[tac_plus] problem with tacplus 4.0.4.14

Teet Talviste teet.talviste at elion.ee
Mon Sep 8 08:27:24 UTC 2008


Hello,
I read the changelog to .15, but didn't see anything concerning my particular 
problem, so I didn't want to upgrade yet, because it's rather bothersome.

Now to the problem. I use a before-authorization bash script to determine if a 
host is HP or some other switch, which has different priv-lvls from Cisco. The 
trouble is that the script returns 1 most of the time, although it should 
return 2, as you can see:
#!/bin/sh
if grep -q "^$2\$" /etc/tac-plus/hosts.txt ; then
        echo priv-lvl=3
else
        echo priv-lvl=15
fi
exit 2

The weird thing is that the script functions fine when I run it manually, even 
with the tacacs user. Also, sometimes it returns 2 even when run by the tacacs 
daemon, so users must try to log in 5, maybe 6, times before they can get 
authenticated. So, am I doing something wrong, or is it a problem with tacacs? 
Almost forgot, I'm using Debian etch on x86.

Log output of daemon:

Mon Sep  8 11:09:24 2008 [1797]: cfg_get_value: name=master isuser=1 attr=login rec=1
Mon Sep  8 11:09:24 2008 [1797]: cfg_get_pvalue: returns des CSUMml1owULS2
Mon Sep  8 11:09:24 2008 [1797]: cfg_get_value: name=master isuser=1 attr=nopassword rec=1
Mon Sep  8 11:09:24 2008 [1797]: cfg_get_intvalue: returns 0
Mon Sep  8 11:09:24 2008 [1797]: cfg_get_hvalue: name=172.16.108.130 attr=key
Mon Sep  8 11:09:24 2008 [1797]: cfg_get_hvalue: no host named 172.16.108.130
Mon Sep  8 11:09:24 2008 [1797]: cfg_get_phvalue: returns NULL
Mon Sep  8 11:09:27 2008 [1797]: cfg_get_hvalue: name=172.16.108.130 attr=key
Mon Sep  8 11:09:27 2008 [1797]: cfg_get_hvalue: no host named 172.16.108.130
Mon Sep  8 11:09:27 2008 [1797]: cfg_get_phvalue: returns NULL
Mon Sep  8 11:09:27 2008 [1797]: cfg_get_value: name=master isuser=1 attr=time rec=1
Mon Sep  8 11:09:27 2008 [1797]: cfg_get_pvalue: returns NULL
Mon Sep  8 11:09:27 2008 [1797]: cfg_get_value: name=master isuser=1 attr=login rec=1
Mon Sep  8 11:09:27 2008 [1797]: cfg_get_pvalue: returns des CSUMml1owULS2
Mon Sep  8 11:09:27 2008 [1797]: verify Mypassword CSUMml1owULS2
Mon Sep  8 11:09:27 2008 [1797]: Mypassword encrypts to CSUMml1owULS2
Mon Sep  8 11:09:27 2008 [1797]: Password is correct
Mon Sep  8 11:09:27 2008 [1797]: cfg_get_value: name=master isuser=1 attr=expires rec=1
Mon Sep  8 11:09:27 2008 [1797]: cfg_get_pvalue: returns NULL
Mon Sep  8 11:09:27 2008 [1797]: Password has not expired <no expiry date set>
Mon Sep  8 11:09:27 2008 [1797]: login query for 'master' tty1 from 172.16.108.130 accepted
Mon Sep  8 11:09:27 2008 [1797]: cfg_get_hvalue: name=172.16.108.130 attr=key
Mon Sep  8 11:09:27 2008 [1797]: cfg_get_hvalue: no host named 172.16.108.130
Mon Sep  8 11:09:27 2008 [1797]: cfg_get_phvalue: returns NULL
Mon Sep  8 11:09:27 2008 [1799]: cfg_get_hvalue: name=172.16.108.130 attr=key
Mon Sep  8 11:09:27 2008 [1799]: cfg_get_hvalue: no host named 172.16.108.130
Mon Sep  8 11:09:27 2008 [1799]: cfg_get_phvalue: returns NULL
Mon Sep  8 11:09:27 2008 [1799]: Start authorization request
Mon Sep  8 11:09:27 2008 [1799]: cfg_get_value: name=master isuser=1 attr=before rec=1
Mon Sep  8 11:09:27 2008 [1799]: cfg_get_pvalue: returns /bin/bash /etc/tac-plus/hp-exec.sh $user $name
Mon Sep  8 11:09:27 2008 [1799]: Before authorization call: /bin/bash /etc/tac-plus/hp-exec.sh $user $name
Mon Sep  8 11:09:27 2008 [1799]: substitute: /bin/bash /etc/tac-plus/hp-exec.sh $user $name
Mon Sep  8 11:09:27 2008 [1799]: Dollar substitution: /bin/bash /etc/tac-plus/hp-exec.sh master 172.16.108.130
Mon Sep  8 11:09:27 2008 [1799]: input service=shell
Mon Sep  8 11:09:27 2008 [1799]: input cmd*
Mon Sep  8 11:09:27 2008 [1799]: Error 172.16.108.130: Process write failure
Mon Sep  8 11:09:27 2008 [1799]: cmd /bin/bash /etc/tac-plus/hp-exec.sh $user $name returns 1 (unconditional deny)
Mon Sep  8 11:09:27 2008 [1799]: cfg_get_hvalue: name=172.16.108.130 attr=key
Mon Sep  8 11:09:27 2008 [1799]: cfg_get_hvalue: no host named 172.16.108.130
Mon Sep  8 11:09:27 2008 [1799]: cfg_get_phvalue: returns NULL
Mon Sep  8 11:09:27 2008 [1799]: authorization query for 'master' tty1 from 172.16.108.130 rejected
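
Added example, not part of the original post: in the log above the daemon lists two "input" AV pairs and reports "Process write failure" just before recording the script as returning 1. Assuming those AV pairs are written to the script's standard input and that exit status 2 means "permit with the AV pairs printed on stdout", this variant reads stdin to the end before deciding, matches the device address as a literal whole line, and denies if the host list cannot be read. The names decide_priv and HOSTS_FILE are hypothetical.

```shell
#!/bin/sh
# Added example; not the poster's script and not tac_plus code.
# Assumptions (labelled): AV pairs arrive on stdin, exit 1 = deny,
# exit 2 = permit and use the AV pairs written to stdout.

# Host list path taken from the post; overridable for testing.
HOSTS_FILE="${HOSTS_FILE:-/etc/tac-plus/hosts.txt}"

# decide_priv USER NAS_ADDRESS
decide_priv() {
    nas="$2"

    # Drain stdin to EOF so the writer on the other end of the pipe never
    # finds it closed, however quickly the lookup below finishes.
    cat >/dev/null

    # An empty address would match blank lines in the list: deny instead.
    [ -n "$nas" ] || return 1

    # -F: literal string, so the dots in an IP are not regex wildcards.
    # -x: the whole line must match, so 10.0.0.5 does not match 10.0.0.50.
    if grep -qFx -- "$nas" "$HOSTS_FILE" 2>/dev/null; then
        echo "priv-lvl=3"
    else
        # grep exits 1 for "no match" and >1 for errors (unreadable list).
        # On error, deny rather than fall through to priv-lvl=15.
        [ $? -eq 1 ] || return 1
        echo "priv-lvl=15"
    fi
    return 2
}

# Act as the before-authorization program only when called with arguments,
# e.g. "hp-exec.sh $user $name" as in the post's configuration.
if [ "$#" -ge 2 ]; then
    decide_priv "$@"
    exit $?
fi
```
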
