[tac_plus] before authorization script problem with 4.0.4.14
Teet Talviste
teet.talviste at elion.ee
Fri Sep 12 09:45:47 UTC 2008
Bitman asked me to mention my problem and solution on the list, so here it
goes.
We use a before authorization script to determine priv-lvl of a user for
particular hosts. The trouble started when I moved tacacs from an old P3 to
a proper dual-core HP proliant debian server. Tacacs version change was from
4.0.4.9 to 4.0.4.14. The trouble itself is that the before authorization script
returns 1 (at least tacacs thinks it does) most of the time; sometimes it
worked fine. There is no way the script would return 1, it always returns 2...
Log shows:
Mon Sep 8 11:09:27 2008 [1799]: Error 172.16.108.130: Process write failure
Mon Sep 8 11:09:27 2008 [1799]: cmd /bin/bash /etc/tac-plus/hp-exec.sh $user
$name returns 1 (unconditional deny)
There is a fix, however. Turns out the script is too fast on the new machine,
so adding a line like sleep 1 to a bash script fixes this behaviour. Which in
itself is strange. I actually wrote a perl script to test whether there was
some problem with my previous bash script. But the perl script ran even faster
and I couldn't log in at all, but introducing even 10 microseconds of delay
again fixed the problem.
I know for sure that if the script runs under: real 0m0.002s, then there will
be problems.
I discovered it when Bitman advised me to run strace against tacacs, and when
running strace everything worked fine. I was quite confused at that point. But
then he suggested it was probably time related, so I tried to introduce some
lag to my script, and it worked.
This by the way is with:
Linux version 2.6.18-4-686 (Debian 2.6.18.dfsg.1-12etch2) (gcc version 4.1.2
20061115 (prerelease) (Debian 4.1.1-21))
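
Added example, not part of the original post and not tac_plus code: a before authorization script that reads all AV pairs from its standard input before it answers, as an alternative to the sleep workaround. It assumes the "Process write failure" in the log is the daemon's write to the script's stdin failing because the script had already exited; the function names, host patterns and privilege levels are constructed.

```shell
#!/bin/sh
# Added example: host patterns and privilege levels are constructed.

# Hypothetical policy: device name -> privilege level.
priv_for_host() {
    case "$1" in
        core-*) echo 15 ;;
        edge-*) echo 7 ;;
        *)      echo 1 ;;
    esac
}

# $1 = user, $2 = device name (the "$user $name" arguments from the log).
authorize() {
    user=$1
    host=$2
    buf=

    # Drain stdin to EOF before doing anything else, so the process
    # feeding AV pairs into this pipe never writes to a closed pipe.
    # Any incoming priv-lvl pair ("=" mandatory, "*" optional) is dropped.
    while IFS= read -r av || [ -n "$av" ]; do
        case "$av" in
            priv-lvl[=*]*) ;;
            *) buf="${buf}${av}
" ;;
        esac
    done

    # Status 1 is the deny seen in the log; decide only after the drain.
    if [ -z "$user" ] || [ -z "$host" ]; then
        return 1
    fi

    # Status 2: permit, using the AV pairs written to stdout.
    printf '%s' "$buf"
    printf 'priv-lvl=%s\n' "$(priv_for_host "$host")"
    return 2
}

# As the installed script, the last line would be:
#   authorize "$@"; exit $?
```

Because the answer is only produced after end-of-file on stdin, the script's run time no longer decides whether the daemon's write succeeds.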