Hi, I face an issue trying to set IWA auth for users. IWA is functional for the metadata server, but I am unable to start a workspace via SAS EG.

My configuration:
- meta and compute on two separate Linux servers (RH)
- Workspace server is bound to an LDAP directory via PAM.
- Kerberos binding to AD is functional on the metadata server and the app server
- using the SAS Integration Technologies Configuration tool I can connect using "Negotiate" to Metadata and Object Spawner, but not to the Workspace Server

As you see below, the Kerberos auth and delegation seem OK, but the workspace doesn't start. I've tried all that I could find regarding this error (for example getent user.name@domain.com and getent USER.NAME@domain.com both work) to no avail.

2020-07-01T22:48:16,111 DEBUG [00000047] :user.name - IOM RETURN OMIProxy 0={compRef:7fba8520da20}->CompDtor()
2020-07-01T22:48:16,111 TRACE [00000047] :user.name - IOM LOGIC TKIOM: delete compRef=7fba8520da20 for OMIProxy
2020-07-01T22:48:16,111 DEBUG [00000047] :user.name - Application-specific option lookup skipped because no application name is provided for client 11.
2020-07-01T22:48:16,111 DEBUG [00000047] :user.name - Command being used is /sas/sasconfig/Lev1/SASAppOne/WorkspaceServer/WorkspaceServer.sh.
2020-07-01T22:48:16,111 DEBUG [00000047] :user.name - >noterminal< (Standard options)
2020-07-01T22:48:16,111 DEBUG [00000047] :user.name - >netencryptalgorithm< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >SASProprietary<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >metaserver< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >srvsasmetak01t.company.com<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >metaport< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >8561<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >metarepository< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >Foundation<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >locale< (Client requirement)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >en_US<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >objectserver< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >objectserverparms< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >protocol=bridge spawned spp=39532 cid=0 dnsmatch=srvsasappk01t.company.com pb classfactory=440196D4-90F0-11D0-9F41-00A024BB830C server=OMSOBJ:SERVERCOMPONENT/A504E8PI.AY00000A cel=credentials recon<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - Environment variables are:
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >METAUSER<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >user.name@!*(generatedpassworddomain)*!<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >METAPASS<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - >********<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - Obtained krb5 ccache handle: 7fba8801b8f0
2020-07-01T22:48:16,113 WARN [00000047] :user.name - The destination buffer size was not sufficient for the requested password.
2020-07-01T22:48:16,124 DEBUG [00000047] :user.name - Freed krb5 ccache handle: 7fba8801b8f0
2020-07-01T22:48:16,124 ERROR [00000047] :user.name - Access denied.
2020-07-01T22:48:16,124 ERROR [00000047] :user.name - The launch of server SASAppOne - Workspace Server for user user.name failed.
2020-07-01T22:48:16,124 TRACE [00000047] :user.name - IOM FIRE-EVENT {compRef:7fba8520d960}->ObjectSpawner::ServerFailed():
logicalServer=SASAppOne - Logical Workspace Server
serverComponent=SASAppOne - Workspace Server

Here is the sasauth-debug.log:

20200701-22:14:04 KRB5CCNAME was not set; we'll see if something happens later
[...]
20200701-22:48:16 Authenticating user user.name via GSS
20200701-22:48:16 Context username: user.name@company.com
20200701-22:48:16 Context username length: 21
20200701-22:48:16 Server Name: SAS/srvsasappK01t.company.com@company.com
20200701-22:48:16 Unknown user when getting user attributes.
20200701-22:48:16 User user.name did not authenticate. Reason: 'Unspecified reason.' (gss)
20200701-22:48:16 Request failed: 'User did not authenticate.'

I am not sure about that warning about KRB5CCNAME. What should I set it to? I've seen this, but I don't seem to find a file named "krb5cc_*". My krb5.conf has by default this option:

default_ccache_name = KEYRING:persistent:%{uid}

Any ideas?