karthic2612
Obsidian | Level 7

Hi Team,

Unfortunately, we are not able to log in to SAS Studio with the new password created for the user. But the user is able to log in with their old password. I am not sure what's happening here.

Our environment is the SAS 9.4 M5 release and we have configured PAM authentication against LDAP. The password expires after 60 days, and users reset it from the LDAP domain.

Now, after resetting the password, users are not able to log on using their new password. But they are able to log in successfully using their old password.

I have checked the SAS metadata server logs. Please see below for a sample of the error we got. Could someone help with this issue?

 

2019-06-20T21:47:37,260 TRACE [09362829] :mzvjl - Create Authenticated Token
2019-06-20T21:47:37,260 TRACE [09362829] :mzvjl - Client connection id: 1531489
2019-06-20T21:47:37,260 DEBUG [09362829] :mzvjl - User/Pass authentication for user epcnh
2019-06-20T21:47:37,260 TRACE [09362829] :mzvjl - Calling auth provider...
2019-06-20T21:47:37,260 TRACE [09362829] :mzvjl - Unix OS auth provider called for user epcnh
2019-06-20T21:47:38,732 INFO [09362829] :mzvjl - Access denied.
2019-06-20T21:47:38,732 TRACE [09362829] :mzvjl - bkAuthenticate failed 80BFD100
2019-06-20T21:47:38,732 DEBUG [09362829] :mzvjl - Provider failed: 80bfd100
2019-06-20T21:47:38,732 WARN [09362829] :mzvjl - New client connection (1531489) rejected from server port 8561 for user epcnh. Peer IP address and port are [10.61.xxx.xx]:49326 for APPNAME=Logon Manager 9.4.
2019-06-20T21:47:38,732 INFO [09362829] :mzvjl - Client connection 1531489 closed.

 

Thanks,

Vishal

 

Kurt_Bremser
Super User
Unix OS auth provider called for user epcnh

So you do not authenticate to the LDAP source, but against the host operating system. Try to log on via SSH to that UNIX server, and verify that the system itself uses LDAP (for the users in question), and not its internal passwd files.

alexal
SAS Employee

@karthic2612 ,

 

If you are using PAM authentication in sasauth.conf, I would like to review the output from a command shown below:

 

sudo grep -i epcnh /var/log/secure
karthic2612
Obsidian | Level 7

Please see below for your ask.

[mzvjl@ip-10-61-xxx-xx euqyi]$ sudo grep -i epcnh /var/log/secure
Jun 20 20:21:45 ip-10-61-xxx-xx sshd[29146]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sshd> reason: <>
Jun 20 20:21:45 ip-10-61-xxx-xx sshd[29146]: Accepted password for EPCNH from 10.74.xxx.xxx port 49898 ssh2
Jun 20 20:21:45 ip-10-61-xxx-xx sshd[29146]: pam_unix(sshd:session): session opened for user epcnh by (uid=0)
Jun 20 20:21:52 ip-10-61-xxx-xx sudo:   epcnh : TTY=pts/0 ; PWD=/home/epcnh ; USER=root ; COMMAND=/bin/su -
Jun 20 20:21:52 ip-10-61-xxx-xx su[29211]: pam_unix(su-l:session): session opened for user root by epcnh(uid=0)
Jun 20 20:24:07 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:08 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:08 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:16 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:16 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:16 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:16 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:16 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:16 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:41:33 ip-10-61-xxx-xx su[33447]: pam_unix(su:session): session opened for user mzvjl by epcnh(uid=0)
Jun 20 20:42:12 ip-10-61-xxx-xx sshd[33568]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sshd> reason: <>
Jun 20 20:42:12 ip-10-61-xxx-xx sshd[33568]: Accepted password for EPCNH from 10.74.xxx.xxx port 51120 ssh2
Jun 20 20:42:12 ip-10-61-xxx-xx sshd[33568]: pam_unix(sshd:session): session opened for user epcnh by (uid=0)
Jun 20 20:42:17 ip-10-61-xxx-xx sudo:   epcnh : TTY=pts/2 ; PWD=/home/epcnh ; USER=root ; COMMAND=/bin/su -
Jun 20 20:42:17 ip-10-61-xxx-xx su[33640]: pam_unix(su-l:session): session opened for user root by epcnh(uid=0)
Jun 20 20:55:59 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:55:59 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:55:59 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:55:59 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:55:59 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:55:59 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:56:00 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:56:00 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:56:23 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:03:57 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:57 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:58 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:58 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:58 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:59 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:59 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:59 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:59 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:12:10 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:13:31 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:31 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:31 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:32 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:32 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:33 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:33 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:33 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:33 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:23:31 ip-10-61-xxx-xx sshd[41882]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sshd> reason: <Incorrect Password>
Jun 20 21:23:33 ip-10-61-xxx-xx sshd[41882]: Failed password for epcnh from 10.74.xxx.xxx port 53761 ssh2
Jun 20 21:23:46 ip-10-61-xxx-xx sshd[41882]: Accepted password for epcnh from 10.74.xxx.xxx port 53761 ssh2
Jun 20 21:23:46 ip-10-61-xxx-xx sshd[41882]: pam_unix(sshd:session): session opened for user epcnh by (uid=0)
Jun 20 21:36:29 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:36:39 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:44:06 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:07 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:07 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:07 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:07 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:08 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:08 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:08 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:08 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:45:11 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:45:39 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:47:37 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 23:05:23 ip-10-61-xxx-xx sshd[41882]: pam_unix(sshd:session): session closed for user epcnh
Jun 20 23:08:38 ip-10-61-xxx-xx sshd[29146]: pam_unix(sshd:session): session closed for user epcnh
Jun 20 23:09:04 ip-10-61-xxx-xx sshd[33568]: pam_unix(sshd:session): session closed for user epcnh
Jun 21 04:34:48 ip-10-61-xxx-xx sshd[3485]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sshd> reason: <Incorrect Password>
Jun 21 04:34:50 ip-10-61-xxx-xx sshd[3485]: Failed password for epcnh from 10.85.xx.xxport 52768 ssh2
Jun 21 04:34:59 ip-10-61-xxx-xx sshd[3485]: Accepted password for epcnh from 10.85.xx.xxport 52768 ssh2
Jun 21 04:34:59 ip-10-61-xxx-xx sshd[3485]: pam_unix(sshd:session): session opened for user epcnh by (uid=0)
Jun 21 04:45:01 ip-10-61-xxx-xx sshd[3485]: pam_unix(sshd:session): session closed for user epcnh
Jun 21 11:03:07 ip-10-61-xxx-xx sudo:   mzvjl : TTY=pts/2 ; PWD=/home/euqyi ; USER=root ; COMMAND=/bin/grep -i epcnh /var/log/secure

alexal
SAS Employee

@karthic2612 ,

 

It looks like Quest doesn't accept the user password:

Jun 20 21:45:11 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:45:39 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:47:37 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>

Have you had a chance to talk to your Quest Administrator about that?

karthic2612
Obsidian | Level 7

Yes, we have checked with the Quest administrator and resolved the issue.

Quest was in a disconnected state for a while. Because of that, new passwords were not synced and it was not able to validate the newly changed passwords for users.

 

Thanks for your help.
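
Added example, not part of any post in this thread: a small Python parser for the pam_vas lines shown above that counts, per user, successes logged as `succeeded disconnected` against `Incorrect Password` failures, the pattern that pointed to Quest being out of sync here. The sample log is constructed, the host `host1` and user `jdoe` are made up, and the plain `succeeded` result for an online check is an assumption, since it does not appear in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the /var/log/secure lines posted above.
# host1 and jdoe are made up; "<succeeded>" (online success) is an assumption.
SAMPLE_LOG = r"""
Jun 20 20:24:07 host1 sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:56:23 host1 sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:23:31 host1 sshd[41882]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sshd> reason: <Incorrect Password>
Jun 20 21:23:46 host1 sshd[41882]: Accepted password for epcnh from 10.74.xxx.xxx port 53761 ssh2
Jun 20 21:30:02 host1 sasauth[31986]: pam_vas: Authentication <succeeded> for <Active Directory> user: <jdoe> account: <AWS\JDOE> service: <sasauth> reason: <>
Jun 20 21:31:10 host1 sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <jdoe> account: <AWS\JDOE> service: <sasauth> reason: <Incorrect Password>
"""

PAM_VAS = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+\S+\[\d+\]:\s+pam_vas:\s+"
    r"Authentication <(?P<result>[^>]*)> for <[^>]*> user: <(?P<user>[^>]*)> "
    r"account: <[^>]*> service: <(?P<service>[^>]*)> reason: <(?P<reason>[^>]*)>"
)

def parse(text):
    """Yield one dict per pam_vas authentication line; other lines are skipped."""
    for line in text.splitlines():
        m = PAM_VAS.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(text):
    """Per user: online successes, disconnected successes, bad-password failures."""
    stats = defaultdict(lambda: {"online": 0, "disconnected": 0, "bad_password": 0})
    for ev in parse(text):
        s = stats[ev["user"]]
        if ev["result"] == "succeeded disconnected":
            s["disconnected"] += 1
        elif ev["result"].startswith("succeeded"):
            s["online"] += 1
        elif ev["result"] == "failed" and ev["reason"] == "Incorrect Password":
            s["bad_password"] += 1
    return dict(stats)

def stale_cache_suspects(text):
    """Users whose only successes were disconnected and who also had password failures."""
    return sorted(
        user for user, s in summarize(text).items()
        if s["disconnected"] and not s["online"] and s["bad_password"]
    )

if __name__ == "__main__":
    for user in stale_cache_suspects(SAMPLE_LOG):
        print(user, summarize(SAMPLE_LOG)[user])
```

To run it on a real host, pass the contents of `/var/log/secure` to `stale_cache_suspects` in place of `SAMPLE_LOG`.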

alexal
SAS Employee

@karthic2612 ,

 

I'm glad that the problem has been resolved. Do not forget to mark this thread as resolved.

alexal
SAS Employee

@Kurt_Bremser ,

 

Something is definitely out of sync.

Kurt_Bremser
Super User

We often have a similar problem here because of using a "local" subset of a main LDAP source. Password changes are done in the local base, but some servers connect to the main one. Trying to log on to such servers immediately after a password change ("immediately" meaning within half an hour) regularly leads to locked user IDs. We are, obviously, VERY happy with that setup.

 

Spoiler
Anybody who finds sarcasm can keep it.
