Hello All,
I understand this is not a SAS question :-), however I thought I could still check with the experts here :-). I just completed the SAS upgrade in place from 9.4 M5 to M7. Everything went smoothly, however I am getting an error when trying to connect to SAS MC with IWA authentication.
Kerberos failure in function krb5_get_init_creds_keytab: Client 'SAS/xxxxxxx@xxxxxxx.LOCAL' not found in Kerberos database (96C73A06).
I looked online and found the below article by Stuart Rogers that talks about this issue!
https://communities.sas.com/t5/SAS-Communities-Library/SAS-9-4-M7-Importance-of-UPN/ta-p/683863
Now my question is, how do I create the keytab with both the UPN and SPN in it? My original command was this:
addent -password -p "SPN" -k 2 -e RC4-HMAC
Now if I need to add the UPN, should I just add another line in the keytab file like below?
addent -password -p "UPN" -k 2 -e RC4-HMAC
Thanks in advance for clarifying...
Thanks @gwootton for your response. So I did that and I still get the same error. I modified the keytab to add the UPN info and also modified the /opt/sas/config/Lev1/level_env_usermods.sh file on the compute server to add the below, and restarted the Object spawner and metadata server.
export SAS_SERVICE_PRINICIPAL
Can anyone help me proceed?
No 😞
kinit -kt /etc/sas/SAS.keytab SAS/xxxxxx.local@xxxxxx.LOCAL
kinit: Client 'SAS/xxxxxx.local@xxxxxx.LOCAL' not found in Kerberos database while getting initial credentials
@gwootton -- I completely missed this response of yours. Sorry, and thanks for explaining so clearly. So here is what my Linux admin and I did. The SPN and UPN were set up the way you explained. I tried adding the UPN to the keytab and it did not work. So what we did was make the UPN the same as the SPN, which is SAS/hostname.EXAMPLE.local@EXAMPLE.LOCAL. Then, using KTPASS, my Linux admin generated the keytab and that worked fine, meaning I got a krb5cc_**** ticket. However, when I tried to connect to SASMC/SASEG with IWA, I got this error.
Kerberos failure in function krb5_get_init_creds_keytab: Pre-authentication failed: Invalid argument
Alright, my Linux admin got a good keytab file generated for me that worked. However, my SASMC is still throwing the below error while connecting.
Kerberos failure in function krb5_get_init_creds_keytab: Pre-authentication failed: Invalid argument
Yes, I am able to generate a ticket. Here is the
kinit -kt /etc/sas/SAS.keytab SAS/sastestmd.EXAMPLE.local
cd /tmp
ls -ltr krb*
-rw------- 1 sasinstaller sas 1728 Dec 22 10:08 krb5cc_444600575
klist -k /etc/sas/SAS.keytab
Keytab name: FILE:/etc/sas/SAS.keytab
KVNO Principal
---- --------------------------------------------------------------------------
14 SAS/sastestmd.example.local@EXAMPLE.LOCAL
So I made the UPN = SPN. Both are set to "SAS/sastestmd.example.local" now. I regenerated the keytab file and was able to generate the tickets as shown above. I also restarted the SAS services. SASMC/SASEG and SAS Studio are throwing errors. SAS Environment Manager is working fine (with IWA).
SASMC/SASEG is throwing the below error.
Kerberos failure in function krb5_get_init_creds_keytab: Pre-authentication failed: Invalid argument (96C73AD2).
SAS Studio is throwing this.
Kerberos failure in function krb5_get_init_creds_keytab: Keytab contains no suitable keys for SAS/sastest.example.local@EXAMPLE.LOCAL (96C73AB5).
Do you need to set SAS_SERVICE_PRINCIPAL, @gwootton? I thought that needs to be done only when your UPN is not the same as your SPN.
Yes, sastest is the compute server and sastestmd is the metadata/midtier server (we have meta and midtier on the same server).
Also, does SAS_SERVICE_PRINCIPAL need to be set up on both the meta and compute tiers?