<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=euc-kr">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>John, I would love for it to be that simple. </div>
<div><br>
</div>
<div>Correct, we can login to the box using AD credentials and it works just fine. </div>
<div><br>
</div>
<div>i.e. "ssh matt@domain@hostname" works just fine ..</div>
<div><br>
</div>
<div>I¡¯m waiting on a domain account in AD to try out straight LDAP authentication. </div>
<div><br>
</div>
<div>Just to be sure, you don¡¯t use a /etc/pam.d/tac_plus file? If you do, what are it¡¯s contents?</div>
<div><br>
</div>
<div>Thanks, Matt</div>
<div><br>
</div>
<div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>John Fraizer <<a href="mailto:john@op-sec.us">john@op-sec.us</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, March 31, 2015 at 9:50 AM<br>
<span style="font-weight:bold">To: </span>Matt Almgren <<a href="mailto:matta@surveymonkey.com">matta@surveymonkey.com</a>><br>
<span style="font-weight:bold">Cc: </span>heasley <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>>, "<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a>" <<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [tac_plus] Authentication using Likewise and AD<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">If you can authenticate to the local box using LDAP (as in, you can log in via SSH using a username/pw pair that is authenticated against LDAP), you should be able to just tell tac_plus password = PAM.
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature">
<div dir="ltr">
<div>--</div>
John Fraizer
<div>LinkedIn profile: <a href="http://www.linkedin.com/in/johnfraizer/" target="_blank">
http://www.linkedin.com/in/johnfraizer/</a></div>
<div><br>
<div><span style="color: rgb(53, 53, 53); font-family: Arial, sans-serif; font-size: 12px; line-height: 12px; background-color: rgb(244, 244, 244);"><br>
</span></div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Tue, Mar 31, 2015 at 9:23 AM, Matt Almgren <span dir="ltr">
<<a href="mailto:matta@surveymonkey.com" target="_blank">matta@surveymonkey.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span class=""><br>
>you want to verify that the user exists in the local unix password file<br>
<br>
</span>But I don¡¯t want it to use the local password file. I want it to pass the<br>
login name to the configured LDAP server that Likewise already knows<br>
about. I *think* this is the way it should work.<br>
<div class="HOEnZb">
<div class="h5"><br>
<br>
<br>
<br>
<br>
On 3/31/15, 9:19 AM, "heasley" <<a href="mailto:heas@shrubbery.net">heas@shrubbery.net</a>> wrote:<br>
<br>
>Tue, Mar 31, 2015 at 02:32:37PM +0000, Matt Almgren:<br>
>> Hey there Heasley,<br>
>><br>
>> I have been successful with local authentication using /etc/passwd and<br>
>> DES. So I know that TACACS and the switch are talking to each other<br>
>>well.<br>
>><br>
>> As for the contents of my pam config, well I©öve tried numerous things.<br>
>><br>
>> Here©ös a few examples:<br>
>><br>
>> 1)<br>
>> auth include common-auth<br>
>> account required pam_nologin.so<br>
>> account include common-auth<br>
>> password include common-auth<br>
>> session optional pam_keyinit.so force revoke<br>
>> session include common-auth<br>
>> session required pam_loginuid.so<br>
>><br>
>><br>
>> Which produces this common error in /var/log/auth.log:<br>
>><br>
>> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth):<br>
>>check<br>
>> pass; user unknown<br>
>> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth):<br>
>> authentication failure; logname=DOMAIN\matta uid=0 euid=0 tty= ruser=<br>
>> rhost=<br>
><br>
>this seems to be your issue; it looks like pam_unix is receiving a<br>
>ldap-like<br>
>username, but thats not something it can handle, afaik. if Likewise is<br>
>ldap-like and you want to verify that the user exists in the local unix<br>
>password file, then you would need a pam module that strips the "DOMAIN\\"<br>
>portion of the username before calling the passwd handling library<br>
>functions.<br>
<br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo/tac_plus</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</span>
</body>
</html>