BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
MarkPeskir
Obsidian | Level 7

We recently migrated from a non-distributed Windows VA environment to a distributed Redhat Linux VA environment. All services are running, including web and web app servers. I can access the VA website, login, and see all the defined items from our old enviornment. Management Console also connects successfully.

 

When I attempt to start any LASR server in the new environment from the Administrator panel in VA, I get the below error. Note that I can stop and start LASR servers in the old Windows environment.

Also, I did Validate the Logical Workspace Server, using a designated account svc_sassvr.

 

-------------- Task Summary --------------
EXCEPTION (SASJob PreCode) . com.sas.svcs.jobexecution.client.TaskExecutionException: com.sas.services.connection.LoginException: The user "Mark Peskir" could not log on to the server "SASApp - Logical Workspace Server". cause: com.sas.services.connection.LoginException: The user "Mark Peskir" could not log on to the server "SASApp - Logical Workspace Server".

 

Thanks

Mark

1 ACCEPTED SOLUTION

Accepted Solutions
JuanS_OCS
Amethyst | Level 16

🙂 I like your positiviness, I think that is a good quality.

 

Yes indeed, I think PAM will be your solution. Once you can log on into the machine as your user, this means your host is able to authenticate against AD/LDAP, therefore SAS should able to do the same, since SAS it is configured (no problem there) to authenticate against the host itself.

View solution in original post

14 REPLIES 14
SASKiwi
PROC Star

I'm guessing that you haven't given your user account a SAS VA role in the VA metadata - SAS VA Data Administrator is one of the three roles for VA.

MarkPeskir
Obsidian | Level 7
My user is part of a custom built admin group, which has the role Visual Analytics: Administration, and Visual Analytics Data Builder Administrators, and Visual Analytics Data Administrators.
SASKiwi
PROC Star

OK looks good. Then check that Mark is a valid OS account on your SAS application server and your account has the correct credentials stored in SAS VA metadata (user/password). 

JuanS_OCS
Amethyst | Level 16

Hi,

 

I guess you have SAS token Authentication on your Workspace server.

 

If you do, please check that this users (or his group or VA admins) are in the same group where the SAS Token Authetication account it is registered.

 

If you don't you can always (exceptionally) try to log on locally on the server with this account and try to oepn and run a basic procedure in the SAS base sesion created by WorkspaceServer.sh or WorkspaceServer.bat. You should see the error there. Probably not enough access to the SASWork or the SAS logs location.

MarkPeskir
Obsidian | Level 7
The DefaultAuth mode is against our AD, and Mark is valid and active there. The AD credentials seem to be passing back and forth ok, although no one but a service account can log on to the Logical Workspace Server, which is causing a variety of other issues like no users can log in to SAS Studio.

Anyone know what I do to add users, or fully open access, to the Logical Workspace Server?

I do have Management Studio.


JuanS_OCS
Amethyst | Level 16

@MarkPeskir,

 

of course, up to you, you can ignore the advise provided (maybe you did not understand or you don't see it interesting), but if your experience is that nobody else answered with your last message, I would strongly recommend you to not post the same message on copy&paste mode. At least, please rewrite it of provide some additional input, to help us to understand better your problems.

 

Thank you.

Best regards,

Juan

MarkPeskir
Obsidian | Level 7

Juan,

Allow me to plead ignorance to that copy paste post. I've been chasing down some other issues and haven't been back here in a while...not sure how that got put up, but it was absolutely not done by me, nor intentional.

I will look into your advised steps today. I don't doubt this error is an indication of a bad setup; the guy we had doing our SAS install was pretty terrible.  (And that guy is me, lol)

MarkPeskir
Obsidian | Level 7

The server is Red Hat Enterprise Linux Server release 7.2 (Maipo).
The SASApp - Logical Workspace Server is configured for Host Username/Password, using Server Access Security. It is not set to use SAS token authentication.

Mark cannot seem to authenticate to the box directly (via Putty) using USER@DOMAIN.COM, DOMAIN\USER or DOMAIN/USER. If another format should be used, let me know.

I am learning that connecting Linux to AD without using PAM is an uncommon way to do so, and I am thinking now that it's not really as connected as I hoped it is. I am going to reconfigure the server to connect using PAM and see where that gets me.

JuanS_OCS
Amethyst | Level 16

🙂 I like your positiviness, I think that is a good quality.

 

Yes indeed, I think PAM will be your solution. Once you can log on into the machine as your user, this means your host is able to authenticate against AD/LDAP, therefore SAS should able to do the same, since SAS it is configured (no problem there) to authenticate against the host itself.

MarkPeskir
Obsidian | Level 7
Juan,
it does appear PAM is the heart of the issue. TKGrid is a separate concern altogether, but I wanted to close this out marking your suggestion as the solution.
Upon further inspection, it seems I had winbind AND sssd running to authenticate, and it was causing authentication collisions. I'm turning off sssd.
Thank you!
JuanS_OCS
Amethyst | Level 16

Something else, not related to solve your problem, just some additional information that might help sooner or later:

 

1- Some considerations for Linux 7: http://support.sas.com/kb/53/997.html  and http://support.sas.com/kb/43/820.html 

2- I am not sure what is going to be the usage of VA ar your company.

If, let's say, users won;t connect to the OS directly (SAS Enterprise Guide and such), and you have troubles with PAM, it might be interesting for you to change the Host Authentication to SAS Token Authentication on the Workspace server ( http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#n0rhb6yftn8srbn1wq... )and just let the LDAP authentication to the metadata server ( http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#n0w8oa3erw568vn192... ), which is just a couple of configuration parameters (very easy configuration).

MarkPeskir
Obsidian | Level 7

So I've been working on our PAM configuration, and it's still not perfect, but it is better.

More importantly for this thread, I get a new error message now:

 

-1
-------------- Task Summary --------------
SUCCESS (SASJob PreCode)
SUCCESS (Set Grid Node Count)
ERRORS  (Start Server)
----------------------------------------------
ERROR: Failed to enumerate available compute nodes in the distributed computing environment.
ERROR: Failed to open TKGrid library.
ERROR: The bridge for SAS High-Performance Analytics encountered an internal error.

 

both /etc/gridhosts and /opt/TKGrid/grid/hosts show all the servers, and pings work fine.

SSH has been setup on all servers, for my account and several others as well.

 

Where do I look for more details?  Or, how do I fix this?

MarkPeskir
Obsidian | Level 7
The DefaultAuth mode is against our AD, and Mark is valid and active there. The AD credentials seem to be passing back and forth ok, although no one but a service account can log on to the Logical Workspace Server, which is causing a variety of other issues like no users can log in to SAS Studio.

Anyone know what I do to add users, or fully open access, to the Logical Workspace Server?

I do have Management Studio.


JuanS_OCS
Amethyst | Level 16

Have you tried, as proposed, to connect with one of those AD accounts directly to the server, and try to run the WorkspaceServer.sh, or .bat? This will give you the hints you need. I expect someone missed some pre-requisites during the migration.

 

In the meantime could you please let us know...:

- Your server, is Windows or LInux?

- Your Workspace Server (on the SAS Management Console), is it configured for SAS Token Authentication or different authentication? Please follow these steps:

 

  1. Log on to SAS Management Console as someone who has user administration capabilities (for example, sasadm@saspw).
  2. On the Plug-ins tab, expand Server Manager and the application server server context (for example, SASApp). Right-click the logical server icon (for example, SASApp - Logical Workspace Server) and select Properties.
  3. On the Options tab, check if  SAS token authentication is selected, Cancel.
    Only if SAS Token Authentication is selected:
  4. Expand the logical server icon , select the server icon , right-click, and select Properties.
  5. On the Options tab, from the Launch Credentials check the selected login . The most basic choice is the account for the SAS General Servers group (the sassrv login), but could be also lasradm,

 

sas-innovate-2024.png

Join us for SAS Innovate April 16-19 at the Aria in Las Vegas. Bring the team and save big with our group pricing for a limited time only.

Pre-conference courses and tutorials are filling up fast and are always a sellout. Register today to reserve your seat.

 

Register now!

Tips for filtering data sources in SAS Visual Analytics

See how to use one filter for multiple data sources by mapping your data from SAS’ Alexandria McCall.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 14 replies
  • 5902 views
  • 0 likes
  • 3 in conversation