Today I’m going to describe how to configure SAS to generate a Kerberos ticket when you log in to SAS Studio or SAS Enterprise Guide. Very often I see questions about that, also many people state that when they log in to the server directly and invoke Base SAS from a command line, they can utilize a Kerberos authentication, but not in SAS Studio or SAS Enterprise Guide. What is going on? How to fix it?
First of all, let’s talk about how authentication works in SAS. SAS has a few authentication methods:
All of these authentication methods are described in SAS® 9.4 Intelligence Platform: Security Administration Guide, Third Edition -> Introduction to Auth.... We are going to focus only on Pluggable authentication modules (PAM), which extends UNIX host authentication.
By default, if you didn’t select PAM authentication during initial deployment, SAS will use host authentication, which means sasauth module will make authentication calls to the OS.
A Kerberos authentication in SAS can be utilized either through PAM and/or IWA/GSSAPI. In our case, we will be configuring only PAM.
1. I assume that you have already configured Kerberos authentication on your system, either through SSSD or something else. So the first step would be enabling PAM authentication in SAS. The process of enabling PAM in SAS is described in a SAS note below:
2. Next, make sure that this line is uncommented in /SASHome/SASFoundation/9.4/utilities/bin/sasauth.conf:
PAM_SETCREDENTIALS=TRUE
Without this setting, sasauth module won’t call pam_setcred, which is responsible for a Kerberos ticket creation.
3. Restart the object spawner
/SASConfig/Lev/ObjectSpawner/ObjectSpawner.sh restart
4. After that everytime the user authenticates is SAS, a Kerberos ticket should be created on the system. Please note that you have to use file-based tickets in your Kerberos configuration. SAS doesn’t support tickets from a keyring.
5. The last step will be the workspace server configuration, you have to let the workspace server know which ticket it has to use. You can do that through a custom script added to the WorkspaceServer_usermods.sh.
If you are using Linux:
workspace_user=$(whoami)
workspace_user_ccaches=$(find /tmp -maxdepth 1 -user ${workspace_user} -type f -name "krb5cc_*" -printf '%T@ %p\n' | sort -k 1nr | sed 's/^[^ ]* //' | head -n 1)
if test ! -z "$workspace_user_ccaches"; then
echo "Most recent krb5 ccache found for '${workspace_user}' at '${workspace_user_ccaches}'."
echo "Cache last modified: $(stat -c%y ${workspace_user_ccaches})"
export KRB5CCNAME=$workspace_user_ccaches
echo "KRB5CCNAME has been set to ${KRB5CCNAME}."
else
echo "No krb5 credentials caches were found in /tmp for '${workspace_user}'."
fi
Please note if you are using Centrify, file name pattern for a Kerberos ticket might not start with krb5cc. In some cases, and of course depends on your configuration a file name might start with tkt. If that applies to you, you have to adjust -name option in the script above.
If you are using AIX:
workspace_user=$(whoami)
workspace_user_ccaches=$(find /var/krb5/security/creds/* ! -name . -prune -type f -name "krb*" -user $(whoami) | sort -k 1nr | head -1)
if [ ! -z "${workspace_user_ccaches}" ]
then echo "Most recent krb5 ccache found for '${workspace_user}' at '${workspace_user_ccaches}'."
case "${OS}" in
AIX) istat ${workspace_user_ccaches} | grep '^Last modified'
;;
*) echo "Cache last modified: $(stat -c%y ${workspace_user_ccaches})"
;;
esac
export KRB5CCNAME=${workspace_user_ccaches}
echo "KRB5CCNAME has been set to ${KRB5CCNAME}."
else echo "No krb5 credentials caches were found in /tmp for '${workspace_user}'."
fi
6. Relogin to SAS Studio or SAS Enterprise Guide and make sure that environment variable with name KRB5CCNAME has been set:
%put KRB5CCNAME: %sysget(KRB5CCNAME);
As I said above, you can also utilize Kerberos authentication through IWA/GSSAPI, but that will be a subject for another post.
This is great - I've seen the material of this article come up in multiple places when searching the web, we've followed the instructions here, we use Quest One Identity on RHEL6.1 and we're still unable to create krb5_* files in /tmp when logging into EG. I'm not sure if it has to do with the hand-off between pam-vas3 and pam-setcred. Note: the krb5_* files show up in /tmp when we ssh into the server directly.
Thoughts?
Thanks
Jay
I'm glad you found that article useful. I did configure SAS along with Quest multiple times, so let me open a track for you and schedule a call to verify your settings. I will send you a message today.
Alex
Thank you for this article. I've never used SAS, I inherited a project, of course.
I am able to create the krb5 token/ticket logging in through the web page console. Put in the expected /tmp.
The WorkspaceServer_usermods.sh run successfully.
If I ssh into the server and run sqlplus /@aippdev (the name in tnsnames.ora) I connect without issue.
My Issue is how to use the Kerberos token/ticket in the connection string within SAS Studio? I get errors if the username and password are present or missing in the connection string.
Could you please show an example on how to connect to an Oracle database using Kerberos? I can't find any documentation that shows the proper connection string to use.
Thanks for your help.
Mike
Are you sure the KRB5CCNAME environment variable was set? What is the current value of KRB5CCNAME?
%put KRB5CCNAME: %sysget(KRB5CCNAME);
If the KRB5CCNAME environment variable is set and contains a valid ticket, you should be able to connect to Oracle using the following libname statement:
libname ora oracle path=<Oracle-database-specification>;
Registration is now open for SAS Innovate 2025 , our biggest and most exciting global event of the year! Join us in Orlando, FL, May 6-9.
Sign up by Dec. 31 to get the 2024 rate of just $495.
Register now!
Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning and boost your career prospects.