RupaJ
Lapis Lazuli | Level 10

Hello All,

I understand this is not a SAS question :-), however I thought I could still check with the experts here :-). I just completed the SAS upgrade in place from 9.4 M5 to M7. Everything went smoothly, however I am getting an error when trying to connect to SAS MC with IWA authentication.

Kerberos failure in function krb5_get_init_creds_keytab: Client 'SAS/xxxxxxx@xxxxxxx.LOCAL' not found in Kerberos database (96C73A06).

I looked online and found the below article by Stuart Rogers that talks about this issue!

https://communities.sas.com/t5/SAS-Communities-Library/SAS-9-4-M7-Importance-of-UPN/ta-p/683863

Now my question is: how do I create the keytab with both the UPN and the SPN in it? My original command was this:

addent -password -p "SPN" -k 2 -e RC4-HMAC

Now if I need to add the UPN, should I just add another line in the keytab file like below?

addent -password -p "UPN" -k 2 -e RC4-HMAC

Thanks in advance for clarifying...

17 REPLIES
gwootton
SAS Super FREQ
Yes, you would repeat the addent command for each entry you wish to add to the keytab.

https://web.mit.edu/kerberos/krb5-1.18/doc/admin/admin_commands/ktutil.html
--
Greg Wootton | Principal Systems Technical Support Engineer
RupaJ
Lapis Lazuli | Level 10

Thanks @gwootton for your response. So I did that and I still get the same error. I modified the keytab to add the UPN info and also modified the /opt/sas/config/Lev1/level_env_usermods.sh file on the compute server to add the below, and restarted the Object Spawner and metadata server.

SAS_SERVICE_PRINICIPAL=UPN

export SAS_SERVICE_PRINICIPAL

Can anyone help me proceed?

gwootton
SAS Super FREQ
Are you able to successfully get a ticket for the UPN running kinit against the keytab?
--
Greg Wootton | Principal Systems Technical Support Engineer
RupaJ
Lapis Lazuli | Level 10

No 😞

kinit -kt /etc/sas/SAS.keytab SAS/xxxxxx.local@xxxxxx.LOCAL
kinit: Client 'SAS/xxxxxx.local@xxxxxx.LOCAL' not found in Kerberos database while getting initial credentials

gwootton
SAS Super FREQ
That looks like an SPN, not a UPN. An SPN is typically something like SERVICE/hostname@REALM, whereas a UPN is user@REALM. So for example, if I had registered SAS/host.example.com@EXAMPLE.COM to the user services@EXAMPLE.COM, I'd want my keytab to contain services@EXAMPLE.COM and be able to run kinit -kt /services.keytab services successfully.
--
Greg Wootton | Principal Systems Technical Support Engineer
RupaJ
Lapis Lazuli | Level 10

@gwootton -- I completely missed this response of yours. Sorry, and thanks for so clearly explaining. So here is what I and my Linux admin did. The SPN and UPN were set up the way you explained. And I tried adding the UPN to the keytab and it did not work. So what we did is to make the UPN the same as the SPN, which is SAS/hostname.EXAMPLE.local@EXAMPLE.LOCAL. Then using KTPASS, my Linux admin generated the keytab and that worked fine, meaning I got a krb5cc_**** ticket. However, when I tried to connect to SASMC/SASEG with IWA, I got this error.

Kerberos failure in function krb5_get_init_creds_keytab: Pre-authentication failed: Invalid argument

gwootton
SAS Super FREQ
Is the SAS_SERVICE_PRINCIPAL in level_env_usermods.sh set to the UPN you were able to get a Kerberos credential cache with from your keytab?
--
Greg Wootton | Principal Systems Technical Support Engineer
RupaJ
Lapis Lazuli | Level 10

Alright, my Linux admin got a good keytab file generated for me that worked. However, my SASMC is still throwing the below error while connecting.

Kerberos failure in function krb5_get_init_creds_keytab: Pre-authentication failed: Invalid argument

gwootton
SAS Super FREQ
So you are able to do a kinit for services@EXAMPLE.COM (for example) against the keytab? If you do klist -k <keytab file> does it list both the UPN and SPN (SAS/hostname@REALM)?
--
Greg Wootton | Principal Systems Technical Support Engineer
RupaJ
Lapis Lazuli | Level 10

Yes, I am able to generate a ticket. Here is the

kinit -kt /etc/sas/SAS.keytab SAS/sastestmd.EXAMPLE.local
cd /tmp
ls -ltr krb*

-rw------- 1 sasinstaller sas 1728 Dec 22 10:08 krb5cc_444600575

klist -k /etc/sas/SAS.keytab
Keytab name: FILE:/etc/sas/SAS.keytab
KVNO Principal
---- --------------------------------------------------------------------------
14 SAS/sastestmd.example.local@EXAMPLE.LOCAL

So I made the UPN = SPN. So both are set to "SAS/sastestmd.example.local" now. I regenerated the keytab file and was able to generate the tickets as shown above. I also restarted the SAS services. SASMC/SASEG and SAS Studio are throwing errors. SAS Environment Manager is working fine (with IWA).

SASMC/SASEG is throwing the below error.

Kerberos failure in function krb5_get_init_creds_keytab: Pre-authentication failed: Invalid argument (96C73AD2).

SAS Studio is throwing this.

Kerberos failure in function krb5_get_init_creds_keytab: Keytab contains no suitable keys for SAS/sastest.example.local@EXAMPLE.LOCAL (96C73AB5).

gwootton
SAS Super FREQ
So SAS_SERVICE_PRINCIPAL is set to SAS/sastestmd.example.local@EXAMPLE.LOCAL? The SAS Studio message appears to be referencing a different SPN (sastest instead of sastestmd).
--
Greg Wootton | Principal Systems Technical Support Engineer
RupaJ
Lapis Lazuli | Level 10

Do you need to set SAS_SERVICE_PRINCIPAL, @gwootton? I thought that needs to be done only when your UPN is not the same as your SPN.

Yes, sastest is the compute server and sastestmd is the metadata/mid-tier server (we have meta and mid-tier on the same server).

RupaJ
Lapis Lazuli | Level 10

Also, does SAS_SERVICE_PRINCIPAL need to be set up on both the meta and compute tiers?

gwootton
SAS Super FREQ
Not setting it would be valid as well, but you mentioned you had modified level_env_usermods.sh to set that value. If you didn't go back and undo that, it may be set incorrectly.

If the compute tier has its own keytab for the Object Spawner, it should be for SAS/sastest.example.local@EXAMPLE.LOCAL. If that is the same scenario (UPN=SPN) then you should not need to set SAS_SERVICE_PRINCIPAL there either. If SAS/sastest.example.local@EXAMPLE.LOCAL is registered to a different UPN, then you would need to set SAS_SERVICE_PRINCIPAL to the UPN there as well.
--
Greg Wootton | Principal Systems Technical Support Engineer
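The checks gwootton walks through above (does klist -k list both the SPN and the UPN, do the two entries come from the same account/password version, and what does the ktutil session that produces such a keytab look like) can be scripted so they are run the same way on each tier. The script below is an added example, not code from this thread or from SAS. The klist -k listing it parses is constructed, and the UPN sassrv@EXAMPLE.LOCAL, the KVNO, the enctype and the output path are assumed placeholders, not values from the thread.

```sh
#!/bin/sh
# Added example, not from the thread or SAS: sanity checks on a keytab listing
# before pointing SAS at it, plus the ktutil session that builds such a keytab.

# Constructed sample of `klist -k /etc/sas/SAS.keytab` output (not captured from
# a real host). On a live system replace it with: listing=$(klist -k "$KEYTAB")
# The UPN sassrv@EXAMPLE.LOCAL is an assumed placeholder.
SAMPLE_LISTING='Keytab name: FILE:/etc/sas/SAS.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  14 SAS/sastestmd.example.local@EXAMPLE.LOCAL
  14 sassrv@EXAMPLE.LOCAL'

# keytab_has_principal LISTING PRINCIPAL: succeeds if an entry line (numeric
# KVNO in column 1) names PRINCIPAL exactly (case-sensitive, realm included).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# keytab_kvno LISTING PRINCIPAL: prints the KVNO of the first matching entry.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == p { print $1; exit }'
}

# check_keytab LISTING SPN UPN: returns 0 when both principals are present and
# share a KVNO (one AD account, one password version); 1/2/3 otherwise, with
# the reason printed.
check_keytab() {
    listing=$1 spn=$2 upn=$3
    if ! keytab_has_principal "$listing" "$spn"; then
        echo "missing SPN $spn: the service name a client ticket is issued for must have a key here"
        return 1
    fi
    if ! keytab_has_principal "$listing" "$upn"; then
        echo "missing UPN $upn: kinit -kt needs it as the client principal; if SAS cannot derive it, set SAS_SERVICE_PRINCIPAL to it"
        return 2
    fi
    spn_kvno=$(keytab_kvno "$listing" "$spn")
    upn_kvno=$(keytab_kvno "$listing" "$upn")
    if [ "$spn_kvno" != "$upn_kvno" ]; then
        echo "KVNO mismatch ($spn_kvno vs $upn_kvno): entries from different password versions; regenerate both together"
        return 3
    fi
    echo "ok: $spn and $upn present, KVNO $spn_kvno"
    return 0
}

# ktutil_commands SPN UPN KVNO ENCTYPE OUTFILE: prints the lines to type at the
# ktutil prompt. addent -password prompts for the account password after each
# line, so ktutil must be run interactively; the same password is entered twice
# because both names map to the same AD account.
ktutil_commands() {
    printf 'addent -password -p %s -k %s -e %s\n' "$1" "$3" "$4"
    printf 'addent -password -p %s -k %s -e %s\n' "$2" "$3" "$4"
    printf 'wkt %s\nquit\n' "$5"
}

check_keytab "$SAMPLE_LISTING" \
    'SAS/sastestmd.example.local@EXAMPLE.LOCAL' 'sassrv@EXAMPLE.LOCAL'
ktutil_commands 'SAS/sastestmd.example.local@EXAMPLE.LOCAL' 'sassrv@EXAMPLE.LOCAL' \
    14 aes256-cts-hmac-sha1-96 /etc/sas/SAS.keytab
```

Run it once per keytab: the metadata/mid-tier host against its SAS/sastestmd... SPN and the compute host against its SAS/sastest... SPN, each paired with the UPN its SPN is registered to. The enctype is a parameter rather than the RC4-HMAC from the original addent line because Microsoft has been removing RC4 from default Kerberos encryption settings; AES only works if the service account is allowed AES, and with AES the key derived by addent -password depends on the salt the KDC used, so a key built with the wrong salt produces exactly the "Pre-authentication failed" seen in the thread. Check the addent options of your ktutil release for the flag that fetches the salt from the KDC (-f in recent MIT builds), or generate the keytab with ktpass on the domain side as the original poster's admin did.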