Hi Team,
Unfortunately, we are not able to login to SAS studio with new password created for the user. But, user is able to login with their old password. I am not sure what's happening here.
Our environment is SAS 9.4 M5 release and we have configured PAM authentication against LDAP. For 60 days password will expire and users will reset the password from LDAP domain.
NOw, after reset the password, users are not able to logon using their new password. But they are able to login successfully using thier old password.
I have checked the SAS metadata server logs. Please see below for sample error we got. Could someone help on this issue.
2019-06-20T21:47:37,260 TRACE [09362829] :mzvjl - Create Authenticated Token
2019-06-20T21:47:37,260 TRACE [09362829] :mzvjl - Client connection id: 1531489
2019-06-20T21:47:37,260 DEBUG [09362829] :mzvjl - User/Pass authentication for user epcnh
2019-06-20T21:47:37,260 TRACE [09362829] :mzvjl - Calling auth provider...
2019-06-20T21:47:37,260 TRACE [09362829] :mzvjl - Unix OS auth provider called for user epcnh
2019-06-20T21:47:38,732 INFO [09362829] :mzvjl - Access denied.
2019-06-20T21:47:38,732 TRACE [09362829] :mzvjl - bkAuthenticate failed 80BFD100
2019-06-20T21:47:38,732 DEBUG [09362829] :mzvjl - Provider failed: 80bfd100
2019-06-20T21:47:38,732 WARN [09362829] :mzvjl - New client connection (1531489) rejected from server port 8561 for user epcnh. Peer IP address and port are [10.61.xxx.xx]:49326 for APPNAME=Logon Manager 9.4.
2019-06-20T21:47:38,732 INFO [09362829] :mzvjl - Client connection 1531489 closed.
Thanks,
Vishal
It looks like that Quest doesn't accept the user password:
Jun 20 21:45:11 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:45:39 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:47:37 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Have you had a chance to talk to your Quest Administrator about that?
Unix OS auth provider called for user epcnh
So you do not authenticate to the LDAP source, but against the host operating system. Try to log on via SSH to that UNIX server, and verify that the system itself uses LDAP (for the users in question), and not its internal passwd files.
If you are using PAM authentication in sasauth.conf, I would like to review the output from a command shown below:
sudo grep -i epcnh /var/log/secure
Please see below for your ask.
Please see below for your ask.
[mzvjl@ip-10-61-xxx-xx euqyi]$ sudo grep -i epcnh /var/log/secure
Jun 20 20:21:45 ip-10-61-xxx-xx sshd[29146]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sshd> reason: <>
Jun 20 20:21:45 ip-10-61-xxx-xx sshd[29146]: Accepted password for EPCNH from 10.74.xxx.xxx port 49898 ssh2
Jun 20 20:21:45 ip-10-61-xxx-xx sshd[29146]: pam_unix(sshd:session): session opened for user epcnh by (uid=0)
Jun 20 20:21:52 ip-10-61-xxx-xx sudo: epcnh : TTY=pts/0 ; PWD=/home/epcnh ; USER=root ; COMMAND=/bin/su -
Jun 20 20:21:52 ip-10-61-xxx-xx su[29211]: pam_unix(su-l:session): session opened for user root by epcnh(uid=0)
Jun 20 20:24:07 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:08 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:08 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:16 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:16 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:16 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:16 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:16 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:24:16 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:41:33 ip-10-61-xxx-xx su[33447]: pam_unix(su:session): session opened for user mzvjl by epcnh(uid=0)
Jun 20 20:42:12 ip-10-61-xxx-xx sshd[33568]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sshd> reason: <>
Jun 20 20:42:12 ip-10-61-xxx-xx sshd[33568]: Accepted password for EPCNH from 10.74.xxx.xxx port 51120 ssh2
Jun 20 20:42:12 ip-10-61-xxx-xx sshd[33568]: pam_unix(sshd:session): session opened for user epcnh by (uid=0)
Jun 20 20:42:17 ip-10-61-xxx-xx sudo: epcnh : TTY=pts/2 ; PWD=/home/epcnh ; USER=root ; COMMAND=/bin/su -
Jun 20 20:42:17 ip-10-61-xxx-xx su[33640]: pam_unix(su-l:session): session opened for user root by epcnh(uid=0)
Jun 20 20:55:59 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:55:59 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:55:59 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:55:59 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:55:59 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:55:59 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:56:00 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:56:00 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 20:56:23 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:03:57 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:57 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:58 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:58 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:58 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:59 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:59 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:59 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:03:59 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:12:10 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:13:31 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:31 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:31 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:32 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:32 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:33 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:33 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:33 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:13:33 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:23:31 ip-10-61-xxx-xx sshd[41882]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sshd> reason: <Incorrect Password>
Jun 20 21:23:33 ip-10-61-xxx-xx sshd[41882]: Failed password for epcnh from 10.74.xxx.xxx port 53761 ssh2
Jun 20 21:23:46 ip-10-61-xxx-xx sshd[41882]: Accepted password for epcnh from 10.74.xxx.xxx port 53761 ssh2
Jun 20 21:23:46 ip-10-61-xxx-xx sshd[41882]: pam_unix(sshd:session): session opened for user epcnh by (uid=0)
Jun 20 21:36:29 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:36:39 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:44:06 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:07 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:07 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:07 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:07 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:08 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:08 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:08 ip-10-61-xxx-xx sasauth[25271]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:44:08 ip-10-61-xxx-xx sasauth[32387]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:45:11 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:45:39 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:47:37 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 23:05:23 ip-10-61-xxx-xx sshd[41882]: pam_unix(sshd:session): session closed for user epcnh
Jun 20 23:08:38 ip-10-61-xxx-xx sshd[29146]: pam_unix(sshd:session): session closed for user epcnh
Jun 20 23:09:04 ip-10-61-xxx-xx sshd[33568]: pam_unix(sshd:session): session closed for user epcnh
Jun 21 04:34:48 ip-10-61-xxx-xx sshd[3485]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sshd> reason: <Incorrect Password>
Jun 21 04:34:50 ip-10-61-xxx-xx sshd[3485]: Failed password for epcnh from 10.85.xx.xxport 52768 ssh2
Jun 21 04:34:59 ip-10-61-xxx-xx sshd[3485]: Accepted password for epcnh from 10.85.xx.xxport 52768 ssh2
Jun 21 04:34:59 ip-10-61-xxx-xx sshd[3485]: pam_unix(sshd:session): session opened for user epcnh by (uid=0)
Jun 21 04:45:01 ip-10-61-xxx-xx sshd[3485]: pam_unix(sshd:session): session closed for user epcnh
Jun 21 11:03:07 ip-10-61-xxx-xx sudo: mzvjl : TTY=pts/2 ; PWD=/home/euqyi ; USER=root ; COMMAND=/bin/grep -i epcnh /var/log/secure
It looks like that Quest doesn't accept the user password:
Jun 20 21:45:11 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Jun 20 21:45:39 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <succeeded disconnected> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <>
Jun 20 21:47:37 ip-10-61-xxx-xx sasauth[31986]: pam_vas: Authentication <failed> for <Active Directory> user: <epcnh> account: <AWS\EPCNH> service: <sasauth> reason: <Incorrect Password>
Have you had a chance to talk to your Quest Administrator about that?
Yes, we have checked with Quest administartor and resolved the issue.
Quest was in disconnected state for a while. Due to that new passwords are not sync and was not able to validate the new changed password for users.
Thanks for your help.
I'm glad that the problem has been resolved. Do not forget to mark this thread as resolved.
Could it be that you used a LDAP source built for testing, which is not synchronized with the "main" LDAP?
We often have a similar problem here because of using a "local" subset of a main LDAP source. Password changes are done in the local base, but some servers connect to the main one. Trying to logon to such servers immediately after a password change ("immediately" meaning within half an hour) regularly leads to locked user-id's. We are, obviously, VERY happy with that setup.
The SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment.
SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.
Find more tutorials on the SAS Users YouTube channel.