SAS 9.4 GRID authentication with PAM

New Contributor
Posts: 3

SAS 9.4 GRID authentication with PAM

We are trying to configure PAM (with Samba) with our SAS 9.4 installation on a RedHat x64 server. But when users try to enter, an error appears:

 

[Error] The launch of server SASApp - Workspace Server for user XXX failed.

 

We noticed that this error appears because the users don't have a home directory.

Has anyone had the same problem?


PROC Star
Posts: 392

Re: SAS 9.4 GRID authentication with PAM

There are PAM modules that can create a home directory on demand when required. I have oddjob-mkhomedir installed to do this, but there is also pam_mkhomedir. I use realmd for AD backed PAM authentication and oddjob-mkhomedir is installed along the way - if you are interested in that approach I wrote a blog post about it at http://platformadmin.com/blogs/paul/2015/07/active-directory-authentication-for-sas-on-linux-with-re...

New Contributor
Posts: 3

Re: SAS 9.4 GRID authentication with PAM

Hi Paul, thanks for your answer.

I tried to make the configuration with the two PAM modules oddjob-mkhomedir and pam_mkhomedir, but all the tests were unsuccessful.

I share with you the contents of my sasauth file

#############################################

auth        required      pam_env.so
auth        sufficient    pam_winbind.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

session     required      pam_mkhomedir.so skel=/etc/skel umask=0022 silent

########################################################

In addition to this file, we configured the ga_auth and the eauth_userpass in the directory /etc/pam.d according to these SAS notes:

 

http://support.sas.com/kb/49/724.html
http://support.sas.com/kb/49/732.html

PROC Star
Posts: 392

Re: SAS 9.4 GRID authentication with PAM

I looked into this further today and did some testing and it seems that pam_oddjob_mkhomedir is not firing from the sasauth PAM config. Whilst I can successfully have home directories auto-created, via pam_oddjob_mkhomedir, when using ssh and su, it is not working for sasauth. Digging into this further it looks like perhaps sasauth as used by the object spawner is not triggering the session initialization where pam_oddjob_mkhomedir does its work (as does pam_mkhomedir). There are 2 things that seem to suggest this: 1) All of the PAM config samples I have seen in the SAS documentation and usage notes only include the auth and account groups (I have session in my config for testing) 2) the sasauth.conf file has a section related to PAM_SETCREDENTIALS and Centrify where it says: "Centrify requires that pam_setcred be called. sasauth traditionally has not done this, since there's no "session" like an interactive login." Perhaps it is not using pam_open_session either? Whilst I can understand that there might not be a session when sasauth is used by the SAS Metadata Server, when it is used by the SAS Object Spawner to spawn sas processes as that user, that sounds like a session to me.

 

An alternative to auto-creating the home directories via PAM is to create them during any enterprise directory identity synchronization process you may have set up (e.g. Active Directory to SAS metadata). Having shared home directories via NFS or clustered file system will help here too.
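
As an added illustration of the point made in the post above (not part of the original thread, and not SAS or Linux-PAM code): a small linter for a PAM service file that flags `session` rules when the calling application does not open a PAM session, and checks `pam_mkhomedir.so` arguments against the forms in its man page. The `app_opens_session` parameter and the sample file are assumptions; the sample is constructed in the style of a sasauth file, with a deliberately malformed argument.

```python
"""Lint a PAM service file for rules that will not take effect (added example)."""
import re

# Arguments pam_mkhomedir accepts per its man page: bare flags and key=value forms.
MKHOMEDIR_FLAGS = {"silent", "debug"}
MKHOMEDIR_KEYS = {"umask", "skel"}
GROUPS = ("auth", "account", "password", "session")

# Constructed sample; the "umask 0022" argument is deliberately written without "=".
SAMPLE = """\
auth        required      pam_env.so
auth        sufficient    pam_winbind.so
account     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel umask 0022 silent
"""

def parse(text):
    """Yield (lineno, group, control, module, args) for each rule line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and m.group(1).lstrip("-") in GROUPS:
            yield (n, m.group(1).lstrip("-"), m.group(2),
                   m.group(3), m.group(4).split())

def lint(text, app_opens_session):
    """Return (lineno, message) warnings. app_opens_session states whether the
    application using this service is known to call pam_open_session()."""
    warnings = []
    for n, group, _control, module, args in parse(text):
        if group == "session" and not app_opens_session:
            warnings.append((n, f"{module}: session rule never runs unless the "
                                "application calls pam_open_session()"))
        if module.endswith("pam_mkhomedir.so"):
            for a in args:
                key = a.split("=", 1)[0]
                if not (a in MKHOMEDIR_FLAGS or ("=" in a and key in MKHOMEDIR_KEYS)):
                    warnings.append((n, f"pam_mkhomedir.so: unrecognised argument {a!r}"))
    return warnings

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE, app_opens_session=False):
        print(f"line {lineno}: {msg}")
```
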

Valued Guide
Posts: 3,208

Re: SAS 9.4 GRID authentication with PAM

The generic PAM modules not working makes sense, as SAS rewrote the SSH method on their own and is missing a lot of the low-level settings needed to adjust those for common Unix administration. Did you know the metadata login process is single threaded and can be compromised by wait delays as set by those low-level ones? If you have weird effects of logins being delayed for a long time, that is a possible cause. Why would you delay logins? It is a protection against mass tries for passwords. Don't use the delay setting of SAS, as that is their own internal delay, not the one of the OS (another cause of confusion).

By the way, Samba is often advised for a quick connection between Unix/Windows. It is not very sensible because of security issues.
The reason is the limit of auth_sys being hard at 16. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration...

---->-- ja karman --<-----
PROC Star
Posts: 392

Re: SAS 9.4 GRID authentication with PAM

I'd forgotten this comment I posted back in 2015 and only remembered it after seeing it in some Google results whilst researching the very same issue today!

 

I spent some more time looking into it and found a solution that I described in a blog post at https://platformadmin.com/blogs/paul/2017/04/sas-user-linux-home-dir-auto-creation/. I'm adding a link here in case someone else has this problem in future and finds this thread.
