).
%symdel userid password / nowarn;
%put Site: &syssite Release: &sysvlong System: &sysscp &sysscpl;
%put &sysuserid;
%macro getOraLogin(authdomain=);
  %global userid password;
  data _null_;
    length authuri loginuri $256 userid $32 password $60;
    n=1;
    authuri='';
    loginuri='';
    userid='';
    password='';
    /***Locate the Authentication Domain in the metadata***/
    nobj=metadata_getnobj("omsobj:AuthenticationDomain?@Name='"||"&authdomain"||"'",n,authuri);
    /***If it cannot be found, write a message to the log***/
    if nobj <= 0 then put 'No authentication domains with this name can be found.';
    /***If it was found, retrieve the first Login association***/
    else do;
      i=1;
      rc=metadata_getnasn(authuri, "Logins", i, loginuri);
      /***If a Login was found, retrieve the UserID and Password attributes***/
      if rc > 0 then do;
        rc2=metadata_getattr(loginuri,"UserID",userid);
        rc2=metadata_getattr(loginuri,"Password",password);
        call symput('userid', userid);
        call symput('password',password);
      end;
      /***If no Logins are found, write a message to the log***/
      else put 'There are no logins associated with this authentication domain.';
    end;
  run;
%mend;
/***Invoke the macro, supplying the authentication domain name***/
%getOraLogin(authdomain=Test)
/***Verify the macro variables (note, the password will be encoded)***/
%put id= &userid pw= &password;
In the SAS log, the id value retrieved was correct but the encoded password value is wrong. In fact the password value I got was {SAS002}B6535B5C02BB1BC110FD31944FC989D3. While searching this issue online I came across this question:
in this same community, which was answered by Paul: @PaulHomes. The encoded password is actually the PWENCODE version of 8 asterisks. But I am unable to understand why I get this wrong encoded password instead of the correct encoded password associated with the login for AUTHDOMAIN Test. My SAS Metadata identity is no longer part of the SAS Administrators group and so this wrong password seems strange. I tried restarting the SAS servers, including the Metadata server, but it still does not give me the right password in the SAS EG log and also the above Libname does not work for me. But for my colleague the password retrieved is correct and the Libname statement also works fine.
So what exactly is going on here?
Thanks.
Not sure what is exactly going wrong with your metadata setup but this is how I would create a unique AUTHDOMAIN access for Teradata:
I suspect the reason it is not working OK for you is you haven't got a special group just for Teradata access.
@SASKiwi Thanks for your suggestion but I tried this and again get the same wrong password in the SAS log. Also the LIBNAME statement gives the same Error.
@pchegoor - I can only conclude that you have two definitions for the Teradata account and password stored in metadata, one which works and one which doesn't and somehow you are picking up the wrong one. Make sure your own account doesn't include the Teradata AuthDomain / Account.
I suggest you work with SAS Tech Support to resolve this. Metadata permissions issues can be tricky to fix.
I do have a ticket open for this issue with SAS Tech Support but it is going nowhere as of now. Also I just came across the link I referenced above, which @PaulHomes had answered, and thought it may give me some clue to the issue I am facing. I believe for some reason the SAS Metadata server still thinks I am part of the SAS Administrators group even though I removed myself (Metadata identity) from that group. Also, as you suggested, I created an exclusive group for Teradata and only added myself as a member to it. In the Accounts tab of this group I associated the Teradata login Id and password with a new AUTHDOMAIN called Tera. But when I run the above SAS code in SAS EG to retrieve this login ID and password using Metadata Interface functions in the Data step, I do get the right Id value but the wrong encoded password value: {SAS002}B6535B5C02BB1BC110FD31944FC989D3. Then when I run the Libname with the AUTHDOMAIN = Tera I get the same Error as mentioned above. But if I add the SAS Administrators group to this Teradata group the Libname statement runs successfully even though I am not part of the SAS Administrators group in Metadata. Very puzzling this issue has been so far.
Hi,
If you are seeing the encoded version of 8 asterisks it suggests you are trying to use the library and access the metadata group's password as a highly privileged user and are deliberately not being given the correct password. As you would have seen in the thread you mentioned, someone who is unrestricted or a user administrator has the ability to see all logins but is restricted from fetching real passwords from metadata. This is one of the reasons we don't use unrestricted accounts for day to day work and may set up dual identities for our dual job roles.
I see you have tried removing yourself from the "SAS Administrators" group and that is one possible path by which you may have gotten your privileged user status, however there may be other paths too. When you log into SAS Management Console what do you see on the status bar?
If option 2 then you are still a member of the unrestricted role by some path. If option 1 then you may still be a user administrator, in which case I would look at someone else's user in SAS Management Console User Manager. If you don't see an empty Logins tab and are not-unrestricted then you are most likely a User Administrator. Another possible but less obvious path is the SAS Metadata Server's adminUsers.txt file - it is unlikely but worth a look if all else fails.
To troubleshoot this, I would recommend you start by looking at the "Metadata Server: Unrestricted" and "Metadata Server: User Administration" roles in SAS Management Console and work backwards. Are you a direct member of the roles? Are you a member of any groups that are direct members of the roles? Are you an indirect member by virtue of any nested group memberships?
A fast way to find this out, and see all paths by which someone is a member of a role is to use the Metacoda User Reviewer Roles tab, or the Metacoda Role Reviewer Members tab. If the source of the problem is not already obvious from the SAS User Manager plug-in, and you would like to try the Metacoda Plug-ins too, then you can register for a 30 day free evaluation at https://www.metacoda.com/ - they will help you track down any less obvious paths.
I hope this helps.
Cheers
Paul
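One way to run the membership check described in the reply above (direct, via a group, via nested groups) from a SAS session, as an added example that is not part of the original thread: a DATA step that follows the IdentityGroups association breadth-first from one identity and reports each path that reaches either role named in the reply. The identity name in the `person` macro variable and the data set name `role_paths` are assumptions; each group is expanded only once, so a group reached by two routes is reported under the first route found.

```sas
/* Added example. Assumption: sastest is the metadata Name of the identity to check. */
%let person=sastest;

data role_paths(keep=role path);
  length uri cururi guri quri $256 name role $60 path curpath qpath $1000;
  call missing(uri, cururi, guri, quri, name, role, path, curpath, qpath);

  /* FIFO queue of identities still to expand: slot -> (URI, path so far) */
  declare hash queue();
  queue.defineKey('slot');
  queue.defineData('quri', 'qpath');
  queue.defineDone();

  /* Group URIs already expanded, so circular nesting cannot loop forever */
  declare hash seen();
  seen.defineKey('guri');
  seen.defineDone();

  if metadata_getnobj("omsobj:Person?@Name='&person'", 1, uri) <= 0 then do;
    put "No Person object named &person was found.";
    stop;
  end;

  head = 1; tail = 1;
  slot = 1; quri = uri; qpath = "&person";
  rc = queue.add();

  do while (head <= tail);
    slot = head; rc = queue.find();
    cururi = quri; curpath = qpath;
    head + 1;

    /* Every group or role the current identity is a direct member of */
    a = 1;
    grpassn = metadata_getnasn(cururi, "IdentityGroups", a, guri);
    do while (grpassn > 0);
      rc = metadata_getattr(guri, "Name", name);
      path = catx(' -> ', curpath, name);
      /* Role names exactly as given in the reply above */
      if name in ('Metadata Server: Unrestricted',
                  'Metadata Server: User Administration') then do;
        role = name;
        output;
      end;
      /* Queue the group once so its own memberships are followed too */
      if seen.check() ne 0 then do;
        rc = seen.add();
        tail + 1;
        slot = tail; quri = guri; qpath = path;
        rc = queue.add();
      end;
      a + 1;
      grpassn = metadata_getnasn(cururi, "IdentityGroups", a, guri);
    end;
  end;
run;

proc print data=role_paths noobs;
run;
```

An empty `role_paths` data set means no explicit membership path from that identity to either role was visible to the account running the step.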
@PaulHomes Thanks Paul for your response. I logged into the Management Console and checked the status bar and it displays: Userid as Username on it. I cannot see the login of any other user under the Accounts tab except the logins under my Metadata Identity, as expected. Also my Identity is part of only one Metadata group, a group which I have created for Teradata users, of which I am the only member as of now. The Accounts tab of this group has the Teradata login and password associated with an AUTHDOMAIN called Tera. When I try to retrieve it using the Data Step code run in SAS EG I again end up with the 8 asterisks encoded password in the SAS log even though the Id value is correct. The Libname with the AUTHDOMAIN=Tera also fails with the same Error as mentioned above. But if I add the SAS Administrators Group to this Teradata users group then the Libname works successfully even though I am not part of this group anymore. I checked the adminUsers.txt file and it had only the unrestricted account: sasadm@saspw. I also ran the below Data step code to just confirm which groups my Metadata identity belongs to and it sure confirmed that I only belong to the Teradata users group in the Metadata server.
The code below has been borrowed from this link : Solved: Querying the metadata for a list of users and grou... - SAS Support Communities
data users_grps;
  /* The LENGTH statement defines variables for function arguments and
     assigns the maximum length of each variable. */
  length uri name dispname group groupuri $256
         id MDUpdate $20;
  /* The CALL MISSING routine initializes output variables to missing values. */
  n=1;
  call missing(uri, name, dispname, group, groupuri, id, MDUpdate);
  /* The METADATA_GETNOBJ function specifies to get the Person objects
     in the repository. The n argument specifies to get the first Person object that is
     returned. The uri argument will return the actual uri of the Person object that
     is returned. The program prints an informational message if no Person objects
     are found. */
  nobj=metadata_getnobj("omsobj:Person?@Id contains '.'",n,uri);
  if nobj=0 then put 'No Persons available.';
  /* The DO statement specifies a group of statements to be executed as a unit
     for the Person object that is returned by METADATA_GETNOBJ. The METADATA_GETATTR
     function gets the values of the object's Name and DisplayName attributes. */
  else do while (nobj > 0);
    rc=metadata_getattr(uri, "Name", Name);
    rc=metadata_getattr(uri, "DisplayName", DispName);
    /* The METADATA_GETNASN function gets objects associated via the IdentityGroups
       association. The a argument specifies to return the first associated object for
       that association type. The URI of the associated object is returned in the
       groupuri variable. */
    a=1;
    grpassn=metadata_getnasn(uri,"IdentityGroups",a,groupuri);
    /* If a person does not belong to any groups, set their group
       variable to 'No groups' and output their name. */
    if grpassn in (-3,-4) then do;
      group="No groups";
      output;
    end;
    /* If the person belongs to many groups, loop through the list
       and retrieve the Name and MetadataUpdated attributes of each group,
       outputting each on a separate record. */
    else do while (grpassn > 0);
      rc2=metadata_getattr(groupuri, "Name", group);
      rc=metadata_getattr(groupuri, "MetadataUpdated", MDUpdate);
      a+1;
      output;
      grpassn=metadata_getnasn(uri,"IdentityGroups",a,groupuri);
    end;
    /* Retrieve the next person's information */
    n+1;
    nobj=metadata_getnobj("omsobj:Person?@Id contains '.'",n,uri);
  end;
  /* The KEEP statement specifies the variables to include in the output data set. */
  keep name dispname MDUpdate group;
run;
/* Display the list of users and their groups */
proc report data=users_grps nowd headline headskip;
  columns name dispname group MDUpdate;
  define name / order 'User Name' format=$30.;
  define dispname / order 'Display Name' format=$30.;
  define group / order 'Group' format=$30.;
  define MDUpdate / display 'Updated' format=$20.;
  break after name / skip;
run;
Hi @pchegoor
From your description it sounds like you are not unrestricted and not a user admin so I am puzzled why you would still be granted access to the group login but denied access to the group login password. The fact that someone else has been able to use it successfully rules out the possibility that it has been accidentally stored as 8 asterisks! 😉 I assume that the other user has no access to any other working Teradata logins in metadata by virtue of their own identity logins or any other group logins?
I also assume that you have also been using a new SAS EG session each time you made a change to rule out the use of cached logins by SAS EG? Have you also tried using the right mouse click Display Libname Statement action in the SAS Management Console Data Library Manager plug-in to review the libname statement code and the login it chooses to use? I find that quite useful in troubleshooting login access (as long as it is not a pre-assigned library).
When you say you add the SAS Administrators Group to the Teradata group do you mean SAS Administrators Group as a member of Teradata (or the other way round)? I am puzzled by the result you describe as it sounds very odd from here but then diagnosing security issues is very hard from afar without access to the environment to review. It is good that you are also working with SAS Technical Support as they are the best option with tricky problems like this.
Best of luck
Paul
@PaulHomes This is what I observe with my setup as of now. I have a Metadata group called: Teradata Access, where I have associated under the Accounts tab a Teradata ID and Password with an Authdomain called: Tera. My SAS Identity: sastest in the Metadata server right now is the only member of this Metadata group: Teradata Access, and also my SAS identity is part of only this group, i.e. the group chosen under the Groups and Roles tab of the SAS Identity is Teradata Access. This also means that my SAS identity is not part of any other group, including the SAS Administrators group. I also set up a Teradata Metadata Library called TD_TERA, associating it with a Teradata server using Authdomain Tera and using User/Password for Authentication. I have set up all this by logging into SAS Management Console (SMC) using the Unrestricted access Id: sasadm@saspw.
Now I log in to SMC using sastest and the status bar at the bottom right side confirms I am not signed in as an unrestricted user. I right click on the Metadata library: TD_TERA to display the Libname Statement and, as expected, the Libname statement correctly shows the Teradata ID and password (encoded) associated with the Authdomain Tera (defined in the Metadata group Teradata Access). Now I log in to SAS EG using sastest and run the Libname with the Authdomain option and get the below Error:
26 Libname Td Teradata AUTHDOMAIN="Tera" server=Test database=Sample;
NOTE: Credential could not be obtained from SAS metadata server.
WARNING: No login information was available for authdomain Tera.
ERROR: Teradata connection: MTDP: EM_GSSINITFAIL(235): call to gss_init failed. .
ERROR: Error in the LIBNAME statement.
When I try to assign the meta library: TD_TERA under Libraries in SAS EG I get the Error:
[Error] Teradata connection: MTDP: EM_GSSINITFAIL(235): call to gss_init failed. .
When I try to run the DATA Step code using the Metadata Interface functions to retrieve the ID and password associated with Authdomain Tera, the SAS log shows the correct Teradata ID but the encoded password value is: {SAS002}B6535B5C02BB1BC110FD31944FC989D3 and is obviously wrong since this is the 8 asterisks encoding using PWENCODE.
Now I again log into SAS SMC using sasadm@saspw and remove sastest as a member from the Metadata group Teradata Access and add the SAS Administrators group as a member instead. Now my SAS identity sastest is no longer a member of any Metadata Group. I again log into SAS SMC using sastest and confirm that I am not signed in as an unrestricted user. I try to display the Libname of the Metadata Library TD_TERA but this time I am presented with a prompt to type the ID and password. This is expected since I have removed sastest from the Teradata Access group in which the Authdomain Tera is associated with a Teradata Id and password as mentioned above. But now if I log into SAS EG with sastest and run the Libname with the Authdomain option it runs successfully.
26 Libname Td Teradata AUTHDOMAIN="Tera" server=Test database=Sample;
NOTE: Credential obtained from SAS metadata server.
NOTE: Libref TD was successfully assigned as follows:
Engine: TERADATA
Physical Name: Test
Also when I try to assign the meta library: TD_TERA under Libraries in SAS EG I get no Error.
When I try to run the DATA Step code using the Metadata Interface functions to retrieve the ID and password associated with Authdomain Tera, the SAS log shows the correct Teradata ID but the encoded password value is again: {SAS002}B6535B5C02BB1BC110FD31944FC989D3.
This is indeed a strange behaviour. My ticket with SAS Tech Support is still open with no breakthrough yet on this.
@SASKiwi and @PaulHomes have given you comprehensive replies which should help you resolve the issue. As a side note, please consider using a low code interface to quickly retrieve information from SAS metadata rather than Data Step OMI requests which are preferably intended for batch programs.
For running interactive requests on-the-fly, if you have a SAS Base (aka SAS DMS) available like SAS Base on Windows or on Unix/Linux using MobaXterm then you can very easily navigate in the Metadata object hierarchies with Metadata Browser:
https://blogs.sas.com/content/sastraining/2012/06/12/using-metabrowse-to-find-metadata/
There is also a multi purpose (free) tool I'd strongly recommend, seamlessly integrated with the SMC:
Metacoda Metadata Explorer Plugin
https://platformadmin.com/blogs/paul/2012/08/metacoda-metadata-explorer-plug-in/
I am using it almost on a daily basis, this spares me a lot of time when looking around in the metadata repository.
Hi, I see this post was originally posted in 2020. We are moving from 9.4 to Viya (3.5) and I am getting exactly the same error. Essentially we want the user to login to the DB with his own credentials and not with a service/shared account credential.
So I have created a credential for myself pointing to a teradata authdomain and provided my login details. I have removed myself from SAS Administrators.
Getting the same error:
hi, thanks, sorry for delay, in between a lot of things.
I created an authentication domain called teradatadbauth, then I created my credentials for that domain using "My Credentials".
I have found some usage notes that talk to something amiss on LIBPATH, LD_LIBRARY_LIBPATH, etc. related to same error on 9.4. I have passed these onto admin guy to have a look at. Not sure if it applies to Viya.
Thanks again.