John-<div><br></div><div>Are you proposing that 'service=shell' is the problem? I've tried setting that within the configuration as well. It doesn't even read it. This config:</div><div><div><br></div><div>
</div><pre>group = admin {
    default service = permit
    service = shell {
        priv-lvl = 15
        brcd-role = admin
    }
}</pre></div>
<div><br></div><div>Results in this:</div><div><br></div><div><div>Tue Jan 24 07:48:39 2012 [13317]: Start authorization request</div><div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_value: name=jathan isuser=1 attr=acl rec=1</div>
<div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_value: recurse group = admin</div><div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_pvalue: returns NULL</div><div>Tue Jan 24 07:48:39 2012 [13317]: do_author: user='jathan'</div>
<div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_value: name=jathan isuser=1 attr=before rec=1</div><div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_value: recurse group = admin</div><div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_pvalue: returns NULL</div>
<div>Tue Jan 24 07:48:39 2012 [13317]: user 'jathan' found</div><div>Tue Jan 24 07:48:39 2012 [13317]: exec authorization request for jathan</div><div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1</div>
<div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: recurse group = admin</div><div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: returns NULL</div><div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: username=jathan N_svc_cmd proto= svcname= rec=1</div>
<div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: recurse group = admin</div><div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: returns NULL</div><div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_value: name=jathan isuser=1 attr=svc_dflt rec=1</div>
<div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_value: recurse group = admin</div><div>Tue Jan 24 07:48:39 2012 [13317]: cfg_get_intvalue: returns 22</div><div>Tue Jan 24 07:48:39 2012 [13317]: exec permitted by default</div>
<div>Tue Jan 24 07:48:39 2012 [13317]: Writing AUTHOR/PASS_ADD size=18</div></div><div><br></div><div>In my past experience all the magic happens in "service = shell". Are there other solutions?</div><div><br><div class="gmail_quote">
On Mon, Jan 23, 2012 at 11:57 AM, heasley <span dir="ltr"><<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Mon, Jan 23, 2012 at 09:41:01AM -0800, Jathan McCollum:<br>
<div class="im">> I am still having the exact same problem.<br>
><br>
> The tac_plus daemon is NOT sending optional a/v pairs over the wire at all.<br>
> I had been in communication with Dan back in September about modifying<br>
> do_auth.py to be able to append or remove a/v pairs. Currently do_auth.py<br>
> is only able to replace existing pairs. I was going to try to contribute<br>
> code to make do_auth.py do this, but it got de-prioritized until last week<br>
> and I had to move onto something else. I am just now revisiting this issue.<br>
><br>
> Using this configuration:<br>
><br>
> group = admin {<br>
> default service = permit<br>
> service = exec {<br>
</div> ^^^^^^^^^^^^^^<br>
<div><div class="h5">> optional brcd-role = admin<br>
> priv-lvl = 15<br>
> }<br>
> }<br>
> user = jathan {<br>
> login = cleartext jathan<br>
> pap = cleartext jathan<br>
> member = admin<br>
> }<br>
><br>
> And running tac_plus with maximum debug output, you see this when I login<br>
> to the device and it sends the authorization request:<br>
><br>
> Mon Jan 23 09:26:11 2012 [11716]: Start authorization request<br>
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: name=jathan isuser=1<br>
> attr=acl rec=1<br>
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: recurse group = admin<br>
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_pvalue: returns NULL<br>
> Mon Jan 23 09:26:11 2012 [11716]: do_author: user='jathan'<br>
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: name=jathan isuser=1<br>
> attr=before rec=1<br>
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: recurse group = admin<br>
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_pvalue: returns NULL<br>
> Mon Jan 23 09:26:11 2012 [11716]: user 'jathan' found<br>
> Mon Jan 23 09:26:11 2012 [11716]: exec authorization request for jathan<br>
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: username=jathan<br>
> N_svc_exec proto= svcname= rec=1<br>
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: recurse group = admin<br>
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: found N_svc_exec proto=<br>
> svcname=<br>
> Mon Jan 23 09:26:11 2012 [11716]: exec is explicitly permitted by line 6<br>
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: username=jathan<br>
> N_svc_exec proto= svcname= rec=1<br>
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: recurse group = admin<br>
> Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: found N_svc_exec proto=<br>
> svcname=<br>
> Mon Jan 23 09:26:11 2012 [11716]: nas:service=shell (passed thru)<br>
</div></div> ^^^^^^^^^^^^^^^^^<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Jathan.<br>--<br>
</div>
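The two debug traces quoted in this thread differ at the cfg_get_svc_node lookups: with the `service = exec` configuration the node is found and exec is "explicitly permitted by line 6", while with `service = shell` both the N_svc_exec and N_svc_cmd lookups return NULL and exec is "permitted by default". The following is an added example, not tac_plus code and not posted by anyone in the thread: a small parser that condenses a tac_plus authorization debug trace into the facts that matter when debugging a config like this one (which service lookups matched, how the request was decided, which NAS attributes were passed through, and the reply status). The sample traces are constructed from the lines quoted above; the message formats are assumed to be those of the tac_plus version shown here and may differ in other versions.

```python
import re

# Constructed sample inputs, abbreviated from the two debug traces quoted in
# the thread (the `service = exec` config and the `service = shell` config).
TRACE_EXEC = """\
Mon Jan 23 09:26:11 2012 [11716]: Start authorization request
Mon Jan 23 09:26:11 2012 [11716]: cfg_get_value: name=jathan isuser=1 attr=acl rec=1
Mon Jan 23 09:26:11 2012 [11716]: cfg_get_pvalue: returns NULL
Mon Jan 23 09:26:11 2012 [11716]: do_author: user='jathan'
Mon Jan 23 09:26:11 2012 [11716]: user 'jathan' found
Mon Jan 23 09:26:11 2012 [11716]: exec authorization request for jathan
Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1
Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: recurse group = admin
Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: found N_svc_exec proto= svcname=
Mon Jan 23 09:26:11 2012 [11716]: exec is explicitly permitted by line 6
Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1
Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: recurse group = admin
Mon Jan 23 09:26:11 2012 [11716]: cfg_get_svc_node: found N_svc_exec proto= svcname=
Mon Jan 23 09:26:11 2012 [11716]: nas:service=shell (passed thru)
"""

TRACE_SHELL = """\
Tue Jan 24 07:48:39 2012 [13317]: Start authorization request
Tue Jan 24 07:48:39 2012 [13317]: do_author: user='jathan'
Tue Jan 24 07:48:39 2012 [13317]: user 'jathan' found
Tue Jan 24 07:48:39 2012 [13317]: exec authorization request for jathan
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: username=jathan N_svc_exec proto= svcname= rec=1
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: recurse group = admin
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: returns NULL
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: username=jathan N_svc_cmd proto= svcname= rec=1
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: recurse group = admin
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_svc_node: returns NULL
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_value: name=jathan isuser=1 attr=svc_dflt rec=1
Tue Jan 24 07:48:39 2012 [13317]: cfg_get_intvalue: returns 22
Tue Jan 24 07:48:39 2012 [13317]: exec permitted by default
Tue Jan 24 07:48:39 2012 [13317]: Writing AUTHOR/PASS_ADD size=18
"""

# Prefix of every tac_plus debug line: "Tue Jan 24 07:48:39 2012 [13317]: <message>"
PREFIX = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} \[(\d+)\]: (.*)$")


def strip_prefix(line):
    """Return the message part of a tac_plus debug line, or None for other lines."""
    m = PREFIX.match(line.rstrip())
    return m.group(2) if m else None


def summarize_author_trace(text):
    """Condense one authorization request's debug lines into a dict of findings."""
    summary = {
        "user": None,           # user named in the authorization request
        "request": None,        # request type as logged by tac_plus, e.g. "exec"
        "service_lookups": {},  # cfg_get_svc_node results, e.g. {"exec": False, "cmd": False}
        "decision": None,       # "explicit" (a config line matched) or "default"
        "decision_line": None,  # config line number when the decision was explicit
        "passed_thru": [],      # (attr, sep, value) echoed back; '=' mandatory, '*' optional
        "reply_status": None,   # AUTHOR status written back, e.g. "PASS_ADD"
    }
    pending = None  # service type of the cfg_get_svc_node lookup awaiting its result
    for raw in text.splitlines():
        msg = strip_prefix(raw)
        if msg is None:
            continue
        m = re.match(r"(\w+) authorization request for (\S+)$", msg)
        if m:
            summary["request"], summary["user"] = m.group(1), m.group(2)
            continue
        m = re.match(r"cfg_get_svc_node: username=\S+ N_svc_(\w+) ", msg)
        if m:
            pending = m.group(1)
            continue
        if pending and msg.startswith("cfg_get_svc_node: found "):
            summary["service_lookups"][pending] = True
            pending = None
            continue
        if pending and msg == "cfg_get_svc_node: returns NULL":
            summary["service_lookups"][pending] = False
            pending = None
            continue
        m = re.match(r"\w+ is explicitly permitted by line (\d+)$", msg)
        if m:
            summary["decision"], summary["decision_line"] = "explicit", int(m.group(1))
            continue
        if re.match(r"\w+ permitted by default$", msg):
            summary["decision"] = "default"
            continue
        m = re.match(r"nas:([^=*\s]+)([=*])(\S*) \(passed thru\)$", msg)
        if m:
            summary["passed_thru"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = re.match(r"Writing AUTHOR/(\w+) size=\d+$", msg)
        if m:
            summary["reply_status"] = m.group(1)
    return summary


def diagnose(summary):
    """Turn a summary into plain-language findings about what the daemon did."""
    findings = []
    req = summary["request"] or "the"
    if summary["service_lookups"].get(req) is False:
        findings.append("no service block in the config matched the %s request; "
                        "the decision fell through to 'default service'" % req)
    if summary["decision"] == "explicit":
        findings.append("%s permitted by config line %d" % (req, summary["decision_line"]))
    elif summary["decision"] == "default":
        findings.append("%s permitted only by the default rule, so no service-block "
                        "attributes were available to send" % req)
    for attr, sep, value in summary["passed_thru"]:
        kind = "mandatory" if sep == "=" else "optional"
        findings.append("NAS attribute %s%s%s returned unchanged (%s)" % (attr, sep, value, kind))
    if summary["reply_status"]:
        findings.append("reply status %s" % summary["reply_status"])
    return findings


if __name__ == "__main__":
    for name, trace in (("service = exec", TRACE_EXEC), ("service = shell", TRACE_SHELL)):
        print(name)
        for finding in diagnose(summarize_author_trace(trace)):
            print("  -", finding)
```

Run against a full debug log, the summary makes the difference between the two configs visible at a glance: the `service = exec` trace reports the explicit match on line 6 and the passed-through `service=shell` attribute, while the `service = shell` trace reports that both service lookups returned NULL and the request was permitted only by the default rule.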