[tac_plus] Re: before authorization script problem with 4.0.4.14

john heasley heas at shrubbery.net
Fri Sep 19 18:15:34 UTC 2008


Fri, Sep 12, 2008 at 12:45:47PM +0300, Teet Talviste:
>  Bitman asked me to mention my problem and solution on the list, so here it 
> goes.
> 
> We use a before authorization script to determine the priv-lvl of a user for 
> particular hosts. The trouble started when I moved tacacs from an old P3 to 
> a proper dual-core HP ProLiant Debian server. The tacacs version change was from 
> 4.0.4.9 to 4.0.4.14. The trouble itself is that the before authorization script 
> returns 1 (at least tacacs thinks it does) most of the time; sometimes it 
> worked fine. There is no way the script would return 1, it always returns 2...
> Log shows:
> Mon Sep  8 11:09:27 2008 [1799]: Error 172.16.108.130: Process write failure
> Mon Sep  8 11:09:27 2008 [1799]: cmd /bin/bash /etc/tac-plus/hp-exec.sh $user 
> $name returns 1 (unconditional deny)

The problem is that tacacs expects to write AVPs to the script.  If writing
(sending) them to the process fails, such as if your script doesn't read
any of them and the "stdout" buffer fills, or you simply close stdin before
it can occur, tacacs considers it a failure.

I suppose it could be changed to ignore that and use the exit code of the
child/script.  It seems more determinate to leave it as is.

> There is a fix, however. Turns out the script is too fast on the new machine, 
> so adding a line like sleep 1 to the bash script fixes this behavior, which in 
> itself is strange. I actually wrote a perl script to test, in case there was 
> some problem with my previous bash script. But the perl script ran even faster and 
> I couldn't log in at all; introducing even 10 microseconds of delay again 
> fixed the problem.
> 
> I know for sure that if the script runs under: real  0m0.002s, then there will 
> be problems.
> 
> I discovered it when Bitman advised me to run strace against tacacs, and when 
> running strace everything worked fine. I was quite confused at that point. But 
> then he suggested it was probably time related, so I tried to introduce some 
> lag to my script, and it worked.
> 
> This by the way is with:
> Linux version 2.6.18-4-686 (Debian 2.6.18.dfsg.1-12etch2) (gcc version 4.1.2 
> 20061115 (prerelease) (Debian 4.1.1-21))
> 
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20080912/47e7c03a/attachment.html 
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
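The race described above, reproduced as an added example (this is not code from tac_plus or from anyone in the thread): a simulated daemon writes constructed AV pairs into a pipe to a "before authorization" script and records whether that write succeeded, next to the script's exit code. The `bad_script` stand-in returns 2 without ever reading stdin, as the reporter's script did; `good_script` drains stdin first. The `sleep 1` in the feeder exaggerates the timing so the fast script loses the race every run instead of only when it finishes in under a couple of milliseconds. That the daemon ignores SIGPIPE and sees EPIPE as a write error is an assumption made here so the failure can be reported, not a claim about tac_plus internals.

```bash
#!/bin/bash
# Added example, not code from tac_plus: simulate the daemon writing AV pairs
# to a "before authorization" script's stdin, and show why a script that
# exits without reading them is seen by the parent as a write failure.

# Constructed sample of the attribute=value lines the daemon feeds the script.
SAMPLE_AVPS='service=shell
cmd=
priv-lvl=1'

# Stand-in for the reporter's script: decides immediately, never reads stdin.
bad_script() {
    return 2                      # 2 = the exit code the author intended
}

# Same decision, but stdin is drained first, so the parent's write succeeds
# no matter how quickly the decision is reached.
good_script() {
    cat >/dev/null                # consume every AV pair (or parse them here)
    return 2
}

# Simulated daemon: feed the AV pairs to the child through a pipe and print
# one line, e.g. "write failure rc=2" or "ok rc=2".
run_child() {
    local child="$1" status_file rc
    status_file=$(mktemp)
    {
        trap '' PIPE              # assumption: daemon sees EPIPE as a write error, not a signal
        sleep 1                   # let a fast child exit before we write (exaggerated race)
        if printf '%s\n' "$SAMPLE_AVPS" 2>/dev/null; then
            echo ok >"$status_file"
        else
            echo "write failure" >"$status_file"   # what the log called "Process write failure"
        fi
    } | "$child" && rc=0 || rc=$?
    printf '%s rc=%s\n' "$(cat "$status_file")" "$rc"
    rm -f "$status_file"
}

echo "fast script, stdin unread:  $(run_child bad_script)"    # write failure rc=2
echo "script that drains stdin:   $(run_child good_script)"   # ok rc=2
```

The exit code of the fast script is still 2 in both runs; what changes is whether the parent ever got to deliver its input. A `sleep 1` in the real script only widens the window in which the parent's write lands before the read end is closed, whereas reading stdin to EOF (or at least reading the pairs the script cares about) removes the window entirely.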

