[tac_plus] "Process Write Failure" problem

Mike Richardson doctor at mcc.ac.uk
Tue May 6 07:52:04 UTC 2008


Hiya,

We've been using Tacacs+ for quite a while now but recently noticed a
problem. When the tacacs daemon tries to execute an external script this can
happen:

cfg_get_value: name=b4ckup isuser=1 attr=after rec=1
cfg_get_value: recurse group = backup
cfg_get_pvalue: returns /usr/local/tacacs/bin/tac_switch.pl $user $name $address
After authorization call: /usr/local/tacacs/bin/tac_switch.pl $user $name $address
substitute: /usr/local/tacacs/bin/tac_switch.pl $user $name $address
Dollar substitution: /usr/local/tacacs/bin/tac_switch.pl b4ckup 10.100.182.2 130.88.249.16
input service=shell
input cmd=copy
input cmd-arg=running-config
input cmd-arg=startup-config
input cmd-arg=<cr>
10.100.182.2: Process write failure
cmd /usr/local/tacacs/bin/tac_switch.pl $user $name $address returns 1 (unconditional deny)
cfg_get_hvalue: name=10.100.182.2 attr=key
cfg_get_hvalue: no host named 10.100.182.2
cfg_get_phvalue: returns NULL
authorization query for 'b4ckup' tty2 from 10.100.182.2 rejected

However it happens at random. The same command can be run several times from
the same switch within seconds and will sometimes work and sometimes won't.

I know that's quite vague so here are some more details. We had a 100%
success rate when the software was run on a couple of Dell servers running
Debian Etch. Then I installed the same software on a couple of HP Proliants
and got the above problem with about a 30-40% failure rate. That's now
settled to about a 1% failure rate. I've no idea what's changed.

I've installed the same software on some Xen virtual servers (on the same
Dell hardware as above) and got 30-40% failure rate. 

The software in use was the F4.0.4-10 version. I upgraded to the -15 version
with exactly the same results. The external program being run has been
replaced with a couple of very simple scripts ('print "....", exit 0')
written in both perl and bash and gives the same 30-40% failure rate. My
uneducated guess is that there is a problem with the interprocess
communication. 

Do you need any more debugging output? Anything I can do to help?

Mike

-- 
Mike Richardson
Networks
IT Services, University of Manchester
*Plain text only please - attachments stripped on arrival*
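
Added example (not part of the original post, and not tac_plus code): a minimal C model of the interprocess communication the poster suspects. It assumes the daemon feeds the "input ..." AV pairs to the script through a pipe on its stdin and that "Process write failure" corresponds to that write failing; the post confirms neither, and run_script and its argument are hypothetical names.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed AV pairs, modelled on the "input ..." lines in the debug output. */
static const char *av_pairs[] = { "service=shell\n", "cmd=copy\n",
    "cmd-arg=running-config\n", "cmd-arg=startup-config\n", "cmd-arg=<cr>\n" };

/* Fork a stand-in for the external script and write the AV pairs to its stdin.
 * child_reads=0: exits without reading, like the 'print "....", exit 0' test scripts.
 * child_reads=1: drains stdin to EOF before exiting.
 * Returns 0 if every write succeeded, the errno of the failed write otherwise,
 * or -1 if pipe()/fork() failed. */
int run_script(int child_reads)
{
    int p[2], err = 0;
    if (pipe(p) < 0) return -1;
    signal(SIGPIPE, SIG_IGN);      /* make write() return EPIPE instead of killing us */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                /* child: the "script" */
        char buf[256];
        close(p[1]);
        while (child_reads && read(p[0], buf, sizeof buf) > 0)
            ;
        _exit(0);
    }
    close(p[0]);
    if (!child_reads) waitpid(pid, NULL, 0);  /* pin the losing side of the race */
    for (size_t i = 0; i < sizeof av_pairs / sizeof *av_pairs && !err; i++) {
        ssize_t n = (ssize_t)strlen(av_pairs[i]);
        if (write(p[1], av_pairs[i], (size_t)n) != n)
            err = errno ? errno : EIO;
    }
    close(p[1]);                   /* EOF lets a reading child finish */
    if (child_reads) waitpid(pid, NULL, 0);
    return err;
}

int main(void)
{
    printf("script ignores stdin: %s\n", strerror(run_script(0)));
    printf("script drains stdin:  %s\n", strerror(run_script(1)));
    return 0;
}
```

In this model the waitpid() call makes the failing order deterministic; without it the outcome depends on whether the child exits before the parent finishes writing, so the failure rate would vary with scheduling on each host.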

