RusselBaisas
Calcite | Level 5

Hi guys,

Has anyone had any experience with using NIS as authentication? We are having an issue with using NIS on SAS Studio. Though it works for logging in to all servers (mid tier/metadata/compute), it doesn't seem to work for logging in to SAS Studio. A little hint of help would be appreciated. Thank you and more power!

Kurt_Bremser
Super User

SAS studio needs a workspace server instance; this workspace server instance (if it ain't a pooled workspace server) is started using the user's credentials. If that user does not have a "presence" on the host where SAS runs (userid, home directory etc), the instance cannot be started.

Basically, you need to try if you can log on with something like ssh to the SAS host (or at least do a "su username" from another ID there)

RusselBaisas
Calcite | Level 5
Hi Kurt,

NIS authentication works in all our server setup, and logging in to each server, from mid tier/compute server to metadata server, works. But when I try to log in using the browser into SAS Studio, it doesn't seem to be authenticated. Kindly note I have tested and set up all the IDs in Management Console, and testing with local IDs works when logging in to SAS Studio. I am also new to this setup. I have 2 suspicions on why it doesn't work:

1. NIS authentication is not mapped to web authentication (I have been trying to search on Google whether SAS has any reference to an NIS document but was unable to find any).

2. NIS does not authenticate to metadata server. (I am able to log in to all our servers using NIS userids via ssh directly with no issue.)

Hence, would you mind sharing any relevant documents, like how technically SAS web studio authenticates to metadata server, and how to fetch the list of users in metadata server?

Perttu
Fluorite | Level 6

Hi Kurt,

I think NIS has no particular role in this. We have NIS authentication, and as long as metadata identities map to host accounts and hosts use NIS to authenticate, SAS doesn't care what the mechanics are. AFAIK SAS metadata can't even authenticate against NIS. It only knows host, AD and LDAP authentication schemes.

If SAS Studio is the only SAS client you are using, then make sure the metadata identities are mapped to real host accounts properly. If other SAS clients work (EG, DIS, ...) and only SAS Studio is not working, then again NIS has nothing to do with it. The fault is in SAS Studio or metadata.

Hope this helps,

Pekk.

PaulHomes
Rhodochrosite | Level 12

When you say it is not working, how is it not working? What error messages are users getting in the SAS Logon Manager web interface? What error messages are you getting in the SAS Object Spawner log files? Are there any interesting error or warning messages in the SAS Metadata Server log files or SAS Web Application Server log files? Providing more specific details usually helps to better identify the problem or provide clues on where to look next.

PaulHomes
Rhodochrosite | Level 12

Perhaps a SAS Communities admin could move this from the Web Report Studio community into the SAS Studio community or the Administration and Deployment community? It might get better visibility there.

RusselBaisas
Calcite | Level 5
I think I found the issue to this. In sasauth.conf under metadata server. NIS authentication uses PAM by default. 🙂

# Name: methods Authentication used.
# At least one must be specified. Separate multiple entries
# with spaces.
# Authentication is performed in the order
# specified, from left to right.
# Each method is attempted until one is
# found that has the user identity
# (even if the password is not valid).
# Values:
#
# pw - Use standard /etc/passwd - /etc/shadow authentication.
# On some hosts, this also includes protected password databases
# or OS-provided enhanced security.
#
# pam - Use PAM for authentication. The password database is also
# used to determine the user's UID and GID.
# pam.conf must be configured properly for sasauth. Refer to
# "SAS(R) 9.2 Companion for UNIX Environments" for more information.
#
# ldap - Use LDAP authentication. Be sure to define the LDAP
# parameters below.
#
# ext - Use a custom authentication mechanism. This mechanism is built
# using the authentication kit, available from SAS Technical Support.

methods=pw

ronan
Lapis Lazuli | Level 10

We have some experience with NIS authentication on RHEL 5/6 servers. The following page describes the NIS protocol at length:

http://www.yolinux.com/TUTORIALS/NIS.html

See also https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Gu...

Strictly speaking, NIS/Yellow Pages does not require PAM as far as I know. Implementations amongst Linux/Unix flavours may vary, of course. I only know Linux Red Hat in this respect. With RHEL, NIS works independently of PAM, which looks like a centralized identity provider:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/P...

NIS impersonates authentication requests to the local host (/etc/passwd, /etc/groups, shadow etc.) and thus enables transparent use of a central identity directory. Applications that need to launch authentication calls to the Linux/Unix host stack don't have to be modified.

By default, SAS Unix/Linux authentication proxies (a SAS process remotely launched for a SAS Studio terminal relies on the so-called SAS Object Spawner daemon, which in turn uses authentication proxies) use local host authentication, with methods=pw as shown above.

If in your case the server also uses PAM, then you'll have to modify the sasauth.cfg file accordingly and restart all SAS services (even the Metadata Server) to take it into account.

Take care with the GROUP_NO_CASE parameter: if your NIS accounts have secondary group memberships, the authentication request made on behalf of the SAS proxy sometimes could not retrieve the primary group correctly.

This also happens when the cache is active (NSCD daemon running).

To go further with SAS authentication on Unix/Linux:

https://support.sas.com/kb/15/231.html

 

https://support.sas.com/resources/papers/proceedings14/SAS111-2014.pdf
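
An added example (not part of any post in this thread, and not SAS code): a shell helper that collects, for one user, the three facts the replies above turn on, namely the `methods=` order configured in sasauth.conf, whether the account is local or only resolvable through NSS (for example NIS), and whether a PAM service file for sasauth exists. The function names, the overridable `GETENT` variable and the default `/etc/pam.d/sasauth` path are assumptions; the sasauth.conf location is passed as an argument.

```shell
#!/bin/sh
# Added example. Usage: script SASAUTH_CONF USER [PASSWD_FILE] [PAM_FILE]

GETENT=${GETENT:-getent}   # NSS lookup command (overridable, e.g. for testing)

# Print the value of the first uncommented "methods=" line, normalised to
# single spaces, in the left-to-right order the methods are attempted.
sasauth_methods() {
    sed -n 's/^[[:space:]]*methods[[:space:]]*=[[:space:]]*//p' "$1" |
        head -n 1 | tr -s ' \t' '  ' | sed 's/ *$//'
}

# Classify the account: "local" (listed in the given passwd file),
# "nss-only" (resolves through NSS but is not local), or "unknown".
account_source() {
    user=$1
    passwd_file=$2
    if awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' \
        "$passwd_file" 2>/dev/null; then
        echo local
    elif $GETENT passwd "$user" >/dev/null 2>&1; then
        echo nss-only
    else
        echo unknown
    fi
}

# One summary line to paste into a support thread.
sasauth_report() {
    conf=$1
    user=$2
    passwd_file=${3:-/etc/passwd}
    pam_file=${4:-/etc/pam.d/sasauth}   # assumed default location
    if [ -f "$pam_file" ]; then pam=present; else pam=missing; fi
    echo "methods=[$(sasauth_methods "$conf")]" \
         "account=$(account_source "$user" "$passwd_file")" \
         "pam_service=$pam"
}

if [ "$#" -ge 2 ]; then
    sasauth_report "$@"
fi
```

Run it on the host where the metadata server runs and again on the compute host, since the thread shows the two can be configured differently.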
