
There are Linux PAM modules like pam_oddjob_mkhomedir and the older pam_mkhomedir that do the job of automatically creating a home directory for a user that has not logged in before. This removes the requirement for administrators to manually create home directories for new Linux platform users. Unfortunately this does not work as expected with the SAS Object Spawner as it seems that the sasauth module does not trigger PAM session handling. There is a comment in the sasauth.conf file that confirms this (with respect to the use of Centrify): "Centrify requires that pam_setcred be called. sasauth traditionally has not done this, since there's no "session" like an interactive login." The Configuration Guide for SAS 9.4 Foundation for UNIX Environments also states that “Session and password modules are not supported”. In addition to SAS 9.2, 9.3, and 9.4, this also applies to the SAS Object Spawner used by SAS Studio 4.2 with SAS Viya 3.2.

 

Whilst this no-session would be true for SAS Metadata Server authentication, it doesn't seem correct for the SAS Object Spawner, when launching standard SAS Workspace Servers as the requesting user, since that launch will fail if the user has no home directory.

 

Can we get the sasauth module enhanced to trigger PAM session handling and avoid the need for workarounds? 

 

See the blog post and comments at https://platformadmin.com/blogs/paul/2017/04/sas-user-linux-home-dir-auto-creation/ for a discussion of why a workaround is necessary because of this.

 

Thanks

Paul

12 Comments
ronan
Lapis Lazuli | Level 10

Excellent idea, Paul. This relieves us of asking for the creation of the user's home folder beforehand.

Kurt_Bremser
Super User

The fact that we will have to switch to an AD-driven AIX server for SAS makes this an important feature for us, also.

DavidWard
Fluorite | Level 6

This is essential, Paul. How can SAS expect anyone to use SASStudio or Viya without this? SAS need to cater to such standard auth methods.

MichelleHomes
Meteorite | Level 14

There have been a few comments on Paul's blog post regarding the usefulness of the workaround and it would be preferred if the creation of the user's home directory could be made within the PAM module itself. SAS R&D, help the SAS admins and consider this a priority please!

 

See the comments... https://platformadmin.com/blogs/paul/2017/04/sas-user-linux-home-dir-auto-creation/#comment-7719

Jlochoa
Obsidian | Level 7

Auto-creation of home directories by PAM modules should be a SAS standard feature.  

tcederqu
Calcite | Level 5

For the admins out there, this is a quick fix for this issue of sasauth not calling for a pam session. Discovered this and it works great!

 

Credit where it's due - well written post!

https://platformadmin.com/blogs/paul/2017/04/sas-user-linux-home-dir-auto-creation/

 

You will have to install oddjob if it's missing; on Red Hat this is:

yum install oddjob oddjob-mkhomedir 

 

Basically here are the steps in a few lines (as root):

  • vi /etc/pam.d/sasauth-mkhomedir.sh
    #!/bin/sh
    dbus-send --system --dest=com.redhat.oddjob_mkhomedir --print-reply / com.redhat.oddjob_mkhomedir.mkhomedirfor string:"$PAM_USER"
  • chmod +x /etc/pam.d/sasauth-mkhomedir.sh
  • Add to /etc/pam.d/sasauth
    • account optional pam_exec.so /etc/pam.d/sasauth-mkhomedir.sh

My sasauth looks like this as a result:

#%PAM-1.0
#questions - contact tcederquist@intanalytic.com
auth include system-auth
account include system-auth
account optional pam_exec.so /etc/pam.d/sasauth-mkhomedir.sh
password include system-auth
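
A hardened variant of the wrapper script from the comment above, as an added example that is not part of the original post or of SAS's own code: it checks PAM_USER against a conservative character set before using it, asks oddjob for a home directory only when the account resolves and the directory is missing, and logs the decision. The helper names (valid_user, home_missing, decide), the allowed name pattern and the syslog tag are assumptions.

```shell
#!/bin/sh
# Added example: hardened variant of /etc/pam.d/sasauth-mkhomedir.sh.
# pam_exec runs the script as root and passes the login name in PAM_USER.

# valid_user NAME: accept only conservative account names.
# Assumption: site names fit [A-Za-z0-9._-]; widen this if yours contain '@'.
valid_user() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# home_missing DIR: true when DIR is an absolute path that does not exist yet.
home_missing() {
    case "$1" in
        /*) [ ! -e "$1" ] ;;
        *)  return 1 ;;
    esac
}

# decide NAME HOMEDIR: print reject, skip (home exists or account unresolved)
# or create; no side effects.
decide() {
    valid_user "$1" || { echo reject; return 0; }
    home_missing "$2" || { echo skip; return 0; }
    echo create
}

main() {
    home=''
    # Look the account up in NSS (files, SSSD, AD) only after validating the name.
    if valid_user "$PAM_USER"; then
        home=$(getent passwd "$PAM_USER" | cut -d: -f6)
    fi
    action=$(decide "$PAM_USER" "$home")
    if [ "$action" = create ]; then
        # Same D-Bus request as the original script; oddjobd creates the directory.
        dbus-send --system --dest=com.redhat.oddjob_mkhomedir --print-reply \
            / com.redhat.oddjob_mkhomedir.mkhomedirfor string:"$PAM_USER" >/dev/null
    fi
    # Never write an unvalidated name to syslog.
    if [ "$action" = reject ]; then PAM_USER='(invalid)'; fi
    logger -t sasauth-mkhomedir "user=$PAM_USER action=$action"
    return 0
}

# Act only when pam_exec has set PAM_USER.
if [ -n "${PAM_USER:-}" ]; then main; fi
```

Because pam_exec runs the script as root, keep it owned by root and not writable by group or others.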

 

JuanS_OCS
Amethyst | Level 16

Hi @tcederqu,

 

thank you! For those interested, the VIRK tool has a playbook to automate this:

https://github.com/sassoftware/virk

 

Which was inspired by the article posted by @PaulHomes 🙂

 

Home Directory Creator Playbook

donalies
SAS Employee

Hi @PaulHomes ,

 

yes this is something worth implementing, as many customers run into this problem and try to find their own solution.

 

Another workaround would be to change SASUSER in sasv9_usermods.cfg:

-sasuser /var/local/sasuser/$USER

Now you can run SAS from a workspace server. But SASStudio still stores some other stuff in the $HOME dir. So you could also set the HOME dir in WorkspaceServer_usermods.sh.

In SASStudio shipped with SAS94 I used this code:

# Only remap HOME when it is /home/sas
if [ "$HOME" = "/home/sas" ]; then
  # Keep the part of METAUSER before the first @
  export METAUSER_NAME="$(echo "$METAUSER" | cut -f 1 -d @)"
  mkdir -p "/opt/sas/sasuser/$METAUSER_NAME"
  export HOME="/opt/sas/sasuser/$METAUSER_NAME"
fi

ronan
Lapis Lazuli | Level 10

Excellent @donalies ! 🤗 This is a much-needed configuration tip to adapt SAS Studio + Workspace to the authentication bare setup where only some technical system accounts are provided to run sas compute sessions (e.g. Workspace server + token). Glad to come back to this thread some years later 🙂. With $USER and $METAUSER, even with only one system account, you can create personal SASUSER libraries and - the real achievement imho - pseudo HOME folders for storing .sasstudio personal preferences. This would deserve a separate post of its own.

jplarios
Quartz | Level 8