BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
EmmanuelF
Calcite | Level 5

HI,

 

I face an issue trying to set IWA auth for users. IWA is functional for web application, but i'am unable to start workspace via SASStudio application or via EG.

 

My configuration :

 

-Middle tier, meta, compute on three separate Linux server (RH)

-Workspace server is bind to an LDAP directory via PAM.

-Kerberos binding to AD is functionnal  (other middle tier app starts well with IWA)

 

As you see below, the kerberos auth and delegation seems ok, but the workspace don't start.

 

I guess that I face a user mismatch between the AD and the Ldap (users are lowercase in the ldap  eg :"albert")

 

I wonder if there is a way to bind the username returned by the iwa auth with the ldap user as this one is used to launch the workspace.

 

Or maybe I'am going the wrong way ???

 

 

Here is the ObjectSpawer logs (user have been changed)

 

2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >metaserver< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >bifrmetadev.compagny.fr<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >metaport< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >8561<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >metarepository< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >Foundation<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT  -    >locale< (Client requirement)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >fr_FR<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >objectserver< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >objectserverparms< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >protocol=bridge spawned spp=43996 cid=0 dnsmatch=bifrcompdev.agf.fr pb classfactory=440196D4-90F0-11D0-9F41-00A024BB830C server=OMSOBJ:SERVERCOMPONENT/A5MARO40.AY000009 cel=credentials recon<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -  Environment variables are:
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >METAUSER<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >ALBERT @!*(generatedpassworddomain)*!<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >METAPASS<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >********<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - Obtained krb5 ccache handle: 7fb898021630
2019-04-12T14:27:54,812 DEBUG [00000057] :ALBERT - Freed krb5 ccache handle: 7fb898021630
2019-04-12T14:27:54,813 ERROR [00000057] :ALBERT - Access denied.
2019-04-12T14:27:54,813 ERROR [00000057] :ALBERT - The launch of server SASApp - Workspace Server for user ALBERT failed.

 

Here is the sasauth-debug.logcat

 

20190412-14:40:25 Authenticating user ALBERT via GSS
20190412-14:40:25 Context username: ALBERT @GROUPE.COMPAGNY.FR
20190412-14:40:25 Context username length: 24
20190412-14:40:25 Server Name: SAS/bifrcompdev.compagny.fr@GROUPE.COMPAGNY.FR
20190412-14:40:25 Unknown user when getting user attributes.
20190412-14:40:25 User ALBERT did not authenticate. Reason: 'Unspecified reason.' (gss)
20190412-14:40:25 Request failed: 'User did not authenticate.'

1 ACCEPTED SOLUTION

Accepted Solutions
alexal
SAS Employee

@EmmanuelF ,

 

You need to configure case insensitive usernames in SSSD. Look for case_sensitive in sssd.conf or talk to your Linux Administrator. Commands like "getent passwd ALBERT" or "getent passwd albert" have to return the same output.

View solution in original post

7 REPLIES 7
alexal
SAS Employee

@EmmanuelF ,

 

Are you sure that a command shown below returns something?

 

getent passwd ALBERT
EmmanuelF
Calcite | Level 5

Hello alexal,

 

getent passwd ALBERT return nothing

 

but

 

getent passwd albert return :

 

albert:*:24242:20000:albert:/net/home/albert:/usr/bin/ksh

alexal
SAS Employee

@EmmanuelF ,

 

What are you using for the authentication on the system level? SSSD or something else?

alexal
SAS Employee

@EmmanuelF ,

 

You need to configure case insensitive usernames in SSSD. Look for case_sensitive in sssd.conf or talk to your Linux Administrator. Commands like "getent passwd ALBERT" or "getent passwd albert" have to return the same output.

EmmanuelF
Calcite | Level 5

@alexal 

 

Hello.

Great ! That solved the issue.

Thank you very much for your help

alexal
SAS Employee

@EmmanuelF ,

 

You are welcome. I'm glad that the problem has been resolved.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 7 replies
  • 1638 views
  • 1 like
  • 2 in conversation