We are trying to configure PAM (with samba) with our SAS 9.4 installation on a RedHat x64 server. But when users try to enter, an error appears:
[Error] The launch of server SASApp - Workspace Server for user XXX failed.
We noticed that this error appears because the users don't have a home directory.
Has anyone had the same problem?
There are PAM modules that can create a home directory on demand when required. I have oddjob-mkhomedir installed to do this, but there is also pam_mkhomedir. I use realmd for AD backed PAM authentication and oddjob-mkhomedir is installed along the way - if you are interested in that approach I wrote a blog post about it at http://platformadmin.com/blogs/paul/2015/07/active-directory-authentication-for-sas-on-linux-with-re...
Hi Paul, thanks for your answer.
I tried to make the configuration with the two PAM modules oddjob-mkhomedir and pam_mkhomedir, but all the tests were unsuccessful.
I share with you the contents of my sasauth file:
#############################################
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022 silent
########################################################
In addition to this file, we configured the ga_auth and the eauth_userpass in the directory /etc/pam.d according to these SAS notes:
http://support.sas.com/kb/49/724.html
http://support.sas.com/kb/49/732.html
I looked into this further today and did some testing and it seems that pam_oddjob_mkhomedir is not firing from the sasauth PAM config. Whilst I can successfully have home directories auto-created, via pam_oddjob_mkhomedir, when using ssh and su, it is not working for sasauth. Digging into this further it looks like perhaps sasauth as used by the object spawner is not triggering the session initialization where pam_oddjob_mkhomedir does its work (as does pam_mkhomedir). There are 2 things that seem to suggest this: 1) All of the PAM config samples I have seen in the SAS documentation and usage notes only include the auth and account groups (I have session in my config for testing) 2) the sasauth.conf file has a section related to PAM_SETCREDENTIALS and Centrify where it says: "Centrify requires that pam_setcred be called. sasauth traditionally has not done this, since there's no "session" like an interactive login." Perhaps it is not using pam_open_session either? Whilst I can understand that there might not be a session when sasauth is used by the SAS Metadata Server, when it is used by the SAS Object Spawner to spawn sas processes as that user, that sounds like a session to me.
An alternative to auto-creating the home directories via PAM is to create them during any enterprise directory identity synchronization process you may have set up (e.g. Active Directory to SAS metadata). Having shared home directories via NFS or clustered file system will help here too.
That the generic PAM modules are not working makes sense, as SAS rewrote the SSH method on their own and is missing a lot of the low-level settings needed to adjust those for common Unix administration. Did you know the metadata login process is single threaded and can be compromised by wait delays as set by those low-level ones? If you have weird effects of logins being delayed for a long time, that is a possible cause. Why would you delay logins? It is a protection against mass tries for passwords. Don't use the delay setting of SAS, as that is their own internal delay, not the one of the OS (another cause of confusion).
By the way, Samba is often advised for a quick connection between Unix/Windows. It is not very sensible because of security issues.
The reason is the limit as of auth_sys being hard on 16. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration...
I'd forgotten this comment I posted back in 2015 and only remembered it after seeing it in some Google results whilst researching the very same issue today! 🙂
I spent some more time looking into it and found a solution that I described in a blog post at https://platformadmin.com/blogs/paul/2017/04/sas-user-linux-home-dir-auto-creation/ I'm adding a link here in case someone else has this problem in future and finds this thread.
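For the alternative mentioned earlier in the thread, creating home directories during the identity synchronization job rather than through a PAM session module, the following is an added example and not code from any poster or from SAS. The function names, the 0700 mode and the `(name, uid, gid, home)` account tuples supplied by the sync job are assumptions; the UID cut-off of 500 mirrors the `pam_succeed_if` lines in the posted sasauth file.

```python
import os
import shutil
import stat
import tempfile

MIN_UID = 500  # assumption: same cut-off as the pam_succeed_if lines in the posted sasauth file


def provision_home(uid, gid, home, skel="/etc/skel", mode=0o700, min_uid=MIN_UID):
    """Create `home` for one account; return a status string and leave unsafe paths untouched."""
    if uid < min_uid:
        return "skipped-system-account"
    if os.path.lexists(home):
        st = os.lstat(home)  # lstat so a symlink planted at the path is not followed
        if not stat.S_ISDIR(st.st_mode):
            return "unsafe-not-a-directory"
        if st.st_uid != uid:
            return "unsafe-wrong-owner"
        return "exists"
    if os.path.isdir(skel):
        shutil.copytree(skel, home, symlinks=True)  # copy links as links, not their targets
    else:
        os.mkdir(home)
    for root, dirs, files in os.walk(home):
        for path in [root] + [os.path.join(root, n) for n in dirs + files]:
            os.chown(path, uid, gid, follow_symlinks=False)
    os.chmod(home, mode)
    return "created"


def provision_all(accounts, **kwargs):
    """accounts: iterable of (name, uid, gid, home) from the sync job; returns {name: status}."""
    return {name: provision_home(uid, gid, home, **kwargs) for name, uid, gid, home in accounts}


if __name__ == "__main__":
    # Constructed demo in a scratch directory, using the invoking user's own ids.
    base = tempfile.mkdtemp()
    me, grp = os.getuid(), os.getgid()
    accounts = [("alice", me, grp, os.path.join(base, "alice")),
                ("daemon", 2, 2, os.path.join(base, "daemon"))]
    print(provision_all(accounts, skel=os.path.join(base, "no-skel"), min_uid=3))
```

Run as root from the sync job so the chown to other users succeeds; any `unsafe-*` status means an existing path should be inspected by hand before the account is used.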