From alan.mckinnon at gmail.com Wed Nov 4 13:07:15 2009
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 4 Nov 2009 15:07:15 +0200
Subject: [tac_plus] Different auth per device per user
Message-ID: <200911041507.15155.alan.mckinnon@gmail.com>

Hi,

Using 4.0.4.18 on FreeBSD.

Short description:
I have a need to give a select bunch of users one level of access on some devices and a much more restrictive access everywhere else. How can I do this?

Longer version:
My users are divided into 4 roles (1-4) in increasing level of access; the access they get applies to any device they can reach. The network is broken up into core routers, non-core routers and customer hosting switches.

There's a team which configures and installs the customer switches. I want them to be able to configure anything on those devices (role 4 in my setup) but to have role 2 on every other device.

I can't quite seem to find a clean way to configure this. The closest I can get is an acl and group just for switches and exclude them from everywhere else.

In an ideal world, this would suit me fine (I know it doesn't work):

acl = hosting_acl { }
group = hosting_group {
    acl = hosting_acl
}
group = role_2 { }

user = hosting_engineer {
    group = hosting_group
    group = role_2
}

With the first group having precedence and the second being a de-facto default. I'm OK with setting up the various rules so that conflicts don't happen (or fixing them when they do).

I've seen patches around that allow multiple groups, but was wondering if there's a clean alternative in the shipped code.

Another alternative is enableacl which is somewhat limiting, but I can live with that (aka I can force the user's manager to live with that).

--
alan dot mckinnon at gmail dot com
From dan.schmidt at uplinkdata.com Wed Nov 4 16:57:56 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Wed, 4 Nov 2009 09:57:56 -0700
Subject: [tac_plus] Re: Different auth per device per user
In-Reply-To: <200911041507.15155.alan.mckinnon@gmail.com>
References: <200911041507.15155.alan.mckinnon@gmail.com>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BCC74954@che-exch-003.uplinkdata.com>

do_auth - see www.tacacs.org

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Wednesday, November 04, 2009 6:07 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Different auth per device per user

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
From kissg at ssg.ki.iif.hu Wed Nov 4 20:34:09 2009
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Wed, 4 Nov 2009 21:34:09 +0100 (CET)
Subject: [tac_plus] Re: Different auth per device per user
In-Reply-To: <200911041507.15155.alan.mckinnon@gmail.com>
References: <200911041507.15155.alan.mckinnon@gmail.com>
Message-ID:

Maybe this helps you:
http://www.shrubbery.net/pipermail/tac_plus/2007-August/000125.html

Regards

Gabor

From dan.schmidt at uplinkdata.com Wed Nov 4 21:22:12 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Wed, 4 Nov 2009 14:22:12 -0700
Subject: [tac_plus] Re: Different auth per device per user
In-Reply-To:
References: <200911041507.15155.alan.mckinnon@gmail.com>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BCC7495C@che-exch-003.uplinkdata.com>

Were you ever able to fix the problems I found in that patch?

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Kiss Gabor (Bitman)
Sent: Wednesday, November 04, 2009 1:34 PM
To: Alan McKinnon
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: Different auth per device per user
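As an added illustration of the per-device-per-user decision this thread is about (example code, not anything from the list or from tac_plus), the functions below map a user and the NAS address to one of the roles 1-4 described in the question: a default role everywhere plus per-device-class overrides, falling back to the user's most restrictive role when the address cannot be classified, plus a check for overlapping device classes. The prefixes and users are constructed sample data, and how the role is then enforced (for instance by an after-authorization script) is outside this example.

```python
import ipaddress


def build_classes(mapping):
    """Turn {class_name: [cidr, ...]} into {class_name: [ip_network, ...]}."""
    return {name: [ipaddress.ip_network(c) for c in cidrs]
            for name, cidrs in mapping.items()}


# Constructed sample topology (not from the list post): device classes as prefixes.
DEVICE_CLASSES = build_classes({
    "core":           ["10.1.0.0/24"],
    "noncore":        ["10.2.0.0/24"],
    "hosting_switch": ["10.3.0.0/24", "10.4.0.0/24"],
})

# Per-user policy: a default role everywhere plus per-device-class overrides.
# Roles are 1..4 in increasing level of access, as in the question.
USERS = {
    "hosting_engineer": {"default": 2, "overrides": {"hosting_switch": 4}},
    "core_admin":       {"default": 4, "overrides": {}},
    "contractor":       {"default": 3, "overrides": {"core": 1}},
}


def classify_device(nas_addr):
    """Device class for a NAS address, or None if the address is missing,
    unparsable, or matches no configured prefix."""
    try:
        ip = ipaddress.ip_address(nas_addr)
    except ValueError:
        return None
    for cls, nets in DEVICE_CLASSES.items():
        if any(ip in net for net in nets):
            return cls
    return None


def decide_role(user, nas_addr):
    """Role the user gets on this device; None means the user is unknown (deny).
    A device that cannot be classified gets the most restrictive role the user
    holds anywhere, so an absent or garbled address never grants the override."""
    policy = USERS.get(user)
    if policy is None:
        return None
    cls = classify_device(nas_addr)
    if cls is None:
        return min([policy["default"], *policy["overrides"].values()])
    return policy["overrides"].get(cls, policy["default"])


def find_class_conflicts(classes):
    """Pairs of device classes whose prefixes overlap, i.e. devices that would
    match more than one class (the rule conflicts the question wants to avoid)."""
    conflicts = []
    names = sorted(classes)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(na.overlaps(nb) for na in classes[a] for nb in classes[b]):
                conflicts.append((a, b))
    return conflicts
```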
From dan.schmidt at uplinkdata.com Wed Nov 4 22:53:49 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Wed, 4 Nov 2009 15:53:49 -0700
Subject: [tac_plus] IOS-XR BUG botches scripts
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BCC74961@che-exch-003.uplinkdata.com>

IOS-XR does not send $address when in conf t. Shows up as unknown in accounting, and will ruin any after authorization script that expects a variable, because none is sent. tac_plus should handle this better.

if $address == NULL, $address == "unknown"

From shemminger at vyatta.com Thu Nov 5 19:22:04 2009
From: shemminger at vyatta.com (Stephen Hemminger)
Date: Thu, 5 Nov 2009 11:22:04 -0800
Subject: [tac_plus] tacacs+ 64 bit fix
Message-ID: <20091105112204.290bd8a3@s6510>

If the tacacs+ server is compiled and run on a 64 bit machine (common now),
on these machines sizeof(int) == 8 bytes, which is not the same as uint32.
It will fail because the session_id, which is declared as int, will be encrypted
as a 64 bit value.

From fe31e5361c9e51096dacbc8c1f54b2a59366d3d1 Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Thu, 5 Nov 2009 11:19:29 -0800
Subject: [PATCH] fix encrypt on 64 bit

---
 encrypt.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/encrypt.c b/encrypt.c
index a0971d0..2a5a341 100644
--- a/encrypt.c
+++ b/encrypt.c
@@ -37,9 +37,10 @@
  *
  *
  */
-void
-create_md5_hash(int session_id, char *key, u_char version, u_char seq_no,
-		u_char *prev_hash, u_char *hash)
+static void
+create_md5_hash(uint32_t session_id, const char *key,
+		u_char version, u_char seq_no,
+		const u_char *prev_hash, u_char *hash)
 {
     u_char *md_stream, *mdp;
     int md_len;
-- 
1.6.3.3
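Review bot: the hunk switches the parameter to `uint32_t session_id` but shows no added `#include <stdint.h>` (or `<inttypes.h>`), so encrypt.c only builds if that header already arrives through another include; add it explicitly. The hunk also adds `static` to create_md5_hash, a linkage change unrelated to the width fix that breaks the build if any other file references the function; confirm there are no external callers or leave the linkage alone in a fix-only patch. The body where session_id is copied into md_stream is outside the hunk, and the fix only takes effect if that copy uses sizeof(session_id) (now 4) rather than sizeof(int) and the caller passes the id in the byte order of the packet header, otherwise the pad still differs from the client's.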
From heas at shrubbery.net Thu Nov 5 19:39:18 2009
From: heas at shrubbery.net (john heasley)
Date: Thu, 5 Nov 2009 19:39:18 +0000
Subject: [tac_plus] Re: tacacs+ 64 bit fix
In-Reply-To: <20091105112204.290bd8a3@s6510>
References: <20091105112204.290bd8a3@s6510>
Message-ID: <20091105193918.GH19371@shrubbery.net>

Thu, Nov 05, 2009 at 11:22:04AM -0800, Stephen Hemminger:
> If the tacacs+ server is compiled and run on a 64 bit machine (common now),
> on these machines sizeof(int) == 8 bytes, which is not the same as uint32.
> It will fail because the session_id, which is declared as int, will be encrypted
> as a 64 bit value.

that's not right.  int should be 4 bytes on all machines as defined by
spec.  long should be 8 bytes on 64bit machines.

what o/s and what version of tacacs?
From dan.schmidt at uplinkdata.com Thu Nov 5 21:01:18 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Thu, 5 Nov 2009 14:01:18 -0700
Subject: [tac_plus] Re: tacacs+ 64 bit fix
In-Reply-To: <20091105193918.GH19371@shrubbery.net>
References: <20091105112204.290bd8a3@s6510> <20091105193918.GH19371@shrubbery.net>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BCC74973@che-exch-003.uplinkdata.com>

ILP64 defines int as 64 bits

http://www.ibm.com/developerworks/library/l-port64.html

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
Sent: Thursday, November 05, 2009 12:39 PM
To: Stephen Hemminger
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: tacacs+ 64 bit fix
From shemminger at vyatta.com Thu Nov 5 21:25:21 2009
From: shemminger at vyatta.com (Stephen Hemminger)
Date: Thu, 5 Nov 2009 13:25:21 -0800
Subject: [tac_plus] Re: tacacs+ 64 bit fix
In-Reply-To: <20091105193918.GH19371@shrubbery.net>
References: <20091105112204.290bd8a3@s6510> <20091105193918.GH19371@shrubbery.net>
Message-ID: <20091105132521.32a0fa1f@nehalam>

On Thu, 5 Nov 2009 19:39:18 +0000
john heasley wrote:

> Thu, Nov 05, 2009 at 11:22:04AM -0800, Stephen Hemminger:
> > If the tacacs+ server is compiled and run on a 64 bit machine (common now),
> > on these machines sizeof(int) == 8 bytes, which is not the same as uint32.
> > It will fail because the session_id, which is declared as int, will be encrypted
> > as a 64 bit value.
>
> that's not right.  int should be 4 bytes on all machines as defined by
> spec.  long should be 8 bytes on 64bit machines.
>
> what o/s and what version of tacacs?

Depends on the OS. I was just being paranoid.

For Linux:
  char   1
  short  2
  int    4
  long   8

So all is okay.
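As an added model of what this thread is arguing over (example code, not from tac_plus or from the patch), the Python below reproduces the TACACS+ pseudo-pad that create_md5_hash computes: MD5 over session_id, key, version and seq_no, chained with the previous block, then XORed over the body. The `width=8` option models a build in which session_id is hashed as an 8-byte int, so the pad no longer matches a peer that hashes the 4-byte field. The key, session id and body are constructed values.

```python
import hashlib
import struct


def pack_session_id(session_id, width=4):
    """Serialize the session id exactly as it is fed to MD5. The protocol
    defines it as 4 bytes in network order; width=8 models a build where the
    field is hashed as an 8-byte int (the failure mode raised in the thread)."""
    if not 0 <= session_id <= 0xFFFFFFFF:
        raise ValueError("session_id must fit in 32 bits")
    if width == 4:
        return struct.pack("!I", session_id)
    if width == 8:
        return struct.pack("!Q", session_id)
    raise ValueError("width must be 4 or 8")


def md5_block(session_id_bytes, key, version, seq_no, prev_hash=b""):
    """One block of the pseudo-pad:
    MD5(session_id || key || version || seq_no [|| previous block])."""
    md = hashlib.md5()
    md.update(session_id_bytes)
    md.update(key)
    md.update(bytes([version & 0xFF, seq_no & 0xFF]))
    md.update(prev_hash)
    return md.digest()


def pseudo_pad(session_id, key, version, seq_no, length, width=4):
    """Chain MD5 blocks until `length` bytes of pad exist, then truncate."""
    sid = pack_session_id(session_id, width)
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = md5_block(sid, key, version, seq_no, prev)
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no, width=4):
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same
    call with the same parameters both obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body), width)
    return bytes(b ^ p for b, p in zip(body, pad))
```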
From heas at shrubbery.net Thu Nov 5 22:18:19 2009
From: heas at shrubbery.net (john heasley)
Date: Thu, 5 Nov 2009 22:18:19 +0000
Subject: [tac_plus] Re: tacacs+ 64 bit fix
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BCC74973@che-exch-003.uplinkdata.com>
References: <20091105112204.290bd8a3@s6510> <20091105193918.GH19371@shrubbery.net> <05CC562AFB5A9446A1BC3F66AD04A3BCC74973@che-exch-003.uplinkdata.com>
Message-ID: <20091105221819.GE17928@shrubbery.net>

Thu, Nov 05, 2009 at 02:01:18PM -0700, Schmidt, Daniel:
> ILP64 defines int as 64 bits
>
> http://www.ibm.com/developerworks/library/l-port64.html

sigh.  never seen ILP64.  the great thing about standards is that there
are so many to choose from.

anyway, does anything actually use ILP64?  does anything use SILP64?  It
seems that there are many other things that'd need to be fixed if either
of these models are used [in anything we care about].
From ccoueffe at ecritel.net Fri Nov 6 09:19:06 2009
From: ccoueffe at ecritel.net (COUEFFE Charly)
Date: Fri, 6 Nov 2009 10:19:06 +0100
Subject: [tac_plus] tacacs problem with Nexus
Message-ID:

Hi,

I'd like to use tac_plus for aaa on a Nexus 5000, but it doesn't work. It's OK with the Catalyst.
I have noticed that the Nexus uses pap authentication and I have added this line to each user in tacacs.conf: pap = .
Has someone tested with a Nexus?

Regards,
Charly
From dan.schmidt at uplinkdata.com Mon Nov 9 19:24:53 2009
From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Mon, 9 Nov 2009 12:24:53 -0700
Subject: [tac_plus] pap = file?
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BCC749A3@che-exch-003.uplinkdata.com>

no pap = file?

    case S_pap:
        if (user->pap) {
            parse_error("Duplicate value for %s %s and %s on line %d",
                        codestring(sym_code), user->pap,
                        sym_buf, sym_line);
            tac_exit(1);
        }
        sym_get();
        parse(S_separator);
        switch(sym_code) {

        case S_cleartext:
        case S_des:
            sprintf(buf, "%s ", sym_buf);
            sym_get();
            strcat(buf, sym_buf);
            user->pap = tac_strdup(buf);
            break;

        default:
            /* only 'cleartext' and 'des' are accepted here; there is no 'file' case */
            parse_error("expecting 'cleartext', or 'des' keyword after "
                        "'pap =' on line %d", sym_line);
        }
        sym_get();
        continue;

From jmbicalho at gmail.com Mon Nov 9 18:41:03 2009
From: jmbicalho at gmail.com (Joel Bicalho)
Date: Mon, 9 Nov 2009 16:41:03 -0200
Subject: [tac_plus] TAC-PLUS/AD
Message-ID: <9d3a56fc0911091041q2705bd25qe013d6d206cc84e7@mail.gmail.com>

Hey guys,

I have a couple of Cisco switches, a Linux server and a Windows 2003 with Active Directory.
I want to install tac-plus on my Linux server and then tie it into the Windows 2003 (AD) using PAM/Kerberos.
I want to use the Active Directory to authenticate the users.
The problem is, I don't know how to do it....
Would you have any step-by-step to do it? Or could you show me where to find it??
I couldn't find it on Google.......
thank you in advance!!!

--
Joel
From prozaconstilts at gmail.com Mon Nov 9 23:58:57 2009
From: prozaconstilts at gmail.com (adam)
Date: Mon, 09 Nov 2009 18:58:57 -0500
Subject: [tac_plus] Re: TAC-PLUS/AD
In-Reply-To: <9d3a56fc0911091041q2705bd25qe013d6d206cc84e7@mail.gmail.com>
References: <9d3a56fc0911091041q2705bd25qe013d6d206cc84e7@mail.gmail.com>
Message-ID: <4AF8ACC1.40708@gmail.com>

Here are instructions I posted for pam_ldap in January for RHEL5. You should be able to mostly replace pam_ldap with pam_krb5, and skip step 10 below. I'm not really a kerberos expert, but I assume on top of these instructions, you should get your /etc/krb5.conf set up, as well as your service principals and such...

1. Install the pam-devel package and tcp_wrappers via yum:

   yum install pam-devel tcp_wrappers

2. Obtain the latest tac_plus from ftp://ftp.shrubbery.net/pub/tac_plus/
   I used version F4.0.4.15

3. unpack tac_plus:

   tar xfz tacacs+-

4. Run configure:

   ./configure --bindir=/usr/local/bin --sbindir=/usr/local/sbin --localstatedir=/var/local/tacacs --sysconfdir=/etc --with-logfile=/var/log/tacacs/tacacs --with-pidfile=/var/run/tacacs.pid --with-acctfile=/var/log/tacacs/acctfile

   Note that the above configure choices were my own, you can choose whatever values you want.

5. Make sure the pam libraries were found. Look at the output of configure for a line that looks like this:

   checking for pam_start in -lpam... yes

   If that says yes, then the daemon will compile with pam support. If it says no, then configure is unable to find your pam libraries.
   Make sure you performed Step 1.

6. compile tac_plus:

   make

7. install tac_plus:

   make install

8. Configure tac_plus. While there are many more configurations to be done to make tac_plus work as a whole, the pam specific configuration is as follows:

   Edit the tac_plus conf file, and define your users as such:

   user = {
       login = PAM
   }

   Currently, tac_plus only allows authentication using pam (since pam is only used for authentication anyway). Authorizations are still configured within the conf file, no ldap groups allowed :(

9. Define a pam stack for tac_plus.

   cd /etc/pam.d
   vi tac_plus

   My pam stack config is as follows:

   auth        required      pam_env.so
   auth        sufficient    pam_unix.so nullok try_first_pass
   auth        requisite     pam_succeed_if.so uid >= 500 quiet
   auth        sufficient    pam_ldap.so use_first_pass
   auth        required      pam_deny.so

   account     required      pam_unix.so broken_shadow
   account     sufficient    pam_localuser.so
   account     sufficient    pam_succeed_if.so uid < 500 quiet
   account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
   account     required      pam_permit.so

   password    requisite     pam_cracklib.so try_first_pass retry=3
   password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
   password    sufficient    pam_ldap.so use_authtok
   password    required      pam_deny.so

   session     optional      pam_keyinit.so revoke
   session     required      pam_limits.so
   session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
   session     required      pam_unix.so
   session     optional      pam_ldap.so

   Note that this config also works well for system-auth. If you want all authentication for your server to use ldap (graphical login, ssh, etc.), you can place the above into system-auth, and then define tac_plus as follows:

   auth        include       system-auth
   account     required      pam_nologin.so
   account     include       system-auth
   password    include       system-auth
   session     optional      pam_keyinit.so force revoke
   session     include       system-auth
   session     required      pam_loginuid.so

10. Configure your ldap.conf.
    This is where you define your ldap server, binddn, attribute maps, etc. Note that on RHEL5, there are two ldap.conf files. One is in /etc/openldap and the other is just in /etc. PAM will stat both files upon invocation, and the second one it stats will override the first. I usually modify /etc/openldap/ldap.conf, and then symlink /etc/ldap.conf to it.

That's it. At this point, assuming you have everything set up right, you should be able to use your LDAP server for authentication.

To troubleshoot, I normally run the tacacs daemon in the foreground with debugging on:

   tac_plus -C /path/to/tac_plus.conf -L -p 49 -d16 -g

and then try to authenticate.

So far, I have found a couple caveats that will make life very sad.

First, if you decide to run tac_plus from xinetd in linux (which I suggest you do, to utilize tcp wrappers properly), then you should set up your /etc/xinetd.d/tacacs conf file as follows:

   service tacacs
   {
       socket_type = stream
       protocol    = tcp
       wait        = no
       disable     = no
       user        = root
       server      = /path/to/tac_plus
       server_args = -C /path/to/tac_plus.conf -L -p 49 -i -d 16
       cps         = 50 10
       flags       = IPv4
   }

The server must be run as root. Because you are talking to PAM, you must have root privileges, or else it will not work.

Secondly, if you are using xinetd, in your ldap.conf file, turn off debugging. When run from xinetd with ldap debugging on, the ldap libs will output debug code to stderr. Since you are running the daemon from within xinetd, there is no stderr to output to, and the tac_plus daemon upon discovering this broken pipe will fail and exit. Whether this is a tac_plus or xinetd problem I'm not sure, but it's there all the same. You can use the -g option to run in the foreground to test your ldap conf if you wish, but once you start to use xinetd, make sure that the debug directive in your ldap.conf is off.
From heas at shrubbery.net Tue Nov 10 04:15:51 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 10 Nov 2009 04:15:51 +0000
Subject: [tac_plus] Re: TAC-PLUS/AD
In-Reply-To: <4AF8ACC1.40708@gmail.com>
References: <9d3a56fc0911091041q2705bd25qe013d6d206cc84e7@mail.gmail.com> <4AF8ACC1.40708@gmail.com>
Message-ID: <20091110041551.GE3041@shrubbery.net>

> So far, I have found a couple caveats that will make life very sad.
> First, if you decide to run tac_plus from xinetd in linux (which I
> suggest you do, to utilize tcp wrappers properly), then you should set
> up your /etc/xinetd.d/tacacs conf file as follows:

it shouldn't be necessary to use inetd to use tcp_wrappers.  what is the
problem?

From swatermann at gmail.com Tue Nov 17 20:35:46 2009
From: swatermann at gmail.com (Stefan Watermann)
Date: Tue, 17 Nov 2009 21:35:46 +0100
Subject: [tac_plus] PAP password in file possible?
Message-ID: <4B030922.2000704@gmail.com>

Hi all,

I'm currently working on getting authentication to a Cisco NAM2 module using TACACS to work.

The box is using PAP and "login = file " (username:password:::::) does not work.

Also using "pap = file " does not work.
The only thing which worked was "pap = des ", which I'm using within a group.

Is it possible to manage the passwords for all of my users in a file?
I would like to be able to provide a PAP password for each of my users.

Many thanks in advance.

Regards,
Stefan
From alan.mckinnon at gmail.com Tue Nov 17 21:08:37 2009
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Tue, 17 Nov 2009 23:08:37 +0200
Subject: [tac_plus] Re: PAP password in file possible?
In-Reply-To: <4B030922.2000704@gmail.com>
References: <4B030922.2000704@gmail.com>
Message-ID: <200911172308.37993.alan.mckinnon@gmail.com>

On Tuesday 17 November 2009 22:35:46 Stefan Watermann wrote:
> Is it possible to manage the passwords for all of my users in a file?
> I would like to be able to provide a PAP password for each of my users.

I had the same a while back, and resorted to putting "pap = des " in the user section. This wasn't a big deal for me as my tac_plus.conf is generated on the fly from a backend database, which reduces it to a mere exercise in string manipulation in perl.

Earlier than that I also needed to put other passwords into a file. I determined the only place this is supported is for the user's own login password.

If I'm wrong in this, I'm sure John will be along shortly to correct me :-)

--
alan dot mckinnon at gmail dot com
From hailumeng at gmail.com Wed Nov 18 00:59:29 2009
From: hailumeng at gmail.com (Hailu Meng)
Date: Tue, 17 Nov 2009 18:59:29 -0600
Subject: [tac_plus] Issue with Cisco switch authentication against Microsoft Active Directory
Message-ID: <8dabae5b0911171659s22160784s6fd6db30fa260f43@mail.gmail.com>

Hi all,

I'm trying to set up tac_plus in CentOS 5.3. tac_plus has been compiled with pam and tcp_wrapper. I configured my switch as below:

aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa authorization exec default tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting network start-stop tacacs+
tacacs+ host 10.0.0.11
tacacs+ key mykey

I configured /etc/tac_plus.conf to use local settings first. It worked. Then I tried to use pam with ldap to authenticate against the Microsoft Active Directory. I sniffed the traffic and saw there was an error when my tacacs server was doing a query against Active Directory. The error is *problem 2001* (*NO_OBJECT*).

Do you guys have a similar problem when you set up this kind of authentication? I listed the main configuration files below:

**************************************************************
/etc/pam.d/tac_plus

#%PAM-1.0
auth        include       system-auth
account     required      pam_nologin.so
account     include       system-auth
password    include       system-auth
session     optional      pam_keyinit.so force revoke
session     include       system-auth
session     required      pam_loginuid.so

*********************************************
/etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     optional      pam_ldap.so

*******************************************************
/etc/ldap.conf

host 10.0.0.100
base ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com
binddn cn=network services,ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com
#bindpw ohsosecret   # no secret set
scope sub
ssl no

nss_schema rfc2307bis
nss_base_passwd ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
nss_base_shadow ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
nss_base_group ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub

referrals no   # otherwise it goes freakishly slow

I linked /etc/openldap/ldap.conf to /etc/ldap.conf. I didn't enable ssl for ldap.

I think the problem could be in the configuration of ldap.conf or it doesn't match the configuration in Active Directory. In my AD, I have a "security groups" OU and in this OU I have a "network services" group. Maybe the issue also lies in the nss mapping? I searched some articles. It seems like the nss mapping must be correct to authenticate through a Linux box against Active Directory.
Another question about Active Directory is: do I need to create a separate OU to hold the user accounts who will have rights to log in to Cisco devices? I saw someone say the user account in the tacacs server must not be in other groups. If the separate OU is needed and the user must be only in this new OU, it will lose the flexibility of using the current Active Directory which is already configured.

Please give me some help on this. Very much appreciated.

Thanks.

Lou
From: prozaconstilts at gmail.com (adam)
Date: Tue, 17 Nov 2009 22:16:27 -0500
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911171659s22160784s6fd6db30fa260f43@mail.gmail.com>
References: <8dabae5b0911171659s22160784s6fd6db30fa260f43@mail.gmail.com>
Message-ID: <4B03670B.8030204@gmail.com>

Hailu Meng wrote:
> Hi all,
>
> I'm trying to set up tac_plus in CentOS 5.3. tac_plus has been compiled with
> pam and tcp_wrapper. I configured my switch as below:
>
> aaa new-model
> aaa authentication login default group tacacs+ local-case
> aaa authentication enable default group tacacs+ enable
> aaa authorization exec default tacacs+
> aaa accounting exec default start-stop tacacs+
> aaa accounting network start-stop tacacs+
> tacacs+ host 10.0.0.11
> tacacs+ key mykey
>
> I configured /etc/tac_plus.conf to use local settings first. It worked.
> Then I tried to use pam with ldap to authenticate against the Microsoft
> Active Directory. I sniffed the traffic and saw there was an error when
> my tacacs server was doing a query against Active Directory. The error
> is *problem 2001* (*NO_OBJECT*).
>
> Do you guys have a similar problem when you set up this kind of
> authentication? I listed the main configuration files below:
> **************************************************************
> /etc/pam.d/tac_plus
>
> #%PAM-1.0
> auth       include      system-auth
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
>
> *********************************************
> /etc/pam.d/system-auth
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
> session     optional      pam_ldap.so
>
> *******************************************************
> /etc/ldap.conf
>
> host 10.0.0.100
> base ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com
> binddn cn=network services,ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com
> #bindpw ohsosecret   # no secret set
> scope sub
> ssl no
>
> nss_schema rfc2307bis
> nss_base_passwd ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
> nss_base_shadow ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
> nss_base_group ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>
> referrals no   # otherwise it goes freakishly slow
>
> I linked /etc/openldap/ldap.conf to /etc/ldap.conf. I didn't enable ssl for
> ldap.
>
> I think the problem could be in the configuration of ldap.conf, or it doesn't
> match the configuration in Active Directory. In my AD, I have a "security
> groups" OU and in this OU I have a "network services" group.
> Maybe the issue also lies in the nss mapping? I searched some articles. It
> seems like the nss mapping must be correct to authenticate through a Linux box
> against Active Directory.
>
> Another question about Active Directory is: do I need to create a separate OU
> to hold the user accounts who will have rights to log in to Cisco devices? I saw
> someone say the user account on the tacacs server must not be in other groups.
> If the separate OU is needed and the user must be only in this new OU, it
> will lose the flexibility of using the current Active Directory, which is
> already configured.
>
> Please give me some help on this. Very appreciated.
>
> Thanks.
>
> Lou
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

I think you're missing a few key items from your ldap.conf:

pam_filter objectclass=User
pam_login_attribute sAMAccountName

These directives will tell pam pretty much two things:

1. pam_filter = an ldap filter that restricts who can actually authenticate. This is wonderfully handy as it lets you build an AD group that you can then look for when you auth a user, and not have to modify your AD structure, e.g.

pam_filter &(objectclass=User)(member=cn=my_group,ou=my_ou,dc=my_domain)

This tells pam that you can only authenticate if you are a "User" (and not a service or other non-person account type), and that you are a member of the group specified. Assuming all your user accounts exist somewhere under the base OU you specified above, this lets you search them out, and use AD groups w/o messing w/ your AD structure.

2. pam_login_attribute sAMAccountName

By default, when using openldap, logging in as 'joe' causes pam_ldap to look in the LDAP store for a record like uid=joe,(+base). For you, this means pam_ldap will ask the AD for any object that has uid=joe anywhere under your base ou: ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com.

But in Active Directory land, user accounts don't have a 'uid' field that gets populated with your login name; it uses a different field, called sAMAccountName. This directive tells pam to look for sAMAccountName=joe when talking to the Active Directory, which is what the AD is expecting.

Also, you can subtract tac_plus from the mix and just try to make sure pam works. In your ldap.conf, you can put a line like

debug 256

to get lots of debug info on the console and in log files, and then run su - <username>, subbing in your AD user account name. The higher the debug number, the more debug output you'll get.

Adam
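Adam's two directives, as an added example that is not code from pam_ldap, tac_plus or anyone on the thread: a small Python model of the lookup he describes, run against a constructed in-memory directory that reuses the base and group names from Lou's ldap.conf. It assumes the pam_login_attribute match is ANDed with pam_filter, tests group membership on the user's memberOf attribute (the one Adam's follow-up mentions), adds RFC 4515 escaping of the login name (which the thread does not discuss), and simulates the bind step with a constructed password attribute.

```python
"""Added example (not code from pam_ldap, tac_plus or anyone on the
thread): a model of the lookup Adam describes, with a constructed
in-memory directory that reuses the thread's base and group names.
Assumption: the pam_login_attribute match is ANDed with pam_filter."""
import hmac
import re
from typing import Optional

BASE = "ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com"
GROUP_DN = "cn=network services," + BASE
# Constructed entries: lower-cased attribute -> list of values.  The
# "password" attribute stands in for the server-side bind check and
# exists only in this toy; AD users carry memberOf, not uid.
DIRECTORY = {
    "cn=joe," + BASE: {
        "objectclass": ["top", "person", "user"],
        "samaccountname": ["joe"],
        "memberof": [GROUP_DN],
        "password": ["correct horse"],
    },
    "cn=bob," + BASE: {  # a person, but not in the group
        "objectclass": ["top", "person", "user"],
        "samaccountname": ["bob"],
        "memberof": [],
        "password": ["bob-pass"],
    },
    "cn=svc-backup," + BASE: {  # non-person account that is in the group
        "objectclass": ["top", "computer"],
        "samaccountname": ["svc-backup$"],
        "memberof": [GROUP_DN],
        "password": ["machine-secret"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a login such as 'joe)(objectclass=*' cannot
    rewrite the filter sent to the directory (my addition; the thread
    does not discuss it)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_login_filter(login_attribute: str, login: str,
                       pam_filter: Optional[str] = None) -> str:
    """pam_filter is written as in ldap.conf, without outer parentheses,
    e.g. 'objectclass=User' or '&(objectclass=User)(memberOf=...)'."""
    match = "(%s=%s)" % (login_attribute, escape_filter_value(login))
    return "(&%s(%s))" % (match, pam_filter) if pam_filter else match


# Minimal evaluator for filters built from equality and AND only.
def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    # Parse one parenthesised term at s[i]; return (node, next index).
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] == "&":
        i, kids = i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unterminated AND in %r" % s)
        return ("and", kids), i + 1
    j = s.index(")", i)  # a raw ')' can only be the terminator
    attr, _, value = s[i:j].partition("=")
    return ("eq", attr.lower(), _unescape(value).lower()), j + 1


def _match(node, entry) -> bool:
    if node[0] == "and":
        return all(_match(k, entry) for k in node[1])
    _, attr, value = node
    # AD compares these attributes case-insensitively, so the toy does too.
    return any(v.lower() == value for v in entry.get(attr, []))


def search(flt: str, directory=DIRECTORY) -> list:
    """DNs of the entries matching flt."""
    node, end = _parse(flt, 0)
    if end != len(flt):
        raise ValueError("trailing data in filter %r" % flt)
    return [dn for dn, entry in directory.items() if _match(node, entry)]


def authenticate(login: str, password: str, login_attribute: str,
                 pam_filter: Optional[str], directory=DIRECTORY) -> str:
    """The two steps pam_ldap takes: search (as the binddn account) for
    exactly one entry, then bind as that entry with the user's password."""
    dns = search(build_login_filter(login_attribute, login, pam_filter), directory)
    if not dns:
        return "no such user"
    if len(dns) > 1:
        return "ambiguous"
    stored = directory[dns[0]]["password"][0]
    ok = hmac.compare_digest(stored.encode(), password.encode())
    return "ok" if ok else "bad password"
```

With the default uid lookup the search returns nothing for an AD user, while sAMAccountName plus the group filter returns exactly joe and rejects both the non-member and the machine account.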
From: hailumeng at gmail.com (Hailu Meng)
Date: Tue, 17 Nov 2009 22:11:09 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <4B03670B.8030204@gmail.com>
References: <8dabae5b0911171659s22160784s6fd6db30fa260f43@mail.gmail.com> <4B03670B.8030204@gmail.com>
Message-ID: <8dabae5b0911172011i3ee79a45ifb133a2cd0505fd5@mail.gmail.com>

Hi Adam,

Thank you very much for replying to me so quickly. This is really helpful. I will try it tomorrow and let you know what I find out. Thanks a lot.

Appreciated.

Lou

On Tue, Nov 17, 2009 at 9:16 PM, adam wrote:
> [...]
From: hailumeng at gmail.com (Hailu Meng)
Date: Tue, 17 Nov 2009 22:33:04 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911172011i3ee79a45ifb133a2cd0505fd5@mail.gmail.com>
References: <8dabae5b0911171659s22160784s6fd6db30fa260f43@mail.gmail.com> <4B03670B.8030204@gmail.com> <8dabae5b0911172011i3ee79a45ifb133a2cd0505fd5@mail.gmail.com>
Message-ID: <8dabae5b0911172033i21db304fr25c8418dc8ef250d@mail.gmail.com>

Hi Adam,

By the way, as you said, it appears I don't need to create another new group for this authentication purpose. I already have one group set up and I want everyone in this group to be authenticated. And also these users are members of other groups. Does it matter in this case? I mean, one user in multiple groups?

And how about the nss mapping? Do I need to do some configuration for them? Like,

nss_schema rfc2307bis
nss_base_passwd ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
nss_base_shadow ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
nss_base_group ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub

Thanks.

Lou

On Tue, Nov 17, 2009 at 10:11 PM, Hailu Meng wrote:
> [...]
From: prozaconstilts at gmail.com (adam)
Date: Wed, 18 Nov 2009 07:57:44 -0500
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911172033i21db304fr25c8418dc8ef250d@mail.gmail.com>
References: <8dabae5b0911171659s22160784s6fd6db30fa260f43@mail.gmail.com> <4B03670B.8030204@gmail.com> <8dabae5b0911172011i3ee79a45ifb133a2cd0505fd5@mail.gmail.com> <8dabae5b0911172033i21db304fr25c8418dc8ef250d@mail.gmail.com>
Message-ID: <4B03EF48.20706@gmail.com>

Hailu Meng wrote:
> Hi Adam,
>
> By the way, as you said, it appears I don't need to create another new
> group for this authentication purpose. I already have one group set up
> and I want everyone in this group to be authenticated. And also these
> users are members of other groups. Does it matter in this case? I
> mean, one user in multiple groups?
>
> And how about the nss mapping? Do I need to do some configuration for them? Like,
>
> nss_schema rfc2307bis
> nss_base_passwd ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
> nss_base_shadow ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
> nss_base_group ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>
> Thanks.
>
> Lou
> [...]

A user being a member of multiple groups shouldn't be a problem. Just be sure that the account you specify for your binddn has the ability to see the "memberof" information about your users. Also, you'll probably need to specify the password for the network services user in the bindpw for it to work...

All the nss bits shouldn't be necessary for pam to work.

From: dan.schmidt at uplinkdata.com (Schmidt, Daniel)
Date: Tue, 17 Nov 2009 15:19:14 -0700
Subject: [tac_plus] Re: PAP password in file possible?
In-Reply-To: <200911172308.37993.alan.mckinnon@gmail.com>
References: <4B030922.2000704@gmail.com> <200911172308.37993.alan.mckinnon@gmail.com>
Message-ID: <05CC562AFB5A9446A1BC3F66AD04A3BCC74A30@che-exch-003.uplinkdata.com>

Brought this up a couple of weeks ago, actually. Didn't see pap = file as an option in the code.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Tuesday, November 17, 2009 2:09 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Re: PAP password in file possible?

On Tuesday 17 November 2009 22:35:46 Stefan Watermann wrote:
> Hi all,
>
> I'm currently working on getting authentication to a Cisco NAM2 module
> using TACACS to work.
>
> The box is using PAP and "login = file "
> (username:password:::::) does not work.
>
> Also using "pap = file " does not work.
> The only thing which worked was "pap = des ", which
> I'm using within a group.
>
> Is it possible to manage the passwords for all of my users in a file?
> I would like to be able to provide a PAP password for each of my users.

I had the same a while back, and resorted to putting "pap = des " in the user section. This wasn't a big deal for me as my tac_plus.conf is generated on the fly from a backend database, which reduces it to a mere exercise in string manipulation in perl.

Earlier than that I also needed to put other passwords into a file. I determined the only place this is supported is for the user's own login password. If I'm wrong in this, I'm sure John will be along shortly to correct me :-)

--
alan dot mckinnon at gmail dot com
From: hailumeng at gmail.com (Hailu Meng) Date: Wed, 18 Nov 2009 21:18:24 -0600 Subject: [tac_plus] One stupid question about ldapsearch in CentOS Message-ID: <8dabae5b0911181918p1d93e139mc35d1fb58d6ebd3e@mail.gmail.com> Hi All, I'm in the troubleshooting for authentication against MS Active Directory. Here I want to use ldapsearch command in CentOS. But this command can't be found in my build. I installed server version of CentOS. And configured ldap.conf and enabled the ldap authentication by authconfig. Don't know why it's not there. Please help! Thank you! Lou -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091118/d5ac4582/attachment.html From CJones at enterprisedata.com.au Thu Nov 19 05:45:57 2009 From: CJones at enterprisedata.com.au (Chris Jones) Date: Thu, 19 Nov 2009 16:45:57 +1100 Subject: [tac_plus] Re: One stupid question about ldapsearch in CentOS In-Reply-To: <8dabae5b0911181918p1d93e139mc35d1fb58d6ebd3e@mail.gmail.com> References: <8dabae5b0911181918p1d93e139mc35d1fb58d6ebd3e@mail.gmail.com> Message-ID: <61C1A30B39817D4DACC0C5CA4DF79CCAD491E8A9@syd1exstore01.entdata.local> Hi Lou, "yum install openldap-clients" should give you what you need. Regards, Chris -----Original Message----- 
From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Hailu Meng
Sent: Thursday, 19 November 2009 2:18 PM
To: tac_plus at shrubbery.net
Subject: [tac_plus] One stupid question about ldapsearch in CentOS

Hi All,

I'm troubleshooting authentication against MS Active Directory. Here I want
to use the ldapsearch command in CentOS, but this command can't be found in
my build. I installed the server version of CentOS, configured ldap.conf and
enabled LDAP authentication with authconfig. Don't know why it's not there.
Please help! Thank you!

Lou

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you receive this email by mistake, please notify the author and do not
make any use of the email. We do not waive any privilege, confidentiality or
copyright associated with it. Please consider the environment before
printing this e-mail.

From hailumeng at gmail.com Fri Nov 20 01:12:16 2009
From: hailumeng at gmail.com (Hailu Meng)
Date: Thu, 19 Nov 2009 19:12:16 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911191342n2b0ece0dm745b150ff5811426@mail.gmail.com>
References: <8dabae5b0911171659s22160784s6fd6db30fa260f43@mail.gmail.com> <4B03670B.8030204@gmail.com> <8dabae5b0911172011i3ee79a45ifb133a2cd0505fd5@mail.gmail.com> <8dabae5b0911172033i21db304fr25c8418dc8ef250d@mail.gmail.com> <4B03EF48.20706@gmail.com> <8dabae5b0911191342n2b0ece0dm745b150ff5811426@mail.gmail.com>
Message-ID: <8dabae5b0911191712r18ec4c70p707a42d4c512ea29@mail.gmail.com>

Forgot to post to the mailing list.

I feel I'm getting close to the end. After modifying the ldap.conf and
binding as a correct user in my group, I can now see in the packets sniffed
with ethereal that LDAP found my userid. The packet shows all the user
information from Active Directory. This means LDAP did succeed in finding my
userid. But when I input the password, it just gets denied. I'm sure the
password is correct, so I suspect some setting about the password in
ldap.conf is wrong. By the way, I added debug=256 and logdir=/var/log/ldap
in ldap.conf, but no log is captured for ldap. Not sure why. Here is my
current ldap.conf:

**************************************
host 10.xx.x.15
base ou=User Accounts,dc=home,dc=corp,dc=myhome,dc=org
ldap_version 3
scope sub
binddn CN=test,OU=User Accounts,dc=home,dc=corp,dc=myhome,dc=org
bindpw mypass
rootbinddn dc=home,dc=corp,dc=myhome,dc=org
# The port.
# Optional: default is 389. SSL LDAP Port 636
port 389
# RFC2307bis naming contexts
nss_base_passwd dc=home,dc=corp,dc=myhome,dc=org?sub
nss_base_shadow dc=home,dc=corp,dc=myhome,dc=org?sub
nss_base_group dc=home,dc=corp,dc=myhome,dc=org?sub
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute cn sAMAccountName
nss_map_attribute gecos cn

# PAM_LDAP options
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
logdir /var/log/ldap
debug 1024
ssl no
timelimit 30
bind_timelimit 30

I'm thinking pam_password is wrong? I didn't see any packet in ethereal
related to password authentication, so I suspect the password hasn't been
sent out to Active Directory. Please help me. Thank you very much!!!

Lou

On Thu, Nov 19, 2009 at 3:42 PM, Hailu Meng wrote:
>
> On Wed, Nov 18, 2009 at 6:57 AM, adam wrote:
>> Hailu Meng wrote:
>>> Hi Adam,
>>>
>>> By the way, as you said, it appears I don't need to create another new
>>> group for this authentication purpose. I already have one group set up
>>> and I want everyone in this group to be authenticated. These users are
>>> also members of other groups. Does it matter in this case, I mean one
>>> user in multiple groups?
>>>
>>> And how about nss mapping? Do I need to do some configuration for them?
>>> Like,
>>>
>>> nss_schema rfc2307bis
>>> nss_base_passwd ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>>> nss_base_shadow ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>>> nss_base_group ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>>>
>>> Thanks.
>>>
>>> Lou
>>>
>>> On Tue, Nov 17, 2009 at 10:11 PM, Hailu Meng wrote:
>>>> Hi Adam,
>>>>
>>>> Thank you very much for replying to me so quickly. This is really
>>>> helpful. I will try it tomorrow and let you know what I find out.
>>>> Thanks a lot.
>>>>
>>>> Appreciated.
>>>>
>>>> Lou
>>>>
>>>> On Tue, Nov 17, 2009 at 9:16 PM, adam wrote:
>>>>> Hailu Meng wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I'm trying to set up tac_plus in CentOS 5.3. tac_plus has been
>>>>>> compiled with pam and tcp_wrapper. I configured my switch as below:
>>>>>>
>>>>>> aaa new-model
>>>>>> aaa authentication login default group tacacs+ local-case
>>>>>> aaa authentication enable default group tacacs+ enable
>>>>>> aaa authorization exec default tacacs+
>>>>>> aaa accounting exec default start-stop tacacs+
>>>>>> aaa accounting network start-stop tacacs+
>>>>>> tacacs+ host 10.0.0.11
>>>>>> tacacs+ key mykey
>>>>>>
>>>>>> I configured /etc/tac_plus.conf to use local settings first. It
>>>>>> worked. Then I tried to use pam with ldap to authenticate against
>>>>>> the Microsoft Active Directory. I sniffed the traffic and saw there
>>>>>> was an error when my tacacs server was doing a query against Active
>>>>>> Directory. The error is *problem 2001* (*NO_OBJECT*).
>>>>>>
>>>>>> Do you guys have a similar problem when you set up this kind of
>>>>>> authentication? I listed the main configuration files below:
>>>>>> **************************************************************
>>>>>> /etc/pam.d/tac_plus
>>>>>>
>>>>>> #%PAM-1.0
>>>>>> auth include system-auth
>>>>>> account required pam_nologin.so
>>>>>> account include system-auth
>>>>>> password include system-auth
>>>>>> session optional pam_keyinit.so force revoke
>>>>>> session include system-auth
>>>>>> session required pam_loginuid.so
>>>>>>
>>>>>> *********************************************
>>>>>> /etc/pam.d/system-auth
>>>>>>
>>>>>> #%PAM-1.0
>>>>>> # This file is auto-generated.
>>>>>> # User changes will be destroyed the next time authconfig is run.
>>>>>> auth required pam_env.so
>>>>>> auth sufficient pam_unix.so nullok try_first_pass
>>>>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>>>>> auth sufficient pam_ldap.so use_first_pass
>>>>>> auth required pam_deny.so
>>>>>>
>>>>>> account required pam_unix.so broken_shadow
>>>>>> account sufficient pam_localuser.so
>>>>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>>>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>>>> account required pam_permit.so
>>>>>>
>>>>>> password requisite pam_cracklib.so try_first_pass retry=3
>>>>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>>>> password sufficient pam_ldap.so use_authtok
>>>>>> password required pam_deny.so
>>>>>>
>>>>>> session optional pam_keyinit.so revoke
>>>>>> session required pam_limits.so
>>>>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>>>> session required pam_unix.so
>>>>>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
>>>>>> session optional pam_ldap.so
>>>>>>
>>>>>> *******************************************************
>>>>>> /etc/ldap.conf
>>>>>>
>>>>>> host 10.0.0.100
>>>>>> base ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com
>>>>>> binddn cn=network services,ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com
>>>>>> #bindpw ohsosecret # no secret set
>>>>>> scope sub
>>>>>> ssl no
>>>>>>
>>>>>> nss_schema rfc2307bis
>>>>>> nss_base_passwd ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>>>>>> nss_base_shadow ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>>>>>> nss_base_group ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>>>>>>
>>>>>> referrals no # otherwise it goes freakishly slow
>>>>>>
>>>>>> I linked /etc/openldap/ldap.conf to /etc/ldap.conf. I didn't enable
>>>>>> ssl for ldap.
>>>>>>
>>>>>> I think the problem could be in the configuration of ldap.conf or it
>>>>>> doesn't match the configuration in Active Directory. In my AD, I have
>>>>>> a "security groups" OU and in this OU I have a "network services"
>>>>>> group. Maybe the issue also lies in nss mapping? I searched some
>>>>>> articles. It seems like nss mapping must be correct to authenticate
>>>>>> through a Linux box against Active Directory.
>>>>>>
>>>>>> Another question about Active Directory is: Do I need to create a
>>>>>> separate OU to hold the user accounts who will have rights to log in
>>>>>> to Cisco devices? I saw someone say the user account in the tacacs
>>>>>> server must not be in other groups. If the separate OU is needed and
>>>>>> the user must be only in this new OU, it will lose the flexibility of
>>>>>> using the current Active Directory which is already configured.
>>>>>>
>>>>>> Please give me some help on this. Very appreciated.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> Lou
>>>>>
>>>>> I think you're missing a few key items from your ldap.conf:
>>>>>
>>>>> pam_filter objectclass=User
>>>>> pam_login_attribute sAMAccountName
>>>>>
>>>>> These directives will tell pam pretty much two things:
>>>>>
>>>>> 1. pam_filter = an ldap filter that restricts who can actually
>>>>> authenticate. This is wonderfully handy as it lets you build an AD
>>>>> group that you can then look for when you auth a user, and not have
>>>>> to modify your AD structure e.g.
>>>>>
>>>>> pam_filter &(objectclass=User)(member=cn=my_group,ou=my_ou,dc=my_domain)
>>>>>
>>>>> This tells pam that you can only authenticate if you are a "User" (and
>>>>> not a service or other non-person account type), and that you are a
>>>>> member of the group specified. Assuming all your user accounts exist
>>>>> somewhere under the base OU you specified above, this lets you search
>>>>> them out, and use AD groups w/o messing w/ your AD structure.
>>>>>
>>>>> 2. pam_login_attribute sAMAccountName
>>>>>
>>>>> By default, when using openldap, logging in as 'joe' causes pam_ldap
>>>>> to look in the LDAP store for a record like uid=joe,(+base). For you,
>>>>> this means pam_ldap will ask the AD for any object that has uid=joe
>>>>> anywhere under your base ou:
>>>>> ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com.
>>>>>
>>>>> But in Active Directory land, user accounts don't have a 'uid' field
>>>>> that gets populated with your login name, it uses a different field,
>>>>> called sAMAccountName. This directive tells pam to look for
>>>>> sAMAccountName=joe when talking to the active directory, which is
>>>>> what the AD is expecting.
>>>>>
>>>>> Also, you can subtract tac_plus from the mix and just try to make
>>>>> sure pam works. In your ldap.conf, you can put a line like
>>>>>
>>>>> debug 256
>>>>>
>>>>> to get lots of debug info on console and in log files, and then run
>>>>> su - , subbing in your AD user account name. The higher the debug
>>>>> number, the more debug output you'll get.
>>>>>
>>>>> Adam
>>
>> A user being a member of multiple groups shouldn't be a problem. Just be
>> sure that the account you specify for your binddn has the ability to see
>> the "memberof" information about your users. Also, you'll probably need
>> to specify the password for the network services user in the bindpw for
>> it to work...
>>
>> All the nss bits shouldn't be necessary for pam to work.

From prozaconstilts at gmail.com Fri Nov 20 02:46:29 2009
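The pam_ldap points raised in the quoted thread above (pam_login_attribute must be sAMAccountName for AD, pam_filter restricts who may authenticate, a binddn needs its bindpw) and the fact that ethereal could read the exchange at all (ssl no, port 389) can all be checked offline. The following is an added example and not code from this thread, from the tac_plus project, or from pam_ldap. It assumes pam_ldap composes its account lookup as (&(<pam_login_attribute>=<user>)(<pam_filter>)); the two sample configs are reconstructed from the Nov 17 and Nov 19 ldap.conf files posted in the thread, trimmed to the relevant directives.

```python
"""Offline checks for a pam_ldap ldap.conf that points at Active Directory.

Added example; not code from tac_plus, pam_ldap, or anyone on this thread.
The search-filter composition is an assumption about how pam_ldap combines
pam_login_attribute and pam_filter; the checks flag the problems the thread
raises: a uid= lookup against AD, a binddn without bindpw, a cleartext bind
on port 389, and debug output left enabled.
"""

# RFC 4515 escaping for values spliced into a search filter, so a login
# name such as 'joe)(objectclass=*' cannot change what the filter matches.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_ldap_conf(text):
    """Parse 'key value' lines into {key: [values]}.  Whole-line '#' comments
    are dropped, keys are case-insensitive, and repeated keys keep every
    value because nss_map_* legitimately repeats."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def _last(conf, key, default=None):
    values = conf.get(key)
    return values[-1] if values else default


def login_search_filter(conf, username):
    """The search pam_ldap issues to find the account for a login name:
    (<pam_login_attribute>=<user>), ANDed with pam_filter when one is set."""
    attr = _last(conf, "pam_login_attribute", "uid")
    term = "(%s=%s)" % (attr, escape_filter_value(username))
    extra = _last(conf, "pam_filter")
    if not extra:
        return term
    if not extra.startswith("("):
        extra = "(%s)" % extra
    return "(&%s%s)" % (term, extra)


def check_ad_config(conf):
    """Return a list of findings; an empty list means none of the known problems."""
    findings = []
    attr = _last(conf, "pam_login_attribute", "uid")
    if attr.lower() != "samaccountname":
        findings.append("pam_login_attribute %s: AD keeps the login name in sAMAccountName, "
                        "so this lookup finds no object" % attr)
    if not _last(conf, "pam_filter"):
        findings.append("pam_filter missing: nothing restricts which accounts may authenticate")
    if _last(conf, "binddn") and not _last(conf, "bindpw"):
        findings.append("binddn without bindpw: the lookup bind is anonymous, "
                        "which AD refuses for user searches by default")
    rootbinddn = _last(conf, "rootbinddn")
    if rootbinddn and not rootbinddn.lower().startswith(("cn=", "uid=")):
        findings.append("rootbinddn %s does not name an account (pam_ldap binds as it when "
                        "running as root, with the password from /etc/ldap.secret)" % rootbinddn)
    if _last(conf, "ssl", "no").lower() in ("no", "off"):
        findings.append("ssl no: bindpw and every user password cross the network in "
                        "cleartext on port %s" % _last(conf, "port", "389"))
    if _last(conf, "debug", "0") != "0":
        findings.append("debug %s: verbose pam_ldap logging is enabled" % _last(conf, "debug"))
    return findings


# Constructed samples, trimmed from the two ldap.conf versions in the thread.
NOV17_CONF = """
host 10.0.0.100
base ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com
binddn cn=network services,ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com
#bindpw ohsosecret
ssl no
"""

NOV19_CONF = """
host 10.xx.x.15
base ou=User Accounts,dc=home,dc=corp,dc=myhome,dc=org
binddn CN=test,OU=User Accounts,dc=home,dc=corp,dc=myhome,dc=org
bindpw mypass
rootbinddn dc=home,dc=corp,dc=myhome,dc=org
port 389
pam_login_attribute sAMAccountName
pam_filter objectclass=User
debug 1024
ssl no
"""

if __name__ == "__main__":
    for name, text in (("Nov 17", NOV17_CONF), ("Nov 19", NOV19_CONF)):
        conf = parse_ldap_conf(text)
        print(name, "lookup for joe:", login_search_filter(conf, "joe"))
        for finding in check_ad_config(conf):
            print("  -", finding)
```

Run against the Nov 17 config it reproduces the NO_OBJECT symptom (a uid=joe lookup) and the missing bindpw; against the Nov 19 config the lookup is correct and what remains is the cleartext bind, the debug level, and a rootbinddn that is the naming context rather than an account.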
From: prozaconstilts at gmail.com (adam)
Date: Thu, 19 Nov 2009 21:46:29 -0500
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911191712r18ec4c70p707a42d4c512ea29@mail.gmail.com>
References: <8dabae5b0911171659s22160784s6fd6db30fa260f43@mail.gmail.com> <4B03670B.8030204@gmail.com> <8dabae5b0911172011i3ee79a45ifb133a2cd0505fd5@mail.gmail.com> <8dabae5b0911172033i21db304fr25c8418dc8ef250d@mail.gmail.com> <4B03EF48.20706@gmail.com> <8dabae5b0911191342n2b0ece0dm745b150ff5811426@mail.gmail.com> <8dabae5b0911191712r18ec4c70p707a42d4c512ea29@mail.gmail.com>
Message-ID: <4B060305.60106@gmail.com>

Hailu Meng wrote:
> Forgot to post to the mailing list.
>
> I feel I'm getting close to the end. After modifying the ldap.conf and
> binding as a correct user in my group, I can now see in the packets
> sniffed with ethereal that LDAP found my userid. The packet shows all the
> user information from Active Directory. This means LDAP did succeed in
> finding my userid. But when I input the password, it just gets denied.
> I'm sure the password is correct, so I suspect some setting about the
> password in ldap.conf is wrong. By the way, I added debug=256 and
> logdir=/var/log/ldap in ldap.conf, but no log is captured for ldap. Not
> sure why.
>
> I'm thinking pam_password is wrong? I didn't see any packet in ethereal
> related to password authentication, so I suspect the password hasn't
> been sent out to Active Directory. Please help me. Thank you very
> much!!!

can you 'su - ' on the tacacs server and authenticate?

Strange about the debug...I know I get gobs of output...

From hailumeng at gmail.com Fri Nov 20 02:56:58 2009
From: hailumeng at gmail.com (Hailu Meng) Date: Thu, 19 Nov 2009 20:56:58 -0600 Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory In-Reply-To: <4B060305.60106@gmail.com> References: <8dabae5b0911171659s22160784s6fd6db30fa260f43@mail.gmail.com> <4B03670B.8030204@gmail.com> <8dabae5b0911172011i3ee79a45ifb133a2cd0505fd5@mail.gmail.com> <8dabae5b0911172033i21db304fr25c8418dc8ef250d@mail.gmail.com> <4B03EF48.20706@gmail.com> <8dabae5b0911191342n2b0ece0dm745b150ff5811426@mail.gmail.com> <8dabae5b0911191712r18ec4c70p707a42d4c512ea29@mail.gmail.com> <4B060305.60106@gmail.com> Message-ID: <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> Adam, I tried the su - "userid" in my tacacs+ server but I don't have that userid in CentOS. So the CentOS just don't want me log in. I think this will not ask tacacs server to authenticate against AD. Is there any other way to test ldap authentication against AD with the userid in AD? I tried ldapsearch. It did find my user id without problem. But I haven't found any option to try with password and authenticate against AD. Do you have ldap server setup or only the openldap library and openldap client? I don't understand why the log is not turned on. There must be some debugging info in the log which can help solve this issue. If the user can authenticate, does ethereal capture some packets about password verification? Right now I only see the packets when ldap search for my user id and gets results back from AD. Maybe I need dig into ldap.conf more. If you have any idea, let me know. Thank you very much. Lou On Thu, Nov 19, 2009 at 8:46 PM, adam wrote: > Hailu Meng wrote: > >> Forgot to post to the mailing list. >> >> I'm feeling getting close to the end. After modifying the ldap.conf and >> bind a correct user in my group. Right now I can see the packets snifferred >> through ethereal shows LDAP found my userid. 
The packet shows out all the >> user information from Active Directory. This means LDAP did succeeded in >> finding my userid. But when I input the password. It just got denied. I'm >> sure the password is correct. So I doubt it could have some setup about >> password in ldap.conf is wrong. By the way, I added debug=256 and >> logdir=/var/log/ldap in ldap.conf, but no log is captured for ldap. Not sure >> why. Here is my current ldap.conf >> ****************************** >> >> ******** >> host 10.xx.x.15 >> base ou=User Accounts,dc=home,dc=corp,dc=myhome,dc=org >> ldap_version 3 >> scope sub >> binddn CN=test,OU=User Accounts,dc=home,dc=corp,dc=myhome,dc=org >> bindpw mypass >> rootbinddn dc=home,dc=corp,dc=myhome,dc=org >> # The port. >> # Optional: default is 389. SSL LDAP Port 636 >> port 389 >> # RFC2307bis naming contexts >> nss_base_passwd dc=home,dc=corp,dc=myhome,dc=org?sub >> nss_base_shadow dc=home,dc=corp,dc=myhome,dc=org?sub >> nss_base_group dc=home,dc=corp,dc=myhome,dc=org?sub >> # RFC 2307 (AD) mappings >> nss_map_objectclass posixAccount User >> nss_map_objectclass shadowAccount User >> nss_map_attribute uid sAMAccountName >> nss_map_attribute cn sAMAccountName >> nss_map_attribute gecos cn >> >> # PAM_LDAP options >> pam_login_attribute sAMAccountName >> pam_filter objectclass=User >> pam_password ad >> logdir /var/log/ldap >> debug 1024 >> ssl no >> timelimit 30 >> bind_timelimit 30 >> >> I'm thinking pam_password is wrong? I didn't see any packet in >> ethereal related to password authentication. So I doubt the password >> hasn't been sent out to Active Directory. Please help me. Thank you >> very much!!! >> >> Lou >> >> >> On Thu, Nov 19, 2009 at 3:42 PM, Hailu Meng > hailumeng at gmail.com>> wrote: >> >> Hi Adam, >> >> I'm feeling getting close to the end. After modifying the ldap.conf >> and bind a correct user in my group. Right now I can see the packets >> snifferred through ethereal shows LDAP found my userid. 
The packet >> shows out all the user information from Active Directory. This means >> LDAP did succeeded in finding my userid. But when I input the >> password. It just got denied. I'm sure the password is correct. So I >> doubt it could have some setup about password in ldap.conf is wrong. >> By the way, I added debug=256 and logdir=/var/log/ldap in ldap.conf, >> but no log is captured for ldap. Not sure why. Here is my current >> ldap.conf >> ************************************** >> host 10.xx.x.15 >> base ou=User Accounts,dc=home,dc=corp,dc=myhome,dc=org >> ldap_version 3 >> scope sub >> binddn CN=test,OU=User Accounts,dc=home,dc=corp,dc=myhome,dc=org >> bindpw mypass >> rootbinddn dc=home,dc=corp,dc=myhome,dc=org >> # The port. >> # Optional: default is 389. SSL LDAP Port 636 >> port 389 >> # RFC2307bis naming contexts >> nss_base_passwd dc=home,dc=corp,dc=myhome,dc=org?sub >> nss_base_shadow dc=home,dc=corp,dc=myhome,dc=org?sub >> nss_base_group dc=home,dc=corp,dc=myhome,dc=org?sub >> # RFC 2307 (AD) mappings >> nss_map_objectclass posixAccount User >> nss_map_objectclass shadowAccount User >> nss_map_attribute uid sAMAccountName >> nss_map_attribute cn sAMAccountName >> nss_map_attribute gecos cn >> >> # PAM_LDAP options >> pam_login_attribute sAMAccountName >> pam_filter objectclass=User >> pam_password ad >> logdir /var/log/ldap >> debug 1024 >> ssl no >> timelimit 30 >> bind_timelimit 30 >> >> I'm thinking pam_password is wrong? I didn't see any packet in >> ethereal related to password authentication. So I doubt the password >> hasn't been sent out to Active Directory. Please help me. Thank you >> very much!!! >> >> Lou >> >> On Wed, Nov 18, 2009 at 6:57 AM, adam > > wrote: >> >> Hailu Meng wrote: >> >> Hi Adam, >> >> By the way, as you said. It appears I don't need create >> another new group for this authentication purpose. I already >> have one group setup and I want every one in this group can >> be authenticated. 
>> And also these users are members of other groups. Does it matter for this case? I mean one user in multiple groups?
>>
>> And how about nss mapping? Do I need to do some configuration for them? Like,
>>
>> nss_schema rfc2307bis
>> nss_base_passwd ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>> nss_base_shadow ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>> nss_base_group ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>>
>> Thanks.
>>
>> Lou
>>
>> On Tue, Nov 17, 2009 at 10:11 PM, Hailu Meng wrote:
>>
>> Hi Adam,
>>
>> Thank you very much for replying to me so quickly. This is really helpful. I will try it tomorrow and let you know what I find out. Thanks a lot.
>>
>> Appreciated.
>>
>> Lou
>>
>> On Tue, Nov 17, 2009 at 9:16 PM, adam wrote:
>>
>> Hailu Meng wrote:
>>
>> Hi all,
>>
>> I'm trying to set up tac_plus on CentOS 5.3. tac_plus has been compiled with pam and tcp_wrapper. I configured my switch as below:
>>
>> aaa new-model
>> aaa authentication login default group tacacs+ local-case
>> aaa authentication enable default group tacacs+ enable
>> aaa authorization exec default tacacs+
>> aaa accounting exec default start-stop tacacs+
>> aaa accounting network start-stop tacacs+
>> tacacs+ host 10.0.0.11
>> tacacs+ key mykey
>>
>> I configured /etc/tac_plus.conf to use local settings first. It worked. Then I tried to use pam with ldap to authenticate against the Microsoft Active Directory. I sniffed the traffic and saw there was an error when my tacacs server was doing a query against Active Directory. The error is *problem 2001* (*NO_OBJECT*).
>>
>> Do you guys have a similar problem when you set up this kind of authentication? I listed the main configuration files below:
>>
>> **************************************************************
>> /etc/pam.d/tac_plus
>>
>> #%PAM-1.0
>> auth include system-auth
>> account required pam_nologin.so
>> account include system-auth
>> password include system-auth
>> session optional pam_keyinit.so force revoke
>> session include system-auth
>> session required pam_loginuid.so
>>
>> *********************************************
>> /etc/pam.d/system-auth
>>
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_unix.so broken_shadow
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3
>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password sufficient pam_ldap.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session required pam_unix.so
>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
>> session optional pam_ldap.so
>>
>> *******************************************************
>> /etc/ldap.conf
>>
>> host 10.0.0.100
>> base ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com
>> binddn cn=network services,ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com
>> #bindpw ohsosecret # no secret set
>> scope sub
>> ssl no
>>
>> nss_schema rfc2307bis
>> nss_base_passwd ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>> nss_base_shadow ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>> nss_base_group ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com?sub
>>
>> referrals no # otherwise it goes freakishly slow
>>
>> I linked /etc/openldap/ldap.conf to /etc/ldap.conf. I didn't enable ssl for ldap.
>>
>> I think the problem could be in the configuration of ldap.conf, or it doesn't match the configuration in Active Directory. In my AD, I have a "security groups" OU and in this OU I have a "network services" group. Maybe the issue also lies in nss mapping? I searched some articles. It seems like nss mapping must be correct to authenticate through a Linux box against Active Directory.
>>
>> Another question about active directory is: Do I need to create a separate OU to hold the user accounts who will have rights to log in to Cisco devices? I saw someone say the user account in the tacacs server must not be in other groups. If the separate OU is needed and the user must be only in this new OU, it will lose the flexibility of using the current Active Directory which is already configured.
>>
>> Please give me some help on this. Very appreciated.
>>
>> Thanks.
>>
>> Lou
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091117/03eedad2/attachment.html
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>>
>> I think you're missing a few key items from your ldap.conf:
>>
>> pam_filter objectclass=User
>> pam_login_attribute sAMAccountName
>>
>> These directives will tell pam pretty much two things:
>>
>> 1. pam_filter = an ldap filter that restricts who can actually authenticate. This is wonderfully handy as it lets you build an AD group that you can then look for when you auth a user, and not have to modify your AD structure e.g.
>>
>> pam_filter &(objectclass=User)(member=cn=my_group,ou=my_ou,dc=my_domain)
>>
>> This tells pam that you can only authenticate if you are a "User" (and not a service or other non-person account type), and that you are a member of the group specified. Assuming all your user accounts exist somewhere under the base OU you specified above, this lets you search them out, and use AD groups w/o messing w/ your AD structure.
>>
>> 2. pam_login_attribute sAMAccountName
>>
>> By default, when using openldap, logging in as 'joe' causes pam_ldap to look in the LDAP store for a record like uid=joe,(+base). For you, this means pam_ldap will ask the AD for any object that has uid=joe anywhere under your base ou: ou=security groups,dc=hq,dc=corp,dc=myhouse,dc=com.
>>
>> But in Active Directory land, user accounts don't have a 'uid' field that gets populated with your login name; it uses a different field, called sAMAccountName. This directive tells pam to look for sAMAccountName=joe when talking to the active directory, which is what the AD is expecting.
>>
>> Also, you can subtract tac_plus from the mix and just try to make sure pam works. In your ldap.conf, you can put a line like
>>
>> debug 256
>>
>> to get lots of debug info on console and in log files, and then run su - , subbing in your AD user account name. The higher the debug number, the more debug output you'll get.
>>
>> Adam
>>
>> A user being a member of multiple groups shouldn't be a problem. Just be sure that the account you specify for your binddn has the ability to see the "memberof" information about your users.
>>
>> Also, you'll probably need to specify the password for the network services user in the bindpw for it to work...
>>
>> All the nss bits shouldn't be necessary for pam to work.
>
> can you 'su - ' on the tacacs server and authenticate?
>
> Strange about the debug...I know I get gobs of output...
From prozaconstilts at gmail.com Fri Nov 20 03:26:55 2009
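Before the next message, an added example illustrating the pam_filter advice adam gives in the quoted reply above. This is my code, not adam's, pam_ldap's or the tac_plus project's. It builds the AND filter that limits authentication to members of one AD group, escapes the group DN per RFC 4515 so characters such as parentheses or asterisks in a DN cannot alter the filter, and evaluates the result against a constructed LDIF record (the group, user and domain names are made up to match the thread's naming). One difference from adam's text is deliberate: the membership test is on memberOf, the attribute Active Directory populates on the user object, since pam_filter is applied to the user's own entry.

```python
"""Build the group-restricting pam_filter and test a user entry against it.

Added example for this thread, not code from pam_ldap, OpenLDAP or tac_plus.
The membership test uses memberOf (AD keeps a user's groups there); attribute
names and values compare case-insensitively, as AD treats DNs and object
classes.  The LDIF record below is constructed, not exported from a directory.
"""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_pam_filter(group_dn: str, object_class: str = "user") -> str:
    """Filter admitting only objects of object_class whose memberOf lists group_dn."""
    return "(&(objectClass=%s)(memberOf=%s))" % (
        escape_filter_value(object_class), escape_filter_value(group_dn))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Parse the RFC 4515 subset used here: (&..) (|..) (!..) and (attr=value).
    Returns nested tuples: ('&', [children]) or ('=', attr_lower, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            pos += 1                       # the ')' closing the list
            return (op, kids)
        end = text.index(")", pos)         # a ')' inside a value is escaped as \29
        attr, _, val = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), _unescape(val))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(entry: dict, tree) -> bool:
    """Evaluate a parsed filter against {attr_lower: [values]}."""
    op = tree[0]
    if op == "=":
        _, attr, want = tree
        return any(v.casefold() == want.casefold() for v in entry.get(attr, []))
    kids = tree[1]
    if op == "&":
        return all(matches(entry, k) for k in kids)
    if op == "|":
        return any(matches(entry, k) for k in kids)
    return not matches(entry, kids[0])     # '!'


def parse_ldif(text: str) -> dict:
    """Parse one LDIF record (folded continuation lines included) into a dict."""
    lines = []
    for raw in text.strip().splitlines():
        if raw.startswith(" ") and lines:  # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        attr, _, val = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(val.strip())
    return entry


GROUP_DN = "CN=network services,OU=security groups,DC=hq,DC=corp,DC=myhouse,DC=com"

# Constructed sample record modelled on the names in the thread; not real data.
SAMPLE_LDIF = """\
dn: CN=joe,OU=User Accounts,DC=hq,DC=corp,DC=myhouse,DC=com
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: joe
memberOf: CN=Domain Users,CN=Users,DC=hq,DC=corp,DC=myhouse,DC=com
memberOf: CN=network services,OU=security groups,DC=hq,DC=corp,
 DC=myhouse,DC=com
"""


def user_may_authenticate(ldif_text: str, group_dn: str) -> bool:
    """True when the record passes the pam_filter built for group_dn."""
    return matches(parse_ldif(ldif_text), parse_filter(build_pam_filter(group_dn)))


if __name__ == "__main__":
    print(build_pam_filter(GROUP_DN))
    print("joe may authenticate:", user_may_authenticate(SAMPLE_LDIF, GROUP_DN))
```

The evaluator is a stand-in for the directory: in production the server applies the filter during pam_ldap's search, so the value of the exercise is seeing that a computer object, or a user outside the group, is rejected before any password is ever checked, and that escaping keeps a hostile DN from widening the filter.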
From: prozaconstilts at gmail.com (adam)
Date: Thu, 19 Nov 2009 22:26:55 -0500
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com>
References: <8dabae5b0911171659s22160784s6fd6db30fa260f43@mail.gmail.com> <4B03670B.8030204@gmail.com> <8dabae5b0911172011i3ee79a45ifb133a2cd0505fd5@mail.gmail.com> <8dabae5b0911172033i21db304fr25c8418dc8ef250d@mail.gmail.com> <4B03EF48.20706@gmail.com> <8dabae5b0911191342n2b0ece0dm745b150ff5811426@mail.gmail.com> <8dabae5b0911191712r18ec4c70p707a42d4c512ea29@mail.gmail.com> <4B060305.60106@gmail.com> <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com>
Message-ID: <4B060C7F.6010804@gmail.com>

Hailu Meng wrote:
> Adam,
>
> I tried the su - "userid" in my tacacs+ server but I don't have that userid in CentOS. So CentOS just doesn't want to let me log in. I think this will not ask the tacacs server to authenticate against AD.

You shouldn't need to define the user in CentOS, that's the point of using ldap for authentication. The user is defined in ldap, not in CentOS. Now that I think about it, su - probably wouldn't work anyway, as AD doesn't by default have the data needed by a linux box to allow login...but see below for more options.

> Is there any other way to test ldap authentication against AD with the userid in AD? I tried ldapsearch. It did find my user id without problem. But I haven't found any option to try with password and authenticate against AD.

Try using -D:

from `man ldapsearch`:

  -D binddn
      Use the Distinguished Name binddn to bind to the LDAP directory.

so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate using whatever user you want to define. Just check and double check you get the right path in that dn.

> Do you have ldap server setup or only the openldap library and openldap client? I don't understand why the log is not turned on. There must be some debugging info in the log which can help solve this issue.

only the libs and client. You should not need the server. In the ldapsearch, you can use -d to get debugging info for that search. As before, higher number = more debug

> If the user can authenticate, does ethereal capture some packets about password verification? Right now I only see the packets when ldap searches for my user id and gets results back from AD.

Ethereal should catch all data flowing between the client and server. If you can search out the user in your AD right now, then one of two things is happening:

1. You are performing anonymous searches. In this case, no username and pw is provided, and your AD is happy to hand over info to anyone who asks for it. If this is the case, you will _not_ see authentication information. The following MS KB article should probably help you determine on your AD if anonymous queries are allowed:

http://support.microsoft.com/kb/320528

It has exact instructions for how to get it going, but you can follow along with it to check your current settings without making any changes.

2. Authentication is happening. It will be the _very_ first thing the client and server perform, after basic connection establishment. Look for it at the very beginning of a dump.

Also, it's a bit overkill, but the following article is extremely informative about all the different ways you can plug linux into AD for authentication. It might offer some hints...

> Maybe I need to dig into ldap.conf more. If you have any idea, let me know.
>
> Thank you very much.
>
> Lou
From hailumeng at gmail.com Fri Nov 20 04:28:18 2009
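An added example for adam's point in the message above that a real password check shows up as a bind at the very start of the conversation, while an anonymous search sends no credentials at all. This is my code, not adam's or OpenLDAP's: it encodes and decodes the LDAP simple BindRequest and BindResponse (RFC 4511, BER) so a packet pulled from a capture can be classified as anonymous, unauthenticated or a genuine simple bind, and the server's result code read off. The user DN and both packets are constructed for the example, not captured traffic.

```python
"""Decode what an LDAP simple bind looks like on the wire (RFC 4511, BER).

Added example for this thread, not code from OpenLDAP, pam_ldap or tac_plus.
All byte strings are constructed here, not captured traffic.
"""

# LDAP resultCode values from RFC 4511 appendix A (only the ones relevant here).
LDAP_RESULT = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
               32: "noSuchObject", 34: "invalidDNSyntax",
               48: "inappropriateAuthentication", 49: "invalidCredentials"}


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(n: int) -> bytes:
    """INTEGER for non-negative n; an extra leading 0x00 keeps the sign bit clear."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] {
       version 3, name, authentication simple [0] password } }"""
    op = _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, op))


def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] {
       resultCode ENUMERATED, matchedDN, diagnosticMessage } }"""
    op = (_tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"")
          + _tlv(0x04, diagnostic.encode()))
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x61, op))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_bind(packet: bytes):
    """Return (kind, dn, message_id) for a simple BindRequest. kind is
    'anonymous' (empty name and password), 'unauthenticated' (name but empty
    password, RFC 4513 5.1.2; servers commonly treat it as anonymous) or
    'simple' (name and password both present)."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _version, pos = _read_tlv(op, 0)
    _, dn, pos = _read_tlv(op, pos)
    tag, cred, _ = _read_tlv(op, pos)
    if tag != 0x80:
        raise ValueError("not a simple bind (SASL credentials use tag 0xA3)")
    if not dn and not cred:
        kind = "anonymous"
    elif not cred:
        kind = "unauthenticated"
    else:
        kind = "simple"
    return kind, dn.decode(), int.from_bytes(mid, "big")


def parse_bind_response(packet: bytes) -> dict:
    """Decode a BindResponse into message id, result code and diagnostic text."""
    _, msg, _ = _read_tlv(packet, 0)
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, _matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    code = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": code,
            "result": LDAP_RESULT.get(code, "other"),
            "diagnostic": diag.decode(errors="replace")}


USER_DN = "CN=joe,OU=User Accounts,DC=hq,DC=corp,DC=myhouse,DC=com"

if __name__ == "__main__":
    # Constructed exchange: the client binds as joe, the server rejects the password.
    req = bind_request(1, USER_DN, "wrong-password")
    resp = bind_response(1, 49, "invalid credentials (constructed diagnostic)")
    print(classify_bind(req))
    print(parse_bind_response(resp))
    print(classify_bind(bind_request(2, "", "")))
```

The 'unauthenticated' case is the one worth watching for when checking a dump: a bind that carries a DN but an empty password (what ldapsearch sends when -D is given without -w or -W) is commonly treated by servers as anonymous, so a search that returns entries after it proves nothing about the password. Only a 'simple' bind answered with result code 0 shows the directory actually verified the credentials; 49 means it rejected them, and 32 (noSuchObject) means the DN or search base itself was not found.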
From: hailumeng at gmail.com (Hailu Meng)
Date: Thu, 19 Nov 2009 22:28:18 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <4B060C7F.6010804@gmail.com>
References: <8dabae5b0911171659s22160784s6fd6db30fa260f43@mail.gmail.com> <4B03670B.8030204@gmail.com> <8dabae5b0911172011i3ee79a45ifb133a2cd0505fd5@mail.gmail.com> <8dabae5b0911172033i21db304fr25c8418dc8ef250d@mail.gmail.com> <4B03EF48.20706@gmail.com> <8dabae5b0911191342n2b0ece0dm745b150ff5811426@mail.gmail.com> <8dabae5b0911191712r18ec4c70p707a42d4c512ea29@mail.gmail.com> <4B060305.60106@gmail.com> <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <4B060C7F.6010804@gmail.com>
Message-ID: <8dabae5b0911192028x4e5fa107m9929a76947fa9d67@mail.gmail.com>

On Thu, Nov 19, 2009 at 9:26 PM, adam wrote:
> Hailu Meng wrote:
>
>> Adam,
>>
>> I tried the su - "userid" in my tacacs+ server but I don't have that userid in CentOS. So CentOS just doesn't want to let me log in. I think this will not ask the tacacs server to authenticate against AD.
>
> You shouldn't need to define the user in CentOS, that's the point of using ldap for authentication. The user is defined in ldap, not in CentOS. Now that I think about it, su - probably wouldn't work anyway, as AD doesn't by default have the data needed by a linux box to allow login...but see below for more options.
>
>> Is there any other way to test ldap authentication against AD with the userid in AD? I tried ldapsearch. It did find my user id without problem. But I haven't found any option to try with password and authenticate against AD.
>
> Try using -D:
>
> from `man ldapsearch`:
>
>   -D binddn
>       Use the Distinguished Name binddn to bind to the LDAP directory.
>
> so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate using whatever user you want to define. Just check and double check you get the right path in that dn.

Actually in my ldap.conf, I set bindcn to one testing user in AD. And bind is successful with the user password (bindpw). I set this because lots of articles say I need a proxy user account to bind. Then the other users in the same group can be searched and authenticated. Maybe I've got it wrong, but the result is good. They find my user. So I guess this -D and -w does the same thing as the configuration in ldap.conf. I mean bindcn and bindpw, right? I can try some user's password tomorrow morning to see what will happen. If there is no problem in this part, can we say the PAM/LDAP is clear? The issue then could be the interface between tacacs and pam?

>> Do you have ldap server setup or only the openldap library and openldap client? I don't understand why the log is not turned on. There must be some debugging info in the log which can help solve this issue.
>
> only the libs and client. You should not need the server. In the ldapsearch, you can use -d to get debugging info for that search. As before, higher number = more debug
>
>> If the user can authenticate, does ethereal capture some packets about password verification? Right now I only see the packets when ldap searches for my user id and gets results back from AD.
>
> Ethereal should catch all data flowing between the client and server. If you can search out the user in your AD right now, then one of two things is happening:
>
> 1. You are performing anonymous searches. In this case, no username and pw is provided, and your AD is happy to hand over info to anyone who asks for it. If this is the case, you will _not_ see authentication information. The following MS KB article should probably help you determine on your AD if anonymous queries are allowed:
>
> http://support.microsoft.com/kb/320528
>
> It has exact instructions for how to get it going, but you can follow along with it to check your current settings without making any changes.

I will check this out tomorrow morning.

> 2. Authentication is happening. It will be the _very_ first thing the client and server perform, after basic connection establishment. Look for it at the very beginning of a dump.

When I input the Username in my cisco switch, I saw the LDAP packet sent from my tacacs server to the AD server. And AD sent back a "search result" which includes my user information, including "sAMAccountName" (Username), "description", "group name" and "cn". It seems a good start.

> Also, it's a bit overkill, but the following article is extremely informative about all the different ways you can plug linux into AD for authentication. It might offer some hints...

What article is following? Thanks.
From hailumeng at gmail.com Fri Nov 20 13:26:10 2009
From: hailumeng at gmail.com (Hailu Meng)
Date: Fri, 20 Nov 2009 07:26:10 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <4B060C7F.6010804@gmail.com>
References: <8dabae5b0911171659s22160784s6fd6db30fa260f43@mail.gmail.com> <4B03670B.8030204@gmail.com> <8dabae5b0911172011i3ee79a45ifb133a2cd0505fd5@mail.gmail.com> <8dabae5b0911172033i21db304fr25c8418dc8ef250d@mail.gmail.com> <4B03EF48.20706@gmail.com> <8dabae5b0911191342n2b0ece0dm745b150ff5811426@mail.gmail.com> <8dabae5b0911191712r18ec4c70p707a42d4c512ea29@mail.gmail.com> <4B060305.60106@gmail.com> <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <4B060C7F.6010804@gmail.com>
Message-ID: <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com>

Still no clue how to turn on the log. Binding seems good. See my findings below. Thanks a lot.

On Thu, Nov 19, 2009 at 9:26 PM, adam wrote:
> Hailu Meng wrote:
>
>> Adam,
>>
>> I tried the su - "userid" in my tacacs+ server but I don't have that userid in CentOS. So CentOS just doesn't want to let me log in. I think this will not ask the tacacs server to authenticate against AD.
>
> You shouldn't need to define the user in CentOS, that's the point of using ldap for authentication. The user is defined in ldap, not in CentOS. Now that I think about it, su - probably wouldn't work anyway, as AD doesn't by default have the data needed by a linux box to allow login...but see below for more options.
>
>> Is there any other way to test ldap authentication against AD with the userid in AD? I tried ldapsearch. It did find my user id without problem. But I haven't found any option to try with password and authenticate against AD.
>
> Try using -D:
>
> from `man ldapsearch`:
>
>   -D binddn
>       Use the Distinguished Name binddn to bind to the LDAP directory.
>
> so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate using whatever user you want to define. Just check and double check you get the right path in that dn.

I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned lots of users' information. Does that mean it was successful?

>> Do you have ldap server setup or only the openldap library and openldap client? I don't understand why the log is not turned on. There must be some debugging info in the log which can help solve this issue.
>
> only the libs and client. You should not need the server. In the ldapsearch, you can use -d to get debugging info for that search. As before, higher number = more debug
>
>> If the user can authenticate, does ethereal capture some packets about password verification? Right now I only see the packets when ldap searches for my user id and gets results back from AD.
>
> Ethereal should catch all data flowing between the client and server. If you can search out the user in your AD right now, then one of two things is happening:
>
> 1. You are performing anonymous searches. In this case, no username and pw is provided, and your AD is happy to hand over info to anyone who asks for it. If this is the case, you will _not_ see authentication information. The following MS KB article should probably help you determine on your AD if anonymous queries are allowed:
>
> http://support.microsoft.com/kb/320528
>
> It has exact instructions for how to get it going, but you can follow along with it to check your current settings without making any changes.

I checked our setting. The permission type for normal users is "Read & Execute". I clicked edit to check the details of the permission. I think it only allows the user to read the attributes, permissions and such, and can't modify the AD. There is an "Everyone" setting which is also set as "Read & Execute". By the way, the AD is Win2003 R2.

> 2. Authentication is happening. It will be the _very_ first thing the client and server perform, after basic connection establishment. Look for it at the very beginning of a dump.
>
> Also, it's a bit overkill, but the following article is extremely informative about all the different ways you can plug linux into AD for authentication. It might offer some hints...
>
>> Maybe I need to dig into ldap.conf more. If you have any idea, let me know.
>>
>> Thank you very much.
>>
>> Lou
From heas at shrubbery.net Fri Nov 20 20:17:23 2009
From: heas at shrubbery.net (john heasley)
Date: Fri, 20 Nov 2009 20:17:23 +0000
Subject: [tac_plus] Re: PAP password in file possible?
In-Reply-To: <05CC562AFB5A9446A1BC3F66AD04A3BCC74A30@che-exch-003.uplinkdata.com>
References: <4B030922.2000704@gmail.com> <200911172308.37993.alan.mckinnon@gmail.com> <05CC562AFB5A9446A1BC3F66AD04A3BCC74A30@che-exch-003.uplinkdata.com>
Message-ID: <20091120201723.GM21701@shrubbery.net>

Tue, Nov 17, 2009 at 03:19:14PM -0700, Schmidt, Daniel:
> Brought this up a couple of weeks ago, actually. Didn't see pap = file as an option in the code.

It's on my list to add, but I'm amid some conflicting changes right now.

> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Tuesday, November 17, 2009 2:09 PM
> To: tac_plus at shrubbery.net
> Subject: [tac_plus] Re: PAP password in file possible?
>
> On Tuesday 17 November 2009 22:35:46 Stefan Watermann wrote:
>> Hi all,
>>
>> I'm currently working on getting authentication to a Cisco NAM2 module using TACACS to work.
>>
>> The box is using PAP and "login = file " (username:password:::::) does not work.
>>
>> Also using "pap = file " does not work. The only thing which worked was "pap = des ", which I'm using within a group.
>>
>> Is it possible to manage the passwords for all of my users in a file? I would like to be able to provide a PAP password for each of my users.
>
> I had the same a while back, and resorted to putting "pap = des password>" in the user section. This wasn't a big deal for me as my tac_plus.conf is generated on the fly from a backend database, which reduces it to a mere exercise in string manipulation in perl.
>
> Earlier than that I also needed to put other passwords into a file. I determined the only place this is supported is for the user's own login password. If I'm wrong in this, I'm sure John will be along shortly to correct me :-)
>
> --
> alan dot mckinnon at gmail dot com
From hailumeng at gmail.com Mon Nov 23 18:12:58 2009
From: hailumeng at gmail.com (Hailu Meng)
Date: Mon, 23 Nov 2009 12:12:58 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com>
References: <8dabae5b0911171659s22160784s6fd6db30fa260f43@mail.gmail.com> <8dabae5b0911172011i3ee79a45ifb133a2cd0505fd5@mail.gmail.com> <8dabae5b0911172033i21db304fr25c8418dc8ef250d@mail.gmail.com> <4B03EF48.20706@gmail.com> <8dabae5b0911191342n2b0ece0dm745b150ff5811426@mail.gmail.com> <8dabae5b0911191712r18ec4c70p707a42d4c512ea29@mail.gmail.com> <4B060305.60106@gmail.com> <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <4B060C7F.6010804@gmail.com> <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com>
Message-ID: <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com>

Hi Adam,

If the ldapsearch -D "" -w "" runs successfully, what are we supposed to get from the output? I just got all of the user information in that group. Does that mean my password and username got authenticated successfully against AD?

This thing drives me crazy. I need to solve it this week before the holiday...

Thanks a lot for the help.

Lou

On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng wrote:
> Still no clue how to turn on the log. Binding seems good. See my findings below. Thanks a lot.
From heas at shrubbery.net Mon Nov 23 18:23:51 2009
From: heas at shrubbery.net (john heasley)
Date: Mon, 23 Nov 2009 18:23:51 +0000
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com>
References: <8dabae5b0911172011i3ee79a45ifb133a2cd0505fd5@mail.gmail.com> <8dabae5b0911172033i21db304fr25c8418dc8ef250d@mail.gmail.com> <4B03EF48.20706@gmail.com> <8dabae5b0911191342n2b0ece0dm745b150ff5811426@mail.gmail.com> <8dabae5b0911191712r18ec4c70p707a42d4c512ea29@mail.gmail.com> <4B060305.60106@gmail.com> <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <4B060C7F.6010804@gmail.com> <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com> <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com>
Message-ID: <20091123182351.GH15357@shrubbery.net>

Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:
> Hi Adam,
>
> If the ldapsearch -D "" -w "" runs successfully, what are we supposed to get from the output? I just got all of the user information in that group. Does that mean my password and username got authenticated successfully against AD?
>
> This thing drives me crazy. I need to solve it this week before the holiday...

I haven't followed this thread, as I know nearly zero about ldap. But, have you enabled authentication debugging in the tacacs daemon and checked the logs to determine what is coming back from pam? It very well may be that the ldap client is working just fine, but there is a pam module bug or a bug in the tacplus daemon, or your device simply doesn't like something about the replies.

> Thanks a lot for the help.
>
> Lou
>
> On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng wrote:
>> Still no clue how to turn on the log. Binding seems good. See my findings below. Thanks a lot.
From hailumeng at gmail.com Mon Nov 23 18:43:00 2009
From: hailumeng at gmail.com (Hailu Meng)
Date: Mon, 23 Nov 2009 12:43:00 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <20091123182351.GH15357@shrubbery.net>
References: <8dabae5b0911172011i3ee79a45ifb133a2cd0505fd5@mail.gmail.com> <4B03EF48.20706@gmail.com> <8dabae5b0911191342n2b0ece0dm745b150ff5811426@mail.gmail.com> <8dabae5b0911191712r18ec4c70p707a42d4c512ea29@mail.gmail.com> <4B060305.60106@gmail.com> <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <4B060C7F.6010804@gmail.com> <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com> <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com> <20091123182351.GH15357@shrubbery.net>
Message-ID: <8dabae5b0911231043p42cfcddav850ffb8936decaae@mail.gmail.com>

Thanks John for helping me check this issue.

I just ran tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the log on stdout and in the log file. I can't see any suspicious log information here.
I paste the log below:

Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet
Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, flags 0x1
Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 11 (0xb)
Sat Nov 21 22:28:27 2009 [3393]: End header
Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
Sat Nov 21 22:28:27 2009 [3393]: User msg:
Sat Nov 21 22:28:27 2009 [3393]: myusername
Sat Nov 21 22:28:27 2009 [3393]: User data:
Sat Nov 21 22:28:27 2009 [3393]: End packet
Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn
Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function
Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28
Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, flags 0x1
Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 16 (0x10)
Sat Nov 21 22:28:27 2009 [3393]: End header
Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0
Sat Nov 21 22:28:27 2009 [3393]: msg:
Sat Nov 21 22:28:27 2009 [3393]: Password:
Sat Nov 21 22:28:27 2009 [3393]: data:
Sat Nov 21 22:28:27 2009 [3393]: End packet
Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet
Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30
Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=metro
Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, flags 0x1
Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 18 (0x12)
Sat Nov 21 22:28:34 2009 [3393]: End header
Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT
Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
Sat Nov 21 22:28:34 2009 [3393]: User msg:
Sat Nov 21 22:28:34 2009 [3393]: mypassword
Sat Nov 21 22:28:34 2009 [3393]: User data:
Sat Nov 21 22:28:34 2009 [3393]: End packet
Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from 10.1.69.89 rejected
Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18
Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey
Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, flags 0x1
Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 6 (0x6)
Sat Nov 21 22:28:36 2009 [3393]: End header
Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0
Sat Nov 21 22:28:36 2009 [3393]: msg:
Sat Nov 21 22:28:36 2009 [3393]: data:
Sat Nov 21 22:28:36 2009 [3393]: End packet
Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect

On Mon, Nov 23, 2009 at 12:23 PM, john heasley wrote:

> Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:
> > Hi Adam,
> >
> > If the ldapsearch -D "" -w "" runs successfully, what do we suppose to get
> > from the output? I just got all of the user information in that group. Does
> > that means my password and username got authenticated successfully against
> > AD?
> >
> > This thing drives me crazy. I need solve it through this week before the
> > holiday...
>
> i havent followed this thread, as i know nearly zero about ldap. but,
> have you enabled authentication debugging in the tacacas daemon and
> checked the logs to determine what is coming back from pam? it very
> well may be that the ldap client is working just fine, but there is a
> pam module bug or a bug in the tacplus daemon or that your device
> simply doesnt like something about the replies.
>
> > Thanks a lot for the help.
> > > > Lou > > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng wrote: > > > > > Still no clue how to turn on the log. binding seems good. See my > findings > > > below. Thanks a lot. > > > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam > wrote: > > > > > >> Hailu Meng wrote: > > >> > > >>> Adam, > > >>> > > >>> I tried the su - "userid" in my tacacs+ server but I don't have that > > >>> userid in CentOS. So the CentOS just don't want me log in. I think > this will > > >>> not ask tacacs server to authenticate against AD. > > >>> > > >> > > >> You shouldn't need to have to define the user in CentOS, that's the > point > > >> of using ldap for authentication. The user is defined in ldap, not in > > >> CentOS. Now that I think about it, su - probably wouldn't work > > >> anyway, as AD doesn't by default have the data needed by a linux box > to > > >> allow login...but see below for more options. > > >> > > >> > > >> > > >>> Is there any other way to test ldap authentication against AD with > the > > >>> userid in AD? I tried ldapsearch. It did find my user id without > problem. > > >>> But I haven't found any option to try with password and authenticate > against > > >>> AD. > > >>> > > >> > > >> Try using -D: > > >> > > >> from `man ldapsearch`: > > >> > > >> -D binddn > > >> Use the Distinguished Name binddn to bind to the LDAP directory. > > >> > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate > > >> using whatever user you want to define. Just check and double check > you get > > >> the right path in that dn. > > >> > > >> > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned lots > of > > > users' information. It means successful? > > > > > > > > >> Do you have ldap server setup or only the openldap library and > openldap > > >>> client? I don't understand why the log is not turned on. There must > be some > > >>> debugging info in the log which can help solve this issue. > > >>> > > >> > > >> only the libs and client. 
You should not need the server. In the > > >> ldapsearch, you can use -d to get debugging info for that > search. > > >> As before, higher number = more debug > > >> > > >> > > >> If the user can authenticate, does ethereal capture some packets > about > > >>> password verification? Right now I only see the packets when ldap > search for > > >>> my user id and gets results back from AD. > > >>> > > >> > > >> Ethereal should catch all data flowing between the client and server. > If > > >> you can search out the user in your AD right now, then one of two > things is > > >> happening: > > >> > > >> 1. You are performing anonymous searches. In this case, no username > and pw > > >> is provided, and your AD is happy to hand over info to anyone who asks > for > > >> it. If this is the case, you will _not_ see authentication > information. The > > >> following MS KB article should probably help you determine on your AD > if > > >> anonymous queries are allowed: > > >> > > >> http://support.microsoft.com/kb/320528 > > >> > > >> It has exact instructions for how to get it going, but you can follow > > >> along with it to check your current settings without making any > changes. > > >> > > > > > > I checked our setting. Permission type for normal user is "Read & > Execute". > > > I click edit to check the detail about permission. I think it only > allow the > > > user to read the attributes, permission something and can't modify the > > > AD.There is "Everyone" setting is also set as "Read & Execute". By the > way, > > > the AD is Win2003 R2. > > > > > > > > >> > > >> 2. Authentication is happening. It will be the _very_ first thing the > > >> client and server perform, after basic connection establishment. Look > for it > > >> at the very beginning of a dump. > > >> > > >> > > >> > > >> Also, it's a bit overkill, but the following article is extremely > > >> informative about all the different ways you can plug linux into AD > for > > >> authentication. 
It might offer some hints... > > >> > > >> > > >> > > >> > > >>> Maybe I need dig into ldap.conf more. If you have any idea, let me > know. > > >>> > > >>> Thank you very much. > > >>> > > >>> Lou > > >>> > > >> > > >> > > >> > > > > > -------------- next part -------------- > > An HTML attachment was scrubbed... > > URL: > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html > > _______________________________________________ > > tac_plus mailing list > > tac_plus at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/e61dd207/attachment.html From heas at shrubbery.net Mon Nov 23 20:20:54 2009 
From: heas at shrubbery.net (john heasley)
Date: Mon, 23 Nov 2009 20:20:54 +0000
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911231043p42cfcddav850ffb8936decaae@mail.gmail.com>
References: <4B03EF48.20706@gmail.com> <8dabae5b0911191342n2b0ece0dm745b150ff5811426@mail.gmail.com> <8dabae5b0911191712r18ec4c70p707a42d4c512ea29@mail.gmail.com> <4B060305.60106@gmail.com> <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <4B060C7F.6010804@gmail.com> <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com> <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com> <20091123182351.GH15357@shrubbery.net> <8dabae5b0911231043p42cfcddav850ffb8936decaae@mail.gmail.com>
Message-ID: <20091123202054.GB15357@shrubbery.net>

Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
> Thanks John for helping me check this issue.
>
> I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the

try -d 16 -d 256. which i think will log the pwd that pam received from
the device. make sure it's correct. the logs below do appear to be a
reject/fail returned from pam.

> log in stdout and in log file. I can't see any suspicious log information
> here.
I paste the log below: > > > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23 > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, flags > 0x1 > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data > length > 11 (0xb) > Sat Nov 21 22:28:27 2009 [3393]: End header > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 (0x0) > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0 > Sat Nov 21 22:28:27 2009 [3393]: User msg: > Sat Nov 21 22:28:27 2009 [3393]: myusername > Sat Nov 21 22:28:27 2009 [3393]: User data: > Sat Nov 21 22:28:27 2009 [3393]: End packet > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28 > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, flags > 0x1 > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data > length > 16 (0x10) > Sat Nov 21 22:28:27 2009 [3393]: End header > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) > flags=0x1 > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0 > Sat Nov 21 22:28:27 2009 [3393]: msg: > Sat Nov 21 22:28:27 2009 [3393]: Password: > Sat Nov 21 22:28:27 2009 [3393]: data: > Sat Nov 21 22:28:27 2009 [3393]: End packet > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30 > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=metro > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, flags > 0x1 > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), Data > length > 18 (0x12) > Sat Nov 21 22:28:34 2009 [3393]: End header > Sat Nov 21 22:28:34 2009 
[3393]: type=AUTHEN/CONT > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 > (0x0) > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0 > Sat Nov 21 22:28:34 2009 [3393]: User msg: > Sat Nov 21 22:28:34 2009 [3393]: mypassword > Sat Nov 21 22:28:34 2009 [3393]: User data: > Sat Nov 21 22:28:34 2009 [3393]: End packet > Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from > 10.1.69.89 r > ejected > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89 > (10.1.69.89) t > ty0 > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18 > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, flags > 0x1 > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), Data > length > 6 (0x6) > Sat Nov 21 22:28:36 2009 [3393]: End header > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) > flags=0x0 > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0 > Sat Nov 21 22:28:36 2009 [3393]: msg: > Sat Nov 21 22:28:36 2009 [3393]: data: > Sat Nov 21 22:28:36 2009 [3393]: End packet > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect > > > > On Mon, Nov 23, 2009 at 12:23 PM, john heasley wrote: > > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng: > > > Hi Adam, > > > > > > If the ldapsearch -D "" -w "" runs successfully, what do we suppose to > > get > > > from the output? I just got all of the user information in that group. > > Does > > > that means my password and username got authenticated successfully > > against > > > AD? > > > > > > This thing drives me crazy. I need solve it through this week before the > > > holiday... > > > > i havent followed this thread, as i know nearly zero about ldap. but, > > have you enabled authentication debugging in the tacacas daemon and > > checked the logs to determine what is coming back from pam? 
it very > > well may be that the ldap client is working just fine, but there is a > > pam module bug or a bug in the tacplus daemon or that your device > > simply doesnt like something about the replies. > > > > > Thanks a lot for the help. > > > > > > Lou > > > > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng wrote: > > > > > > > Still no clue how to turn on the log. binding seems good. See my > > findings > > > > below. Thanks a lot. > > > > > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam > > wrote: > > > > > > > >> Hailu Meng wrote: > > > >> > > > >>> Adam, > > > >>> > > > >>> I tried the su - "userid" in my tacacs+ server but I don't have that > > > >>> userid in CentOS. So the CentOS just don't want me log in. I think > > this will > > > >>> not ask tacacs server to authenticate against AD. > > > >>> > > > >> > > > >> You shouldn't need to have to define the user in CentOS, that's the > > point > > > >> of using ldap for authentication. The user is defined in ldap, not in > > > >> CentOS. Now that I think about it, su - probably wouldn't work > > > >> anyway, as AD doesn't by default have the data needed by a linux box > > to > > > >> allow login...but see below for more options. > > > >> > > > >> > > > >> > > > >>> Is there any other way to test ldap authentication against AD with > > the > > > >>> userid in AD? I tried ldapsearch. It did find my user id without > > problem. > > > >>> But I haven't found any option to try with password and authenticate > > against > > > >>> AD. > > > >>> > > > >> > > > >> Try using -D: > > > >> > > > >> from `man ldapsearch`: > > > >> > > > >> -D binddn > > > >> Use the Distinguished Name binddn to bind to the LDAP directory. > > > >> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate > > > >> using whatever user you want to define. Just check and double check > > you get > > > >> the right path in that dn. 
> > > >> > > > >> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned lots > > of > > > > users' information. It means successful? > > > > > > > > > > > >> Do you have ldap server setup or only the openldap library and > > openldap > > > >>> client? I don't understand why the log is not turned on. There must > > be some > > > >>> debugging info in the log which can help solve this issue. > > > >>> > > > >> > > > >> only the libs and client. You should not need the server. In the > > > >> ldapsearch, you can use -d to get debugging info for that > > search. > > > >> As before, higher number = more debug > > > >> > > > >> > > > >> If the user can authenticate, does ethereal capture some packets > > about > > > >>> password verification? Right now I only see the packets when ldap > > search for > > > >>> my user id and gets results back from AD. > > > >>> > > > >> > > > >> Ethereal should catch all data flowing between the client and server. > > If > > > >> you can search out the user in your AD right now, then one of two > > things is > > > >> happening: > > > >> > > > >> 1. You are performing anonymous searches. In this case, no username > > and pw > > > >> is provided, and your AD is happy to hand over info to anyone who asks > > for > > > >> it. If this is the case, you will _not_ see authentication > > information. The > > > >> following MS KB article should probably help you determine on your AD > > if > > > >> anonymous queries are allowed: > > > >> > > > >> http://support.microsoft.com/kb/320528 > > > >> > > > >> It has exact instructions for how to get it going, but you can follow > > > >> along with it to check your current settings without making any > > changes. > > > >> > > > > > > > > I checked our setting. Permission type for normal user is "Read & > > Execute". > > > > I click edit to check the detail about permission. 
I think it only > > allow the > > > > user to read the attributes, permission something and can't modify the > > > > AD.There is "Everyone" setting is also set as "Read & Execute". By the > > way, > > > > the AD is Win2003 R2. > > > > > > > > > > > >> > > > >> 2. Authentication is happening. It will be the _very_ first thing the > > > >> client and server perform, after basic connection establishment. Look > > for it > > > >> at the very beginning of a dump. > > > >> > > > >> > > > >> > > > >> Also, it's a bit overkill, but the following article is extremely > > > >> informative about all the different ways you can plug linux into AD > > for > > > >> authentication. It might offer some hints... > > > >> > > > >> > > > >> > > > >> > > > >>> Maybe I need dig into ldap.conf more. If you have any idea, let me > > know. > > > >>> > > > >>> Thank you very much. > > > >>> > > > >>> Lou > > > >>> > > > >> > > > >> > > > >> > > > > > > > -------------- next part -------------- > > > An HTML attachment was scrubbed... > > > URL: > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html > > > _______________________________________________ > > > tac_plus mailing list > > > tac_plus at shrubbery.net > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > From hailumeng at gmail.com Mon Nov 23 20:33:23 2009 
From: hailumeng at gmail.com (Hailu Meng)
Date: Mon, 23 Nov 2009 14:33:23 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <20091123202054.GB15357@shrubbery.net>
References: <4B03EF48.20706@gmail.com> <8dabae5b0911191712r18ec4c70p707a42d4c512ea29@mail.gmail.com> <4B060305.60106@gmail.com> <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <4B060C7F.6010804@gmail.com> <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com> <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com> <20091123182351.GH15357@shrubbery.net> <8dabae5b0911231043p42cfcddav850ffb8936decaae@mail.gmail.com> <20091123202054.GB15357@shrubbery.net>
Message-ID: <8dabae5b0911231233n82044b2w529c3f19b99fdf13@mail.gmail.com>

Hi John,

You mean issue a command like tac_plus -C /etc/tac_plus.conf -L -p 49 -d 16 -d 256 -g, with -d 16 -d 256 side by side? It didn't make any change. I got the same log info.

By the way, I also saw the log info in /var/log/messages:

Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from 10.1.69.89 rejected
Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89 (10.1.69.89) tty0

Do we have an option to see the log about PAM? I haven't found where it is. If we can check the log of PAM, then we could find something useful. Right now the log of tac_plus doesn't tell much about why the login failed.

Lou

On Mon, Nov 23, 2009 at 2:20 PM, john heasley wrote:

> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
> > Thanks John for helping me check this issue.
> >
> > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the
>
> try -d 16 -d 256. which i think will log the pwd that pam received from
> the device. make its correct.
the logs below do appear to be a > reject/fail > returned from pam. > > > log in stdout and in log file. I can't see any suspicious log information > > here. I paste the log below: > > > > > > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet > > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23 > > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey > > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, > flags > > 0x1 > > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data > > length > > 11 (0xb) > > Sat Nov 21 22:28:27 2009 [3393]: End header > > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT > > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 > (0x0) > > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0 > > Sat Nov 21 22:28:27 2009 [3393]: User msg: > > Sat Nov 21 22:28:27 2009 [3393]: myusername > > Sat Nov 21 22:28:27 2009 [3393]: User data: > > Sat Nov 21 22:28:27 2009 [3393]: End packet > > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn > > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function > > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28 > > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey > > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, > flags > > 0x1 > > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data > > length > > 16 (0x10) > > Sat Nov 21 22:28:27 2009 [3393]: End header > > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) > > flags=0x1 > > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0 > > Sat Nov 21 22:28:27 2009 [3393]: msg: > > Sat Nov 21 22:28:27 2009 [3393]: Password: > > Sat Nov 21 22:28:27 2009 [3393]: data: > > Sat Nov 21 22:28:27 2009 [3393]: End packet > > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet > > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30 > > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey > > Sat Nov 21 
22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, > flags > > 0x1 > > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), Data > > length > > 18 (0x12) > > Sat Nov 21 22:28:34 2009 [3393]: End header > > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT > > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 > > (0x0) > > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0 > > Sat Nov 21 22:28:34 2009 [3393]: User msg: > > Sat Nov 21 22:28:34 2009 [3393]: mypassword > > Sat Nov 21 22:28:34 2009 [3393]: User data: > > Sat Nov 21 22:28:34 2009 [3393]: End packet > > Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from > > 10.1.69.89 r > > ejected > > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89 > > (10.1.69.89) t > > ty0 > > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18 > > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey > > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, > flags > > 0x1 > > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), Data > > length > > 6 (0x6) > > Sat Nov 21 22:28:36 2009 [3393]: End header > > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) > > flags=0x0 > > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0 > > Sat Nov 21 22:28:36 2009 [3393]: msg: > > Sat Nov 21 22:28:36 2009 [3393]: data: > > Sat Nov 21 22:28:36 2009 [3393]: End packet > > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect > > > > > > > > On Mon, Nov 23, 2009 at 12:23 PM, john heasley > wrote: > > > > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng: > > > > Hi Adam, > > > > > > > > If the ldapsearch -D "" -w "" runs successfully, what do we suppose > to > > > get > > > > from the output? I just got all of the user information in that > group. > > > Does > > > > that means my password and username got authenticated successfully > > > against > > > > AD? > > > > > > > > This thing drives me crazy. 
I need solve it through this week before > the > > > > holiday... > > > > > > i havent followed this thread, as i know nearly zero about ldap. but, > > > have you enabled authentication debugging in the tacacas daemon and > > > checked the logs to determine what is coming back from pam? it very > > > well may be that the ldap client is working just fine, but there is a > > > pam module bug or a bug in the tacplus daemon or that your device > > > simply doesnt like something about the replies. > > > > > > > Thanks a lot for the help. > > > > > > > > Lou > > > > > > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng > wrote: > > > > > > > > > Still no clue how to turn on the log. binding seems good. See my > > > findings > > > > > below. Thanks a lot. > > > > > > > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam > > > wrote: > > > > > > > > > >> Hailu Meng wrote: > > > > >> > > > > >>> Adam, > > > > >>> > > > > >>> I tried the su - "userid" in my tacacs+ server but I don't have > that > > > > >>> userid in CentOS. So the CentOS just don't want me log in. I > think > > > this will > > > > >>> not ask tacacs server to authenticate against AD. > > > > >>> > > > > >> > > > > >> You shouldn't need to have to define the user in CentOS, that's > the > > > point > > > > >> of using ldap for authentication. The user is defined in ldap, not > in > > > > >> CentOS. Now that I think about it, su - probably wouldn't > work > > > > >> anyway, as AD doesn't by default have the data needed by a linux > box > > > to > > > > >> allow login...but see below for more options. > > > > >> > > > > >> > > > > >> > > > > >>> Is there any other way to test ldap authentication against AD > with > > > the > > > > >>> userid in AD? I tried ldapsearch. It did find my user id without > > > problem. > > > > >>> But I haven't found any option to try with password and > authenticate > > > against > > > > >>> AD. 
> > > > >>> > > > > >> > > > > >> Try using -D: > > > > >> > > > > >> from `man ldapsearch`: > > > > >> > > > > >> -D binddn > > > > >> Use the Distinguished Name binddn to bind to the LDAP directory. > > > > >> > > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to > authenticate > > > > >> using whatever user you want to define. Just check and double > check > > > you get > > > > >> the right path in that dn. > > > > >> > > > > >> > > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned > lots > > > of > > > > > users' information. It means successful? > > > > > > > > > > > > > > >> Do you have ldap server setup or only the openldap library and > > > openldap > > > > >>> client? I don't understand why the log is not turned on. There > must > > > be some > > > > >>> debugging info in the log which can help solve this issue. > > > > >>> > > > > >> > > > > >> only the libs and client. You should not need the server. In the > > > > >> ldapsearch, you can use -d to get debugging info for > that > > > search. > > > > >> As before, higher number = more debug > > > > >> > > > > >> > > > > >> If the user can authenticate, does ethereal capture some packets > > > about > > > > >>> password verification? Right now I only see the packets when ldap > > > search for > > > > >>> my user id and gets results back from AD. > > > > >>> > > > > >> > > > > >> Ethereal should catch all data flowing between the client and > server. > > > If > > > > >> you can search out the user in your AD right now, then one of two > > > things is > > > > >> happening: > > > > >> > > > > >> 1. You are performing anonymous searches. In this case, no > username > > > and pw > > > > >> is provided, and your AD is happy to hand over info to anyone who > asks > > > for > > > > >> it. If this is the case, you will _not_ see authentication > > > information. 
The > > > > >> following MS KB article should probably help you determine on your > AD > > > if > > > > >> anonymous queries are allowed: > > > > >> > > > > >> http://support.microsoft.com/kb/320528 > > > > >> > > > > >> It has exact instructions for how to get it going, but you can > follow > > > > >> along with it to check your current settings without making any > > > changes. > > > > >> > > > > > > > > > > I checked our setting. Permission type for normal user is "Read & > > > Execute". > > > > > I click edit to check the detail about permission. I think it only > > > allow the > > > > > user to read the attributes, permission something and can't modify > the > > > > > AD.There is "Everyone" setting is also set as "Read & Execute". By > the > > > way, > > > > > the AD is Win2003 R2. > > > > > > > > > > > > > > >> > > > > >> 2. Authentication is happening. It will be the _very_ first thing > the > > > > >> client and server perform, after basic connection establishment. > Look > > > for it > > > > >> at the very beginning of a dump. > > > > >> > > > > >> > > > > >> > > > > >> Also, it's a bit overkill, but the following article is extremely > > > > >> informative about all the different ways you can plug linux into > AD > > > for > > > > >> authentication. It might offer some hints... > > > > >> > > > > >> > > > > >> > > > > >> > > > > >>> Maybe I need dig into ldap.conf more. If you have any idea, let > me > > > know. > > > > >>> > > > > >>> Thank you very much. > > > > >>> > > > > >>> Lou > > > > >>> > > > > >> > > > > >> > > > > >> > > > > > > > > > -------------- next part -------------- > > > > An HTML attachment was scrubbed... 
> > > > URL: > > > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html > > > > _______________________________________________ > > > > tac_plus mailing list > > > > tac_plus at shrubbery.net > > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/d7e5f9b6/attachment.html From hailumeng at gmail.com Mon Nov 23 20:49:07 2009 
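Added example (editor's code, not from any message in this thread): the thread keeps circling one question, whether `ldapsearch -D ... -w ...` returning entries proves that the password was checked. The script below builds the LDAP simple BindRequest that OpenLDAP's `ldapsearch -x -D <dn> -w <pw>` sends as its very first PDU and decodes it, so a capture can be classified as anonymous (`-D "" -w ""`), unauthenticated (a DN with an empty password) or a real simple bind; only the last one exercises the password, which is Adam's point 1 above. It also decodes a BindResponse and pulls the Windows sub-status ("data 52e") out of the diagnostic text Active Directory attaches to an invalidCredentials reply, because that text, not the LDAP result code, says why a bind failed. BER is done by hand per RFC 4511 so nothing here needs a directory server; the DN, password and diagnostic string are constructed sample values. RFC 4513 says servers should refuse unauthenticated binds by default, but Active Directory is known to accept them and treat the session as anonymous, which is exactly the trap when testing with an empty `-w`.

```python
# Added example (editor's code, not from the thread): build and decode the LDAP
# simple-bind PDUs that `ldapsearch -x -D <dn> -w <pw>` puts on the wire, so a
# packet capture can be read for what it actually proves.  Pure Python, BER per
# RFC 4511, no network access; DNs, passwords and diagnostics are constructed.
import re


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """INTEGER, minimal two's complement (non-negative values only here)."""
    size = max(1, (n.bit_length() + 8) // 8)   # +8 keeps the sign bit clear
    return _tlv(0x02, n.to_bytes(size, "big"))


def bind_request(msg_id: int, dn: str, password: str, version: int = 3) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } with simple auth.
    This is the first PDU ldapsearch sends; -D "" -w "" yields an anonymous one."""
    auth = _tlv(0x80, password.encode())                      # AuthenticationChoice: simple [0]
    op = _tlv(0x60, _ber_int(version) + _tlv(0x04, dn.encode()) + auth)
    return _tlv(0x30, _ber_int(msg_id) + op)


def bind_response(msg_id: int, result_code: int, diag: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] } carrying an LDAPResult."""
    if not 0 <= result_code < 0x80:
        raise ValueError("LDAP result codes fit in one ENUMERATED octet")
    result = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diag.encode())
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x61, result))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long form
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials", 53: "unwillingToPerform"}

# Windows sub-status AD appends to the diagnosticMessage of a resultCode 49
# reply ("... AcceptSecurityContext error, data 52e, ..."); this, not the LDAP
# result code, says why the password check failed.
AD_DATA_CODES = {"525": "user not found", "52e": "bad password",
                 "530": "logon not permitted at this time", "532": "password expired",
                 "533": "account disabled", "701": "account expired",
                 "773": "user must reset password", "775": "account locked out"}


def decode(pdu: bytes) -> dict:
    """Decode one LDAPMessage holding a simple BindRequest or a BindResponse."""
    tag, value, end = _read_tlv(pdu, 0)
    if tag != 0x30 or end != len(pdu):
        raise ValueError("not a single LDAPMessage")
    (_, id_val), (op_tag, op_val) = _children(value)[:2]
    msg_id = int.from_bytes(id_val, "big")
    if op_tag == 0x60:                                         # BindRequest
        (_, ver), (_, name), (auth_tag, cred) = _children(op_val)
        if auth_tag != 0x80:
            raise ValueError("not a simple bind (SASL?)")
        if not name and not cred:
            kind = "anonymous"          # what ldapsearch -x -D "" -w "" sends
        elif not cred:
            kind = "unauthenticated"    # DN but no password, RFC 4513 5.1.2
        else:
            kind = "simple"             # the only kind that exercises the password
        return {"op": "BindRequest", "msg_id": msg_id, "version": int.from_bytes(ver, "big"),
                "dn": name.decode(), "kind": kind}
    if op_tag == 0x61:                                         # BindResponse
        (_, code), _, (_, diag) = _children(op_val)[:3]
        rc = int.from_bytes(code, "big")
        m = re.search(r"\bdata ([0-9a-f]{3})\b", diag.decode(errors="replace"))
        return {"op": "BindResponse", "msg_id": msg_id, "result_code": rc,
                "result": RESULT_NAMES.get(rc, "other"),
                "ad_reason": AD_DATA_CODES.get(m.group(1)) if m else None}
    raise ValueError(f"unhandled LDAP operation tag 0x{op_tag:02x}")


if __name__ == "__main__":
    # Constructed first PDUs of two ldapsearch runs, and a constructed AD reject.
    for pdu in (bind_request(1, "", ""),
                bind_request(1, "CN=Lou,OU=Staff,DC=example,DC=local", "s3cret")):
        print(pdu.hex(), decode(pdu))
    print(decode(bind_response(1, 49, "80090308: LdapErr: DSID-0C0903A9, comment: "
                                      "AcceptSecurityContext error, data 52e, v1db1")))
```

Reading a real capture with this: the first LDAPMessage after the TCP handshake is the bind; if `decode` reports `anonymous` or `unauthenticated`, the entries that come back in the SearchResult prove only that the directory allows anonymous reads, and the password was never sent, let alone checked. A BindResponse with result 49 and `ad_reason` set is the first place AD tells you whether the DN was wrong (525) or the password was (52e).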
From: hailumeng at gmail.com (Hailu Meng)
Date: Mon, 23 Nov 2009 14:49:07 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911231233n82044b2w529c3f19b99fdf13@mail.gmail.com>
References: <4B03EF48.20706@gmail.com> <4B060305.60106@gmail.com> <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <4B060C7F.6010804@gmail.com> <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com> <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com> <20091123182351.GH15357@shrubbery.net> <8dabae5b0911231043p42cfcddav850ffb8936decaae@mail.gmail.com> <20091123202054.GB15357@shrubbery.net> <8dabae5b0911231233n82044b2w529c3f19b99fdf13@mail.gmail.com>
Message-ID: <8dabae5b0911231249n5caf23e3nf0b53d2d3826cad1@mail.gmail.com>

I think I need to put my PAM configuration here:

I followed this post http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html to configure my PAM module:

/etc/pam.d/tacacs

auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng wrote:
> Hi John,
>
> You mean issue commands like tac_plus -C /etct/tac_plus.conf -L -p 49 -d 16
> -d 256 -g ? -d 16 -d 256 side by side? It didn't make any change. I got same
> log info. By the way, I also saw the log info in /var/log/message:
> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from
> 10.1.69.89 rejected
> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89
> (10.1.69.89) tty0
>
> Do we have option to see the log about PAM? I haven't found where it is. if
> we can check the log of PAM, then we could find something useful. Right now
> the log of tac_plus didn't tell too much about why login got failure.
>
> Lou
>
> On Mon, Nov 23, 2009 at 2:20 PM, john heasley wrote:
>
>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
>> > Thanks John for helping me check this issue.
>> >
>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see
>> the
>>
>> try -d 16 -d 256.
which i think will log the pwd that pam received from >> the device. make its correct. the logs below do appear to be a >> reject/fail >> returned from pam. >> >> > log in stdout and in log file. I can't see any suspicious log >> information >> > here. I paste the log below: >> > >> > >> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet >> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23 >> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey >> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, >> flags >> > 0x1 >> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), >> Data >> > length >> > 11 (0xb) >> > Sat Nov 21 22:28:27 2009 [3393]: End header >> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT >> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 >> (0x0) >> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0 >> > Sat Nov 21 22:28:27 2009 [3393]: User msg: >> > Sat Nov 21 22:28:27 2009 [3393]: myusername >> > Sat Nov 21 22:28:27 2009 [3393]: User data: >> > Sat Nov 21 22:28:27 2009 [3393]: End packet >> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn >> > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function >> > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28 >> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey >> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, >> flags >> > 0x1 >> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), >> Data >> > length >> > 16 (0x10) >> > Sat Nov 21 22:28:27 2009 [3393]: End header >> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) >> > flags=0x1 >> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0 >> > Sat Nov 21 22:28:27 2009 [3393]: msg: >> > Sat Nov 21 22:28:27 2009 [3393]: Password: >> > Sat Nov 21 22:28:27 2009 [3393]: data: >> > Sat Nov 21 22:28:27 2009 [3393]: End packet >> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for 
packet >> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30 >> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey >> >> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, >> flags >> > 0x1 >> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), >> Data >> > length >> > 18 (0x12) >> > Sat Nov 21 22:28:34 2009 [3393]: End header >> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT >> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 >> > (0x0) >> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0 >> > Sat Nov 21 22:28:34 2009 [3393]: User msg: >> > Sat Nov 21 22:28:34 2009 [3393]: mypassword >> > Sat Nov 21 22:28:34 2009 [3393]: User data: >> > Sat Nov 21 22:28:34 2009 [3393]: End packet >> > Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from >> > 10.1.69.89 r >> > ejected >> > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89 >> > (10.1.69.89) t >> > ty0 >> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18 >> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey >> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, >> flags >> > 0x1 >> > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), >> Data >> > length >> > 6 (0x6) >> > Sat Nov 21 22:28:36 2009 [3393]: End header >> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) >> > flags=0x0 >> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0 >> > Sat Nov 21 22:28:36 2009 [3393]: msg: >> > Sat Nov 21 22:28:36 2009 [3393]: data: >> > Sat Nov 21 22:28:36 2009 [3393]: End packet >> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect >> > >> > >> > >> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley >> wrote: >> > >> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng: >> > > > Hi Adam, >> > > > >> > > > If the ldapsearch -D "" -w "" runs successfully, what do we suppose >> to >> > > get >> > > > from the output? 
I just got all of the user information in that >> group. >> > > Does >> > > > that means my password and username got authenticated successfully >> > > against >> > > > AD? >> > > > >> > > > This thing drives me crazy. I need solve it through this week before >> the >> > > > holiday... >> > > >> > > i havent followed this thread, as i know nearly zero about ldap. but, >> > > have you enabled authentication debugging in the tacacas daemon and >> > > checked the logs to determine what is coming back from pam? it very >> > > well may be that the ldap client is working just fine, but there is a >> > > pam module bug or a bug in the tacplus daemon or that your device >> > > simply doesnt like something about the replies. >> > > >> > > > Thanks a lot for the help. >> > > > >> > > > Lou >> > > > >> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng >> wrote: >> > > > >> > > > > Still no clue how to turn on the log. binding seems good. See my >> > > findings >> > > > > below. Thanks a lot. >> > > > > >> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam >> > > wrote: >> > > > > >> > > > >> Hailu Meng wrote: >> > > > >> >> > > > >>> Adam, >> > > > >>> >> > > > >>> I tried the su - "userid" in my tacacs+ server but I don't have >> that >> > > > >>> userid in CentOS. So the CentOS just don't want me log in. I >> think >> > > this will >> > > > >>> not ask tacacs server to authenticate against AD. >> > > > >>> >> > > > >> >> > > > >> You shouldn't need to have to define the user in CentOS, that's >> the >> > > point >> > > > >> of using ldap for authentication. The user is defined in ldap, >> not in >> > > > >> CentOS. Now that I think about it, su - probably wouldn't >> work >> > > > >> anyway, as AD doesn't by default have the data needed by a linux >> box >> > > to >> > > > >> allow login...but see below for more options. >> > > > >> >> > > > >> >> > > > >> >> > > > >>> Is there any other way to test ldap authentication against AD >> with >> > > the >> > > > >>> userid in AD? 
I tried ldapsearch. It did find my user id without >> > > problem. >> > > > >>> But I haven't found any option to try with password and >> authenticate >> > > against >> > > > >>> AD. >> > > > >>> >> > > > >> >> > > > >> Try using -D: >> > > > >> >> > > > >> from `man ldapsearch`: >> > > > >> >> > > > >> -D binddn >> > > > >> Use the Distinguished Name binddn to bind to the LDAP directory. >> > > > >> >> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to >> authenticate >> > > > >> using whatever user you want to define. Just check and double >> check >> > > you get >> > > > >> the right path in that dn. >> > > > >> >> > > > >> >> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned >> lots >> > > of >> > > > > users' information. It means successful? >> > > > > >> > > > > >> > > > >> Do you have ldap server setup or only the openldap library and >> > > openldap >> > > > >>> client? I don't understand why the log is not turned on. There >> must >> > > be some >> > > > >>> debugging info in the log which can help solve this issue. >> > > > >>> >> > > > >> >> > > > >> only the libs and client. You should not need the server. In the >> > > > >> ldapsearch, you can use -d to get debugging info for >> that >> > > search. >> > > > >> As before, higher number = more debug >> > > > >> >> > > > >> >> > > > >> If the user can authenticate, does ethereal capture some packets >> > > about >> > > > >>> password verification? Right now I only see the packets when >> ldap >> > > search for >> > > > >>> my user id and gets results back from AD. >> > > > >>> >> > > > >> >> > > > >> Ethereal should catch all data flowing between the client and >> server. >> > > If >> > > > >> you can search out the user in your AD right now, then one of two >> > > things is >> > > > >> happening: >> > > > >> >> > > > >> 1. You are performing anonymous searches. 
In this case, no >> username >> > > and pw >> > > > >> is provided, and your AD is happy to hand over info to anyone who >> asks >> > > for >> > > > >> it. If this is the case, you will _not_ see authentication >> > > information. The >> > > > >> following MS KB article should probably help you determine on >> your AD >> > > if >> > > > >> anonymous queries are allowed: >> > > > >> >> > > > >> http://support.microsoft.com/kb/320528 >> > > > >> >> > > > >> It has exact instructions for how to get it going, but you can >> follow >> > > > >> along with it to check your current settings without making any >> > > changes. >> > > > >> >> > > > > >> > > > > I checked our setting. Permission type for normal user is "Read & >> > > Execute". >> > > > > I click edit to check the detail about permission. I think it only >> > > allow the >> > > > > user to read the attributes, permission something and can't modify >> the >> > > > > AD.There is "Everyone" setting is also set as "Read & Execute". By >> the >> > > way, >> > > > > the AD is Win2003 R2. >> > > > > >> > > > > >> > > > >> >> > > > >> 2. Authentication is happening. It will be the _very_ first thing >> the >> > > > >> client and server perform, after basic connection establishment. >> Look >> > > for it >> > > > >> at the very beginning of a dump. >> > > > >> >> > > > >> >> > > > >> >> > > > >> Also, it's a bit overkill, but the following article is extremely >> > > > >> informative about all the different ways you can plug linux into >> AD >> > > for >> > > > >> authentication. It might offer some hints... >> > > > >> >> > > > >> >> > > > >> >> > > > >> >> > > > >>> Maybe I need dig into ldap.conf more. If you have any idea, let >> me >> > > know. >> > > > >>> >> > > > >>> Thank you very much. >> > > > >>> >> > > > >>> Lou >> > > > >>> >> > > > >> >> > > > >> >> > > > >> >> > > > > >> > > > -------------- next part -------------- >> > > > An HTML attachment was scrubbed... 
>> > > > URL: >> > > >> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html >> > > > _______________________________________________ >> > > > tac_plus mailing list >> > > > tac_plus at shrubbery.net >> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus >> > > >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/9bc5af89/attachment.html From hailumeng at gmail.com Mon Nov 23 21:12:53 2009 
From: hailumeng at gmail.com (Hailu Meng)
Date: Mon, 23 Nov 2009 15:12:53 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911231249n5caf23e3nf0b53d2d3826cad1@mail.gmail.com>
References: <4B03EF48.20706@gmail.com> <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <4B060C7F.6010804@gmail.com> <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com> <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com> <20091123182351.GH15357@shrubbery.net> <8dabae5b0911231043p42cfcddav850ffb8936decaae@mail.gmail.com> <20091123202054.GB15357@shrubbery.net> <8dabae5b0911231233n82044b2w529c3f19b99fdf13@mail.gmail.com> <8dabae5b0911231249n5caf23e3nf0b53d2d3826cad1@mail.gmail.com>
Message-ID: <8dabae5b0911231312v2122ff0fs32c91e4391edfc8d@mail.gmail.com>

I just saw some posts saying pam_krb or winbind could be needed to get PAM to work against Active Directory. Is this true? The post I was following is actually for an LDAP server, not Active Directory.

On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng wrote:
> I think I need put my pam configuration here:
>
> I followed this post
> http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html to
> configure my pam module:
>
> /etc/pam.d/tacacs
>
> auth include system-auth
> account required pam_nologin.so
> account include system-auth
> password include system-auth
> session optional pam_keyinit.so force revoke
> session include system-auth
> session required pam_loginuid.so
>
> /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_succeed_if.so uid < 500 quiet
>
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
>
> On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng wrote:
>
>> Hi John,
>>
>> You mean issue commands like tac_plus -C /etct/tac_plus.conf -L -p 49 -d
>> 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make any change. I got
>> same log info. By the way, I also saw the log info in /var/log/message:
>> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
>> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
>> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
>> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from
>> 10.1.69.89 rejected
>> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89
>> (10.1.69.89) tty0
>>
>> Do we have option to see the log about PAM? I haven't found where it is.
>> if we can check the log of PAM, then we could find something useful. Right
>> now the log of tac_plus didn't tell too much about why login got failure.
>>
>> Lou
>>
>> On Mon, Nov 23, 2009 at 2:20 PM, john heasley wrote:
>>
>>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
>>> > Thanks John for helping me check this issue.
>>> > >>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see >>> the >>> >>> try -d 16 -d 256. which i think will log the pwd that pam received from >>> the device. make its correct. the logs below do appear to be a >>> reject/fail >>> returned from pam. >>> >>> > log in stdout and in log file. I can't see any suspicious log >>> information >>> > here. I paste the log below: >>> > >>> > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23 >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, >>> flags >>> > 0x1 >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), >>> Data >>> > length >>> > 11 (0xb) >>> > Sat Nov 21 22:28:27 2009 [3393]: End header >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 >>> (0x0) >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0 >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg: >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername >>> > Sat Nov 21 22:28:27 2009 [3393]: User data: >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28 >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, >>> flags >>> > 0x1 >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), >>> Data >>> > length >>> > 16 (0x10) >>> > Sat Nov 21 22:28:27 2009 [3393]: End header >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) >>> > flags=0x1 >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0 >>> > Sat Nov 21 22:28:27 2009 [3393]: msg: >>> > Sat Nov 21 22:28:27 2009 
[3393]: Password: >>> > Sat Nov 21 22:28:27 2009 [3393]: data: >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30 >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey >>> >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, >>> flags >>> > 0x1 >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), >>> Data >>> > length >>> > 18 (0x12) >>> > Sat Nov 21 22:28:34 2009 [3393]: End header >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 >>> > (0x0) >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0 >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg: >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword >>> > Sat Nov 21 22:28:34 2009 [3393]: User data: >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from >>> > 10.1.69.89 r >>> > ejected >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89 >>> > (10.1.69.89) t >>> > ty0 >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18 >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, >>> flags >>> > 0x1 >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), >>> Data >>> > length >>> > 6 (0x6) >>> > Sat Nov 21 22:28:36 2009 [3393]: End header >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) >>> > flags=0x0 >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0 >>> > Sat Nov 21 22:28:36 2009 [3393]: msg: >>> > Sat Nov 21 22:28:36 2009 [3393]: data: >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect >>> > >>> > >>> > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley >>> wrote: >>> > >>> > > 
Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng: >>> > > > Hi Adam, >>> > > > >>> > > > If the ldapsearch -D "" -w "" runs successfully, what do we suppose >>> to >>> > > get >>> > > > from the output? I just got all of the user information in that >>> group. >>> > > Does >>> > > > that means my password and username got authenticated successfully >>> > > against >>> > > > AD? >>> > > > >>> > > > This thing drives me crazy. I need solve it through this week >>> before the >>> > > > holiday... >>> > > >>> > > i havent followed this thread, as i know nearly zero about ldap. >>> but, >>> > > have you enabled authentication debugging in the tacacas daemon and >>> > > checked the logs to determine what is coming back from pam? it very >>> > > well may be that the ldap client is working just fine, but there is a >>> > > pam module bug or a bug in the tacplus daemon or that your device >>> > > simply doesnt like something about the replies. >>> > > >>> > > > Thanks a lot for the help. >>> > > > >>> > > > Lou >>> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng >>> wrote: >>> > > > >>> > > > > Still no clue how to turn on the log. binding seems good. See my >>> > > findings >>> > > > > below. Thanks a lot. >>> > > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam >>> > > wrote: >>> > > > > >>> > > > >> Hailu Meng wrote: >>> > > > >> >>> > > > >>> Adam, >>> > > > >>> >>> > > > >>> I tried the su - "userid" in my tacacs+ server but I don't have >>> that >>> > > > >>> userid in CentOS. So the CentOS just don't want me log in. I >>> think >>> > > this will >>> > > > >>> not ask tacacs server to authenticate against AD. >>> > > > >>> >>> > > > >> >>> > > > >> You shouldn't need to have to define the user in CentOS, that's >>> the >>> > > point >>> > > > >> of using ldap for authentication. The user is defined in ldap, >>> not in >>> > > > >> CentOS. 
Now that I think about it, su - probably wouldn't >>> work >>> > > > >> anyway, as AD doesn't by default have the data needed by a linux >>> box >>> > > to >>> > > > >> allow login...but see below for more options. >>> > > > >> >>> > > > >> >>> > > > >> >>> > > > >>> Is there any other way to test ldap authentication against AD >>> with >>> > > the >>> > > > >>> userid in AD? I tried ldapsearch. It did find my user id >>> without >>> > > problem. >>> > > > >>> But I haven't found any option to try with password and >>> authenticate >>> > > against >>> > > > >>> AD. >>> > > > >>> >>> > > > >> >>> > > > >> Try using -D: >>> > > > >> >>> > > > >> from `man ldapsearch`: >>> > > > >> >>> > > > >> -D binddn >>> > > > >> Use the Distinguished Name binddn to bind to the LDAP >>> directory. >>> > > > >> >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to >>> authenticate >>> > > > >> using whatever user you want to define. Just check and double >>> check >>> > > you get >>> > > > >> the right path in that dn. >>> > > > >> >>> > > > >> >>> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just >>> returned lots >>> > > of >>> > > > > users' information. It means successful? >>> > > > > >>> > > > > >>> > > > >> Do you have ldap server setup or only the openldap library and >>> > > openldap >>> > > > >>> client? I don't understand why the log is not turned on. There >>> must >>> > > be some >>> > > > >>> debugging info in the log which can help solve this issue. >>> > > > >>> >>> > > > >> >>> > > > >> only the libs and client. You should not need the server. In the >>> > > > >> ldapsearch, you can use -d to get debugging info for >>> that >>> > > search. >>> > > > >> As before, higher number = more debug >>> > > > >> >>> > > > >> >>> > > > >> If the user can authenticate, does ethereal capture some >>> packets >>> > > about >>> > > > >>> password verification? 
Right now I only see the packets when >>> ldap >>> > > search for >>> > > > >>> my user id and gets results back from AD. >>> > > > >>> >>> > > > >> >>> > > > >> Ethereal should catch all data flowing between the client and >>> server. >>> > > If >>> > > > >> you can search out the user in your AD right now, then one of >>> two >>> > > things is >>> > > > >> happening: >>> > > > >> >>> > > > >> 1. You are performing anonymous searches. In this case, no >>> username >>> > > and pw >>> > > > >> is provided, and your AD is happy to hand over info to anyone >>> who asks >>> > > for >>> > > > >> it. If this is the case, you will _not_ see authentication >>> > > information. The >>> > > > >> following MS KB article should probably help you determine on >>> your AD >>> > > if >>> > > > >> anonymous queries are allowed: >>> > > > >> >>> > > > >> http://support.microsoft.com/kb/320528 >>> > > > >> >>> > > > >> It has exact instructions for how to get it going, but you can >>> follow >>> > > > >> along with it to check your current settings without making any >>> > > changes. >>> > > > >> >>> > > > > >>> > > > > I checked our setting. Permission type for normal user is "Read & >>> > > Execute". >>> > > > > I click edit to check the detail about permission. I think it >>> only >>> > > allow the >>> > > > > user to read the attributes, permission something and can't >>> modify the >>> > > > > AD.There is "Everyone" setting is also set as "Read & Execute". >>> By the >>> > > way, >>> > > > > the AD is Win2003 R2. >>> > > > > >>> > > > > >>> > > > >> >>> > > > >> 2. Authentication is happening. It will be the _very_ first >>> thing the >>> > > > >> client and server perform, after basic connection establishment. >>> Look >>> > > for it >>> > > > >> at the very beginning of a dump. 
>>> > > > >> >>> > > > >> >>> > > > >> >>> > > > >> Also, it's a bit overkill, but the following article is >>> extremely >>> > > > >> informative about all the different ways you can plug linux into >>> AD >>> > > for >>> > > > >> authentication. It might offer some hints... >>> > > > >> >>> > > > >> >>> > > > >> >>> > > > >> >>> > > > >>> Maybe I need dig into ldap.conf more. If you have any idea, let >>> me >>> > > know. >>> > > > >>> >>> > > > >>> Thank you very much. >>> > > > >>> >>> > > > >>> Lou >>> > > > >>> >>> > > > >> >>> > > > >> >>> > > > >> >>> > > > > >>> > > > -------------- next part -------------- >>> > > > An HTML attachment was scrubbed... >>> > > > URL: >>> > > >>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html >>> > > > _______________________________________________ >>> > > > tac_plus mailing list >>> > > > tac_plus at shrubbery.net >>> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus >>> > > >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/1d5db6ba/attachment.html From heas at shrubbery.net Mon Nov 23 21:16:11 2009 
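Added example (editor's code, not from the thread or from tac_plus itself): John's advice above is to read what the tac_plus -d trace says about the reply from PAM, and the traces Lou pasted are long enough that the exchange is easy to lose. The script below turns a trace in that format into one record per authentication session: the packet sequence (GETUSER, CONT, GETPASS, CONT, FAIL), the user and NAS address from the "login query" line, the verdict, and the time between the password reaching the daemon and the verdict being written, which is the clue that the backend was consulted rather than the request failing locally. It also finds the "User msg:" line that follows GETPASS, which at these debug levels is the device's cleartext password, and produces a redacted copy of the trace so the log can be pasted into a ticket or a list without it. The sample trace is constructed in the thread's format; the session id and NAS address mirror the placeholder values in the thread and the password is made up.

```python
# Added example (editor's code, not from the thread or from tac_plus): read a
# tac_plus -d debug trace in the format pasted above into one record per
# authentication session, and redact the line that carries the device's
# cleartext password.  The sample trace is constructed in that format; the
# session id and NAS address mirror the thread's placeholder values and the
# password is made up.
import re
from collections import defaultdict
from datetime import datetime

DEBUG_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[(?P<pid>\d+)\]: (?P<msg>.*)$")
PACKET_RE = re.compile(r"^(?P<dir>Read|Writing) (?P<kind>AUTHEN/\w+) size=\d+$")
SESSION_RE = re.compile(r"^session_id \d+ \((?P<hex>0x[0-9a-f]+)\)")
QUERY_RE = re.compile(r"^login query for '(?P<user>[^']*)' \S+ from (?P<nas>\S+) (?P<verdict>accepted|rejected)$")

SAMPLE_TRACE = """\
Sat Nov 21 22:28:22 2009 [3393]: Read AUTHEN/START size=37
Sat Nov 21 22:28:22 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 25 (0x19)
Sat Nov 21 22:28:22 2009 [3393]: Writing AUTHEN/GETUSER size=28
Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
Sat Nov 21 22:28:27 2009 [3393]: User msg:
Sat Nov 21 22:28:27 2009 [3393]: myusername
Sat Nov 21 22:28:27 2009 [3393]: User data:
Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28
Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30
Sat Nov 21 22:28:34 2009 [3393]: User msg:
Sat Nov 21 22:28:34 2009 [3393]: hunter2
Sat Nov 21 22:28:34 2009 [3393]: User data:
Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from 10.1.69.89 rejected
Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18
Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect
""".splitlines()


def _new_session():
    return {"session_id": None, "user": None, "nas": None, "verdict": None,
            "packets": [], "verify_seconds": None, "password_lines": []}


def parse_debug_trace(lines):
    """Group a -d trace by daemon pid (one forked child per connection) into sessions."""
    sessions = defaultdict(_new_session)
    state = defaultdict(lambda: {"awaiting": None, "pass_at": None, "user_msg_next": False})
    for lineno, line in enumerate(lines, 1):
        m = DEBUG_RE.match(line.rstrip())
        if not m:
            continue
        pid, msg, when = m["pid"], m["msg"], datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        s, st = sessions[pid], state[pid]
        if st["user_msg_next"]:
            st["user_msg_next"] = False
            if msg != "User data:":        # an empty user_msg is followed directly by "User data:"
                if st["awaiting"] == "pass":
                    s["password_lines"].append(lineno)   # cleartext password; recorded by position only
                elif st["awaiting"] == "user" and s["user"] is None:
                    s["user"] = msg
                continue
        if (pm := PACKET_RE.match(msg)):
            s["packets"].append(("<- " if pm["dir"] == "Read" else "-> ") + pm["kind"])
            kind = pm["kind"].split("/", 1)[1]
            if pm["dir"] == "Read":
                if kind == "CONT" and st["awaiting"] == "pass":
                    st["pass_at"] = when               # password reached the daemon
            else:
                if kind in ("PASS", "FAIL") and st["pass_at"]:
                    # time between the password arriving and the verdict: a gap here means
                    # the backend (PAM/LDAP) was consulted rather than failing locally
                    s["verify_seconds"] = (when - st["pass_at"]).total_seconds()
                st["awaiting"] = {"GETUSER": "user", "GETPASS": "pass"}.get(kind)
        elif (sm := SESSION_RE.match(msg)):
            s["session_id"] = sm["hex"]
        elif msg == "User msg:":
            st["user_msg_next"] = True
        elif (qm := QUERY_RE.match(msg)):
            s["user"], s["nas"], s["verdict"] = qm["user"], qm["nas"], qm["verdict"]
    return dict(sessions)


def redact_trace(lines):
    """Return the trace with each cleartext password line masked, safe to paste elsewhere."""
    secret = {n for s in parse_debug_trace(lines).values() for n in s["password_lines"]}
    return [line.split("]: ", 1)[0] + "]: [password redacted]" if i in secret else line
            for i, line in enumerate(lines, 1)]


if __name__ == "__main__":
    for pid, s in parse_debug_trace(SAMPLE_TRACE).items():
        print(f"pid {pid} session {s['session_id']}: {s['user']} from {s['nas']} {s['verdict']} "
              f"after {s['verify_seconds']}s; password on line(s) {s['password_lines']}")
        print("  " + "  ".join(s["packets"]))
    print("\n".join(redact_trace(SAMPLE_TRACE)))
```

Run it against `tac_plus -C ... -L -d 16 -d 256 -g` output redirected to a file and it prints one line per session. The two-second gap between the second CONT and the FAIL in the constructed sample is the kind of delay the thread's own trace shows, and it is consistent with PAM having gone to the directory and come back with a reject. Because the password sits in the log whenever these debug levels are on, keep the file mode restrictive and pass it through `redact_trace` before sharing it.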
From: heas at shrubbery.net (john heasley)
Date: Mon, 23 Nov 2009 21:16:11 +0000
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911231312v2122ff0fs32c91e4391edfc8d@mail.gmail.com>
References: <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <4B060C7F.6010804@gmail.com> <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com> <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com> <20091123182351.GH15357@shrubbery.net> <8dabae5b0911231043p42cfcddav850ffb8936decaae@mail.gmail.com> <20091123202054.GB15357@shrubbery.net> <8dabae5b0911231233n82044b2w529c3f19b99fdf13@mail.gmail.com> <8dabae5b0911231249n5caf23e3nf0b53d2d3826cad1@mail.gmail.com> <8dabae5b0911231312v2122ff0fs32c91e4391edfc8d@mail.gmail.com>
Message-ID: <20091123211611.GC15357@shrubbery.net>

Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
> I just saw some posts saying pam_krb winbind could be needed to get pam work
> against active directory. Is this true? The post I was following actually is
> for a LDAP server not Active Directory.

I don't know; each PAM implementation seems to be [at least] slightly different. It seems silly to need Kerberos for LDAP.

> On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng wrote:
>
> > I think I need put my pam configuration here:
> >
> > I followed this post
> > http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html to
> > configure my pam module:
> >
> > /etc/pam.d/tacacs
> >
> > auth include system-auth
> > account required pam_nologin.so
> > account include system-auth
> > password include system-auth
> > session optional pam_keyinit.so force revoke
> > session include system-auth
> > session required pam_loginuid.so
> >
> > /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so > > auth sufficient pam_unix.so nullok try_first_pass > > auth requisite pam_succeed_if.so uid >= 500 quiet > > auth sufficient pam_ldap.so use_first_pass > > auth required pam_deny.so > > > > account required pam_unix.so broken_shadow > > account sufficient pam_succeed_if.so uid < 500 quiet > > > > account [default=bad success=ok user_unknown=ignore] pam_ldap.so > > account required pam_permit.so > > > > password requisite pam_cracklib.so try_first_pass retry=3 > > password sufficient pam_unix.so md5 shadow nullok try_first_pass > > use_authtok > > password sufficient pam_ldap.so use_authtok > > password required pam_deny.so > > > > session optional pam_keyinit.so revoke > > session required pam_limits.so > > session [success=1 default=ignore] pam_succeed_if.so service in crond > > quiet use_uid > > session required pam_unix.so > > session optional pam_ldap.so > > > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng wrote: > > > >> Hi John, > >> > >> You mean issue commands like tac_plus -C /etct/tac_plus.conf -L -p 49 -d > >> 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make any change. I got > >> same log info. By the way, I also saw the log info in /var/log/message: > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1 > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89] > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from > >> 10.1.69.89 rejected > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89 > >> (10.1.69.89) tty0 > >> > >> Do we have option to see the log about PAM? I haven't found where it is. > >> if we can check the log of PAM, then we could find something useful. Right > >> now the log of tac_plus didn't tell too much about why login got failure. add -d 32. -d x -d y ... will be logically OR'd together. 
> >> Lou
> >>
> >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley wrote:
> >>
> >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
> >>> > Thanks John for helping me check this issue.
> >>> >
> >>> > I just ran tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the
> >>>
> >>> try -d 16 -d 256. which i think will log the pwd that pam received from
> >>> the device. make sure it's correct. the logs below do appear to be a
> >>> reject/fail returned from pam.
> >>>
> >>> > log in stdout and in the log file. I can't see any suspicious log information
> >>> > here. I paste the log below:
> >>> >
> >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet
> >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
> >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 11 (0xb)
> >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
> >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
> >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg:
> >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername
> >>> > Sat Nov 21 22:28:27 2009 [3393]: User data:
> >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn
> >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function
> >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28
> >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 16 (0x10)
> >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0
> >>> > Sat Nov 21 22:28:27 2009 [3393]: msg:
> >>> > Sat Nov 21 22:28:27 2009 [3393]: Password:
> >>> > Sat Nov 21 22:28:27 2009 [3393]: data:
> >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet
> >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30
> >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey
> >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, flags 0x1
> >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 18 (0x12)
> >>> > Sat Nov 21 22:28:34 2009 [3393]: End header
> >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT
> >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
> >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg:
> >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword
> >>> > Sat Nov 21 22:28:34 2009 [3393]: User data:
> >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet
> >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
> >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18
> >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey
> >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, flags 0x1
> >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 6 (0x6)
> >>> > Sat Nov 21 22:28:36 2009 [3393]: End header
> >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0
> >>> > Sat Nov 21 22:28:36 2009 [3393]: msg:
> >>> > Sat Nov 21 22:28:36 2009 [3393]: data:
> >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet
> >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect
> >>> >
> >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley wrote:
> >>> >
> >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:
> >>> > > > Hi Adam,
> >>> > > >
> >>> > > > If the ldapsearch -D "" -w "" runs successfully, what are we supposed to get
> >>> > > > from the output? I just got all of the user information in that group. Does
> >>> > > > that mean my password and username got authenticated successfully against
> >>> > > > AD?
> >>> > > >
> >>> > > > This thing drives me crazy. I need to solve it this week before the
> >>> > > > holiday...
> >>> > >
> >>> > > i haven't followed this thread, as i know nearly zero about ldap. but,
> >>> > > have you enabled authentication debugging in the tacacs daemon and
> >>> > > checked the logs to determine what is coming back from pam? it very
> >>> > > well may be that the ldap client is working just fine, but there is a
> >>> > > pam module bug or a bug in the tacplus daemon or that your device
> >>> > > simply doesn't like something about the replies.
> >>> > >
> >>> > > > Thanks a lot for the help.
> >>> > > >
> >>> > > > Lou
> >>> > > >
> >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng wrote:
> >>> > > >
> >>> > > > > Still no clue how to turn on the log. Binding seems good. See my findings
> >>> > > > > below. Thanks a lot.
> >>> > > > >
> >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam wrote:
> >>> > > > >
> >>> > > > >> Hailu Meng wrote:
> >>> > > > >>
> >>> > > > >>> Adam,
> >>> > > > >>>
> >>> > > > >>> I tried su - "userid" on my tacacs+ server but I don't have that
> >>> > > > >>> userid in CentOS, so CentOS just won't let me log in. I think this will
> >>> > > > >>> not ask the tacacs server to authenticate against AD.
> >>> > > > >>>
> >>> > > > >> You shouldn't need to define the user in CentOS, that's the point
> >>> > > > >> of using ldap for authentication. The user is defined in ldap, not in
> >>> > > > >> CentOS. Now that I think about it, su - probably wouldn't work
> >>> > > > >> anyway, as AD doesn't by default have the data needed by a linux box to
> >>> > > > >> allow login...but see below for more options.
> >>> > > > >>
> >>> > > > >>> Is there any other way to test ldap authentication against AD with the
> >>> > > > >>> userid in AD? I tried ldapsearch. It did find my user id without problem.
> >>> > > > >>> But I haven't found any option to try with a password and authenticate against
> >>> > > > >>> AD.
> >>> > > > >>>
> >>> > > > >> Try using -D:
> >>> > > > >>
> >>> > > > >> from `man ldapsearch`:
> >>> > > > >>
> >>> > > > >> -D binddn
> >>> > > > >> Use the Distinguished Name binddn to bind to the LDAP directory.
> >>> > > > >>
> >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate
> >>> > > > >> using whatever user you want to define. Just check and double check you get
> >>> > > > >> the right path in that dn.
> >>> > > > >>
> >>> > > > > I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned lots of
> >>> > > > > users' information. Does that mean it was successful?
> >>> > > > >
> >>> > > > >>> Do you have an ldap server set up or only the openldap library and openldap
> >>> > > > >>> client? I don't understand why the log is not turned on. There must be some
> >>> > > > >>> debugging info in the log which can help solve this issue.
> >>> > > > >>>
> >>> > > > >> only the libs and client. You should not need the server. In the
> >>> > > > >> ldapsearch, you can use -d to get debugging info for that search.
> >>> > > > >> As before, higher number = more debug
> >>> > > > >>
> >>> > > > >>> If the user can authenticate, does ethereal capture some packets about
> >>> > > > >>> password verification? Right now I only see the packets when ldap searches for
> >>> > > > >>> my user id and gets results back from AD.
> >>> > > > >>>
> >>> > > > >> Ethereal should catch all data flowing between the client and server. If
> >>> > > > >> you can search out the user in your AD right now, then one of two things is
> >>> > > > >> happening:
> >>> > > > >>
> >>> > > > >> 1. You are performing anonymous searches. In this case, no username and pw
> >>> > > > >> is provided, and your AD is happy to hand over info to anyone who asks for
> >>> > > > >> it. If this is the case, you will _not_ see authentication information. The
> >>> > > > >> following MS KB article should probably help you determine on your AD if
> >>> > > > >> anonymous queries are allowed:
> >>> > > > >>
> >>> > > > >> http://support.microsoft.com/kb/320528
> >>> > > > >>
> >>> > > > >> It has exact instructions for how to get it going, but you can follow
> >>> > > > >> along with it to check your current settings without making any changes.
> >>> > > > >>
> >>> > > > > I checked our setting. Permission type for normal user is "Read & Execute".
> >>> > > > > I clicked edit to check the details of the permission. I think it only allows the
> >>> > > > > user to read the attributes, permissions and so on, and can't modify the
> >>> > > > > AD. The "Everyone" setting is also set as "Read & Execute". By the way,
> >>> > > > > the AD is Win2003 R2.
> >>> > > > >
> >>> > > > >> 2. Authentication is happening. It will be the _very_ first thing the
> >>> > > > >> client and server perform, after basic connection establishment. Look for it
> >>> > > > >> at the very beginning of a dump.
> >>> > > > >>
> >>> > > > >> Also, it's a bit overkill, but the following article is extremely
> >>> > > > >> informative about all the different ways you can plug linux into AD for
> >>> > > > >> authentication. It might offer some hints...
> >>> > > > >>
> >>> > > > >>> Maybe I need to dig into ldap.conf more. If you have any idea, let me know.
> >>> > > > >>>
> >>> > > > >>> Thank you very much.
> >>> > > > >>>
> >>> > > > >>> Lou
> >>> > > > >>>
> >>> > > > -------------- next part --------------
> >>> > > > An HTML attachment was scrubbed...
> >>> > > > URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html
> >>> > > > _______________________________________________
> >>> > > > tac_plus mailing list
> >>> > > > tac_plus at shrubbery.net
> >>> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> >>>
> >>
From hailumeng at gmail.com Mon Nov 23 21:28:56 2009
From: hailumeng at gmail.com (Hailu Meng)
Date: Mon, 23 Nov 2009 15:28:56 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <20091123211611.GC15357@shrubbery.net>
References: <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com> <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com> <20091123182351.GH15357@shrubbery.net> <8dabae5b0911231043p42cfcddav850ffb8936decaae@mail.gmail.com> <20091123202054.GB15357@shrubbery.net> <8dabae5b0911231233n82044b2w529c3f19b99fdf13@mail.gmail.com> <8dabae5b0911231249n5caf23e3nf0b53d2d3826cad1@mail.gmail.com> <8dabae5b0911231312v2122ff0fs32c91e4391edfc8d@mail.gmail.com> <20091123211611.GC15357@shrubbery.net>
Message-ID: <8dabae5b0911231328i417db7d8k455fab37caa87bc5@mail.gmail.com>

Ok. With -d 32, I got some more info about pam, as the red colored log lines.

There is an "Unknown user" log entry following the input of my user password.
I'm confused: since ldap is able to get user info from Active Directory, why
does it turn out "Unknown user" here?
Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1
Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
Mon Nov 23 15:21:16 2009 [3806]: End header
Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
Mon Nov 23 15:21:16 2009 [3806]: User msg:
Mon Nov 23 15:21:16 2009 [3806]: myusername
Mon Nov 23 15:21:16 2009 [3806]: User data:
Mon Nov 23 15:21:16 2009 [3806]: End packet
Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF
Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1
Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)
Mon Nov 23 15:21:16 2009 [3806]: End header
Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
Mon Nov 23 15:21:16 2009 [3806]: msg:
Mon Nov 23 15:21:16 2009 [3806]: Password:
Mon Nov 23 15:21:16 2009 [3806]: data:
Mon Nov 23 15:21:16 2009 [3806]: End packet
Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1
Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)
Mon Nov 23 15:21:21 2009 [3806]: End header
Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
Mon Nov 23 15:21:21 2009 [3806]: User msg:
Mon Nov 23 15:21:21 2009 [3806]: mypassword
Mon Nov 23 15:21:21 2009 [3806]: User data:
Mon Nov 23 15:21:21 2009 [3806]: End packet
Mon Nov 23 15:21:22 2009 [3806]: Unknown user
Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, flags 0x1
Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 6 (0x6)
Mon Nov 23 15:21:22 2009 [3806]: End header
Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
Mon Nov 23 15:21:22 2009 [3806]: msg:
Mon Nov 23 15:21:22 2009 [3806]: data:
Mon Nov 23 15:21:22 2009 [3806]: End packet
Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect

On Mon, Nov 23, 2009 at 3:16 PM, john heasley wrote:
> Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
> > I just saw some posts saying pam_krb winbind could be needed to get pam work
> > against active directory. Is this true? The post I was following actually is
> > for a LDAP server not Active Directory.
>
> i dont know; each pam implementation seems to be [at least] slightly
> different. seems silly to need kerberos for ldap.
> [...]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html
From heas at shrubbery.net Mon Nov 23 21:56:25 2009
From: heas at shrubbery.net (john heasley)
Date: Mon, 23 Nov 2009 21:56:25 +0000
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911231328i417db7d8k455fab37caa87bc5@mail.gmail.com>
References: <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com> <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com> <20091123182351.GH15357@shrubbery.net> <8dabae5b0911231043p42cfcddav850ffb8936decaae@mail.gmail.com> <20091123202054.GB15357@shrubbery.net> <8dabae5b0911231233n82044b2w529c3f19b99fdf13@mail.gmail.com> <8dabae5b0911231249n5caf23e3nf0b53d2d3826cad1@mail.gmail.com> <8dabae5b0911231312v2122ff0fs32c91e4391edfc8d@mail.gmail.com> <20091123211611.GC15357@shrubbery.net> <8dabae5b0911231328i417db7d8k455fab37caa87bc5@mail.gmail.com>
Message-ID: <20091123215624.GL15357@shrubbery.net>

Mon, Nov 23, 2009 at 03:28:56PM -0600, Hailu Meng:
> Ok. With -d 32, I got some more info about pam as red color log.
>
> There is "Unknown user" log info following the input of my user password.
> Feel confused since ldap is able to get user info from Active directory, why
> it turns out "Unknown user" here.

that's what pam returned; aka PAM_USER_UNKNOWN. see your pam and pam_ldap
module manual for specifics about that.

> Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
> Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1
> Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
> Mon Nov 23 15:21:16 2009 [3806]: End header
> Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
> Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
> Mon Nov 23 15:21:16 2009 [3806]: User msg:
> Mon Nov 23 15:21:16 2009 [3806]: myusername
> Mon Nov 23 15:21:16 2009 [3806]: User data:
> Mon Nov 23 15:21:16 2009 [3806]: End packet
> Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
> Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
> Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
> Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
> Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF
> Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
> Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1
> Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)
> Mon Nov 23 15:21:16 2009 [3806]: End header
> Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
> Mon Nov 23 15:21:16 2009 [3806]: msg:
> Mon Nov 23 15:21:16 2009 [3806]: Password:
> Mon Nov 23 15:21:16 2009 [3806]: data:
> Mon Nov 23 15:21:16 2009 [3806]: End packet
> Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
> Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
> Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
> Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)
> Mon Nov 23 15:21:21 2009 [3806]: End header
> Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
> Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
> Mon Nov 23 15:21:21 2009 [3806]: User msg:
> Mon Nov 23 15:21:21 2009 [3806]: mypassword
> Mon Nov 23 15:21:21 2009 [3806]: User data:
> Mon Nov 23 15:21:21 2009 [3806]: End packet
> Mon Nov 23 15:21:22 2009 [3806]: Unknown user
> Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername10.1.69.89 (10.1.69.89) tty0
> Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
> Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
> Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 6 (0x6)
> Mon Nov 23 15:21:22 2009 [3806]: End header
> Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
> Mon Nov 23 15:21:22 2009 [3806]: msg:
> Mon Nov 23 15:21:22 2009 [3806]: data:
> Mon Nov 23 15:21:22 2009 [3806]: End packet
> Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
>
>
> On Mon, Nov 23, 2009 at 3:16 PM, john heasley wrote:
>
> > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
> > > I just saw some posts saying pam_krb winbind could be needed to get pam work
> > > against active directory. Is this true? The post I was following actually is
> > > for a LDAP server not Active Directory.
> >
> > i dont know; each pam implementation seems to be [at least] slightly
> > different. seems silly to need kerberos for ldap.
> >
> > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng wrote:
> > >
> > > > I think I need to put my pam configuration here:
> > > >
> > > > I followed this post
> > > > http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html to
> > > > configure my pam module:
> > > >
> > > > /etc/pam.d/tacacs
> > > >
> > > > auth include system-auth
> > > > account required pam_nologin.so
> > > > account include system-auth
> > > > password include system-auth
> > > > session optional pam_keyinit.so force revoke
> > > > session include system-auth
> > > > session required pam_loginuid.so
> > > >
> > > > /etc/pam.d/system-auth
> > > > #%PAM-1.0
> > > > # This file is auto-generated.
> > > > # User changes will be destroyed the next time authconfig is run.
> > > > auth required pam_env.so
> > > > auth sufficient pam_unix.so nullok try_first_pass
> > > > auth requisite pam_succeed_if.so uid >= 500 quiet
> > > > auth sufficient pam_ldap.so use_first_pass
> > > > auth required pam_deny.so
> > > >
> > > > account required pam_unix.so broken_shadow
> > > > account sufficient pam_succeed_if.so uid < 500 quiet
> > > > account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > > account required pam_permit.so
> > > >
> > > > password requisite pam_cracklib.so try_first_pass retry=3
> > > > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > > > password sufficient pam_ldap.so use_authtok
> > > > password required pam_deny.so
> > > >
> > > > session optional pam_keyinit.so revoke
> > > > session required pam_limits.so
> > > > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > > session required pam_unix.so
> > > > session optional pam_ldap.so
> > > >
> > > >
> > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng wrote:
> > > >
> > > >> Hi John,
> > > >>
> > > >> You mean issue commands like tac_plus -C /etct/tac_plus.conf -L -p 49 -d
> > > >> 16 -d 256 -g ?
> > > >> -d 16 -d 256 side by side? It didn't make any change. I got
> > > >> same log info. By the way, I also saw the log info in /var/log/message:
> > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
> > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
> > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
> > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from 10.1.69.89 rejected
> > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89 (10.1.69.89) tty0
> > > >>
> > > >> Do we have an option to see the log about PAM? I haven't found where it is.
> > > >> if we can check the log of PAM, then we could find something useful. Right
> > > >> now the log of tac_plus didn't tell too much about why login got failure.
> >
> > add -d 32. -d x -d y ... will be logically OR'd together.
> >
> > > >> Lou
> > > >>
> > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley wrote:
> > > >>
> > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
> > > >>> > Thanks John for helping me check this issue.
> > > >>> >
> > > >>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the
> > > >>>
> > > >>> try -d 16 -d 256. which i think will log the pwd that pam received from
> > > >>> the device. make sure it's correct. the logs below do appear to be a reject/fail
> > > >>> returned from pam.
> > > >>>
> > > >>> > log in stdout and in log file. I can't see any suspicious log information
> > > >>> > here.
I paste the log below: > > > >>> > > > > >>> > > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23 > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no > > 5, > > > >>> flags > > > >>> > 0x1 > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 > > (0xc46868ce), > > > >>> Data > > > >>> > length > > > >>> > 11 (0xb) > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), > > user_data_len 0 > > > >>> (0x0) > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0 > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg: > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data: > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28 > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no > > 6, > > > >>> flags > > > >>> > 0x1 > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 > > (0xc46868ce), > > > >>> Data > > > >>> > length > > > >>> > 16 (0x10) > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 > > (AUTHEN/GETPASS) > > > >>> > flags=0x1 > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0 > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg: > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password: > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data: > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet 
> > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30 > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey > > > >>> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no > > 7, > > > >>> flags > > > >>> > 0x1 > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 > > (0xc46868ce), > > > >>> Data > > > >>> > length > > > >>> > 18 (0x12) > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), > > user_data_len 0 > > > >>> > (0x0) > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0 > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg: > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data: > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 > > from > > > >>> > 10.1.69.89 r > > > >>> > ejected > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername > > 10.1.69.89 > > > >>> > (10.1.69.89) t > > > >>> > ty0 > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18 > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no > > 8, > > > >>> flags > > > >>> > 0x1 > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 > > (0xc46868ce), > > > >>> Data > > > >>> > length > > > >>> > 6 (0x6) > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) > > > >>> > flags=0x0 > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0 > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg: > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data: > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End 
packet > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect > > > >>> > > > > >>> > > > > >>> > > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley > > > > > >>> wrote: > > > >>> > > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng: > > > >>> > > > Hi Adam, > > > >>> > > > > > > >>> > > > If the ldapsearch -D "" -w "" runs successfully, what do we > > suppose > > > >>> to > > > >>> > > get > > > >>> > > > from the output? I just got all of the user information in that > > > >>> group. > > > >>> > > Does > > > >>> > > > that means my password and username got authenticated > > successfully > > > >>> > > against > > > >>> > > > AD? > > > >>> > > > > > > >>> > > > This thing drives me crazy. I need solve it through this week > > > >>> before the > > > >>> > > > holiday... > > > >>> > > > > > >>> > > i havent followed this thread, as i know nearly zero about ldap. > > > >>> but, > > > >>> > > have you enabled authentication debugging in the tacacas daemon > > and > > > >>> > > checked the logs to determine what is coming back from pam? it > > very > > > >>> > > well may be that the ldap client is working just fine, but there > > is a > > > >>> > > pam module bug or a bug in the tacplus daemon or that your device > > > >>> > > simply doesnt like something about the replies. > > > >>> > > > > > >>> > > > Thanks a lot for the help. > > > >>> > > > > > > >>> > > > Lou > > > >>> > > > > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng < > > hailumeng at gmail.com> > > > >>> wrote: > > > >>> > > > > > > >>> > > > > Still no clue how to turn on the log. binding seems good. See > > my > > > >>> > > findings > > > >>> > > > > below. Thanks a lot. 
> > > >>> > > > > > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam < > > prozaconstilts at gmail.com> > > > >>> > > wrote: > > > >>> > > > > > > > >>> > > > >> Hailu Meng wrote: > > > >>> > > > >> > > > >>> > > > >>> Adam, > > > >>> > > > >>> > > > >>> > > > >>> I tried the su - "userid" in my tacacs+ server but I don't > > have > > > >>> that > > > >>> > > > >>> userid in CentOS. So the CentOS just don't want me log in. > > I > > > >>> think > > > >>> > > this will > > > >>> > > > >>> not ask tacacs server to authenticate against AD. > > > >>> > > > >>> > > > >>> > > > >> > > > >>> > > > >> You shouldn't need to have to define the user in CentOS, > > that's > > > >>> the > > > >>> > > point > > > >>> > > > >> of using ldap for authentication. The user is defined in > > ldap, > > > >>> not in > > > >>> > > > >> CentOS. Now that I think about it, su - probably > > wouldn't > > > >>> work > > > >>> > > > >> anyway, as AD doesn't by default have the data needed by a > > linux > > > >>> box > > > >>> > > to > > > >>> > > > >> allow login...but see below for more options. > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >>> Is there any other way to test ldap authentication against > > AD > > > >>> with > > > >>> > > the > > > >>> > > > >>> userid in AD? I tried ldapsearch. It did find my user id > > > >>> without > > > >>> > > problem. > > > >>> > > > >>> But I haven't found any option to try with password and > > > >>> authenticate > > > >>> > > against > > > >>> > > > >>> AD. > > > >>> > > > >>> > > > >>> > > > >> > > > >>> > > > >> Try using -D: > > > >>> > > > >> > > > >>> > > > >> from `man ldapsearch`: > > > >>> > > > >> > > > >>> > > > >> -D binddn > > > >>> > > > >> Use the Distinguished Name binddn to bind to the LDAP > > > >>> directory. > > > >>> > > > >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to > > > >>> authenticate > > > >>> > > > >> using whatever user you want to define. 
Just check and > > double > > > >>> check > > > >>> > > you get > > > >>> > > > >> the right path in that dn. > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just > > > >>> returned lots > > > >>> > > of > > > >>> > > > > users' information. It means successful? > > > >>> > > > > > > > >>> > > > > > > > >>> > > > >> Do you have ldap server setup or only the openldap library > > and > > > >>> > > openldap > > > >>> > > > >>> client? I don't understand why the log is not turned on. > > There > > > >>> must > > > >>> > > be some > > > >>> > > > >>> debugging info in the log which can help solve this issue. > > > >>> > > > >>> > > > >>> > > > >> > > > >>> > > > >> only the libs and client. You should not need the server. In > > the > > > >>> > > > >> ldapsearch, you can use -d to get debugging info > > for > > > >>> that > > > >>> > > search. > > > >>> > > > >> As before, higher number = more debug > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> If the user can authenticate, does ethereal capture some > > > >>> packets > > > >>> > > about > > > >>> > > > >>> password verification? Right now I only see the packets > > when > > > >>> ldap > > > >>> > > search for > > > >>> > > > >>> my user id and gets results back from AD. > > > >>> > > > >>> > > > >>> > > > >> > > > >>> > > > >> Ethereal should catch all data flowing between the client > > and > > > >>> server. > > > >>> > > If > > > >>> > > > >> you can search out the user in your AD right now, then one > > of > > > >>> two > > > >>> > > things is > > > >>> > > > >> happening: > > > >>> > > > >> > > > >>> > > > >> 1. You are performing anonymous searches. In this case, no > > > >>> username > > > >>> > > and pw > > > >>> > > > >> is provided, and your AD is happy to hand over info to > > anyone > > > >>> who asks > > > >>> > > for > > > >>> > > > >> it. If this is the case, you will _not_ see authentication > > > >>> > > information. 
The > > > >>> > > > >> following MS KB article should probably help you determine > > on > > > >>> your AD > > > >>> > > if > > > >>> > > > >> anonymous queries are allowed: > > > >>> > > > >> > > > >>> > > > >> http://support.microsoft.com/kb/320528 > > > >>> > > > >> > > > >>> > > > >> It has exact instructions for how to get it going, but you > > can > > > >>> follow > > > >>> > > > >> along with it to check your current settings without making > > any > > > >>> > > changes. > > > >>> > > > >> > > > >>> > > > > > > > >>> > > > > I checked our setting. Permission type for normal user is > > "Read & > > > >>> > > Execute". > > > >>> > > > > I click edit to check the detail about permission. I think it > > > >>> only > > > >>> > > allow the > > > >>> > > > > user to read the attributes, permission something and can't > > > >>> modify the > > > >>> > > > > AD.There is "Everyone" setting is also set as "Read & > > Execute". > > > >>> By the > > > >>> > > way, > > > >>> > > > > the AD is Win2003 R2. > > > >>> > > > > > > > >>> > > > > > > > >>> > > > >> > > > >>> > > > >> 2. Authentication is happening. It will be the _very_ first > > > >>> thing the > > > >>> > > > >> client and server perform, after basic connection > > establishment. > > > >>> Look > > > >>> > > for it > > > >>> > > > >> at the very beginning of a dump. > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> Also, it's a bit overkill, but the following article is > > > >>> extremely > > > >>> > > > >> informative about all the different ways you can plug linux > > into > > > >>> AD > > > >>> > > for > > > >>> > > > >> authentication. It might offer some hints... > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >>> Maybe I need dig into ldap.conf more. If you have any idea, > > let > > > >>> me > > > >>> > > know. > > > >>> > > > >>> > > > >>> > > > >>> Thank you very much. 
> > > >>> > > > >>> > > > >>> > > > >>> Lou > > > >>> > > > >>> > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > > > > > >>> > > > -------------- next part -------------- > > > >>> > > > An HTML attachment was scrubbed... > > > >>> > > > URL: > > > >>> > > > > > >>> > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html > > > >>> > > > _______________________________________________ > > > >>> > > > tac_plus mailing list > > > >>> > > > tac_plus at shrubbery.net > > > >>> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > > >>> > > > > > >>> > > > >> > > > >> > > > > > > From jeroen at nijhofnet.nl Mon Nov 23 22:45:12 2009 
From: jeroen at nijhofnet.nl (Jeroen Nijhof)
Date: Mon, 23 Nov 2009 23:45:12 +0100
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911231328i417db7d8k455fab37caa87bc5@mail.gmail.com>
References: <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com> <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com> <20091123182351.GH15357@shrubbery.net> <8dabae5b0911231043p42cfcddav850ffb8936decaae@mail.gmail.com> <20091123202054.GB15357@shrubbery.net> <8dabae5b0911231233n82044b2w529c3f19b99fdf13@mail.gmail.com> <8dabae5b0911231249n5caf23e3nf0b53d2d3826cad1@mail.gmail.com> <8dabae5b0911231312v2122ff0fs32c91e4391edfc8d@mail.gmail.com> <20091123211611.GC15357@shrubbery.net> <8dabae5b0911231328i417db7d8k455fab37caa87bc5@mail.gmail.com>
Message-ID: <1259016312.3711.51.camel@tux>

Hi,

Did you set up the nsswitch.conf as well on your tac_plus server? Your
tac_plus server needs to look up the user attributes like homedir etc,
otherwise pam will fail.

Regards,

Jeroen Nijhof

On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
> Ok. With -d 32, I got some more info about pam as red color log.
>
> There is "Unknown user" log info following the input of my user password.
> Feel confused since ldap is able to get user info from Active directory, why
> it turns out "Unknown user" here.
Just check and > > double > > > >>> check > > > >>> > > you get > > > >>> > > > >> the right path in that dn. > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just > > > >>> returned lots > > > >>> > > of > > > >>> > > > > users' information. It means successful? > > > >>> > > > > > > > >>> > > > > > > > >>> > > > >> Do you have ldap server setup or only the openldap library > > and > > > >>> > > openldap > > > >>> > > > >>> client? I don't understand why the log is not turned on. > > There > > > >>> must > > > >>> > > be some > > > >>> > > > >>> debugging info in the log which can help solve this issue. > > > >>> > > > >>> > > > >>> > > > >> > > > >>> > > > >> only the libs and client. You should not need the server. In > > the > > > >>> > > > >> ldapsearch, you can use -d to get debugging info > > for > > > >>> that > > > >>> > > search. > > > >>> > > > >> As before, higher number = more debug > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> If the user can authenticate, does ethereal capture some > > > >>> packets > > > >>> > > about > > > >>> > > > >>> password verification? Right now I only see the packets > > when > > > >>> ldap > > > >>> > > search for > > > >>> > > > >>> my user id and gets results back from AD. > > > >>> > > > >>> > > > >>> > > > >> > > > >>> > > > >> Ethereal should catch all data flowing between the client > > and > > > >>> server. > > > >>> > > If > > > >>> > > > >> you can search out the user in your AD right now, then one > > of > > > >>> two > > > >>> > > things is > > > >>> > > > >> happening: > > > >>> > > > >> > > > >>> > > > >> 1. You are performing anonymous searches. In this case, no > > > >>> username > > > >>> > > and pw > > > >>> > > > >> is provided, and your AD is happy to hand over info to > > anyone > > > >>> who asks > > > >>> > > for > > > >>> > > > >> it. If this is the case, you will _not_ see authentication > > > >>> > > information. 
The > > > >>> > > > >> following MS KB article should probably help you determine > > on > > > >>> your AD > > > >>> > > if > > > >>> > > > >> anonymous queries are allowed: > > > >>> > > > >> > > > >>> > > > >> http://support.microsoft.com/kb/320528 > > > >>> > > > >> > > > >>> > > > >> It has exact instructions for how to get it going, but you > > can > > > >>> follow > > > >>> > > > >> along with it to check your current settings without making > > any > > > >>> > > changes. > > > >>> > > > >> > > > >>> > > > > > > > >>> > > > > I checked our setting. Permission type for normal user is > > "Read & > > > >>> > > Execute". > > > >>> > > > > I click edit to check the detail about permission. I think it > > > >>> only > > > >>> > > allow the > > > >>> > > > > user to read the attributes, permission something and can't > > > >>> modify the > > > >>> > > > > AD.There is "Everyone" setting is also set as "Read & > > Execute". > > > >>> By the > > > >>> > > way, > > > >>> > > > > the AD is Win2003 R2. > > > >>> > > > > > > > >>> > > > > > > > >>> > > > >> > > > >>> > > > >> 2. Authentication is happening. It will be the _very_ first > > > >>> thing the > > > >>> > > > >> client and server perform, after basic connection > > establishment. > > > >>> Look > > > >>> > > for it > > > >>> > > > >> at the very beginning of a dump. > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> Also, it's a bit overkill, but the following article is > > > >>> extremely > > > >>> > > > >> informative about all the different ways you can plug linux > > into > > > >>> AD > > > >>> > > for > > > >>> > > > >> authentication. It might offer some hints... > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >>> Maybe I need dig into ldap.conf more. If you have any idea, > > let > > > >>> me > > > >>> > > know. > > > >>> > > > >>> > > > >>> > > > >>> Thank you very much. 
> > > >>> > > > >>> > > > >>> > > > >>> Lou > > > >>> > > > >>> > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > >> > > > >>> > > > > > > > >>> > > > -------------- next part -------------- > > > >>> > > > An HTML attachment was scrubbed... > > > >>> > > > URL: > > > >>> > > > > > >>> > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html > > > >>> > > > _______________________________________________ > > > >>> > > > tac_plus mailing list > > > >>> > > > tac_plus at shrubbery.net > > > >>> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > > >>> > > > > > >>> > > > >> > > > >> > > > > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus From prozaconstilts at gmail.com Mon Nov 23 23:07:16 2009 
From: prozaconstilts at gmail.com (adam)
Date: Mon, 23 Nov 2009 18:07:16 -0500
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <20091123211611.GC15357@shrubbery.net>
References: <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <4B060C7F.6010804@gmail.com> <8dabae5b0911200526y1917bfd2la80c5f6173ce38f8@mail.gmail.com> <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com> <20091123182351.GH15357@shrubbery.net> <8dabae5b0911231043p42cfcddav850ffb8936decaae@mail.gmail.com> <20091123202054.GB15357@shrubbery.net> <8dabae5b0911231233n82044b2w529c3f19b99fdf13@mail.gmail.com> <8dabae5b0911231249n5caf23e3nf0b53d2d3826cad1@mail.gmail.com> <8dabae5b0911231312v2122ff0fs32c91e4391edfc8d@mail.gmail.com> <20091123211611.GC15357@shrubbery.net>
Message-ID: <4B0B15A4.5020904@gmail.com>

john heasley wrote:
> Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
>> I just saw some posts saying pam_krb winbind could be needed to get pam work
>> against active directory. Is this true? The post I was following actually is
>> for a LDAP server not Active Directory.
>
> i don't know; each pam implementation seems to be [at least] slightly
> different. seems silly to need kerberos for ldap.
>
I too, am stumped. I've never really messed with kerberos, and I don't know if it's required for AD...

Adam

From hailumeng at gmail.com Mon Nov 23 23:49:37 2009
From: hailumeng at gmail.com (Hailu Meng)
Date: Mon, 23 Nov 2009 17:49:37 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <4B0B15A4.5020904@gmail.com>
References: <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <8dabae5b0911231012l43cb60c4r418ad93e6ff475e2@mail.gmail.com> <20091123182351.GH15357@shrubbery.net> <8dabae5b0911231043p42cfcddav850ffb8936decaae@mail.gmail.com> <20091123202054.GB15357@shrubbery.net> <8dabae5b0911231233n82044b2w529c3f19b99fdf13@mail.gmail.com> <8dabae5b0911231249n5caf23e3nf0b53d2d3826cad1@mail.gmail.com> <8dabae5b0911231312v2122ff0fs32c91e4391edfc8d@mail.gmail.com> <20091123211611.GC15357@shrubbery.net> <4B0B15A4.5020904@gmail.com>
Message-ID: <8dabae5b0911231549x154c61ddlb534ad98f2c7b660@mail.gmail.com>

Thanks a lot Adam. This thing just defeats me. I'm so upset that I haven't solved this issue for one week. I'm trying hard. :)

Lou

On Mon, Nov 23, 2009 at 5:07 PM, adam wrote:

> john heasley wrote:
>
>> Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
>>
>>> I just saw some posts saying pam_krb winbind could be needed to get pam
>>> work against active directory. Is this true? The post I was following
>>> actually is for a LDAP server not Active Directory.
>>>
>>
>> i don't know; each pam implementation seems to be [at least] slightly
>> different. seems silly to need kerberos for ldap.
>>
> I too, am stumped. I've never really messed with kerberos, and I don't know
> if it's required for AD...
>
> Adam
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/879121a3/attachment.html

From hailumeng at gmail.com Mon Nov 23 23:48:37 2009
From: hailumeng at gmail.com (Hailu Meng)
Date: Mon, 23 Nov 2009 17:48:37 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <1259016312.3711.51.camel@tux>
References: <8dabae5b0911191856v4c15bba9h6117e28d456ed9ad@mail.gmail.com> <20091123182351.GH15357@shrubbery.net> <8dabae5b0911231043p42cfcddav850ffb8936decaae@mail.gmail.com> <20091123202054.GB15357@shrubbery.net> <8dabae5b0911231233n82044b2w529c3f19b99fdf13@mail.gmail.com> <8dabae5b0911231249n5caf23e3nf0b53d2d3826cad1@mail.gmail.com> <8dabae5b0911231312v2122ff0fs32c91e4391edfc8d@mail.gmail.com> <20091123211611.GC15357@shrubbery.net> <8dabae5b0911231328i417db7d8k455fab37caa87bc5@mail.gmail.com> <1259016312.3711.51.camel@tux>
Message-ID: <8dabae5b0911231548u2548f07ep85bd045cca8a93ed@mail.gmail.com>

Hi Jeroen,

Thanks for helping. I modified the nsswitch.conf as below:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

And leave the other settings as default. The user attributes you are talking about are the attributes retrieved from AD? I do see the packets from AD server told my tacacs+ server the user attributes including homedir.

Thanks.

Lou

On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof wrote:

> Hi,
>
> Did you set up the nsswitch.conf as well on your tac_plus server?
> Your tac_plus server needs to look up the user attributes like homedir
> etc, otherwise pam will fail.
>
> Regards,
> Jeroen Nijhof
>
> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
> > Ok. With -d 32, I got some more info about pam as red color log.
> >
> > There is "Unknown user" log info following the input of my user password.
> > Feel confused since ldap is able to get user info from Active directory, why
> > it turns out "Unknown user" here.
> >
> > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1
> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
> > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
> > Mon Nov 23 15:21:16 2009 [3806]: User msg:
> > Mon Nov 23 15:21:16 2009 [3806]: myusername
> > Mon Nov 23 15:21:16 2009 [3806]: User data:
> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
> > Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
> > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
> > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
> > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF
> > Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1
> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)
> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
> > Mon Nov 23 15:21:16 2009 [3806]: msg:
> > Mon Nov 23 15:21:16 2009 [3806]: Password:
> > Mon Nov 23 15:21:16 2009 [3806]: data:
> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
> > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
> > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
> > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)
> > Mon Nov 23 15:21:21 2009 [3806]: End header
> > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
> > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
> > Mon Nov 23 15:21:21 2009 [3806]: User msg:
> > Mon Nov 23 15:21:21 2009 [3806]: mypassword
> > Mon Nov 23 15:21:21 2009 [3806]: User data:
> > Mon Nov 23 15:21:21 2009 [3806]: End packet
> > Mon Nov 23 15:21:22 2009 [3806]: Unknown user
> > Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> > Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
> > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
> > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
> > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 6 (0x6)
> > Mon Nov 23 15:21:22 2009 [3806]: End header
> > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
> > Mon Nov 23 15:21:22 2009 [3806]: msg:
> > Mon Nov 23 15:21:22 2009 [3806]: data:
> > Mon Nov 23 15:21:22 2009 [3806]: End packet
> > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
> >
> > On Mon, Nov 23, 2009 at 3:16 PM, john heasley wrote:
> >
> > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
> > > > I just saw some posts saying pam_krb winbind could be needed to get pam
> > > > work against active directory. Is this true? The post I was following
> > > > actually is for a LDAP server not Active Directory.
> > >
> > > i don't know; each pam implementation seems to be [at least] slightly
> > > different. seems silly to need kerberos for ldap.
> > >
> > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng wrote:
> > > >
> > > > > I think I need to put my pam configuration here:
> > > > >
> > > > > I followed this post
> > > > > http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html to
> > > > > configure my pam module:
> > > > >
> > > > > /etc/pam.d/tacacs
> > > > >
> > > > > auth       include      system-auth
> > > > > account    required     pam_nologin.so
> > > > > account    include      system-auth
> > > > > password   include      system-auth
> > > > > session    optional     pam_keyinit.so force revoke
> > > > > session    include      system-auth
> > > > > session    required     pam_loginuid.so
> > > > >
> > > > > /etc/pam.d/system-auth
> > > > > #%PAM-1.0
> > > > > # This file is auto-generated.
> > > > > # User changes will be destroyed the next time authconfig is run.
> > > > > auth        required      pam_env.so
> > > > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > > > auth        sufficient    pam_ldap.so use_first_pass
> > > > > auth        required      pam_deny.so
> > > > >
> > > > > account     required      pam_unix.so broken_shadow
> > > > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > > > account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > > > account     required      pam_permit.so
> > > > >
> > > > > password    requisite     pam_cracklib.so try_first_pass retry=3
> > > > > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > > > > password    sufficient    pam_ldap.so use_authtok
> > > > > password    required      pam_deny.so
> > > > >
> > > > > session     optional      pam_keyinit.so revoke
> > > > > session     required      pam_limits.so
> > > > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > > > session     required      pam_unix.so
> > > > > session     optional      pam_ldap.so
> > > > >
> > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng wrote:
> > > >
> > > > > >> Hi John,
> > > > > >>
> > > > > >> You mean issue commands like tac_plus -C /etct/tac_plus.conf -L -p 49 -d
> > > > > >> 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make any change. I got
> > > > > >> same log info. By the way, I also saw the log info in /var/log/message:
> > > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
> > > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
> > > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
> > > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from 10.1.69.89 rejected
> > > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89 (10.1.69.89) tty0
> > > > > >>
> > > > > >> Do we have option to see the log about PAM? I haven't found where it is.
> > > > > >> if we can check the log of PAM, then we could find something useful. Right
> > > > > >> now the log of tac_plus didn't tell too much about why login got failure.
> > >
> > > add -d 32. -d x -d y ... will be logically OR'd together.
> > >
> > > > > >> Lou
> > > > > >>
> > > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley wrote:
> > > > > >>
> > > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
> > > > > >>> > Thanks John for helping me check this issue.
> > > > > >>> >
> > > > > >>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the
> > > > > >>>
> > > > > >>> try -d 16 -d 256. which i think will log the pwd that pam received from
> > > > > >>> the device. make sure it's correct. the logs below do appear to be a
> > > > > >>> reject/fail returned from pam.
> > > > > >>>
> > > > > >>> > log in stdout and in log file. I can't see any suspicious log information
> > > > > >>> > here.
> > > > >>> > I paste the log below:
> > > > >>> >
> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 11 (0xb)
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg:
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data:
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 16 (0x10)
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg:
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password:
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data:
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet
> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30
> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey
> > > > >>> >
> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, flags 0x1
> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 18 (0x12)
> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header
> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT
> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg:
> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword
> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data:
> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet
> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18
> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey
> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, flags 0x1
> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 6 (0x6)
> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header
> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0
> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg:
> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data:
> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet
> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect
> > > > >>> >
> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley <heas at shrubbery.net> wrote:
> > > > >>> >
> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:
> > > > >>> > > > Hi Adam,
> > > > >>> > > >
> > > > >>> > > > If the ldapsearch -D "" -w "" runs successfully, what do we suppose to get
> > > > >>> > > > from the output? I just got all of the user information in that group. Does
> > > > >>> > > > that mean my password and username got authenticated successfully against AD?
> > > > >>> > > >
> > > > >>> > > > This thing drives me crazy. I need to solve it through this week before the
> > > > >>> > > > holiday...
> > > > >>> > >
> > > > >>> > > i haven't followed this thread, as i know nearly zero about ldap. but,
> > > > >>> > > have you enabled authentication debugging in the tacacs daemon and
> > > > >>> > > checked the logs to determine what is coming back from pam? it very
> > > > >>> > > well may be that the ldap client is working just fine, but there is a
> > > > >>> > > pam module bug or a bug in the tacplus daemon or that your device
> > > > >>> > > simply doesn't like something about the replies.
> > > > >>> > >
> > > > >>> > > > Thanks a lot for the help.
> > > > >>> > > >
> > > > >>> > > > Lou
> > > > >>> > > >
> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > >>> > > >
> > > > >>> > > > > Still no clue how to turn on the log. binding seems good. See my findings
> > > > >>> > > > > below. Thanks a lot.
> > > > >>> > > > >
> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam <prozaconstilts at gmail.com> wrote:
> > > > >>> > > > >
> > > > >>> > > > >> Hailu Meng wrote:
> > > > >>> > > > >>
> > > > >>> > > > >>> Adam,
> > > > >>> > > > >>>
> > > > >>> > > > >>> I tried the su - "userid" in my tacacs+ server but I don't have that
> > > > >>> > > > >>> userid in CentOS. So the CentOS just doesn't want me to log in. I think
> > > > >>> > > > >>> this will not ask tacacs server to authenticate against AD.
> > > > >>> > > > >>>
> > > > >>> > > > >>
> > > > >>> > > > >> You shouldn't need to have to define the user in CentOS, that's the point
> > > > >>> > > > >> of using ldap for authentication. The user is defined in ldap, not in
> > > > >>> > > > >> CentOS. Now that I think about it, su - probably wouldn't work
> > > > >>> > > > >> anyway, as AD doesn't by default have the data needed by a linux box to
> > > > >>> > > > >> allow login...but see below for more options.
> > > > >>> > > > >>
> > > > >>> > > > >>> Is there any other way to test ldap authentication against AD with the
> > > > >>> > > > >>> userid in AD? I tried ldapsearch. It did find my user id without problem.
> > > > >>> > > > >>> But I haven't found any option to try with password and authenticate
> > > > >>> > > > >>> against AD.
> > > > >>> > > > >>>
> > > > >>> > > > >>
> > > > >>> > > > >> Try using -D:
> > > > >>> > > > >>
> > > > >>> > > > >> from `man ldapsearch`:
> > > > >>> > > > >>
> > > > >>> > > > >> -D binddn
> > > > >>> > > > >>     Use the Distinguished Name binddn to bind to the LDAP directory.
> > > > >>> > > > >>
> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate
> > > > >>> > > > >> using whatever user you want to define. Just check and double check you
> > > > >>> > > > >> get the right path in that dn.
> > > > >>> > > > >>
> > > > >>> > > > > I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned lots of
> > > > >>> > > > > users' information. It means successful?
> > > > >>> > > > >
> > > > >>> > > > >>> Do you have ldap server setup or only the openldap library and openldap
> > > > >>> > > > >>> client? I don't understand why the log is not turned on. There must be
> > > > >>> > > > >>> some debugging info in the log which can help solve this issue.
> > > > >>> > > > >>>
> > > > >>> > > > >>
> > > > >>> > > > >> only the libs and client. You should not need the server. In the
> > > > >>> > > > >> ldapsearch, you can use -d to get debugging info for that search.
> > > > >>> > > > >> As before, higher number = more debug
> > > > >>> > > > >>
> > > > >>> > > > >>> If the user can authenticate, does ethereal capture some packets about
> > > > >>> > > > >>> password verification? Right now I only see the packets when ldap searches
> > > > >>> > > > >>> for my user id and gets results back from AD.
> > > > >>> > > > >>>
> > > > >>> > > > >>
> > > > >>> > > > >> Ethereal should catch all data flowing between the client and server. If
> > > > >>> > > > >> you can search out the user in your AD right now, then one of two things
> > > > >>> > > > >> is happening:
> > > > >>> > > > >>
> > > > >>> > > > >> 1. You are performing anonymous searches. In this case, no username and pw
> > > > >>> > > > >> is provided, and your AD is happy to hand over info to anyone who asks for
> > > > >>> > > > >> it. If this is the case, you will _not_ see authentication information. The
> > > > >>> > > > >> following MS KB article should probably help you determine on your AD if
> > > > >>> > > > >> anonymous queries are allowed:
> > > > >>> > > > >>
> > > > >>> > > > >> http://support.microsoft.com/kb/320528
> > > > >>> > > > >>
> > > > >>> > > > >> It has exact instructions for how to get it going, but you can follow
> > > > >>> > > > >> along with it to check your current settings without making any changes.
> > > > >>> > > > >>
> > > > >>> > > > > I checked our setting. Permission type for normal user is "Read &
> > > > >>> > > > > Execute". I click edit to check the detail about permission. I think it
> > > > >>> > > > > only allows the user to read the attributes, permission something and
> > > > >>> > > > > can't modify the AD. The "Everyone" setting is also set as "Read &
> > > > >>> > > > > Execute". By the way, the AD is Win2003 R2.
> > > > >>> > > > >
> > > > >>> > > > >> 2. Authentication is happening.
It will be the _very_ > first > > > > >>> thing the > > > > >>> > > > >> client and server perform, after basic connection > > > establishment. > > > > >>> Look > > > > >>> > > for it > > > > >>> > > > >> at the very beginning of a dump. > > > > >>> > > > >> > > > > >>> > > > >> > > > > >>> > > > >> > > > > >>> > > > >> Also, it's a bit overkill, but the following article is > > > > >>> extremely > > > > >>> > > > >> informative about all the different ways you can plug > linux > > > into > > > > >>> AD > > > > >>> > > for > > > > >>> > > > >> authentication. It might offer some hints... > > > > >>> > > > >> > > > > >>> > > > >> > > > > >>> > > > >> > > > > >>> > > > >> > > > > >>> > > > >>> Maybe I need dig into ldap.conf more. If you have any > idea, > > > let > > > > >>> me > > > > >>> > > know. > > > > >>> > > > >>> > > > > >>> > > > >>> Thank you very much. > > > > >>> > > > >>> > > > > >>> > > > >>> Lou > > > > >>> > > > >>> > > > > >>> > > > >> > > > > >>> > > > >> > > > > >>> > > > >> > > > > >>> > > > > > > > > >>> > > > -------------- next part -------------- > > > > >>> > > > An HTML attachment was scrubbed... > > > > >>> > > > URL: > > > > >>> > > > > > > >>> > > > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html > > > > >>> > > > _______________________________________________ > > > > >>> > > > tac_plus mailing list > > > > >>> > > > tac_plus at shrubbery.net > > > > >>> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > > > >>> > > > > > > >>> > > > > >> > > > > >> > > > > > > > > > > -------------- next part -------------- > > An HTML attachment was scrubbed... 
From asaykao at gmail.com Tue Nov 24 06:51:30 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Tue, 24 Nov 2009 17:51:30 +1100
Subject: [tac_plus] webgui and log files
Message-ID: <964ee8e00911232251h56cb4aecs5d1763e239525f23@mail.gmail.com>

Hi All,

New to the list and have a few simple questions to ask.

1/ For reporting purposes, is there any webgui for this or have people developed their own reporting too? I'm sure I could get our developers to do something as well but was just wondering what's out there before re-inventing the wheel.

2/ Do people use text files to log everything or is it advisable to try and move the logging to a mysql db? We have under 50 cisco devices we're trying to move to tacacs+.

Thanks.

Andy

From jeroen at nijhofnet.nl Tue Nov 24 10:11:57 2009
From: jeroen at nijhofnet.nl (Jeroen Nijhof)
Date: Tue, 24 Nov 2009 11:11:57 +0100 (CET)
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911231548u2548f07ep85bd045cca8a93ed@mail.gmail.com>
Message-ID:

Hi Lou,

Yes, most server applications check if a user exists by looking up the uid via nss before doing any authentication (i.e. sshd).

Regards,
Jeroen

On 23/11/2009 "Hailu Meng" wrote:

>Hi Jeroen,
>
>Thanks for helping. I modified the nsswitch.conf as below:
>passwd: files ldap
>shadow: files ldap
>group: files ldap
>
>And leave the other settings as default.
>
>the user attributes you are talking about are the attributes retrieved from
>AD? I do see the packets from AD server told my tacacs+ server the user
>attributes including homedir.
>
>Thanks.
>
>Lou
>
>
>On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof wrote:
>
>> Hi,
>>
>> Did you setup the nsswitch.conf as well on your tac_plus server?
>> Your tac_plus server needs to lookup the user attributes like homedir
>> etc, otherwise pam will fail.
>>
>> Regards,
>> Jeroen Nijhof
>>
>> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
>> > Ok. With -d 32, I got some more info about pam as red color log.
>> >
>> > There is "Unknown user" log info following the input of my user password.
>> > Feel confused since ldap is able to get user info from Active directory,
>> > why it turns out "Unknown user" here.
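Added example, not code from the thread or from tac_plus: a small Python triage script for the -d 32 style debug lines Hailu posted, which groups them per child pid, separates an "Unknown user" outcome (the NSS lookup failed before PAM ever checked the password, which is Jeroen's point) from a plain credential rejection, and blanks the shared key and the forwarded password that these debug levels write into the log in clear. The sample log is constructed to mirror the posted lines; the AUTHEN/PASS status name and the wording of the diagnoses are assumptions.

```python
"""Triage tac_plus debug output for failed logins (added example, not tac_plus code).
Assumes the posted line shape "Mon Nov 23 15:21:22 2009 [3806]: <message>", one forked
child pid per device connection; the AUTHEN/PASS name is assumed, FAIL/GETPASS are posted."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} \[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_RE = re.compile(r"^pam_verify (?P<user>\S+)")
QUERY_RE = re.compile(r"^login query for '(?P<user>[^']+)' \S+ from (?P<ip>\S+) (?P<verdict>rejected|accepted)")
STATUS_RE = re.compile(r"^type=AUTHEN status=\d+ \((?P<name>AUTHEN/\w+)\)")


@dataclass
class Session:
    pid: str
    user: str = ""
    client: str = ""
    verdict: str = ""       # from the "login query ... rejected/accepted" line
    last_status: str = ""   # last AUTHEN status written back to the device
    unknown_user: bool = False  # "Unknown user": PAM never got to check the password


def parse_log(lines: list) -> dict:
    """Group debug lines by child pid and keep the markers that decide the outcome."""
    sessions = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        s = sessions.setdefault(m.group("pid"), Session(pid=m.group("pid")))
        msg = m.group("msg")
        if pm := PAM_RE.match(msg):
            s.user = pm.group("user")
        elif msg == "Unknown user":
            s.unknown_user = True
        elif qm := QUERY_RE.match(msg):
            s.user, s.client, s.verdict = qm.group("user", "ip", "verdict")
        elif stm := STATUS_RE.match(msg):
            s.last_status = stm.group("name")
    return sessions


def diagnose(s: Session) -> str:
    """Most likely cause for one session; the wording is ours, not tac_plus's."""
    if s.unknown_user:
        return "unknown user: account not resolvable via NSS on the tac_plus host (nsswitch.conf/pam_ldap)"
    if s.verdict == "rejected" or s.last_status == "AUTHEN/FAIL":
        return "rejected: account resolved, but the PAM stack refused the credential"
    if s.verdict == "accepted" or s.last_status == "AUTHEN/PASS":
        return "login succeeded"
    return "incomplete: no final AUTHEN status seen"


def redact(lines: list) -> list:
    """Copy safe to share: blank "PACKET: key=..." and the User msg answering a GETPASS."""
    out, expect_password, value_follows = [], False, False
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line.strip())
        msg = m.group("msg") if m else ""
        if "PACKET: key=" in line:
            line = line[: line.index("key=")] + "key=<redacted>"
        elif msg.startswith("type=AUTHEN status=5 "):
            expect_password = True  # the next "User msg:" value is the password
        elif msg == "User msg:":
            value_follows = True
        elif value_follows:
            value_follows = False
            if expect_password and m:
                line = line[: line.index("]: ") + 3] + "<redacted>"
                expect_password = False
        out.append(line)
    return out


# Constructed sample mirroring the posted trace, plus a second child whose user resolved.
SAMPLE_LOG = [
    "Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey",
    "Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT",
    "Mon Nov 23 15:21:16 2009 [3806]: User msg:",
    "Mon Nov 23 15:21:16 2009 [3806]: myusername",
    "Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername",
    "Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1",
    "Mon Nov 23 15:21:21 2009 [3806]: User msg:",
    "Mon Nov 23 15:21:21 2009 [3806]: mypassword",
    "Mon Nov 23 15:21:22 2009 [3806]: Unknown user",
    "Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected",
    "Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0",
    "Mon Nov 23 15:30:02 2009 [3810]: pam_verify otheruser",
    "Mon Nov 23 15:30:05 2009 [3810]: login query for 'otheruser' tty1 from 10.1.69.90 rejected",
    "Mon Nov 23 15:30:05 2009 [3810]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0",
]

if __name__ == "__main__":
    for pid, s in parse_log(SAMPLE_LOG).items():
        print(pid, s.user, s.client, diagnose(s))
```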
From hailumeng at gmail.com Tue Nov 24 13:22:11 2009
From: hailumeng at gmail.com (Hailu Meng)
Date: Tue, 24 Nov 2009 07:22:11 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To:
References: <8dabae5b0911231548u2548f07ep85bd045cca8a93ed@mail.gmail.com>
Message-ID: <8dabae5b0911240522r18c4d9vc65096295522be5d@mail.gmail.com>

Hi Jeroen,

I see the packets sent back from AD for the search request have 4 attributes included:

objectclass
cn
description
sAMAccountName

And these attribute values are correct. sAMAccountName is my login user id, cn is my Full Name, objectclass is 4 items (top, person, organizationalperson, user). I'm not sure whether it is enough for PAM to go to the next step? But it did give us the error message "Unknown User".

I observed that when I input the password in my router and hit ENTER, my wireshark captured two search requests from TACACS and two responses from AD. Same contents as the previous one when I input my user name in the router. I'm not sure whether it is possible that TACACS didn't find the information it wants from AD although AD responded with something (4 attribute values).

By the way, I can't find any log information about PAM. I think it should be in /var/log/secure. But nothing in this file. Do you know how to find these logs or turn them on?

Thanks for the help.

Lou
By the way, I also saw the log info in > >> > > /var/log/message: > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 > Initialized > >> 1 > >> > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 > >> > > [10.1.69.89] > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' > tty0 > >> from > >> > > > >> 10.1.69.89 rejected > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser > >> 10.1.69.89 > >> > > > >> (10.1.69.89) tty0 > >> > > > >> > >> > > > >> Do we have option to see the log about PAM? I haven't found > where > >> it > >> > > is. > >> > > > >> if we can check the log of PAM, then we could find something > >> useful. > >> > > Right > >> > > > >> now the log of tac_plus didn't tell too much about why login > got > >> > > failure. > >> > > > >> > > add -d 32. -d x -d y ... will be logically OR'd together. > >> > > > >> > > > >> Lou > >> > > > >> > >> > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley < > heas at shrubbery.net > >> > > >> > > wrote: > >> > > > >> > >> > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng: > >> > > > >>> > Thanks John for helping me check this issue. > >> > > > >>> > > >> > > > >>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 > -g > >> to > >> > > see > >> > > > >>> the > >> > > > >>> > >> > > > >>> try -d 16 -d 256. which i think will log the pwd that pam > >> received > >> > > from > >> > > > >>> the device. make its correct. the logs below do appear to be > a > >> > > > >>> reject/fail > >> > > > >>> returned from pam. > >> > > > >>> > >> > > > >>> > log in stdout and in log file. I can't see any suspicious > log > >> > > > >>> information > >> > > > >>> > here. 
I paste the log below: > >> > > > >>> > > >> > > > >>> > > >> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23 > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, > >> seq no > >> > > 5, > >> > > > >>> flags > >> > > > >>> > 0x1 > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 > >> > > (0xc46868ce), > >> > > > >>> Data > >> > > > >>> > length > >> > > > >>> > 11 (0xb) > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), > >> > > user_data_len 0 > >> > > > >>> (0x0) > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0 > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg: > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data: > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose > default_fn > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication > >> function > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS > size=28 > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, > >> seq no > >> > > 6, > >> > > > >>> flags > >> > > > >>> > 0x1 > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 > >> > > (0xc46868ce), > >> > > > >>> Data > >> > > > >>> > length > >> > > > >>> > 16 (0x10) > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 > >> > > (AUTHEN/GETPASS) > >> > > > >>> > flags=0x1 > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: 
msg_len=10, data_len=0 > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg: > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password: > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data: > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30 > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey > >> > > > >>> > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, > >> seq no > >> > > 7, > >> > > > >>> flags > >> > > > >>> > 0x1 > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 > >> > > (0xc46868ce), > >> > > > >>> Data > >> > > > >>> > length > >> > > > >>> > 18 (0x12) > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), > >> > > user_data_len 0 > >> > > > >>> > (0x0) > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0 > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg: > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data: > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for > 'myusername' > >> tty0 > >> > > from > >> > > > >>> > 10.1.69.89 r > >> > > > >>> > ejected > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername > >> > > 10.1.69.89 > >> > > > >>> > (10.1.69.89) t > >> > > > >>> > ty0 > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18 > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, > >> seq no > >> > > 8, > >> > > > >>> flags > >> > > > >>> > 0x1 > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 
session_id 3295176910 > >> > > (0xc46868ce), > >> > > > >>> Data > >> > > > >>> > length > >> > > > >>> > 6 (0x6) > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 > >> (AUTHEN/FAIL) > >> > > > >>> > flags=0x0 > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0 > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg: > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data: > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect > >> > > > >>> > > >> > > > >>> > > >> > > > >>> > > >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley < > >> heas at shrubbery.net > >> > > > > >> > > > >>> wrote: > >> > > > >>> > > >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng: > >> > > > >>> > > > Hi Adam, > >> > > > >>> > > > > >> > > > >>> > > > If the ldapsearch -D "" -w "" runs successfully, what do > we > >> > > suppose > >> > > > >>> to > >> > > > >>> > > get > >> > > > >>> > > > from the output? I just got all of the user information > in > >> that > >> > > > >>> group. > >> > > > >>> > > Does > >> > > > >>> > > > that means my password and username got authenticated > >> > > successfully > >> > > > >>> > > against > >> > > > >>> > > > AD? > >> > > > >>> > > > > >> > > > >>> > > > This thing drives me crazy. I need solve it through this > >> week > >> > > > >>> before the > >> > > > >>> > > > holiday... > >> > > > >>> > > > >> > > > >>> > > i havent followed this thread, as i know nearly zero about > >> ldap. > >> > > > >>> but, > >> > > > >>> > > have you enabled authentication debugging in the tacacas > >> daemon > >> > > and > >> > > > >>> > > checked the logs to determine what is coming back from > pam? 
> >> it > >> > > very > >> > > > >>> > > well may be that the ldap client is working just fine, but > >> there > >> > > is a > >> > > > >>> > > pam module bug or a bug in the tacplus daemon or that your > >> device > >> > > > >>> > > simply doesnt like something about the replies. > >> > > > >>> > > > >> > > > >>> > > > Thanks a lot for the help. > >> > > > >>> > > > > >> > > > >>> > > > Lou > >> > > > >>> > > > > >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng < > >> > > hailumeng at gmail.com> > >> > > > >>> wrote: > >> > > > >>> > > > > >> > > > >>> > > > > Still no clue how to turn on the log. binding seems > good. > >> See > >> > > my > >> > > > >>> > > findings > >> > > > >>> > > > > below. Thanks a lot. > >> > > > >>> > > > > > >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam < > >> > > prozaconstilts at gmail.com> > >> > > > >>> > > wrote: > >> > > > >>> > > > > > >> > > > >>> > > > >> Hailu Meng wrote: > >> > > > >>> > > > >> > >> > > > >>> > > > >>> Adam, > >> > > > >>> > > > >>> > >> > > > >>> > > > >>> I tried the su - "userid" in my tacacs+ server but I > >> don't > >> > > have > >> > > > >>> that > >> > > > >>> > > > >>> userid in CentOS. So the CentOS just don't want me > log > >> in. > >> > > I > >> > > > >>> think > >> > > > >>> > > this will > >> > > > >>> > > > >>> not ask tacacs server to authenticate against AD. > >> > > > >>> > > > >>> > >> > > > >>> > > > >> > >> > > > >>> > > > >> You shouldn't need to have to define the user in > CentOS, > >> > > that's > >> > > > >>> the > >> > > > >>> > > point > >> > > > >>> > > > >> of using ldap for authentication. The user is defined > in > >> > > ldap, > >> > > > >>> not in > >> > > > >>> > > > >> CentOS. 
Now that I think about it, su - > probably > >> > > wouldn't > >> > > > >>> work > >> > > > >>> > > > >> anyway, as AD doesn't by default have the data needed > by > >> a > >> > > linux > >> > > > >>> box > >> > > > >>> > > to > >> > > > >>> > > > >> allow login...but see below for more options. > >> > > > >>> > > > >> > >> > > > >>> > > > >> > >> > > > >>> > > > >> > >> > > > >>> > > > >>> Is there any other way to test ldap authentication > >> against > >> > > AD > >> > > > >>> with > >> > > > >>> > > the > >> > > > >>> > > > >>> userid in AD? I tried ldapsearch. It did find my > user > >> id > >> > > > >>> without > >> > > > >>> > > problem. > >> > > > >>> > > > >>> But I haven't found any option to try with password > and > >> > > > >>> authenticate > >> > > > >>> > > against > >> > > > >>> > > > >>> AD. > >> > > > >>> > > > >>> > >> > > > >>> > > > >> > >> > > > >>> > > > >> Try using -D: > >> > > > >>> > > > >> > >> > > > >>> > > > >> from `man ldapsearch`: > >> > > > >>> > > > >> > >> > > > >>> > > > >> -D binddn > >> > > > >>> > > > >> Use the Distinguished Name binddn to bind to the > LDAP > >> > > > >>> directory. > >> > > > >>> > > > >> > >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you > try > >> to > >> > > > >>> authenticate > >> > > > >>> > > > >> using whatever user you want to define. Just check > and > >> > > double > >> > > > >>> check > >> > > > >>> > > you get > >> > > > >>> > > > >> the right path in that dn. > >> > > > >>> > > > >> > >> > > > >>> > > > >> > >> > > > >>> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc " but it > just > >> > > > >>> returned lots > >> > > > >>> > > of > >> > > > >>> > > > > users' information. It means successful? > >> > > > >>> > > > > > >> > > > >>> > > > > > >> > > > >>> > > > >> Do you have ldap server setup or only the openldap > >> library > >> > > and > >> > > > >>> > > openldap > >> > > > >>> > > > >>> client? I don't understand why the log is not turned > >> on. 
> >> > > There > >> > > > >>> must > >> > > > >>> > > be some > >> > > > >>> > > > >>> debugging info in the log which can help solve this > >> issue. > >> > > > >>> > > > >>> > >> > > > >>> > > > >> > >> > > > >>> > > > >> only the libs and client. You should not need the > >> server. In > >> > > the > >> > > > >>> > > > >> ldapsearch, you can use -d to get debugging > >> info > >> > > for > >> > > > >>> that > >> > > > >>> > > search. > >> > > > >>> > > > >> As before, higher number = more debug > >> > > > >>> > > > >> > >> > > > >>> > > > >> > >> > > > >>> > > > >> If the user can authenticate, does ethereal capture > >> some > >> > > > >>> packets > >> > > > >>> > > about > >> > > > >>> > > > >>> password verification? Right now I only see the > packets > >> > > when > >> > > > >>> ldap > >> > > > >>> > > search for > >> > > > >>> > > > >>> my user id and gets results back from AD. > >> > > > >>> > > > >>> > >> > > > >>> > > > >> > >> > > > >>> > > > >> Ethereal should catch all data flowing between the > >> client > >> > > and > >> > > > >>> server. > >> > > > >>> > > If > >> > > > >>> > > > >> you can search out the user in your AD right now, > then > >> one > >> > > of > >> > > > >>> two > >> > > > >>> > > things is > >> > > > >>> > > > >> happening: > >> > > > >>> > > > >> > >> > > > >>> > > > >> 1. You are performing anonymous searches. In this > case, > >> no > >> > > > >>> username > >> > > > >>> > > and pw > >> > > > >>> > > > >> is provided, and your AD is happy to hand over info > to > >> > > anyone > >> > > > >>> who asks > >> > > > >>> > > for > >> > > > >>> > > > >> it. If this is the case, you will _not_ see > >> authentication > >> > > > >>> > > information. 
The > >> > > > >>> > > > >> following MS KB article should probably help you > >> determine > >> > > on > >> > > > >>> your AD > >> > > > >>> > > if > >> > > > >>> > > > >> anonymous queries are allowed: > >> > > > >>> > > > >> > >> > > > >>> > > > >> http://support.microsoft.com/kb/320528 > >> > > > >>> > > > >> > >> > > > >>> > > > >> It has exact instructions for how to get it going, > but > >> you > >> > > can > >> > > > >>> follow > >> > > > >>> > > > >> along with it to check your current settings without > >> making > >> > > any > >> > > > >>> > > changes. > >> > > > >>> > > > >> > >> > > > >>> > > > > > >> > > > >>> > > > > I checked our setting. Permission type for normal user > is > >> > > "Read & > >> > > > >>> > > Execute". > >> > > > >>> > > > > I click edit to check the detail about permission. I > >> think it > >> > > > >>> only > >> > > > >>> > > allow the > >> > > > >>> > > > > user to read the attributes, permission something and > >> can't > >> > > > >>> modify the > >> > > > >>> > > > > AD.There is "Everyone" setting is also set as "Read & > >> > > Execute". > >> > > > >>> By the > >> > > > >>> > > way, > >> > > > >>> > > > > the AD is Win2003 R2. > >> > > > >>> > > > > > >> > > > >>> > > > > > >> > > > >>> > > > >> > >> > > > >>> > > > >> 2. Authentication is happening. It will be the _very_ > >> first > >> > > > >>> thing the > >> > > > >>> > > > >> client and server perform, after basic connection > >> > > establishment. > >> > > > >>> Look > >> > > > >>> > > for it > >> > > > >>> > > > >> at the very beginning of a dump. > >> > > > >>> > > > >> > >> > > > >>> > > > >> > >> > > > >>> > > > >> > >> > > > >>> > > > >> Also, it's a bit overkill, but the following article > is > >> > > > >>> extremely > >> > > > >>> > > > >> informative about all the different ways you can plug > >> linux > >> > > into > >> > > > >>> AD > >> > > > >>> > > for > >> > > > >>> > > > >> authentication. It might offer some hints... 
> >> > > > >>> > > > >>
> >> > > > >>> > > > >>> Maybe I need dig into ldap.conf more. If you have
> any
> >> idea,
> >> > > let
> >> > > > >>> me
> >> > > > >>> > > know.
> >> > > > >>> > > > >>>
> >> > > > >>> > > > >>> Thank you very much.
> >> > > > >>> > > > >>>
> >> > > > >>> > > > >>> Lou
> >> > > > >>> > > > >>>
> >> > > > >>> > > > >>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/731c29b6/attachment.html

From jeroen at nijhofnet.nl Tue Nov 24 15:19:37 2009
From: jeroen at nijhofnet.nl (Jeroen Nijhof)
Date: Tue, 24 Nov 2009 16:19:37 +0100 (CET)
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911240522r18c4d9vc65096295522be5d@mail.gmail.com>
Message-ID: <0y7wwr4C.1259075977.4075310.jeroen@nijhofnet.nl>

Hi Lou,

Check with 'getent passwd ' if you get the right user with the right
information from your AD via ldap. If not then you should probably check
your /etc/ldap.conf for the right search scope and attribute mappings.
Nss_ldap and pam_ldap use the /etc/ldap.conf file, so if it works with an
nss lookup via getent it should work for pam_ldap as well.

You can define a debug level as well in the /etc/ldap.conf file for
logging. It's logging to /var/log/auth.log for me..

Regards,
Jeroen

On 24/11/2009 "Hailu Meng" wrote:
>Hi Jeroen,
>
>I see the packets sent back from AD for the search request have 4 attributes
>included:
>objectclass
>cn
>description
>sAMAccountName
>
>And these attributes values are correct. sAMAccountName is my login user id.
>cn is my Full Name, objectclass is 4 items (top, person,
>organizationalperson , user)
>
>I'm not sure is it enough for PAM to go to the next step? But it did give us
>error message "Unknown User". I observed that when I input the password in
>my router and hit ENTER, my wireshark captured two search requests from
>TACACS and two responses from AD. Same contents as the previous one when I
>input my user name in the router. I'm not sure is that possible that TACACS
>didn't find the information it wants from AD although AD respond something
>(4 attributes values)
>
>By the way, I can't find any log information about PAM. I think it should be
>in /var/log/secure. But nothing in this file. Do you know how to find these
>log or turn it on?
>
>Thanks for the help.
>
>Lou
>
>On Tue, Nov 24, 2009 at 4:11 AM, Jeroen Nijhof wrote:
>
>>
>> Hi Lou,
>>
>> Yes, most server applications check if a user exists by looking up the
>> uid via nss before doing any authentication (i.e. sshd).
>>
>> Regards,
>> Jeroen
>>
>> On 23/11/2009 "Hailu Meng" wrote:
>>
>> >Hi Jeroen,
>> >
>> >Thanks for helping. I modified the nssswitch.conf as below:
>> >passwd: files ldap
>> >shadow: files ldap
>> >group: files ldap
>> >
>> >And leave the other settings as default.
>> >
>> >the user attributes you are talking about are the attributes retrieving
>> from
>> >AD? I do see the packets from AD server told my tacacs+ server the user
>> >attributes including homedir.
>> >
>> >Thanks.
>> >
>> >Lou
>> >
>> >
>> >On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof
>> wrote:
>> >
>> >> Hi,
>> >>
>> >> Did you setup the nsswitch.conf as well on your tac_plus server?
>> >> Your tac_plus server needs to lookup the user attributes like homedir
>> >> etc, otherwise pam will fail.
>> >>
>> >> Regards,
>> >> Jeroen Nijhof
>> >>
>> >> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
>> >> > Ok. With -d 32, I got some more info about pam as red color log.
>> >> >
>> >> > There is "Unknown user" log info following the input of my user
>> password.
>> >> > Feel confused since ldap is able to get user info from Active
>> directory,
>> >> why
>> >> > it turns out "Unknown user" here.
>> >> >
>> >> > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
>> >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
>> >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3,
>> >> flags
>> >> > 0x1
>> >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644),
>> Data
>> >> > length 11 (0xb)
>> >> > Mon Nov 23 15:21:16 2009 [3806]: End header
>> >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
>> >> > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0
>> >> (0x0)
>> >> > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
>> >> > Mon Nov 23 15:21:16 2009 [3806]: User msg:
>> >> > Mon Nov 23 15:21:16 2009 [3806]: myusername
>> >> > Mon Nov 23 15:21:16 2009 [3806]: User data:
>> >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
>> >> > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
>> >> > Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
>> >> > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
>> >> > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
>> >> > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0:
>> >> PAM_PROMPT_ECHO_OFF
>> >> > Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
>> >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
>> >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4,
>> >> flags
>> >> > 0x1
>> >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644),
>> Data
>> >> > length 16 (0x10)
>> >> > Mon Nov 23 15:21:16 2009 [3806]: End header
>> >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS)
>> >> > flags=0x1
>> >> > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
>> >> > Mon Nov 23 15:21:16 2009 [3806]: msg:
>> >> > Mon Nov 23 15:21:16 2009 [3806]: Password:
>> >> > Mon Nov 23 15:21:16 2009 [3806]: data:
>> >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
>> >> > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
>> >> > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
>> >> > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
>> >> > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5,
>> >> flags
>> >> > 0x1
>> >> > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644),
>> Data
>> >> > length 18 (0x12)
>> >> > Mon Nov 23 15:21:21 2009 [3806]: End header
>> >> > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
>> >> > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len
>> 0
>> >> > (0x0)
>> >> > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
>> >> > Mon Nov 23 15:21:21 2009 [3806]: User msg:
>> >> > Mon Nov 23 15:21:21 2009 [3806]: mypassword
>> >> > Mon Nov 23 15:21:21 2009 [3806]: User data:
>> >> > Mon Nov 23 15:21:21 2009 [3806]: End packet
>> >> > Mon Nov 23 15:21:22 2009 [3806]: Unknown user
>> >> > Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0
>> from
>> >> > 10.1.69.89 rejected
>> >> > Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername10.1.69.89
>> >> > (10.1.69.89) tty0
>> >> > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
>> >> > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
>> >> > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6,
>> >> flags
>> >> > 0x1
>> >> > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644),
>> Data
>> >> > length 6 (0x6)
>> >> > Mon Nov 23 15:21:22 2009 [3806]: End header
>> >> > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL)
>> >> > flags=0x0
>> >> > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
>> >> > Mon Nov 23 15:21:22 2009 [3806]: msg:
>> >> > Mon Nov 23 15:21:22 2009 [3806]: data:
>> >> > Mon Nov 23 15:21:22 2009 [3806]: End packet
>> >> > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
>> >> >
>> >> >
>> >> > On Mon, Nov 23, 2009 at 3:16 PM, john heasley
>> >> wrote:
>> >> >
>> >> > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
>> >> > > > I just saw some posts saying pam_krb winbind could be needed to
>> get
>> >> pam
>> >> > > work
>> >> > > > against active directory. Is this true? The post I was following
>> >> actually
>> >> > > is
>> >> > > > for a LDAP server not Active Directory.
>> >> > >
>> >> > > i dont know; each pam implementation seems to be [at least] slightly
>> >> > > different. seems silly to need kerberos for ldap.
>> >> > >
>> >> > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng
>> >> wrote:
>> >> > > >
>> >> > > > > I think I need put my pam configuration here:
>> >> > > > >
>> >> > > > > I followed this post
>> >> > > > >
>> >> http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html to
>> >> > > > > configure my pam module:
>> >> > > > >
>> >> > > > > /etc/pam.d/tacacs
>> >> > > > >
>> >> > > > > auth include system-auth
>> >> > > > > account required pam_nologin.so
>> >> > > > > account include system-auth
>> >> > > > > password include system-auth
>> >> > > > > session optional pam_keyinit.so force revoke
>> >> > > > > session include system-auth
>> >> > > > > session required pam_loginuid.so
>> >> > > > >
>> >> > > > > /etc/pam.d/system-auth
>> >> > > > > #%PAM-1.0
>> >> > > > > # This file is auto-generated.
>> >> > > > > # User changes will be destroyed the next time authconfig is
>> run.
>> >> > > > > auth required pam_env.so
>> >> > > > > auth sufficient pam_unix.so nullok try_first_pass
>> >> > > > > auth requisite pam_succeed_if.so uid >= 500 quiet
>> >> > > > > auth sufficient pam_ldap.so use_first_pass
>> >> > > > > auth required pam_deny.so
>> >> > > > >
>> >> > > > > account required pam_unix.so broken_shadow
>> >> > > > > account sufficient pam_succeed_if.so uid < 500 quiet
>> >> > > > >
>> >> > > > > account [default=bad success=ok user_unknown=ignore]
>> >> pam_ldap.so
>> >> > > > > account required pam_permit.so
>> >> > > > >
>> >> > > > > password requisite pam_cracklib.so try_first_pass retry=3
>> >> > > > > password sufficient pam_unix.so md5 shadow nullok
>> >> try_first_pass
>> >> > > > > use_authtok
>> >> > > > > password sufficient pam_ldap.so use_authtok
>> >> > > > > password required pam_deny.so
>> >> > > > >
>> >> > > > > session optional pam_keyinit.so revoke
>> >> > > > > session required pam_limits.so
>> >> > > > > session [success=1 default=ignore] pam_succeed_if.so service
>> in
>> >> > > crond
>> >> > > > > quiet use_uid
>> >> > > > > session required pam_unix.so
>> >> > > > > session optional pam_ldap.so
>> >> > > > >
>> >> > > > >
>> >> > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <
>> hailumeng at gmail.com>
>> >> > > wrote:
>> >> > > > >
>> >> > > > >> Hi John,
>> >> > > > >>
>> >> > > > >> You mean issue commands like tac_plus -C /etct/tac_plus.conf -L
>> -p
>> >> 49
>> >> > > -d
>> >> > > > >> 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make any
>> >> change. I
>> >> > > got
>> >> > > > >> same log info. By the way, I also saw the log info in
>> >> > > /var/log/message:
>> >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
>> >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19
>> Initialized
>> >> 1
>> >> > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89
>> >> > > [10.1.69.89]
>> >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser'
>> tty0
>> >> from
>> >> > > > >> 10.1.69.89 rejected
>> >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser
>> >> 10.1.69.89
>> >> > > > >> (10.1.69.89) tty0
>> >> > > > >>
>> >> > > > >> Do we have option to see the log about PAM? I haven't found
>> where
>> >> it
>> >> > > is.
>> >> > > > >> if we can check the log of PAM, then we could find something
>> >> useful.
>> >> > > Right
>> >> > > > >> now the log of tac_plus didn't tell too much about why login
>> got
>> >> > > failure.
>> >> > >
>> >> > > add -d 32. -d x -d y ... will be logically OR'd together.
>> >> > >
>> >> > > > >> Lou
>> >> > > > >>
>> >> > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley <
>> heas at shrubbery.net
>> >> >
>> >> > > wrote:
>> >> > > > >>
>> >> > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
>> >> > > > >>> > Thanks John for helping me check this issue.
>> >> > > > >>> >
>> >> > > > >>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256
>> -g
>> >> to
>> >> > > see
>> >> > > > >>> the
>> >> > > > >>>
>> >> > > > >>> try -d 16 -d 256. which i think will log the pwd that pam
>> >> received
>> >> > > from
>> >> > > > >>> the device. make its correct. the logs below do appear to be
>> a
>> >> > > > >>> reject/fail
>> >> > > > >>> returned from pam.
>> >> > > > >>>
>> >> > > > >>> > log in stdout and in log file. I can't see any suspicious
>> log
>> >> > > > >>> information
>> >> > > > >>> > here. I paste the log below:
>> >> > > > >>> >
>> >> > > > >>> >
>> >> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1,
>> >> seq no
>> >> > > 5,
>> >> > > > >>> flags
>> >> > > > >>> > 0x1
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910
>> >> > > (0xc46868ce),
>> >> > > > >>> Data
>> >> > > > >>> > length
>> >> > > > >>> > 11 (0xb)
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6),
>> >> > > user_data_len 0
>> >> > > > >>> (0x0)
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg:
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data:
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose
>> default_fn
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication
>> >> function
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS
>> size=28
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1,
>> >> seq no
>> >> > > 6,
>> >> > > > >>> flags
>> >> > > > >>> > 0x1
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910
>> >> > > (0xc46868ce),
>> >> > > > >>> Data
>> >> > > > >>> > length
>> >> > > > >>> > 16 (0x10)
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
>> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5
>> >> > > (AUTHEN/GETPASS)
>> >> > > > >>> > flags=0x1
>> >> 
> >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0 >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg: >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password: >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data: >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30 >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey >> >> > > > >>> >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, >> >> seq no >> >> > > 7, >> >> > > > >>> flags >> >> > > > >>> > 0x1 >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 >> >> > > (0xc46868ce), >> >> > > > >>> Data >> >> > > > >>> > length >> >> > > > >>> > 18 (0x12) >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), >> >> > > user_data_len 0 >> >> > > > >>> > (0x0) >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0 >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg: >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data: >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for >> 'myusername' >> >> tty0 >> >> > > from >> >> > > > >>> > 10.1.69.89 r >> >> > > > >>> > ejected >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername >> >> > > 10.1.69.89 >> >> > > > >>> > (10.1.69.89) t >> >> > > > >>> > ty0 >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18 >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, >> >> seq no >> >> > > 8, >> >> > > > 
>>> flags >> >> > > > >>> > 0x1 >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 >> >> > > (0xc46868ce), >> >> > > > >>> Data >> >> > > > >>> > length >> >> > > > >>> > 6 (0x6) >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 >> >> (AUTHEN/FAIL) >> >> > > > >>> > flags=0x0 >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0 >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg: >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data: >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect >> >> > > > >>> > >> >> > > > >>> > >> >> > > > >>> > >> >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley < >> >> heas at shrubbery.net >> >> > > > >> >> > > > >>> wrote: >> >> > > > >>> > >> >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng: >> >> > > > >>> > > > Hi Adam, >> >> > > > >>> > > > >> >> > > > >>> > > > If the ldapsearch -D "" -w "" runs successfully, what do >> we >> >> > > suppose >> >> > > > >>> to >> >> > > > >>> > > get >> >> > > > >>> > > > from the output? I just got all of the user information >> in >> >> that >> >> > > > >>> group. >> >> > > > >>> > > Does >> >> > > > >>> > > > that means my password and username got authenticated >> >> > > successfully >> >> > > > >>> > > against >> >> > > > >>> > > > AD? >> >> > > > >>> > > > >> >> > > > >>> > > > This thing drives me crazy. I need solve it through this >> >> week >> >> > > > >>> before the >> >> > > > >>> > > > holiday... >> >> > > > >>> > > >> >> > > > >>> > > i havent followed this thread, as i know nearly zero about >> >> ldap. >> >> > > > >>> but, >> >> > > > >>> > > have you enabled authentication debugging in the tacacas >> >> daemon >> >> > > and >> >> > > > >>> > > checked the logs to determine what is coming back from >> pam? 
>> >> it >> >> > > very >> >> > > > >>> > > well may be that the ldap client is working just fine, but >> >> there >> >> > > is a >> >> > > > >>> > > pam module bug or a bug in the tacplus daemon or that your >> >> device >> >> > > > >>> > > simply doesnt like something about the replies. >> >> > > > >>> > > >> >> > > > >>> > > > Thanks a lot for the help. >> >> > > > >>> > > > >> >> > > > >>> > > > Lou >> >> > > > >>> > > > >> >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng < >> >> > > hailumeng at gmail.com> >> >> > > > >>> wrote: >> >> > > > >>> > > > >> >> > > > >>> > > > > Still no clue how to turn on the log. binding seems >> good. >> >> See >> >> > > my >> >> > > > >>> > > findings >> >> > > > >>> > > > > below. Thanks a lot. >> >> > > > >>> > > > > >> >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam < >> >> > > prozaconstilts at gmail.com> >> >> > > > >>> > > wrote: >> >> > > > >>> > > > > >> >> > > > >>> > > > >> Hailu Meng wrote: >> >> > > > >>> > > > >> >> >> > > > >>> > > > >>> Adam, >> >> > > > >>> > > > >>> >> >> > > > >>> > > > >>> I tried the su - "userid" in my tacacs+ server but I >> >> don't >> >> > > have >> >> > > > >>> that >> >> > > > >>> > > > >>> userid in CentOS. So the CentOS just don't want me >> log >> >> in. >> >> > > I >> >> > > > >>> think >> >> > > > >>> > > this will >> >> > > > >>> > > > >>> not ask tacacs server to authenticate against AD. >> >> > > > >>> > > > >>> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> You shouldn't need to have to define the user in >> CentOS, >> >> > > that's >> >> > > > >>> the >> >> > > > >>> > > point >> >> > > > >>> > > > >> of using ldap for authentication. The user is defined >> in >> >> > > ldap, >> >> > > > >>> not in >> >> > > > >>> > > > >> CentOS. 
Now that I think about it, su - >> probably >> >> > > wouldn't >> >> > > > >>> work >> >> > > > >>> > > > >> anyway, as AD doesn't by default have the data needed >> by >> >> a >> >> > > linux >> >> > > > >>> box >> >> > > > >>> > > to >> >> > > > >>> > > > >> allow login...but see below for more options. >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >>> Is there any other way to test ldap authentication >> >> against >> >> > > AD >> >> > > > >>> with >> >> > > > >>> > > the >> >> > > > >>> > > > >>> userid in AD? I tried ldapsearch. It did find my >> user >> >> id >> >> > > > >>> without >> >> > > > >>> > > problem. >> >> > > > >>> > > > >>> But I haven't found any option to try with password >> and >> >> > > > >>> authenticate >> >> > > > >>> > > against >> >> > > > >>> > > > >>> AD. >> >> > > > >>> > > > >>> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> Try using -D: >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> from `man ldapsearch`: >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> -D binddn >> >> > > > >>> > > > >> Use the Distinguished Name binddn to bind to the >> LDAP >> >> > > > >>> directory. >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you >> try >> >> to >> >> > > > >>> authenticate >> >> > > > >>> > > > >> using whatever user you want to define. Just check >> and >> >> > > double >> >> > > > >>> check >> >> > > > >>> > > you get >> >> > > > >>> > > > >> the right path in that dn. >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc " but it >> just >> >> > > > >>> returned lots >> >> > > > >>> > > of >> >> > > > >>> > > > > users' information. It means successful? >> >> > > > >>> > > > > >> >> > > > >>> > > > > >> >> > > > >>> > > > >> Do you have ldap server setup or only the openldap >> >> library >> >> > > and >> >> > > > >>> > > openldap >> >> > > > >>> > > > >>> client? 
I don't understand why the log is not turned >> >> on. >> >> > > There >> >> > > > >>> must >> >> > > > >>> > > be some >> >> > > > >>> > > > >>> debugging info in the log which can help solve this >> >> issue. >> >> > > > >>> > > > >>> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> only the libs and client. You should not need the >> >> server. In >> >> > > the >> >> > > > >>> > > > >> ldapsearch, you can use -d to get debugging >> >> info >> >> > > for >> >> > > > >>> that >> >> > > > >>> > > search. >> >> > > > >>> > > > >> As before, higher number = more debug >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> If the user can authenticate, does ethereal capture >> >> some >> >> > > > >>> packets >> >> > > > >>> > > about >> >> > > > >>> > > > >>> password verification? Right now I only see the >> packets >> >> > > when >> >> > > > >>> ldap >> >> > > > >>> > > search for >> >> > > > >>> > > > >>> my user id and gets results back from AD. >> >> > > > >>> > > > >>> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> Ethereal should catch all data flowing between the >> >> client >> >> > > and >> >> > > > >>> server. >> >> > > > >>> > > If >> >> > > > >>> > > > >> you can search out the user in your AD right now, >> then >> >> one >> >> > > of >> >> > > > >>> two >> >> > > > >>> > > things is >> >> > > > >>> > > > >> happening: >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> 1. You are performing anonymous searches. In this >> case, >> >> no >> >> > > > >>> username >> >> > > > >>> > > and pw >> >> > > > >>> > > > >> is provided, and your AD is happy to hand over info >> to >> >> > > anyone >> >> > > > >>> who asks >> >> > > > >>> > > for >> >> > > > >>> > > > >> it. If this is the case, you will _not_ see >> >> authentication >> >> > > > >>> > > information. 
The >> >> > > > >>> > > > >> following MS KB article should probably help you >> >> determine >> >> > > on >> >> > > > >>> your AD >> >> > > > >>> > > if >> >> > > > >>> > > > >> anonymous queries are allowed: >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> http://support.microsoft.com/kb/320528 >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> It has exact instructions for how to get it going, >> but >> >> you >> >> > > can >> >> > > > >>> follow >> >> > > > >>> > > > >> along with it to check your current settings without >> >> making >> >> > > any >> >> > > > >>> > > changes. >> >> > > > >>> > > > >> >> >> > > > >>> > > > > >> >> > > > >>> > > > > I checked our setting. Permission type for normal user >> is >> >> > > "Read & >> >> > > > >>> > > Execute". >> >> > > > >>> > > > > I click edit to check the detail about permission. I >> >> think it >> >> > > > >>> only >> >> > > > >>> > > allow the >> >> > > > >>> > > > > user to read the attributes, permission something and >> >> can't >> >> > > > >>> modify the >> >> > > > >>> > > > > AD.There is "Everyone" setting is also set as "Read & >> >> > > Execute". >> >> > > > >>> By the >> >> > > > >>> > > way, >> >> > > > >>> > > > > the AD is Win2003 R2. >> >> > > > >>> > > > > >> >> > > > >>> > > > > >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> 2. Authentication is happening. It will be the _very_ >> >> first >> >> > > > >>> thing the >> >> > > > >>> > > > >> client and server perform, after basic connection >> >> > > establishment. >> >> > > > >>> Look >> >> > > > >>> > > for it >> >> > > > >>> > > > >> at the very beginning of a dump. >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> Also, it's a bit overkill, but the following article >> is >> >> > > > >>> extremely >> >> > > > >>> > > > >> informative about all the different ways you can plug >> >> linux >> >> > > into >> >> > > > >>> AD >> >> > > > >>> > > for >> >> > > > >>> > > > >> authentication. 
It might offer some hints... >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >>> Maybe I need dig into ldap.conf more. If you have >> any >> >> idea, >> >> > > let >> >> > > > >>> me >> >> > > > >>> > > know. >> >> > > > >>> > > > >>> >> >> > > > >>> > > > >>> Thank you very much. >> >> > > > >>> > > > >>> >> >> > > > >>> > > > >>> Lou >> >> > > > >>> > > > >>> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> >> >> > > > >>> > > > >> >> >> > > > >>> > > > > >> >> > > > >>> > > > -------------- next part -------------- >> >> > > > >>> > > > An HTML attachment was scrubbed... >> >> > > > >>> > > > URL: >> >> > > > >>> > > >> >> > > > >>> >> >> > > >> >> >> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html >> >> > > > >>> > > > _______________________________________________ >> >> > > > >>> > > > tac_plus mailing list >> >> > > > >>> > > > tac_plus at shrubbery.net >> >> > > > >>> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus >> >> > > > >>> > > >> >> > > > >>> >> >> > > > >> >> >> > > > >> >> >> > > > > >> >> > > >> >> > -------------- next part -------------- >> >> > An HTML attachment was scrubbed... >> >> > URL: >> >> >> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html >> >> > _______________________________________________ >> >> > tac_plus mailing list >> >> > tac_plus at shrubbery.net >> >> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus >> >> >> >> >> >> >> From heas at shrubbery.net Tue Nov 24 16:24:19 2009 
From: heas at shrubbery.net (john heasley)
Date: Tue, 24 Nov 2009 08:24:19 -0800
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To:
References: <8dabae5b0911231548u2548f07ep85bd045cca8a93ed@mail.gmail.com>
Message-ID: <20091124162419.GD7044@shrubbery.net>

Tue, Nov 24, 2009 at 11:11:57AM +0100, Jeroen Nijhof:
>
> Hi Lou,
>
> Yes, most server applications check if a user exists by looking up the
> uid via nss before doing any authentication (i.e. sshd).
>
> Regards,
> Jeroen
>
> On 23/11/2009 "Hailu Meng" wrote:
>
> >Hi Jeroen,
> >
> >Thanks for helping. I modified the nsswitch.conf as below:
> >passwd: files ldap
> >shadow: files ldap
> >group: files ldap
> >
> >And leave the other settings as default.
> >
> >The user attributes you are talking about are the attributes retrieved from
> >AD? I do see the packets from the AD server told my tacacs+ server the user
> >attributes including homedir.

i would not expect this to affect tacacs, unless you have something in
your pam config that requires it. ie: nsswitch.conf should control auth
for the host (eg: /sbin/login), tacacs is separate.

> >Thanks.
> >
> >Lou
> >
> >On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof wrote:
> >
> >> Hi,
> >>
> >> Did you setup the nsswitch.conf as well on your tac_plus server?
> >> Your tac_plus server needs to lookup the user attributes like homedir
> >> etc, otherwise pam will fail.
> >>
> >> Regards,
> >> Jeroen Nijhof
> >>
> >> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
> >> > Ok. With -d 32, I got some more info about pam as red color log.
> >> >
> >> > There is "Unknown user" log info following the input of my user password.
> >> > Feel confused since ldap is able to get user info from Active directory, why
> >> > it turns out "Unknown user" here.
> >> >
> >> > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
> >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1
> >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
> >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
> >> > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> >> > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
> >> > Mon Nov 23 15:21:16 2009 [3806]: User msg:
> >> > Mon Nov 23 15:21:16 2009 [3806]: myusername
> >> > Mon Nov 23 15:21:16 2009 [3806]: User data:
> >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> >> > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
> >> > Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
> >> > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
> >> > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
> >> > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF
> >> > Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
> >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1
> >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)
> >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> >> > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
> >> > Mon Nov 23 15:21:16 2009 [3806]: msg:
> >> > Mon Nov 23 15:21:16 2009 [3806]: Password:
> >> > Mon Nov 23 15:21:16 2009 [3806]: data:
> >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> >> > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
> >> > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
> >> > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
> >> > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> >> > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)
> >> > Mon Nov 23 15:21:21 2009 [3806]: End header
> >> > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
> >> > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> >> > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
> >> > Mon Nov 23 15:21:21 2009 [3806]: User msg:
> >> > Mon Nov 23 15:21:21 2009 [3806]: mypassword
> >> > Mon Nov 23 15:21:21 2009 [3806]: User data:
> >> > Mon Nov 23 15:21:21 2009 [3806]: End packet
> >> > Mon Nov 23 15:21:22 2009 [3806]: Unknown user
> >> > Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> >> > Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
> >> > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
> >> > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
> >> > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> >> > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 6 (0x6)
> >> > Mon Nov 23 15:21:22 2009 [3806]: End header
> >> > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> >> > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
> >> > Mon Nov 23 15:21:22 2009 [3806]: msg:
> >> > Mon Nov 23 15:21:22 2009 [3806]: data:
> >> > Mon Nov 23 15:21:22 2009 [3806]: End packet
> >> > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
> >> >
> >> > On Mon, Nov 23, 2009 at 3:16 PM, john heasley wrote:
> >> >
> >> > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
> >> > > > I just saw some posts saying pam_krb winbind could be needed to get pam to
> >> > > > work against active directory. Is this true? The post I was following actually
> >> > > > is for a LDAP server not Active Directory.
> >> > >
> >> > > i dont know; each pam implementation seems to be [at least] slightly
> >> > > different. seems silly to need kerberos for ldap.
> >> > >
> >> > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng wrote:
> >> > > >
> >> > > > > I think I need to put my pam configuration here:
> >> > > > >
> >> > > > > I followed this post
> >> > > > > http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html
> >> > > > > to configure my pam module:
> >> > > > >
> >> > > > > /etc/pam.d/tacacs
> >> > > > >
> >> > > > > auth include system-auth
> >> > > > > account required pam_nologin.so
> >> > > > > account include system-auth
> >> > > > > password include system-auth
> >> > > > > session optional pam_keyinit.so force revoke
> >> > > > > session include system-auth
> >> > > > > session required pam_loginuid.so
> >> > > > >
> >> > > > > /etc/pam.d/system-auth
> >> > > > > #%PAM-1.0
> >> > > > > # This file is auto-generated.
> >> > > > > # User changes will be destroyed the next time authconfig is run.
> >> > > > > auth required pam_env.so
> >> > > > > auth sufficient pam_unix.so nullok try_first_pass
> >> > > > > auth requisite pam_succeed_if.so uid >= 500 quiet
> >> > > > > auth sufficient pam_ldap.so use_first_pass
> >> > > > > auth required pam_deny.so
> >> > > > >
> >> > > > > account required pam_unix.so broken_shadow
> >> > > > > account sufficient pam_succeed_if.so uid < 500 quiet
> >> > > > > account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> >> > > > > account required pam_permit.so
> >> > > > >
> >> > > > > password requisite pam_cracklib.so try_first_pass retry=3
> >> > > > > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> >> > > > > password sufficient pam_ldap.so use_authtok
> >> > > > > password required pam_deny.so
> >> > > > >
> >> > > > > session optional pam_keyinit.so revoke
> >> > > > > session required pam_limits.so
> >> > > > > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> >> > > > > session required pam_unix.so
> >> > > > > session optional pam_ldap.so
> >> > > > >
> >> > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng wrote:
> >> > > > >
> >> > > > >> Hi John,
> >> > > > >>
> >> > > > >> You mean issue commands like tac_plus -C /etct/tac_plus.conf -L -p 49 -d 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make any change. I got the same log info.
> >> > > > >> By the way, I also saw the log info in /var/log/message:
> >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
> >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
> >> > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
> >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from 10.1.69.89 rejected
> >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89 (10.1.69.89) tty0
> >> > > > >>
> >> > > > >> Do we have an option to see the log about PAM? I haven't found where it is. If we can check the log of PAM, then we could find something useful. Right now the log of tac_plus didn't tell too much about why login got failure.
> >> > >
> >> > > add -d 32. -d x -d y ... will be logically OR'd together.
> >> > >
> >> > > > >> Lou
> >> > > > >>
> >> > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley wrote:
> >> > > > >>
> >> > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
> >> > > > >>> > Thanks John for helping me check this issue.
> >> > > > >>> >
> >> > > > >>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the
> >> > > > >>>
> >> > > > >>> try -d 16 -d 256. which i think will log the pwd that pam received from the device. make sure it's correct. the logs below do appear to be a reject/fail returned from pam.
> >> > > > >>>
> >> > > > >>> > log in stdout and in log file. I can't see any suspicious log information here. I paste the log below:
> >> > > > >>> >
> >> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 11 (0xb)
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg:
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data:
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 16 (0x10)
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg:
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password:
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data:
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet
> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30
> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey
> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, flags 0x1
> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 18 (0x12)
> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header
> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT
> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg:
> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword
> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data:
> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet
> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18
> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey
> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, flags 0x1
> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 6 (0x6)
> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header
> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0
> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg:
> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data:
> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet
> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect
> >> > > > >>> >
> >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley <heas at shrubbery.net> wrote:
> >> > > > >>> >
> >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:
> >> > > > >>> > > > Hi Adam,
> >> > > > >>> > > >
> >> > > > >>> > > > If the ldapsearch -D "" -w "" runs successfully, what do we suppose to get from the output? I just got all of the user information in that group. Does that mean my password and username got authenticated successfully against AD?
> >> > > > >>> > > >
> >> > > > >>> > > > This thing drives me crazy. I need to solve it through this week before the holiday...
> >> > > > >>> > >
> >> > > > >>> > > i havent followed this thread, as i know nearly zero about ldap. but, have you enabled authentication debugging in the tacacs daemon and checked the logs to determine what is coming back from pam? it very well may be that the ldap client is working just fine, but there is a pam module bug or a bug in the tacplus daemon or that your device simply doesnt like something about the replies.
> >> > > > >>> > >
> >> > > > >>> > > > Thanks a lot for the help.
> >> > > > >>> > > >
> >> > > > >>> > > > Lou
> >> > > > >>> > > >
> >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng <hailumeng at gmail.com> wrote:
> >> > > > >>> > > >
> >> > > > >>> > > > > Still no clue how to turn on the log. Binding seems good. See my findings below. Thanks a lot.
> >> > > > >>> > > > >
> >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam <prozaconstilts at gmail.com> wrote:
> >> > > > >>> > > > >
> >> > > > >>> > > > >> Hailu Meng wrote:
> >> > > > >>> > > > >>
> >> > > > >>> > > > >>> Adam,
> >> > > > >>> > > > >>>
> >> > > > >>> > > > >>> I tried the su - "userid" in my tacacs+ server but I don't have that userid in CentOS. So the CentOS just doesn't want me to log in. I think this will not ask the tacacs server to authenticate against AD.
> >> > > > >>> > > > >>>
> >> > > > >>> > > > >>
> >> > > > >>> > > > >> You shouldn't need to have to define the user in CentOS, that's the point of using ldap for authentication. The user is defined in ldap, not in CentOS. Now that I think about it, su - probably wouldn't work anyway, as AD doesn't by default have the data needed by a linux box to allow login...but see below for more options.
> >> > > > >>> > > > >>
> >> > > > >>> > > > >>> Is there any other way to test ldap authentication against AD with the userid in AD? I tried ldapsearch. It did find my user id without problem. But I haven't found any option to try with password and authenticate against AD.
> >> > > > >>> > > > >>>
> >> > > > >>> > > > >>
> >> > > > >>> > > > >> Try using -D:
> >> > > > >>> > > > >>
> >> > > > >>> > > > >> from `man ldapsearch`:
> >> > > > >>> > > > >>
> >> > > > >>> > > > >> -D binddn
> >> > > > >>> > > > >>        Use the Distinguished Name binddn to bind to the LDAP directory.
> >> > > > >>> > > > >>
> >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate using whatever user you want to define. Just check and double check you get the right path in that dn.
> >> > > > >>> > > > >>
> >> > > > >>> > > > >
> >> > > > >>> > > > > I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned lots of users' information. It means successful?
> >> > > > >>> > > > >
> >> > > > >>> > > > >>> Do you have ldap server setup or only the openldap library and openldap client? I don't understand why the log is not turned on. There must be some debugging info in the log which can help solve this issue.
> >> > > > >>> > > > >>>
> >> > > > >>> > > > >>
> >> > > > >>> > > > >> only the libs and client. You should not need the server. In the ldapsearch, you can use -d to get debugging info for that search. As before, higher number = more debug
> >> > > > >>> > > > >>
> >> > > > >>> > > > >>> If the user can authenticate, does ethereal capture some packets about password verification? Right now I only see the packets when ldap searches for my user id and gets results back from AD.
> >> > > > >>> > > > >>>
> >> > > > >>> > > > >>
> >> > > > >>> > > > >> Ethereal should catch all data flowing between the client and server. If you can search out the user in your AD right now, then one of two things is happening:
> >> > > > >>> > > > >>
> >> > > > >>> > > > >> 1. You are performing anonymous searches. In this case, no username and pw is provided, and your AD is happy to hand over info to anyone who asks for it. If this is the case, you will _not_ see authentication information.
The > >> > > > >>> > > > >> following MS KB article should probably help you > >> determine > >> > > on > >> > > > >>> your AD > >> > > > >>> > > if > >> > > > >>> > > > >> anonymous queries are allowed: > >> > > > >>> > > > >> > >> > > > >>> > > > >> http://support.microsoft.com/kb/320528 > >> > > > >>> > > > >> > >> > > > >>> > > > >> It has exact instructions for how to get it going, but > >> you > >> > > can > >> > > > >>> follow > >> > > > >>> > > > >> along with it to check your current settings without > >> making > >> > > any > >> > > > >>> > > changes. > >> > > > >>> > > > >> > >> > > > >>> > > > > > >> > > > >>> > > > > I checked our setting. Permission type for normal user is > >> > > "Read & > >> > > > >>> > > Execute". > >> > > > >>> > > > > I click edit to check the detail about permission. I > >> think it > >> > > > >>> only > >> > > > >>> > > allow the > >> > > > >>> > > > > user to read the attributes, permission something and > >> can't > >> > > > >>> modify the > >> > > > >>> > > > > AD.There is "Everyone" setting is also set as "Read & > >> > > Execute". > >> > > > >>> By the > >> > > > >>> > > way, > >> > > > >>> > > > > the AD is Win2003 R2. > >> > > > >>> > > > > > >> > > > >>> > > > > > >> > > > >>> > > > >> > >> > > > >>> > > > >> 2. Authentication is happening. It will be the _very_ > >> first > >> > > > >>> thing the > >> > > > >>> > > > >> client and server perform, after basic connection > >> > > establishment. > >> > > > >>> Look > >> > > > >>> > > for it > >> > > > >>> > > > >> at the very beginning of a dump. > >> > > > >>> > > > >> > >> > > > >>> > > > >> > >> > > > >>> > > > >> > >> > > > >>> > > > >> Also, it's a bit overkill, but the following article is > >> > > > >>> extremely > >> > > > >>> > > > >> informative about all the different ways you can plug > >> linux > >> > > into > >> > > > >>> AD > >> > > > >>> > > for > >> > > > >>> > > > >> authentication. It might offer some hints... 
> >> > > > >>> > > > >> > >> > > > >>> > > > >> > >> > > > >>> > > > >> > >> > > > >>> > > > >> > >> > > > >>> > > > >>> Maybe I need dig into ldap.conf more. If you have any > >> idea, > >> > > let > >> > > > >>> me > >> > > > >>> > > know. > >> > > > >>> > > > >>> > >> > > > >>> > > > >>> Thank you very much. > >> > > > >>> > > > >>> > >> > > > >>> > > > >>> Lou > >> > > > >>> > > > >>> > >> > > > >>> > > > >> > >> > > > >>> > > > >> > >> > > > >>> > > > >> > >> > > > >>> > > > > > >> > > > >>> > > > -------------- next part -------------- > >> > > > >>> > > > An HTML attachment was scrubbed... > >> > > > >>> > > > URL: > >> > > > >>> > > > >> > > > >>> > >> > > > >> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html > >> > > > >>> > > > _______________________________________________ > >> > > > >>> > > > tac_plus mailing list > >> > > > >>> > > > tac_plus at shrubbery.net > >> > > > >>> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > >> > > > >>> > > > >> > > > >>> > >> > > > >> > >> > > > >> > >> > > > > > >> > > > >> > -------------- next part -------------- > >> > An HTML attachment was scrubbed... > >> > URL: > >> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html > >> > _______________________________________________ > >> > tac_plus mailing list > >> > tac_plus at shrubbery.net > >> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > >> > >> > >> From hailumeng at gmail.com Tue Nov 24 17:05:59 2009 
From: hailumeng at gmail.com (Hailu Meng)
Date: Tue, 24 Nov 2009 11:05:59 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <20091124162419.GD7044@shrubbery.net>
References: <8dabae5b0911231548u2548f07ep85bd045cca8a93ed@mail.gmail.com> <20091124162419.GD7044@shrubbery.net>
Message-ID: <8dabae5b0911240905h7b2f3bd8g99c0ca98918c2c3@mail.gmail.com>

It makes sense. nsswitch.conf should be for local login, not for tacacs. Thanks John for pointing it out. I'm such a rookie to these things. Just followed some guides and combined them here. Need to study more.

Lou

On Tue, Nov 24, 2009 at 10:24 AM, john heasley wrote:

> Tue, Nov 24, 2009 at 11:11:57AM +0100, Jeroen Nijhof:
>>
>> Hi Lou,
>>
>> Yes, most server applications check if a user exists by looking up the uid via nss before doing any authentication (i.e. sshd).
>>
>> Regards,
>> Jeroen
>>
>> On 23/11/2009 "Hailu Meng" wrote:
>>
>>> Hi Jeroen,
>>>
>>> Thanks for helping. I modified the nsswitch.conf as below:
>>> passwd: files ldap
>>> shadow: files ldap
>>> group: files ldap
>>>
>>> And leave the other settings as default.
>>>
>>> The user attributes you are talking about are the attributes retrieved from AD? I do see the packets from the AD server told my tacacs+ server the user attributes including homedir.
>
> i would not expect this to affect tacacs, unless you have something in your pam config that requires it. ie: nsswitch.conf should control auth for the host (eg: /sbin/login), tacacs is separate.
>
>>> Thanks.
>>>
>>> Lou
>>>
>>> On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof wrote:
>>>
>>>> Hi,
>>>>
>>>> Did you setup the nsswitch.conf as well on your tac_plus server? Your tac_plus server needs to lookup the user attributes like homedir etc, otherwise pam will fail.
>>>>
>>>> Regards,
>>>> Jeroen Nijhof
>>>>
>>>> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
>>>>> Ok. With -d 32, I got some more info about pam as red color log.
>>>>>
>>>>> There is "Unknown user" log info following the input of my user password. I feel confused: since ldap is able to get user info from Active Directory, why does it turn out "Unknown user" here?
>>>>>
>>>>> Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
>>>>> Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
>>>>> Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1
>>>>> Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
>>>>> Mon Nov 23 15:21:16 2009 [3806]: End header
>>>>> Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
>>>>> Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
>>>>> Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
>>>>> Mon Nov 23 15:21:16 2009 [3806]: User msg:
>>>>> Mon Nov 23 15:21:16 2009 [3806]: myusername
>>>>> Mon Nov 23 15:21:16 2009 [3806]: User data:
>>>>> Mon Nov 23 15:21:16 2009 [3806]: End packet
>>>>> Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
>>>>> Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
>>>>> Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
>>>>> Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
>>>>> Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF
>>>>> Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
>>>>> Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
>>>>> Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1
>>>>> Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)
>>>>> Mon Nov 23 15:21:16 2009 [3806]: End header
>>>>> Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
>>>>> Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
>>>>> Mon Nov 23 15:21:16 2009 [3806]: msg:
>>>>> Mon Nov 23 15:21:16 2009 [3806]: Password:
>>>>> Mon Nov 23 15:21:16 2009 [3806]: data:
>>>>> Mon Nov 23 15:21:16 2009 [3806]: End packet
>>>>> Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
>>>>> Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
>>>>> Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
>>>>> Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1
>>>>> Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)
>>>>> Mon Nov 23 15:21:21 2009 [3806]: End header
>>>>> Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
>>>>> Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
>>>>> Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
>>>>> Mon Nov 23 15:21:21 2009 [3806]: User msg:
>>>>> Mon Nov 23 15:21:21 2009 [3806]: mypassword
>>>>> Mon Nov 23 15:21:21 2009 [3806]: User data:
>>>>> Mon Nov 23 15:21:21 2009 [3806]: End packet
>>>>> Mon Nov 23 15:21:22 2009 [3806]: Unknown user
>>>>> Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
>>>>> Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
>>>>> Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
>>>>> Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
>>>>> Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, flags 0x1
>>>>> Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 6 (0x6)
>>>>> Mon Nov 23 15:21:22 2009 [3806]: End header
>>>>> Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
>>>>> Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
>>>>> Mon Nov 23 15:21:22 2009 [3806]: msg:
>>>>> Mon Nov 23 15:21:22 2009 [3806]: data:
>>>>> Mon Nov 23 15:21:22 2009 [3806]: End packet
>>>>> Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
>>>>>
>>>>> On Mon, Nov 23, 2009 at 3:16 PM, john heasley wrote:
>>>>>
>>>>>> Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
>>>>>>> I just saw some posts saying pam_krb winbind could be needed to get pam to work against active directory. Is this true? The post I was following actually is for an LDAP server, not Active Directory.
>>>>>>
>>>>>> i dont know; each pam implementation seems to be [at least] slightly different. seems silly to need kerberos for ldap.
>>>>>>
>>>>>>> On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng <hailumeng at gmail.com> wrote:
>>>>>>>
>>>>>>>> I think I need to put my pam configuration here:
>>>>>>>>
>>>>>>>> I followed this post http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html to configure my pam module:
>>>>>>>>
>>>>>>>> /etc/pam.d/tacacs
>>>>>>>>
>>>>>>>> auth include system-auth
>>>>>>>> account required pam_nologin.so
>>>>>>>> account include system-auth
>>>>>>>> password include system-auth
>>>>>>>> session optional pam_keyinit.so force revoke
>>>>>>>> session include system-auth
>>>>>>>> session required pam_loginuid.so
>>>>>>>>
>>>>>>>> /etc/pam.d/system-auth
>>>>>>>> #%PAM-1.0
>>>>>>>> # This file is auto-generated.
>>>>>>>> # User changes will be destroyed the next time authconfig is run.
>>>>>>>> auth required pam_env.so
>>>>>>>> auth sufficient pam_unix.so nullok try_first_pass
>>>>>>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>>>>>>> auth sufficient pam_ldap.so use_first_pass
>>>>>>>> auth required pam_deny.so
>>>>>>>>
>>>>>>>> account required pam_unix.so broken_shadow
>>>>>>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>>>>>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>>>>>> account required pam_permit.so
>>>>>>>>
>>>>>>>> password requisite pam_cracklib.so try_first_pass retry=3
>>>>>>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>>>>>> password sufficient pam_ldap.so use_authtok
>>>>>>>> password required pam_deny.so
>>>>>>>>
>>>>>>>> session optional pam_keyinit.so revoke
>>>>>>>> session required pam_limits.so
>>>>>>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>>>>>> session required pam_unix.so
>>>>>>>> session optional pam_ldap.so
>>>>>>>>
>>>>>>>> On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <hailumeng at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi John,
>>>>>>>>>
>>>>>>>>> You mean issue commands like tac_plus -C /etc/tac_plus.conf -L -p 49 -d 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make any change. I got the same log info. By the way, I also saw the log info in /var/log/message:
>>>>>>>>> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
>>>>>>>>> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
>>>>>>>>> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
>>>>>>>>> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from 10.1.69.89 rejected
>>>>>>>>> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89 (10.1.69.89) tty0
>>>>>>>>>
>>>>>>>>> Do we have an option to see the log about PAM? I haven't found where it is. If we can check the log of PAM, then we could find something useful. Right now the log of tac_plus didn't tell too much about why the login failed.
>>>>>>
>>>>>> add -d 32. -d x -d y ... will be logically OR'd together.
>>>>>>
>>>>>>>>> Lou
>>>>>>>>>
>>>>>>>>> On Mon, Nov 23, 2009 at 2:20 PM, john heasley <heas at shrubbery.net> wrote:
>>>>>>>>>
>>>>>>>>>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
>>>>>>>>>>> Thanks John for helping me check this issue.
>>>>>>>>>>>
>>>>>>>>>>> I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the
>>>>>>>>>>
>>>>>>>>>> try -d 16 -d 256. which i think will log the pwd that pam received from the device. make sure it's correct. the logs below do appear to be a reject/fail returned from pam.
>>>>>>>>>>
>>>>>>>>>>> log in stdout and in log file. I can't see any suspicious log information here.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/977dbac7/attachment.html

From heas at shrubbery.net Tue Nov 24 17:36:48 2009
From: heas at shrubbery.net (john heasley)
Date: Tue, 24 Nov 2009 09:36:48 -0800
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911240905h7b2f3bd8g99c0ca98918c2c3@mail.gmail.com>
References: <8dabae5b0911231548u2548f07ep85bd045cca8a93ed@mail.gmail.com>
	<20091124162419.GD7044@shrubbery.net>
	<8dabae5b0911240905h7b2f3bd8g99c0ca98918c2c3@mail.gmail.com>
Message-ID: <20091124173648.GF7044@shrubbery.net>

Tue, Nov 24, 2009 at 11:05:59AM -0600, Hailu Meng:
> It makes sense. nsswitch.conf should be for like local login not for tacacs.
> Thanks John to point it out. I'm such a rookie to these things. Just
> followed some guides and combine them here. Need study more.

well, it depends upon what modules you use in your tacacs PAM config; ie:
if you have something like 'require unix_account' (WAG) that requires that
the login exist in /etc/passwd (or more precisely getpwent(3) or similar),
then /etc/nsswitch.conf might affect it. BUT, that means that for you,
'require unix_account' is a misconfiguration of the tacacs PAM config.
that is, it should be something like 'require ldap_account'.

> Lou
>
> On Tue, Nov 24, 2009 at 10:24 AM, john heasley wrote:
>
> > Tue, Nov 24, 2009 at 11:11:57AM +0100, Jeroen Nijhof:
> > > Hi Lou,
> > >
> > > Yes, most server applications check if a user exists by looking up the
> > > uid via nss before doing any authentication (i.e. sshd).
> > >
> > > Regards,
> > > Jeroen
> > >
> > > Op 23/11/2009 schreef "Hailu Meng":
> > >
> > > > Hi Jeroen,
> > > >
> > > > Thanks for helping. I modified the nsswitch.conf as below:
> > > > passwd: files ldap
> > > > shadow: files ldap
> > > > group: files ldap
> > > >
> > > > And leave the other settings as default.
> > > >
> > > > the user attributes you are talking about are the attributes retrieving from
> > > > AD? I do see the packets from AD server told my tacacs+ server the user
> > > > attributes including homedir.
> > i would not expect this to affect tacacs, unless you have something in your
> > pam config that requires it. ie: nsswitch.conf should control auth for the
> > host (eg: /sbin/login), tacacs is separate.
>
> > > > Thanks.
> > > >
> > > > Lou
> > > >
> > > > On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Did you setup the nsswitch.conf as well on your tac_plus server?
> > > > > Your tac_plus server needs to lookup the user attributes like homedir
> > > > > etc, otherwise pam will fail.
> > > > >
> > > > > Regards,
> > > > > Jeroen Nijhof
> > > > >
> > > > > On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
> > > > > > Ok. With -d 32, I got some more info about pam as red color log.
> > > > > >
> > > > > > There is "Unknown user" log info following the input of my user password.
> > > > > > Feel confused since ldap is able to get user info from Active directory,
> > > > > > why it turns out "Unknown user" here.
> > > > > >
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: User msg:
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: myusername
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: User data:
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: msg:
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: Password:
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: data:
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: End header
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: User msg:
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: mypassword
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: User data:
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: End packet
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: Unknown user
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername10.1.69.89 (10.1.69.89) tty0
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 6 (0x6)
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: End header
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: msg:
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: data:
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: End packet
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
> > > > > >
> > > > > > On Mon, Nov 23, 2009 at 3:16 PM, john heasley wrote:
> > > > > >
> > > > > > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
> > > > > > > > I just saw some posts saying pam_krb winbind could be needed to get pam
> > > > > > > > work against active directory. Is this true? The post I was following
> > > > > > > > actually is for a LDAP server not Active Directory.
> > > > > > >
> > > > > > > i dont know; each pam implementation seems to be [at least] slightly
> > > > > > > different. seems silly to need kerberos for ldap.
> > > > > > > >
> > > > > > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > > > > >
> > > > > > > > > I think I need put my pam configuration here:
> > > > > > > > >
> > > > > > > > > I followed this post
> > > > > > > > > http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html
> > > > > > > > > to configure my pam module:
> > > > > > > > >
> > > > > > > > > /etc/pam.d/tacacs
> > > > > > > > >
> > > > > > > > > auth       include      system-auth
> > > > > > > > > account    required     pam_nologin.so
> > > > > > > > > account    include      system-auth
> > > > > > > > > password   include      system-auth
> > > > > > > > > session    optional     pam_keyinit.so force revoke
> > > > > > > > > session    include      system-auth
> > > > > > > > > session    required     pam_loginuid.so
> > > > > > > > >
> > > > > > > > > /etc/pam.d/system-auth
> > > > > > > > > #%PAM-1.0
> > > > > > > > > # This file is auto-generated.
> > > > > > > > > # User changes will be destroyed the next time authconfig is run.
> > > > > > > > > auth        required      pam_env.so
> > > > > > > > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > > > > > > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > > > > > > > auth        sufficient    pam_ldap.so use_first_pass
> > > > > > > > > auth        required      pam_deny.so
> > > > > > > > >
> > > > > > > > > account     required      pam_unix.so broken_shadow
> > > > > > > > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > > > > > > > account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > > > > > > > account     required      pam_permit.so
> > > > > > > > >
> > > > > > > > > password    requisite     pam_cracklib.so try_first_pass retry=3
> > > > > > > > > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > > > > > > > > password    sufficient    pam_ldap.so use_authtok
> > > > > > > > > password    required      pam_deny.so
> > > > > > > > >
> > > > > > > > > session     optional      pam_keyinit.so revoke
> > > > > > > > > session     required      pam_limits.so
> > > > > > > > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > > > > > > > session     required      pam_unix.so
> > > > > > > > > session     optional      pam_ldap.so
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > Hi John,
> > > > > > > > > >
> > > > > > > > > > You mean issue commands like tac_plus -C /etct/tac_plus.conf -L -p 49
> > > > > > > > > > -d 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make any change.
> > > > > > > > > > I got same log info.
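The exchange above turns on whether the tac_plus host can resolve the AD user through NSS before PAM ever sees the password: Jeroen's point that pam needs the homedir and the other passwd attributes, and John's point that a PAM stack which requires the login to exist (through getpwent and therefore nsswitch.conf) makes /etc/nsswitch.conf matter. The script below is an added example, not code from the thread, from tac_plus, nss_ldap or pam_ldap: it validates a passwd record of the kind 'getent passwd <user>' returns, checks nsswitch.conf content for an ldap source, and mirrors the 'uid >= 500' gate from the system-auth stack quoted above. The function names, the file name, the sample passwd entry and the sample nsswitch.conf content are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, tac_plus, nss_ldap or pam_ldap):
# check the NSS side of an AD/LDAP-backed PAM setup. POSIX sh, awk and cut only.

# Constructed sample nsswitch.conf content, as a host configured like the
# one in the thread would have it (not copied from any real host).
SAMPLE_NSSWITCH='passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns'

# Constructed sample of what 'getent passwd lou' should return once nss_ldap
# can map the login name, uid, gid, home directory and shell from AD.
SAMPLE_ENTRY='lou:x:10001:10001:Hailu Meng:/home/lou:/bin/bash'

# check_passwd_entry LINE
# Returns 0 when LINE is a complete passwd(5) record: seven colon-separated
# fields, numeric uid and gid, non-empty home directory and shell.
# Prints the first problem found and returns 1 otherwise.
check_passwd_entry() {
    entry=$1
    nf=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    if [ "$nf" -ne 7 ]; then
        echo "bad field count $nf (want 7): $entry"
        return 1
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case $uid in ''|*[!0-9]*) echo "uid is not numeric: '$uid'"; return 1 ;; esac
    case $gid in ''|*[!0-9]*) echo "gid is not numeric: '$gid'"; return 1 ;; esac
    [ -n "$home" ] || { echo "empty home directory"; return 1; }
    [ -n "$shell" ] || { echo "empty login shell"; return 1; }
    return 0
}

# uid_passes_succeed_if UID MIN
# Mirrors 'pam_succeed_if.so uid >= MIN' from the quoted system-auth stack.
uid_passes_succeed_if() {
    [ "$1" -ge "$2" ]
}

# nsswitch_has_ldap TEXT DATABASE
# Returns 0 when TEXT (nsswitch.conf content) lists ldap as a source for
# DATABASE (passwd, shadow or group); comment lines are ignored.
nsswitch_has_ldap() {
    printf '%s\n' "$1" | awk -v db="$2" '
        /^[[:space:]]*#/ { next }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_user USER [MIN_UID]
# Live check on the tac_plus host: resolve USER through NSS with getent and
# apply the checks above. MIN_UID defaults to the 500 used in the quoted stack.
check_user() {
    user=$1
    min_uid=${2:-500}
    entry=$(getent passwd "$user") || {
        echo "NSS cannot resolve '$user': PAM modules that look the user up will report user unknown"
        return 1
    }
    check_passwd_entry "$entry" || return 1
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    uid_passes_succeed_if "$uid" "$min_uid" || {
        echo "uid $uid is below $min_uid: pam_succeed_if would stop the auth stack before pam_ldap"
        return 1
    }
    if [ -r /etc/nsswitch.conf ]; then
        for db in passwd shadow group; do
            nsswitch_has_ldap "$(cat /etc/nsswitch.conf)" "$db" ||
                echo "warning: /etc/nsswitch.conf has no ldap source for $db"
        done
    fi
    echo "ok: $entry"
}

# Usage: sh check_nss.sh <user>   (file name assumed)
if [ $# -gt 0 ]; then
    check_user "$1"
fi
```

The reason the live check starts with getent rather than with PAM is the quoted stack itself: pam_succeed_if.so needs the passwd record to evaluate uid >= 500, it reports the user as unknown when NSS cannot supply one, and because it is marked requisite the auth stack ends there before pam_ldap.so is consulted. An entry that comes back with all seven fields filled is what nss_ldap produces only when the AD objects carry (or are mapped to) the attributes for uid, gid, home directory and shell, which is the mapping question Hailu's ldap.conf is trying to settle.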
From hailumeng at gmail.com Tue Nov 24 17:38:25 2009
From: hailumeng at gmail.com (Hailu Meng)
Date: Tue, 24 Nov 2009 11:38:25 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <0y7wwr4C.1259075977.4075310.jeroen@nijhofnet.nl>
References: <8dabae5b0911240522r18c4d9vc65096295522be5d@mail.gmail.com>
	<0y7wwr4C.1259075977.4075310.jeroen@nijhofnet.nl>
Message-ID: <8dabae5b0911240938v4901c2f9ub622737d084f6c90@mail.gmail.com>

Hi Jeroen,

I issued the command "getent passwd myusername". It just came back with

request done: ld 0x8e124f8 msgid 1
request done: ld 0x8e124f8 msgid 2

I think this is not right. I did see this kind of message in tacacs log when I
tried to log in my router. So I guess something is still wrong with my
/etc/ldap.conf

here is my current configuration for ldap.conf, the other file
/etc/openldap/ldap.conf will point to this file too. I think I have all needed
configuration here. Even I put the debug and log configuration here, I still
can't get my log show up in the specified directory. Weird. Please help me check
this setting. Is there anything wrong with nss mapping? I think that part could
be something wrong. Thanks a lot.

***********************************************************
host myadserverIP
base ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org
ldap_version 3
scope sub
binddn CN=testuser,OU=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org
bindpw passwdfortest
rootbinddn dc=hq,dc=corp,dc=mycompany,dc=org
# The port.
# Optional: default is 389. SSL LDAP Port 636
port 389
# RFC2307bis naming contexts
nss_base_passwd ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
nss_base_shadow ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
nss_base_group ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos cn
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
# Disable SASL security layers. This is needed for AD.
sasl_secprops maxssf=0
# PAM_LDAP options
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
logdir /var/log/ldap
debug 1024
ssl no
timelimit 30
bind_timelimit 30

On Tue, Nov 24, 2009 at 9:19 AM, Jeroen Nijhof wrote:
>
> Hi Lou,
>
> Check with 'getent passwd ' if you get the right user with
> the right information from your AD via ldap.
> If not then you should probably check your /etc/ldap.conf for the right
> search scope and attribute mappings.
> Nss_ldap and pam_ldap use the /etc/ldap.conf file so if it works with a
> nss lookup via getent it should work for pam_ldap as well.
> You can define a debug level as well in the /etc/ldap.conf file for
> logging.
> It's logging to /var/log/auth.log for me..
>
> Regards,
> Jeroen
>
> Op 24/11/2009 schreef "Hailu Meng":
>
> > Hi Jeroen,
> >
> > I see the packets sent back from AD for the search request have 4
> > attributes included:
> > objectclass
> > cn
> > description
> > sAMAccountName
> >
> > And these attributes values are correct. sAMAccountName is my login user
> > id. cn is my Full Name, objectclass is 4 items (top, person,
> > organizationalperson, user)
> >
> > I'm not sure is it enough for PAM to go to the next step? But it did give
> > us error message "Unknown User".
> > I observed that when I input the password in my router and hit ENTER, my wireshark captured two search requests from TACACS and two responses from AD. Same contents as the previous one when I input my user name in the router. I'm not sure if it is possible that TACACS didn't find the information it wants from AD although AD responded with something (4 attribute values).
> >
> > By the way, I can't find any log information about PAM. I think it should be in /var/log/secure. But there is nothing in this file. Do you know how to find these logs or turn them on?
> >
> > Thanks for the help.
> >
> > Lou
> >
> > On Tue, Nov 24, 2009 at 4:11 AM, Jeroen Nijhof wrote:
> >
> > > Hi Lou,
> > >
> > > Yes, most server applications check if a user exists by looking up the uid via nss before doing any authentication (i.e. sshd).
> > >
> > > Regards,
> > > Jeroen
> > >
> > > On 23/11/2009 "Hailu Meng" wrote:
> > >
> > > > Hi Jeroen,
> > > >
> > > > Thanks for helping. I modified the nsswitch.conf as below:
> > > > passwd: files ldap
> > > > shadow: files ldap
> > > > group: files ldap
> > > >
> > > > And leave the other settings as default.
> > > >
> > > > The user attributes you are talking about are the attributes retrieved from AD? I do see the packets from the AD server told my tacacs+ server the user attributes including homedir.
> > > >
> > > > Thanks.
> > > >
> > > > Lou
> > > >
> > > > On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Did you setup the nsswitch.conf as well on your tac_plus server?
> > > > > Your tac_plus server needs to lookup the user attributes like homedir etc, otherwise pam will fail.
> > > > >
> > > > > Regards,
> > > > > Jeroen Nijhof
> > > > >
> > > > > On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
> > > > > > Ok. With -d 32, I got some more info about pam as red color log.
> > > > > >
> > > > > > There is "Unknown user" log info following the input of my user password.
> > > > > > Feel confused since ldap is able to get user info from Active directory, why it turns out "Unknown user" here.
> > > > > >
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: User msg:
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: myusername
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: User data:
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: msg:
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: Password:
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: data:
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: End header
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: User msg:
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: mypassword
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: User data:
> > > > > > Mon Nov 23 15:21:21 2009 [3806]: End packet
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: Unknown user
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 6 (0x6)
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: End header
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: msg:
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: data:
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: End packet
> > > > > > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
> > > > > >
> > > > > > On Mon, Nov 23, 2009 at 3:16 PM, john heasley wrote:
> > > > > >
> > > > > > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
> > > > > > > > I just saw some posts saying pam_krb winbind could be needed to get pam to work against active directory. Is this true? The post I was following actually is for a LDAP server not Active Directory.
> > > > > > >
> > > > > > > i don't know; each pam implementation seems to be [at least] slightly different. seems silly to need kerberos for ldap.
> > > > > > >
> > > > > > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > > > > >
> > > > > > > > > I think I need to put my pam configuration here:
> > > > > > > > >
> > > > > > > > > I followed this post http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html to configure my pam module:
> > > > > > > > >
> > > > > > > > > /etc/pam.d/tacacs
> > > > > > > > >
> > > > > > > > > auth include system-auth
> > > > > > > > > account required pam_nologin.so
> > > > > > > > > account include system-auth
> > > > > > > > > password include system-auth
> > > > > > > > > session optional pam_keyinit.so force revoke
> > > > > > > > > session include system-auth
> > > > > > > > > session required pam_loginuid.so
> > > > > > > > >
> > > > > > > > > /etc/pam.d/system-auth
> > > > > > > > > #%PAM-1.0
> > > > > > > > > # This file is auto-generated.
> > > > > > > > > # User changes will be destroyed the next time authconfig is run.
> > > > > > > > > auth required pam_env.so
> > > > > > > > > auth sufficient pam_unix.so nullok try_first_pass
> > > > > > > > > auth requisite pam_succeed_if.so uid >= 500 quiet
> > > > > > > > > auth sufficient pam_ldap.so use_first_pass
> > > > > > > > > auth required pam_deny.so
> > > > > > > > >
> > > > > > > > > account required pam_unix.so broken_shadow
> > > > > > > > > account sufficient pam_succeed_if.so uid < 500 quiet
> > > > > > > > > account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > > > > > > > account required pam_permit.so
> > > > > > > > >
> > > > > > > > > password requisite pam_cracklib.so try_first_pass retry=3
> > > > > > > > > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > > > > > > > > password sufficient pam_ldap.so use_authtok
> > > > > > > > > password required pam_deny.so
> > > > > > > > >
> > > > > > > > > session optional pam_keyinit.so revoke
> > > > > > > > > session required pam_limits.so
> > > > > > > > > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > > > > > > > session required pam_unix.so
> > > > > > > > > session optional pam_ldap.so
> > > > > > > > >
> > > > > > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > Hi John,
> > > > > > > > > >
> > > > > > > > > > You mean issue commands like tac_plus -C /etc/tac_plus.conf -L -p 49 -d 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make any change. I got the same log info. By the way, I also saw the log info in /var/log/message:
> > > > > > > > > > Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
> > > > > > > > > > Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
> > > > > > > > > > Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
> > > > > > > > > > Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from 10.1.69.89 rejected
> > > > > > > > > > Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89 (10.1.69.89) tty0
> > > > > > > > > >
> > > > > > > > > > Do we have an option to see the log about PAM? I haven't found where it is. If we can check the log of PAM, then we could find something useful. Right now the log of tac_plus didn't tell too much about why the login failed.
> > > > > > >
> > > > > > > add -d 32. -d x -d y ... will be logically OR'd together.
> > > > > > >
> > > > > > > > > > Lou
> > > > > > > > > >
> > > > > > > > > > On Mon, Nov 23, 2009 at 2:20 PM, john heasley <heas at shrubbery.net> wrote:
> > > > > > > > > >
> > > > > > > > > > > Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
> > > > > > > > > > > > Thanks John for helping me check this issue.
> > > > > > > > > > > >
> > > > > > > > > > > > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the
> > > > > > > > > > >
> > > > > > > > > > > try -d 16 -d 256. which i think will log the pwd that pam received from the device. make sure it's correct. the logs below do appear to be a reject/fail returned from pam.
> > > > > > > > > > >
> > > > > > > > > > > > log in stdout and in log file. I can't see any suspicious log information here.
> > > > > > > > > > > > I paste the log below:
> > > > > > > > > > > >
> > > > > > > > > > > > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 11 (0xb)
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: End header
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: User msg:
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: myusername
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: User data:
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 16 (0x10)
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: End header
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: msg:
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: Password:
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: data:
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet
> > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30
> > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey
> > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, flags 0x1
> > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 18 (0x12)
> > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: End header
> > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT
> > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
> > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: User msg:
> > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: mypassword
> > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: User data:
> > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: End packet
> > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
> > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18
> > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey
> > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, flags 0x1
> > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 6 (0x6)
> > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: End header
> > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0
> > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: msg:
> > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: data:
> > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: End packet
> > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect
> > > > > > > > > > > >
> > > > > > > > > > > > On Mon, Nov 23, 2009 at 12:23 PM, john heasley <heas at shrubbery.net> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:
> > > > > > > > > > > > > > Hi Adam,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > If the ldapsearch -D "" -w "" runs successfully, what are we supposed to get from the output? I just got all of the user information in that group. Does that mean my password and username got authenticated successfully against AD?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > This thing drives me crazy. I need to solve it this week before the holiday...
> > > > > > > > > > > > >
> > > > > > > > > > > > > i haven't followed this thread, as i know nearly zero about ldap. but, have you enabled authentication debugging in the tacacs daemon and checked the logs to determine what is coming back from pam? it very well may be that the ldap client is working just fine, but there is a pam module bug or a bug in the tacplus daemon or that your device simply doesn't like something about the replies.
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Thanks a lot for the help.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Lou
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Still no clue how to turn on the log. Binding seems good. See my findings below. Thanks a lot.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam <prozaconstilts at gmail.com> wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Hailu Meng wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Adam,
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > I tried the su - "userid" in my tacacs+ server but I don't have that userid in CentOS. So CentOS just doesn't want to let me log in. I think this will not ask the tacacs server to authenticate against AD.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > You shouldn't need to have to define the user in CentOS, that's the point of using ldap for authentication. The user is defined in ldap, not in CentOS. Now that I think about it, su - probably wouldn't work anyway, as AD doesn't by default have the data needed by a linux box to allow login...but see below for more options.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Is there any other way to test ldap authentication against AD with the userid in AD? I tried ldapsearch. It did find my user id without problem. But I haven't found any option to try with a password and authenticate against AD.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Try using -D:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > from `man ldapsearch`:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > -D binddn
> > > > > > > > > > > > > > > > Use the Distinguished Name binddn to bind to the LDAP directory.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate using whatever user you want to define. Just check and double check you get the right path in that dn.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned lots of users' information. Does it mean it was successful?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Do you have an ldap server setup or only the openldap library and openldap client? I don't understand why the log is not turned on. There must be some debugging info in the log which can help solve this issue.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > only the libs and client. You should not need the server. In the ldapsearch, you can use -d to get debugging info for that search. As before, higher number = more debug
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > If the user can authenticate, does ethereal capture some packets about password verification? Right now I only see the packets when ldap searches for my user id and gets results back from AD.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Ethereal should catch all data flowing between the client and server. If you can search out the user in your AD right now, then one of two things is happening:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > 1. You are performing anonymous searches. In this case, no username and pw is provided, and your AD is happy to hand over info to anyone who asks for it. If this is the case, you will _not_ see authentication information. The following MS KB article should probably help you determine on your AD if anonymous queries are allowed:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > http://support.microsoft.com/kb/320528
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > It has exact instructions for how to get it going, but you can follow along with it to check your current settings without making any changes.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I checked our setting. Permission type for a normal user is "Read & Execute". I clicked edit to check the detail about the permission. I think it only allows the user to read the attributes, permission something, and can't modify the AD. There is an "Everyone" setting also set as "Read & Execute". By the way, the AD is Win2003 R2.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > 2. Authentication is happening. It will be the _very_ first thing the client and server perform, after basic connection establishment. Look for it at the very beginning of a dump.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Also, it's a bit overkill, but the following article is extremely informative about all the different ways you can plug linux into AD for authentication. It might offer some hints...
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Maybe I need to dig into ldap.conf more. If you have any idea, let me know.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Thank you very much.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Lou

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/60a3f7be/attachment.html
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
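How Jeroen's getent check and the "Unknown user" rejection in the tac_plus log fit together, as an added example that is not from the thread or the tac_plus project: a Python model of nss_ldap building a passwd entry from the nss_map_attribute lines posted above, followed by the posted /etc/pam.d auth stack walked with Linux-PAM control-flag semantics. The two AD entries, the uid 10001, and the simplified per-module results are assumptions made for the example.

```python
"""Added example (not from the thread): nss_ldap builds a passwd(5) entry from
an AD object using the nss_map_attribute lines of /etc/ldap.conf, then the
Linux-PAM "auth" stack posted for /etc/pam.d/tac_plus is walked with its
control flags. Module behaviours are simplified; directory entries are
constructed sample data."""

# Mapping lines taken from the ldap.conf posted in the thread.
LDAP_CONF = """
nss_map_objectclass posixAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute gecos cn
nss_map_attribute shadowLastChange pwdLastSet
"""

# Attributes nss_ldap needs before it will hand a passwd entry to getent.
# uidNumber, gidNumber and loginShell have no mapping line, so the AD object
# must carry them under their RFC 2307 names (the Services for UNIX / R2 schema).
PASSWD_FIELDS = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

# Constructed sample: the four attributes the thread reports AD returning.
AD_ENTRY_PLAIN = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "cn": "Hailu Meng", "description": "NOC", "sAMAccountName": "myusername",
}
# Constructed sample: the same user with the UNIX attributes populated (assumed values).
AD_ENTRY_POSIX = dict(AD_ENTRY_PLAIN, uidNumber="10001", gidNumber="10001",
                      unixHomeDirectory="/home/myusername", loginShell="/bin/bash")


def parse_attribute_map(conf):
    """posix field -> AD attribute, from nss_map_attribute lines."""
    amap = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "nss_map_attribute":
            amap[parts[1]] = parts[2]
    return amap


def passwd_entry(ad_entry, conf=LDAP_CONF):
    """Return (entry, missing). entry is None when nss_ldap cannot build a
    passwd line, which is what an empty `getent passwd user` means."""
    amap = parse_attribute_map(conf)
    entry, missing = {}, []
    for field in PASSWD_FIELDS:
        attr = amap.get(field, field)      # unmapped fields keep the RFC 2307 name
        if attr in ad_entry:
            entry[field] = ad_entry[attr]
        else:
            missing.append(f"{field} (AD attribute {attr})")
    if missing:
        return None, missing
    entry["gecos"] = ad_entry.get(amap.get("gecos", "gecos"), "")
    return entry, []


# The auth stack from the posted /etc/pam.d/tac_plus (module arguments trimmed;
# the posted pam_succeed_if line also carries "quiet", which suppresses its syslog line).
AUTH_STACK = [
    ("required",   "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("requisite",  "pam_succeed_if.so uid >= 500"),
    ("sufficient", "pam_ldap.so"),
    ("required",   "pam_deny.so"),
]


def call_module(module, pw, ldap_bind_ok):
    """Simplified module results. pw is the nss passwd entry or None."""
    if module == "pam_env.so":
        return "SUCCESS"
    if module == "pam_unix.so":
        # Needs getpwnam() plus a local shadow hash; an LDAP-only user has neither.
        return "USER_UNKNOWN" if pw is None else "AUTH_ERR"
    if module.startswith("pam_succeed_if.so uid >="):
        if pw is None:                      # getpwnam() failed
            return "USER_UNKNOWN"
        return "SUCCESS" if int(pw["uidNumber"]) >= int(module.split()[-1]) else "AUTH_ERR"
    if module == "pam_ldap.so":             # binds to AD as the user with the password
        return "SUCCESS" if ldap_bind_ok else "AUTH_ERR"
    return "AUTH_ERR"                       # pam_deny.so


def run_auth_stack(pw, ldap_bind_ok, stack=AUTH_STACK):
    """Walk the stack with Linux-PAM control-flag semantics.
    Returns (final_result, trace) with trace = [(module, result), ...]."""
    trace, first_failure = [], None
    for flag, module in stack:
        res = call_module(module, pw, ldap_bind_ok)
        trace.append((module, res))
        ok = res == "SUCCESS"
        if flag == "requisite" and not ok:
            return res, trace               # requisite failure ends the stack at once
        if flag == "required" and not ok and first_failure is None:
            first_failure = res             # remembered, but the walk continues
        if flag == "sufficient" and ok and first_failure is None:
            return "SUCCESS", trace         # sufficient success short-circuits
    return first_failure or "SUCCESS", trace


if __name__ == "__main__":
    for label, ad in (("AD without UNIX attrs", AD_ENTRY_PLAIN),
                      ("AD with UNIX attrs", AD_ENTRY_POSIX)):
        pw, missing = passwd_entry(ad)
        result, trace = run_auth_stack(pw, ldap_bind_ok=True)
        print(f"{label}: getent={'ok' if pw else 'empty'} missing={missing}")
        print(f"  pam auth -> {result} via {trace}")
```

With only the four attributes the thread saw on the wire, the stack stops at the requisite pam_succeed_if line with USER_UNKNOWN before pam_ldap is ever consulted; once the entry resolves, pam_unix's failure is ignored and pam_ldap decides the outcome.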
From: hailumeng at gmail.com (Hailu Meng)
Date: Tue, 24 Nov 2009 11:56:23 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <20091124173648.GF7044@shrubbery.net>
References: <8dabae5b0911231548u2548f07ep85bd045cca8a93ed@mail.gmail.com> <20091124162419.GD7044@shrubbery.net> <8dabae5b0911240905h7b2f3bd8g99c0ca98918c2c3@mail.gmail.com> <20091124173648.GF7044@shrubbery.net>
Message-ID: <8dabae5b0911240956p523827fcjf20d33f32b15d4d6@mail.gmail.com>

John,

I checked my tac_plus configuration for the PAM module, the file /etc/pam.d/tac_plus. The current configuration is shown below. As you suggest, I need to put pam_ldap.so on the first row for every auth, account, password and session, right?

*******************************************************************
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

On Tue, Nov 24, 2009 at 11:36 AM, john heasley wrote:
> Tue, Nov 24, 2009 at 11:05:59AM -0600, Hailu Meng:
> > It makes sense. nsswitch.conf should be for like local login, not for tacacs.
> > Thanks John for pointing it out. I'm such a rookie at these things. Just followed some guides and combined them here. Need to study more.
>
> well, it depends upon what modules you use in your tacacs PAM config; ie: if you have something like 'require unix_account' (WAG) that requires that the login exist in /etc/passwd (or more precisely get_pwent(3) or similar), then /etc/nsswitch.conf might affect it. BUT, that means that for you, 'require unix_account' is a misconfiguration of the tacacs PAM config. that it should be something like 'require ldap_account'.
>
> > Lou
> >
> > On Tue, Nov 24, 2009 at 10:24 AM, john heasley wrote:
> >
> > > Tue, Nov 24, 2009 at 11:11:57AM +0100, Jeroen Nijhof:
> > > >
> > > > Hi Lou,
> > > >
> > > > Yes, most server applications check if a user exists by looking up the uid via nss before doing any authentication (i.e. sshd).
> > > >
> > > > Regards,
> > > > Jeroen
> > > >
> > > > On 23/11/2009 "Hailu Meng" wrote:
> > > >
> > > > > Hi Jeroen,
> > > > >
> > > > > Thanks for helping. I modified the nsswitch.conf as below:
> > > > > passwd: files ldap
> > > > > shadow: files ldap
> > > > > group: files ldap
> > > > >
> > > > > And leave the other settings as default.
> > > > >
> > > > > The user attributes you are talking about are the attributes retrieved from AD? I do see the packets from the AD server told my tacacs+ server the user attributes including homedir.
> > >
> > > i would not expect this to affect tacacs, unless you have something in your pam config that requires it. ie: nsswitch.conf should control auth for the host (eg: /sbin/login), tacacs is separate.
> > >
> > > > > Thanks.
> > > > >
> > > > > Lou
> > > > >
> > > > > On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Did you setup the nsswitch.conf as well on your tac_plus server?
> > > > > > Your tac_plus server needs to lookup the user attributes like homedir etc, otherwise pam will fail.
> > > > >> > >
> > > > >> > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > >> > > >
> > > > >> > > > > I think I need to put my pam configuration here:
> > > > >> > > > >
> > > > >> > > > > I followed this post
> > > > >> > > > > http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html to
> > > > >> > > > > configure my pam module:
> > > > >> > > > >
> > > > >> > > > > /etc/pam.d/tacacs
> > > > >> > > > >
> > > > >> > > > > auth       include     system-auth
> > > > >> > > > > account    required    pam_nologin.so
> > > > >> > > > > account    include     system-auth
> > > > >> > > > > password   include     system-auth
> > > > >> > > > > session    optional    pam_keyinit.so force revoke
> > > > >> > > > > session    include     system-auth
> > > > >> > > > > session    required    pam_loginuid.so
> > > > >> > > > >
> > > > >> > > > > /etc/pam.d/system-auth
> > > > >> > > > > #%PAM-1.0
> > > > >> > > > > # This file is auto-generated.
> > > > >> > > > > # User changes will be destroyed the next time authconfig is run.
> > > > >> > > > > auth        required      pam_env.so
> > > > >> > > > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > > >> > > > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > > >> > > > > auth        sufficient    pam_ldap.so use_first_pass
> > > > >> > > > > auth        required      pam_deny.so
> > > > >> > > > >
> > > > >> > > > > account     required      pam_unix.so broken_shadow
> > > > >> > > > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > > >> > > > > account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > > >> > > > > account     required      pam_permit.so
> > > > >> > > > >
> > > > >> > > > > password    requisite     pam_cracklib.so try_first_pass retry=3
> > > > >> > > > > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > > > >> > > > > password    sufficient    pam_ldap.so use_authtok
> > > > >> > > > > password    required      pam_deny.so
> > > > >> > > > >
> > > > >> > > > > session     optional      pam_keyinit.so revoke
> > > > >> > > > > session     required      pam_limits.so
> > > > >> > > > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > > >> > > > > session     required      pam_unix.so
> > > > >> > > > > session     optional      pam_ldap.so
> > > > >> > > > >
> > > > >> > > > >
> > > > >> > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > >> > > > >
> > > > >> > > > >> Hi John,
> > > > >> > > > >>
> > > > >> > > > >> You mean issue commands like tac_plus -C /etc/tac_plus.conf -L -p 49 -d 16 -d 256 -g ?
> > > > >> > > > >> -d 16 -d 256 side by side? It didn't make any change. I got same log info.
> > > > >> > > > >> By the way, I also saw the log info in /var/log/message:
> > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
> > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
> > > > >> > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
> > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from 10.1.69.89 rejected
> > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89 (10.1.69.89) tty0
> > > > >> > > > >>
> > > > >> > > > >> Do we have option to see the log about PAM? I haven't found where it is.
> > > > >> > > > >> if we can check the log of PAM, then we could find something useful. Right
> > > > >> > > > >> now the log of tac_plus didn't tell too much about why login got failure.
> > > > >> > >
> > > > >> > > add -d 32. -d x -d y ... will be logically OR'd together.
> > > > >> > >
> > > > >> > > > >> Lou
> > > > >> > > > >>
> > > > >> > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley <heas at shrubbery.net> wrote:
> > > > >> > > > >>
> > > > >> > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
> > > > >> > > > >>> > Thanks John for helping me check this issue.
> > > > >> > > > >>> >
> > > > >> > > > >>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the
> > > > >> > > > >>>
> > > > >> > > > >>> try -d 16 -d 256. which i think will log the pwd that pam received from
> > > > >> > > > >>> the device. make sure it's correct. the logs below do appear to be a
> > > > >> > > > >>> reject/fail returned from pam.
> > > > >> > > > >>> > > > > >> > > > >>> > log in stdout and in log file. I can't see any > suspicious > > > log > > > > >> > > > >>> information > > > > >> > > > >>> > here. I paste the log below: > > > > >> > > > >>> > > > > > >> > > > >>> > > > > > >> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT > size=23 > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), > type > > > 1, > > > > >> seq no > > > > >> > > 5, > > > > >> > > > >>> flags > > > > >> > > > >>> > 0x1 > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 > > > > >> > > (0xc46868ce), > > > > >> > > > >>> Data > > > > >> > > > >>> > length > > > > >> > > > >>> > 11 (0xb) > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), > > > > >> > > user_data_len 0 > > > > >> > > > >>> (0x0) > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0 > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg: > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data: > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose > > > default_fn > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling > authentication > > > > >> function > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing > AUTHEN/GETPASS > > > size=28 > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), > type > > > 1, > > > > >> seq no > > > > >> > > 6, > > > > >> > > > >>> flags > > > > >> > > > 
>>> > 0x1 > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 > > > > >> > > (0xc46868ce), > > > > >> > > > >>> Data > > > > >> > > > >>> > length > > > > >> > > > >>> > 16 (0x10) > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 > > > > >> > > (AUTHEN/GETPASS) > > > > >> > > > >>> > flags=0x1 > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, > data_len=0 > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg: > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password: > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data: > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT > size=30 > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey > > > > >> > > > >>> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), > type > > > 1, > > > > >> seq no > > > > >> > > 7, > > > > >> > > > >>> flags > > > > >> > > > >>> > 0x1 > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 > > > > >> > > (0xc46868ce), > > > > >> > > > >>> Data > > > > >> > > > >>> > length > > > > >> > > > >>> > 18 (0x12) > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 > (0xd), > > > > >> > > user_data_len 0 > > > > >> > > > >>> > (0x0) > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0 > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg: > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data: > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet > 
> > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for > > > 'myusername' > > > > >> tty0 > > > > >> > > from > > > > >> > > > >>> > 10.1.69.89 r > > > > >> > > > >>> > ejected > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure: > myusername > > > > >> > > 10.1.69.89 > > > > >> > > > >>> > (10.1.69.89) t > > > > >> > > > >>> > ty0 > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL > > > size=18 > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), > type > > > 1, > > > > >> seq no > > > > >> > > 8, > > > > >> > > > >>> flags > > > > >> > > > >>> > 0x1 > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 > > > > >> > > (0xc46868ce), > > > > >> > > > >>> Data > > > > >> > > > >>> > length > > > > >> > > > >>> > 6 (0x6) > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 > > > > >> (AUTHEN/FAIL) > > > > >> > > > >>> > flags=0x0 > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0 > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg: > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data: > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: > disconnect > > > > >> > > > >>> > > > > > >> > > > >>> > > > > > >> > > > >>> > > > > > >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley < > > > > >> heas at shrubbery.net > > > > >> > > > > > > > >> > > > >>> wrote: > > > > >> > > > >>> > > > > > >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng: > > > > >> > > > >>> > > > Hi Adam, > > > > >> > > > >>> > > > > > > > >> > > > >>> > > > If the ldapsearch -D "" -w "" runs successfully, > what > > > do we > > > > >> > > suppose > > > > >> > > > >>> to > > > > >> > > > 
>>> > > get > > > > >> > > > >>> > > > from the output? I just got all of the user > > > information in > > > > >> that > > > > >> > > > >>> group. > > > > >> > > > >>> > > Does > > > > >> > > > >>> > > > that means my password and username got > authenticated > > > > >> > > successfully > > > > >> > > > >>> > > against > > > > >> > > > >>> > > > AD? > > > > >> > > > >>> > > > > > > > >> > > > >>> > > > This thing drives me crazy. I need solve it > through > > > this > > > > >> week > > > > >> > > > >>> before the > > > > >> > > > >>> > > > holiday... > > > > >> > > > >>> > > > > > > >> > > > >>> > > i havent followed this thread, as i know nearly zero > > > about > > > > >> ldap. > > > > >> > > > >>> but, > > > > >> > > > >>> > > have you enabled authentication debugging in the > tacacas > > > > >> daemon > > > > >> > > and > > > > >> > > > >>> > > checked the logs to determine what is coming back > from > > > pam? > > > > >> it > > > > >> > > very > > > > >> > > > >>> > > well may be that the ldap client is working just > fine, > > > but > > > > >> there > > > > >> > > is a > > > > >> > > > >>> > > pam module bug or a bug in the tacplus daemon or > that > > > your > > > > >> device > > > > >> > > > >>> > > simply doesnt like something about the replies. > > > > >> > > > >>> > > > > > > >> > > > >>> > > > Thanks a lot for the help. > > > > >> > > > >>> > > > > > > > >> > > > >>> > > > Lou > > > > >> > > > >>> > > > > > > > >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng < > > > > >> > > hailumeng at gmail.com> > > > > >> > > > >>> wrote: > > > > >> > > > >>> > > > > > > > >> > > > >>> > > > > Still no clue how to turn on the log. binding > seems > > > good. > > > > >> See > > > > >> > > my > > > > >> > > > >>> > > findings > > > > >> > > > >>> > > > > below. Thanks a lot. 
> > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam < > > > > >> > > prozaconstilts at gmail.com> > > > > >> > > > >>> > > wrote: > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > >> Hailu Meng wrote: > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >>> Adam, > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >>> I tried the su - "userid" in my tacacs+ server > but > > > I > > > > >> don't > > > > >> > > have > > > > >> > > > >>> that > > > > >> > > > >>> > > > >>> userid in CentOS. So the CentOS just don't > want me > > > log > > > > >> in. > > > > >> > > I > > > > >> > > > >>> think > > > > >> > > > >>> > > this will > > > > >> > > > >>> > > > >>> not ask tacacs server to authenticate against > AD. > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> You shouldn't need to have to define the user > in > > > CentOS, > > > > >> > > that's > > > > >> > > > >>> the > > > > >> > > > >>> > > point > > > > >> > > > >>> > > > >> of using ldap for authentication. The user is > > > defined in > > > > >> > > ldap, > > > > >> > > > >>> not in > > > > >> > > > >>> > > > >> CentOS. Now that I think about it, su - > > > probably > > > > >> > > wouldn't > > > > >> > > > >>> work > > > > >> > > > >>> > > > >> anyway, as AD doesn't by default have the data > > > needed by > > > > >> a > > > > >> > > linux > > > > >> > > > >>> box > > > > >> > > > >>> > > to > > > > >> > > > >>> > > > >> allow login...but see below for more options. > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >>> Is there any other way to test ldap > authentication > > > > >> against > > > > >> > > AD > > > > >> > > > >>> with > > > > >> > > > >>> > > the > > > > >> > > > >>> > > > >>> userid in AD? I tried ldapsearch. It did find > my > > > user > > > > >> id > > > > >> > > > >>> without > > > > >> > > > >>> > > problem. 
> > > > >> > > > >>> > > > >>> But I haven't found any option to try with > > > password and > > > > >> > > > >>> authenticate > > > > >> > > > >>> > > against > > > > >> > > > >>> > > > >>> AD. > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> Try using -D: > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> from `man ldapsearch`: > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> -D binddn > > > > >> > > > >>> > > > >> Use the Distinguished Name binddn to bind to > the > > > LDAP > > > > >> > > > >>> directory. > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let > you > > > try > > > > >> to > > > > >> > > > >>> authenticate > > > > >> > > > >>> > > > >> using whatever user you want to define. Just > check > > > and > > > > >> > > double > > > > >> > > > >>> check > > > > >> > > > >>> > > you get > > > > >> > > > >>> > > > >> the right path in that dn. > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc " > but it > > > just > > > > >> > > > >>> returned lots > > > > >> > > > >>> > > of > > > > >> > > > >>> > > > > users' information. It means successful? > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > >> Do you have ldap server setup or only the > openldap > > > > >> library > > > > >> > > and > > > > >> > > > >>> > > openldap > > > > >> > > > >>> > > > >>> client? I don't understand why the log is not > > > turned > > > > >> on. > > > > >> > > There > > > > >> > > > >>> must > > > > >> > > > >>> > > be some > > > > >> > > > >>> > > > >>> debugging info in the log which can help solve > > > this > > > > >> issue. > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> only the libs and client. You should not need > the > > > > >> server. 
In > > > > >> > > the > > > > >> > > > >>> > > > >> ldapsearch, you can use -d to get > > > debugging > > > > >> info > > > > >> > > for > > > > >> > > > >>> that > > > > >> > > > >>> > > search. > > > > >> > > > >>> > > > >> As before, higher number = more debug > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> If the user can authenticate, does ethereal > > > capture > > > > >> some > > > > >> > > > >>> packets > > > > >> > > > >>> > > about > > > > >> > > > >>> > > > >>> password verification? Right now I only see > the > > > packets > > > > >> > > when > > > > >> > > > >>> ldap > > > > >> > > > >>> > > search for > > > > >> > > > >>> > > > >>> my user id and gets results back from AD. > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> Ethereal should catch all data flowing between > the > > > > >> client > > > > >> > > and > > > > >> > > > >>> server. > > > > >> > > > >>> > > If > > > > >> > > > >>> > > > >> you can search out the user in your AD right > now, > > > then > > > > >> one > > > > >> > > of > > > > >> > > > >>> two > > > > >> > > > >>> > > things is > > > > >> > > > >>> > > > >> happening: > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> 1. You are performing anonymous searches. In > this > > > case, > > > > >> no > > > > >> > > > >>> username > > > > >> > > > >>> > > and pw > > > > >> > > > >>> > > > >> is provided, and your AD is happy to hand over > info > > > to > > > > >> > > anyone > > > > >> > > > >>> who asks > > > > >> > > > >>> > > for > > > > >> > > > >>> > > > >> it. If this is the case, you will _not_ see > > > > >> authentication > > > > >> > > > >>> > > information. 
The > > > > >> > > > >>> > > > >> following MS KB article should probably help > you > > > > >> determine > > > > >> > > on > > > > >> > > > >>> your AD > > > > >> > > > >>> > > if > > > > >> > > > >>> > > > >> anonymous queries are allowed: > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> http://support.microsoft.com/kb/320528 > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> It has exact instructions for how to get it > going, > > > but > > > > >> you > > > > >> > > can > > > > >> > > > >>> follow > > > > >> > > > >>> > > > >> along with it to check your current settings > > > without > > > > >> making > > > > >> > > any > > > > >> > > > >>> > > changes. > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > > I checked our setting. Permission type for > normal > > > user is > > > > >> > > "Read & > > > > >> > > > >>> > > Execute". > > > > >> > > > >>> > > > > I click edit to check the detail about > permission. I > > > > >> think it > > > > >> > > > >>> only > > > > >> > > > >>> > > allow the > > > > >> > > > >>> > > > > user to read the attributes, permission > something > > > and > > > > >> can't > > > > >> > > > >>> modify the > > > > >> > > > >>> > > > > AD.There is "Everyone" setting is also set as > "Read > > > & > > > > >> > > Execute". > > > > >> > > > >>> By the > > > > >> > > > >>> > > way, > > > > >> > > > >>> > > > > the AD is Win2003 R2. > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> 2. Authentication is happening. It will be the > > > _very_ > > > > >> first > > > > >> > > > >>> thing the > > > > >> > > > >>> > > > >> client and server perform, after basic > connection > > > > >> > > establishment. > > > > >> > > > >>> Look > > > > >> > > > >>> > > for it > > > > >> > > > >>> > > > >> at the very beginning of a dump. 
> > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> Also, it's a bit overkill, but the following > > > article is > > > > >> > > > >>> extremely > > > > >> > > > >>> > > > >> informative about all the different ways you > can > > > plug > > > > >> linux > > > > >> > > into > > > > >> > > > >>> AD > > > > >> > > > >>> > > for > > > > >> > > > >>> > > > >> authentication. It might offer some hints... > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >>> Maybe I need dig into ldap.conf more. If you > have > > > any > > > > >> idea, > > > > >> > > let > > > > >> > > > >>> me > > > > >> > > > >>> > > know. > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >>> Thank you very much. > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >>> Lou > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > -------------- next part -------------- > > > > >> > > > >>> > > > An HTML attachment was scrubbed... > > > > >> > > > >>> > > > URL: > > > > >> > > > >>> > > > > > > >> > > > >>> > > > > >> > > > > > > >> > > > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html > > > > >> > > > >>> > > > _______________________________________________ > > > > >> > > > >>> > > > tac_plus mailing list > > > > >> > > > >>> > > > tac_plus at shrubbery.net > > > > >> > > > >>> > > > > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > > > >> > > > >>> > > > > > > >> > > > >>> > > > > >> > > > >> > > > > >> > > > >> > > > > >> > > > > > > > > >> > > > > > > >> > -------------- next part -------------- > > > > >> > An HTML attachment was scrubbed... 
> > > > >> > URL:
> > > > >> > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html
> > > > >> > _______________________________________________
> > > > >> > tac_plus mailing list
> > > > >> > tac_plus at shrubbery.net
> > > > >> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> > > > >>
> > > > >>
> > > >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/a877fda6/attachment.html

From heas at shrubbery.net Tue Nov 24 18:15:24 2009
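An added example, not code from tac_plus, Linux-PAM or anyone on this thread: a small Python model of the system-auth 'auth' stack Hailu posted, walked with the control-flag semantics from pam.conf(5) (required, requisite, sufficient, optional and the bracketed [value=action] form). It makes concrete what Jeroen and John say about NSS: 'pam_succeed_if.so uid >= 500' is 'requisite' and has to resolve the user with getpwnam(3), so while nsswitch.conf does not list ldap for passwd the stack dies at that line with PAM_USER_UNKNOWN before pam_ldap.so ever runs; once ldap is listed, pam_ldap.so is what decides. Assumptions, marked in the code as well: that PAM_USER_UNKNOWN is what the "Unknown user" line in the tac_plus -d 32 log reports, that the directory user has no local passwd or shadow entry, the simplified return codes modelled for each module, and the constructed sample data (user 'myusername', uid 10001, the directory contents).

```python
import re
# Symbolic PAM return codes for the model (names, not libpam's integer values).
SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_PERM_DENIED")
RETVAL_KEY = {SUCCESS: "success", AUTH_ERR: "auth_err", USER_UNKNOWN: "user_unknown"}

# Keyword controls written as the [value=action] tables pam.conf(5) defines.
CONTROL_TABLES = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

# The system-auth 'auth' lines as posted in the thread (constructed sample input).
POSTED_SYSTEM_AUTH = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""
PAM_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_stack(text, facility="auth"):
    """Return [(action_table, module, args)] for one facility of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fac, control, module, args = PAM_LINE.match(line).groups()
        if fac != facility:
            continue
        table = (dict(kv.split("=", 1) for kv in control[1:-1].split())   # [retval=action ...]
                 if control.startswith("[") else CONTROL_TABLES[control])
        stack.append((table, module, args.split()))
    return stack

def getpwnam(host, user):
    """NSS lookup as the host's nsswitch 'passwd:' sources drive it.  Assumes
    /etc/passwd has no entry for directory users; uid 10001 is made up."""
    if "ldap" in host["nss_passwd"] and user in host["ldap_users"]:
        return {"uid": 10001}
    return None

def run_module(module, args, host, user, password):
    """Simplified return codes for the modules in the posted auth stack.  Assumed:
    pam_unix and pam_succeed_if need getpwnam(3); pam_unix has no hash for a directory user."""
    if module == "pam_env.so":
        return SUCCESS
    if module == "pam_unix.so":
        return USER_UNKNOWN if getpwnam(host, user) is None else AUTH_ERR
    if module == "pam_succeed_if.so":
        pw = getpwnam(host, user)
        if pw is None:
            return USER_UNKNOWN              # cannot evaluate 'uid >= 500'
        op, value = args[1], int(args[2])    # args look like ['uid', '>=', '500', 'quiet']
        return SUCCESS if {">=": pw["uid"] >= value, "<": pw["uid"] < value}[op] else AUTH_ERR
    if module == "pam_ldap.so":
        stored = host["ldap_users"].get(user)
        return USER_UNKNOWN if stored is None else SUCCESS if stored == password else AUTH_ERR
    if module == "pam_deny.so":
        return AUTH_ERR
    raise ValueError("no model for " + module)

def authenticate(stack, host, user, password):
    """Walk the stack like libpam's dispatcher: 'ok' records a positive result,
    'done' stops on one, 'bad' records the first failure, 'die' stops on it,
    'ignore' changes nothing, an integer skips that many modules.
    Returns (final status, trace of (module, retval, action))."""
    impression, status, trace, i = None, None, [], 0
    while i < len(stack):
        table, module, args = stack[i]
        ret = run_module(module, args, host, user, password)
        action = table.get(RETVAL_KEY[ret], table.get("default", "bad"))
        trace.append((module, ret, action))
        if action in ("ok", "done"):
            if impression is None or (impression == "+" and status == SUCCESS):
                impression, status = "+", ret
            if action == "done" and impression == "+":
                break
        elif action in ("bad", "die"):
            if impression != "-":
                impression, status = "-", ret
            if action == "die":
                break
        elif action.isdigit():
            i += int(action)
        i += 1
    return (status if impression else PERM_DENIED), trace

def demo():
    """The three situations the thread circles around, through the posted stack."""
    stack = parse_stack(POSTED_SYSTEM_AUTH)
    ldap = {"myusername": "mypassword"}           # constructed directory content
    host = lambda nss: {"nss_passwd": nss, "ldap_users": ldap}
    return {
        "nss_files_only": authenticate(stack, host(["files"]), "myusername", "mypassword")[0],
        "nss_with_ldap": authenticate(stack, host(["files", "ldap"]), "myusername", "mypassword")[0],
        "wrong_password": authenticate(stack, host(["files", "ldap"]), "myusername", "nope")[0],
    }
```

demo() returns PAM_USER_UNKNOWN for the files-only nsswitch, PAM_SUCCESS once ldap is listed, and PAM_AUTH_ERR for a wrong password; authenticate() also returns the per-module trace, which is the quickest way to see which line of the stack 'died'. The /etc/pam.d/tac_plus file that does 'auth include system-auth' runs these same lines, since include splices them in.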
From: heas at shrubbery.net (john heasley)
Date: Tue, 24 Nov 2009 10:15:24 -0800
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911240956p523827fcjf20d33f32b15d4d6@mail.gmail.com>
References: <8dabae5b0911231548u2548f07ep85bd045cca8a93ed@mail.gmail.com> <20091124162419.GD7044@shrubbery.net> <8dabae5b0911240905h7b2f3bd8g99c0ca98918c2c3@mail.gmail.com> <20091124173648.GF7044@shrubbery.net> <8dabae5b0911240956p523827fcjf20d33f32b15d4d6@mail.gmail.com>
Message-ID: <20091124181523.GI7044@shrubbery.net>

Tue, Nov 24, 2009 at 11:56:23AM -0600, Hailu Meng:
> John,
>
> I checked my tac_plus configuration for PAM module. the file
> /etc/pam.d/tac_plus. The current configuration is shown below:
> As you suggest I need to put pam_ldap.so on the first row for every
> auth, account, password and session, right?

i don't know; i'm not that familiar with pam. read the manual for pam and
each of the modules. for example, pam_unix on my machine seems to check
passwd(5) entries for authentication, which you probably do not want.
> *******************************************************************
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
>
>
> On Tue, Nov 24, 2009 at 11:36 AM, john heasley wrote:
>
> > Tue, Nov 24, 2009 at 11:05:59AM -0600, Hailu Meng:
> > > It makes sense. nsswitch.conf should be for like local login not for tacacs.
> > > Thanks John to point it out. I'm such a rookie to these things. Just
> > > followed some guides and combined them here. Need to study more.
> >
> > well, it depends upon what modules you use in your tacacs PAM config; ie:
> > if you have something like 'require unix_account' (WAG) that requires that
> > the login exist in /etc/passwd (or more precisely get_pwent(3) or similar),
> > then /etc/nsswitch.conf might affect it. BUT, that means that for you,
> > 'require unix_account' is a misconfiguration of the tacacs PAM config. that
> > it should be something like 'require ldap_account'.
> >
> > >
> > > Lou
> > >
> > > On Tue, Nov 24, 2009 at 10:24 AM, john heasley wrote:
> > >
> > > > Tue, Nov 24, 2009 at 11:11:57AM +0100, Jeroen Nijhof:
> > > > >
> > > > > Hi Lou,
> > > > >
> > > > > Yes, most server applications check if a user exists by looking up the
> > > > > uid via nss before doing any authentication (i.e. sshd).
> > > > >
> > > > > Regards,
> > > > > Jeroen
> > > > >
> > > > > On 23/11/2009 "Hailu Meng" wrote:
> > > > >
> > > > > >Hi Jeroen,
> > > > > >
> > > > > >Thanks for helping. I modified the nsswitch.conf as below:
> > > > > >passwd: files ldap
> > > > > >shadow: files ldap
> > > > > >group: files ldap
> > > > > >
> > > > > >And leave the other settings as default.
> > > > > >
> > > > > >the user attributes you are talking about are the attributes retrieved from
> > > > > >AD? I do see the packets from AD server told my tacacs+ server the user
> > > > > >attributes including homedir.
> > > >
> > > > i would not expect this to affect tacacs, unless you have something in your
> > > > pam config that requires it. ie: nsswitch.conf should control auth for the
> > > > host (eg: /sbin/login), tacacs is separate.
> > > >
> > > > > >Thanks.
> > > > > >
> > > > > >Lou
> > > > > >
> > > > > >
> > > > > >On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof wrote:
> > > > > >
> > > > > >> Hi,
> > > > > >>
> > > > > >> Did you setup the nsswitch.conf as well on your tac_plus server?
> > > > > >> Your tac_plus server needs to lookup the user attributes like homedir
> > > > > >> etc, otherwise pam will fail.
> > > > > >>
> > > > > >> Regards,
> > > > > >> Jeroen Nijhof
> > > > > >>
> > > > > >> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
> > > > > >> > Ok. With -d 32, I got some more info about pam as red color log.
> > > > > >> >
> > > > > >> > There is "Unknown user" log info following the input of my user
> > > > > >> > password.
> > > > > >> > Feel confused since ldap is able to get user info from Active directory, why
> > > > > >> > it turns out "Unknown user" here.
> > > > > >> >
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: User msg:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: myusername
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: User data:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: msg:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Password:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: data:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: User msg:
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: mypassword
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: User data:
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: Unknown user
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, > > > > >
>> flags > > > > > >> > 0x1 > > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 > > (0xbe977644), > > > > Data > > > > > >> > length 6 (0x6) > > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: End header > > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 > > (AUTHEN/FAIL) > > > > > >> > flags=0x0 > > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0 > > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: msg: > > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: data: > > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: End packet > > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect > > > > > >> > > > > > > >> > > > > > > >> > On Mon, Nov 23, 2009 at 3:16 PM, john heasley < > > heas at shrubbery.net> > > > > > >> wrote: > > > > > >> > > > > > > >> > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng: > > > > > >> > > > I just saw some posts saying pam_krb winbind could be needed > > to > > > > get > > > > > >> pam > > > > > >> > > work > > > > > >> > > > against active directory. Is this true? The post I was > > following > > > > > >> actually > > > > > >> > > is > > > > > >> > > > for a LDAP server not Active Directory. > > > > > >> > > > > > > > >> > > i dont know; each pam implementation seems to be [at least] > > > > slightly > > > > > >> > > different. seems silly to need kerberos for ldap. 
> > > > > >> > > > > > > > >> > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng < > > > > hailumeng at gmail.com> > > > > > >> wrote: > > > > > >> > > > > > > > > >> > > > > I think I need put my pam configuration here: > > > > > >> > > > > > > > > > >> > > > > I followed this post > > > > > >> > > > > > > > > > >> > > > > http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.htmlto > > > > > >> > > > > configure my pam module: > > > > > >> > > > > > > > > > >> > > > > /etc/pam.d/tacacs > > > > > >> > > > > > > > > > >> > > > > auth include system-auth > > > > > >> > > > > account required pam_nologin.so > > > > > >> > > > > account include system-auth > > > > > >> > > > > password include system-auth > > > > > >> > > > > session optional pam_keyinit.so force revoke > > > > > >> > > > > session include system-auth > > > > > >> > > > > session required pam_loginuid.so > > > > > >> > > > > > > > > > >> > > > > /etc/pam.d/system-auth > > > > > >> > > > > #%PAM-1.0 > > > > > >> > > > > # This file is auto-generated. > > > > > >> > > > > # User changes will be destroyed the next time authconfig > > is > > > > run. 
> > > > > >> > > > > auth required pam_env.so > > > > > >> > > > > auth sufficient pam_unix.so nullok > > try_first_pass > > > > > >> > > > > auth requisite pam_succeed_if.so uid >= 500 > > quiet > > > > > >> > > > > auth sufficient pam_ldap.so use_first_pass > > > > > >> > > > > auth required pam_deny.so > > > > > >> > > > > > > > > > >> > > > > account required pam_unix.so broken_shadow > > > > > >> > > > > account sufficient pam_succeed_if.so uid < 500 > > quiet > > > > > >> > > > > > > > > > >> > > > > account [default=bad success=ok user_unknown=ignore] > > > > > >> pam_ldap.so > > > > > >> > > > > account required pam_permit.so > > > > > >> > > > > > > > > > >> > > > > password requisite pam_cracklib.so try_first_pass > > > > retry=3 > > > > > >> > > > > password sufficient pam_unix.so md5 shadow nullok > > > > > >> try_first_pass > > > > > >> > > > > use_authtok > > > > > >> > > > > password sufficient pam_ldap.so use_authtok > > > > > >> > > > > password required pam_deny.so > > > > > >> > > > > > > > > > >> > > > > session optional pam_keyinit.so revoke > > > > > >> > > > > session required pam_limits.so > > > > > >> > > > > session [success=1 default=ignore] pam_succeed_if.so > > > > service in > > > > > >> > > crond > > > > > >> > > > > quiet use_uid > > > > > >> > > > > session required pam_unix.so > > > > > >> > > > > session optional pam_ldap.so > > > > > >> > > > > > > > > > >> > > > > > > > > > >> > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng < > > > > hailumeng at gmail.com> > > > > > >> > > wrote: > > > > > >> > > > > > > > > > >> > > > >> Hi John, > > > > > >> > > > >> > > > > > >> > > > >> You mean issue commands like tac_plus -C > > /etct/tac_plus.conf > > > > -L -p > > > > > >> 49 > > > > > >> > > -d > > > > > >> > > > >> 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make > > any > > > > > >> change. I > > > > > >> > > got > > > > > >> > > > >> same log info. 
By the way, I also saw the log info in > > > > > >> > > /var/log/message: > > > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config > > > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 > > > > Initialized > > > > > >> 1 > > > > > >> > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from > > 10.1.69.89 > > > > > >> > > [10.1.69.89] > > > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for > > 'myuser' > > > > tty0 > > > > > >> from > > > > > >> > > > >> 10.1.69.89 rejected > > > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser > > > > > >> 10.1.69.89 > > > > > >> > > > >> (10.1.69.89) tty0 > > > > > >> > > > >> > > > > > >> > > > >> Do we have option to see the log about PAM? I haven't > > found > > > > where > > > > > >> it > > > > > >> > > is. > > > > > >> > > > >> if we can check the log of PAM, then we could find > > something > > > > > >> useful. > > > > > >> > > Right > > > > > >> > > > >> now the log of tac_plus didn't tell too much about why > > login > > > > got > > > > > >> > > failure. > > > > > >> > > > > > > > >> > > add -d 32. -d x -d y ... will be logically OR'd together. > > > > > >> > > > > > > > >> > > > >> Lou > > > > > >> > > > >> > > > > > >> > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley < > > > > heas at shrubbery.net > > > > > >> > > > > > > >> > > wrote: > > > > > >> > > > >> > > > > > >> > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng: > > > > > >> > > > >>> > Thanks John for helping me check this issue. > > > > > >> > > > >>> > > > > > > >> > > > >>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 > > > > -d256 -g > > > > > >> to > > > > > >> > > see > > > > > >> > > > >>> the > > > > > >> > > > >>> > > > > > >> > > > >>> try -d 16 -d 256. which i think will log the pwd that > > pam > > > > > >> received > > > > > >> > > from > > > > > >> > > > >>> the device. make its correct. 
the logs below do appear > > to > > > > be a > > > > > >> > > > >>> reject/fail > > > > > >> > > > >>> returned from pam. > > > > > >> > > > >>> > > > > > >> > > > >>> > log in stdout and in log file. I can't see any > > suspicious > > > > log > > > > > >> > > > >>> information > > > > > >> > > > >>> > here. I paste the log below: > > > > > >> > > > >>> > > > > > > >> > > > >>> > > > > > > >> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT > > size=23 > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), > > type > > > > 1, > > > > > >> seq no > > > > > >> > > 5, > > > > > >> > > > >>> flags > > > > > >> > > > >>> > 0x1 > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 > > > > > >> > > (0xc46868ce), > > > > > >> > > > >>> Data > > > > > >> > > > >>> > length > > > > > >> > > > >>> > 11 (0xb) > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), > > > > > >> > > user_data_len 0 > > > > > >> > > > >>> (0x0) > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0 > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg: > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data: > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose > > > > default_fn > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling > > authentication > > > > > >> function > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing > > AUTHEN/GETPASS > > > > size=28 > > > > > >> > > > >>> > Sat Nov 21 
22:28:27 2009 [3393]: PACKET: key=mykey > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), > > type > > > > 1, > > > > > >> seq no > > > > > >> > > 6, > > > > > >> > > > >>> flags > > > > > >> > > > >>> > 0x1 > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 > > > > > >> > > (0xc46868ce), > > > > > >> > > > >>> Data > > > > > >> > > > >>> > length > > > > > >> > > > >>> > 16 (0x10) > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 > > > > > >> > > (AUTHEN/GETPASS) > > > > > >> > > > >>> > flags=0x1 > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, > > data_len=0 > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg: > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password: > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data: > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet > > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet > > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT > > size=30 > > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey > > > > > >> > > > >>> > > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), > > type > > > > 1, > > > > > >> seq no > > > > > >> > > 7, > > > > > >> > > > >>> flags > > > > > >> > > > >>> > 0x1 > > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 > > > > > >> > > (0xc46868ce), > > > > > >> > > > >>> Data > > > > > >> > > > >>> > length > > > > > >> > > > >>> > 18 (0x12) > > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header > > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT > > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 > > (0xd), > > > > > >> > > user_data_len 0 > > > > > >> > > > >>> > (0x0) > > > > > >> > > > >>> > Sat Nov 
21 22:28:34 2009 [3393]: flags=0x0 > > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg: > > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword > > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data: > > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet > > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for > > > > 'myusername' > > > > > >> tty0 > > > > > >> > > from > > > > > >> > > > >>> > 10.1.69.89 r > > > > > >> > > > >>> > ejected > > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure: > > myusername > > > > > >> > > 10.1.69.89 > > > > > >> > > > >>> > (10.1.69.89) t > > > > > >> > > > >>> > ty0 > > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL > > > > size=18 > > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey > > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), > > type > > > > 1, > > > > > >> seq no > > > > > >> > > 8, > > > > > >> > > > >>> flags > > > > > >> > > > >>> > 0x1 > > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 > > > > > >> > > (0xc46868ce), > > > > > >> > > > >>> Data > > > > > >> > > > >>> > length > > > > > >> > > > >>> > 6 (0x6) > > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header > > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 > > > > > >> (AUTHEN/FAIL) > > > > > >> > > > >>> > flags=0x0 > > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0 > > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg: > > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data: > > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet > > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: > > disconnect > > > > > >> > > > >>> > > > > > > >> > > > >>> > > > > > > >> > > > >>> > > > > > > >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley < > > > > 
> >> heas at shrubbery.net > > > > > >> > > > > > > > > >> > > > >>> wrote: > > > > > >> > > > >>> > > > > > > >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng: > > > > > >> > > > >>> > > > Hi Adam, > > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > If the ldapsearch -D "" -w "" runs successfully, > > what > > > > do we > > > > > >> > > suppose > > > > > >> > > > >>> to > > > > > >> > > > >>> > > get > > > > > >> > > > >>> > > > from the output? I just got all of the user > > > > information in > > > > > >> that > > > > > >> > > > >>> group. > > > > > >> > > > >>> > > Does > > > > > >> > > > >>> > > > that means my password and username got > > authenticated > > > > > >> > > successfully > > > > > >> > > > >>> > > against > > > > > >> > > > >>> > > > AD? > > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > This thing drives me crazy. I need solve it > > through > > > > this > > > > > >> week > > > > > >> > > > >>> before the > > > > > >> > > > >>> > > > holiday... > > > > > >> > > > >>> > > > > > > > >> > > > >>> > > i havent followed this thread, as i know nearly zero > > > > about > > > > > >> ldap. > > > > > >> > > > >>> but, > > > > > >> > > > >>> > > have you enabled authentication debugging in the > > tacacas > > > > > >> daemon > > > > > >> > > and > > > > > >> > > > >>> > > checked the logs to determine what is coming back > > from > > > > pam? > > > > > >> it > > > > > >> > > very > > > > > >> > > > >>> > > well may be that the ldap client is working just > > fine, > > > > but > > > > > >> there > > > > > >> > > is a > > > > > >> > > > >>> > > pam module bug or a bug in the tacplus daemon or > > that > > > > your > > > > > >> device > > > > > >> > > > >>> > > simply doesnt like something about the replies. > > > > > >> > > > >>> > > > > > > > >> > > > >>> > > > Thanks a lot for the help. 
> > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > Lou > > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng < > > > > > >> > > hailumeng at gmail.com> > > > > > >> > > > >>> wrote: > > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > > Still no clue how to turn on the log. binding > > seems > > > > good. > > > > > >> See > > > > > >> > > my > > > > > >> > > > >>> > > findings > > > > > >> > > > >>> > > > > below. Thanks a lot. > > > > > >> > > > >>> > > > > > > > > > >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam < > > > > > >> > > prozaconstilts at gmail.com> > > > > > >> > > > >>> > > wrote: > > > > > >> > > > >>> > > > > > > > > > >> > > > >>> > > > >> Hailu Meng wrote: > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >>> Adam, > > > > > >> > > > >>> > > > >>> > > > > > >> > > > >>> > > > >>> I tried the su - "userid" in my tacacs+ server > > but > > > > I > > > > > >> don't > > > > > >> > > have > > > > > >> > > > >>> that > > > > > >> > > > >>> > > > >>> userid in CentOS. So the CentOS just don't > > want me > > > > log > > > > > >> in. > > > > > >> > > I > > > > > >> > > > >>> think > > > > > >> > > > >>> > > this will > > > > > >> > > > >>> > > > >>> not ask tacacs server to authenticate against > > AD. > > > > > >> > > > >>> > > > >>> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> You shouldn't need to have to define the user > > in > > > > CentOS, > > > > > >> > > that's > > > > > >> > > > >>> the > > > > > >> > > > >>> > > point > > > > > >> > > > >>> > > > >> of using ldap for authentication. The user is > > > > defined in > > > > > >> > > ldap, > > > > > >> > > > >>> not in > > > > > >> > > > >>> > > > >> CentOS. 
Now that I think about it, su - > > > > probably > > > > > >> > > wouldn't > > > > > >> > > > >>> work > > > > > >> > > > >>> > > > >> anyway, as AD doesn't by default have the data > > > > needed by > > > > > >> a > > > > > >> > > linux > > > > > >> > > > >>> box > > > > > >> > > > >>> > > to > > > > > >> > > > >>> > > > >> allow login...but see below for more options. > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >>> Is there any other way to test ldap > > authentication > > > > > >> against > > > > > >> > > AD > > > > > >> > > > >>> with > > > > > >> > > > >>> > > the > > > > > >> > > > >>> > > > >>> userid in AD? I tried ldapsearch. It did find > > my > > > > user > > > > > >> id > > > > > >> > > > >>> without > > > > > >> > > > >>> > > problem. > > > > > >> > > > >>> > > > >>> But I haven't found any option to try with > > > > password and > > > > > >> > > > >>> authenticate > > > > > >> > > > >>> > > against > > > > > >> > > > >>> > > > >>> AD. > > > > > >> > > > >>> > > > >>> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> Try using -D: > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> from `man ldapsearch`: > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> -D binddn > > > > > >> > > > >>> > > > >> Use the Distinguished Name binddn to bind to > > the > > > > LDAP > > > > > >> > > > >>> directory. > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let > > you > > > > try > > > > > >> to > > > > > >> > > > >>> authenticate > > > > > >> > > > >>> > > > >> using whatever user you want to define. Just > > check > > > > and > > > > > >> > > double > > > > > >> > > > >>> check > > > > > >> > > > >>> > > you get > > > > > >> > > > >>> > > > >> the right path in that dn. 
> > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc " > > but it > > > > just > > > > > >> > > > >>> returned lots > > > > > >> > > > >>> > > of > > > > > >> > > > >>> > > > > users' information. It means successful? > > > > > >> > > > >>> > > > > > > > > > >> > > > >>> > > > > > > > > > >> > > > >>> > > > >> Do you have ldap server setup or only the > > openldap > > > > > >> library > > > > > >> > > and > > > > > >> > > > >>> > > openldap > > > > > >> > > > >>> > > > >>> client? I don't understand why the log is not > > > > turned > > > > > >> on. > > > > > >> > > There > > > > > >> > > > >>> must > > > > > >> > > > >>> > > be some > > > > > >> > > > >>> > > > >>> debugging info in the log which can help solve > > > > this > > > > > >> issue. > > > > > >> > > > >>> > > > >>> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> only the libs and client. You should not need > > the > > > > > >> server. In > > > > > >> > > the > > > > > >> > > > >>> > > > >> ldapsearch, you can use -d to get > > > > debugging > > > > > >> info > > > > > >> > > for > > > > > >> > > > >>> that > > > > > >> > > > >>> > > search. > > > > > >> > > > >>> > > > >> As before, higher number = more debug > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> If the user can authenticate, does ethereal > > > > capture > > > > > >> some > > > > > >> > > > >>> packets > > > > > >> > > > >>> > > about > > > > > >> > > > >>> > > > >>> password verification? Right now I only see > > the > > > > packets > > > > > >> > > when > > > > > >> > > > >>> ldap > > > > > >> > > > >>> > > search for > > > > > >> > > > >>> > > > >>> my user id and gets results back from AD. 
> > > > > >> > > > >>> > > > >>> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> Ethereal should catch all data flowing between > > the > > > > > >> client > > > > > >> > > and > > > > > >> > > > >>> server. > > > > > >> > > > >>> > > If > > > > > >> > > > >>> > > > >> you can search out the user in your AD right > > now, > > > > then > > > > > >> one > > > > > >> > > of > > > > > >> > > > >>> two > > > > > >> > > > >>> > > things is > > > > > >> > > > >>> > > > >> happening: > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> 1. You are performing anonymous searches. In > > this > > > > case, > > > > > >> no > > > > > >> > > > >>> username > > > > > >> > > > >>> > > and pw > > > > > >> > > > >>> > > > >> is provided, and your AD is happy to hand over > > info > > > > to > > > > > >> > > anyone > > > > > >> > > > >>> who asks > > > > > >> > > > >>> > > for > > > > > >> > > > >>> > > > >> it. If this is the case, you will _not_ see > > > > > >> authentication > > > > > >> > > > >>> > > information. The > > > > > >> > > > >>> > > > >> following MS KB article should probably help > > you > > > > > >> determine > > > > > >> > > on > > > > > >> > > > >>> your AD > > > > > >> > > > >>> > > if > > > > > >> > > > >>> > > > >> anonymous queries are allowed: > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> http://support.microsoft.com/kb/320528 > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> It has exact instructions for how to get it > > going, > > > > but > > > > > >> you > > > > > >> > > can > > > > > >> > > > >>> follow > > > > > >> > > > >>> > > > >> along with it to check your current settings > > > > without > > > > > >> making > > > > > >> > > any > > > > > >> > > > >>> > > changes. > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > > > > > > > >> > > > >>> > > > > I checked our setting. Permission type for > > normal > > > > user is > > > > > >> > > "Read & > > > > > >> > > > >>> > > Execute". 
> > > > > >> > > > >>> > > > > I click edit to check the detail about > > permission. I > > > > > >> think it > > > > > >> > > > >>> only > > > > > >> > > > >>> > > allow the > > > > > >> > > > >>> > > > > user to read the attributes, permission > > something > > > > and > > > > > >> can't > > > > > >> > > > >>> modify the > > > > > >> > > > >>> > > > > AD.There is "Everyone" setting is also set as > > "Read > > > > & > > > > > >> > > Execute". > > > > > >> > > > >>> By the > > > > > >> > > > >>> > > way, > > > > > >> > > > >>> > > > > the AD is Win2003 R2. > > > > > >> > > > >>> > > > > > > > > > >> > > > >>> > > > > > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> 2. Authentication is happening. It will be the > > > > _very_ > > > > > >> first > > > > > >> > > > >>> thing the > > > > > >> > > > >>> > > > >> client and server perform, after basic > > connection > > > > > >> > > establishment. > > > > > >> > > > >>> Look > > > > > >> > > > >>> > > for it > > > > > >> > > > >>> > > > >> at the very beginning of a dump. > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> Also, it's a bit overkill, but the following > > > > article is > > > > > >> > > > >>> extremely > > > > > >> > > > >>> > > > >> informative about all the different ways you > > can > > > > plug > > > > > >> linux > > > > > >> > > into > > > > > >> > > > >>> AD > > > > > >> > > > >>> > > for > > > > > >> > > > >>> > > > >> authentication. It might offer some hints... > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >>> Maybe I need dig into ldap.conf more. If you > > have > > > > any > > > > > >> idea, > > > > > >> > > let > > > > > >> > > > >>> me > > > > > >> > > > >>> > > know. > > > > > >> > > > >>> > > > >>> > > > > > >> > > > >>> > > > >>> Thank you very much. 
> > > > > >> > > > >>> > > > >>> > > > > > >> > > > >>> > > > >>> Lou > > > > > >> > > > >>> > > > >>> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > >> > > > > > >> > > > >>> > > > > > > > > > >> > > > >>> > > > -------------- next part -------------- > > > > > >> > > > >>> > > > An HTML attachment was scrubbed... > > > > > >> > > > >>> > > > URL: > > > > > >> > > > >>> > > > > > > > >> > > > >>> > > > > > >> > > > > > > > >> > > > > > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html > > > > > >> > > > >>> > > > _______________________________________________ > > > > > >> > > > >>> > > > tac_plus mailing list > > > > > >> > > > >>> > > > tac_plus at shrubbery.net > > > > > >> > > > >>> > > > > > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > > > > >> > > > >>> > > > > > > > >> > > > >>> > > > > > >> > > > >> > > > > > >> > > > >> > > > > > >> > > > > > > > > > >> > > > > > > > >> > -------------- next part -------------- > > > > > >> > An HTML attachment was scrubbed... > > > > > >> > URL: > > > > > >> > > > > > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html > > > > > >> > _______________________________________________ > > > > > >> > tac_plus mailing list > > > > > >> > tac_plus at shrubbery.net > > > > > >> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > > > > >> > > > > > >> > > > > > >> > > > > > > From tmurch at toniccomputers.com Tue Nov 24 18:08:36 2009 
From: tmurch at toniccomputers.com (Tom Murch) Date: Tue, 24 Nov 2009 13:08:36 -0500 Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory In-Reply-To: <8dabae5b0911240956p523827fcjf20d33f32b15d4d6@mail.gmail.com> References: <8dabae5b0911231548u2548f07ep85bd045cca8a93ed@mail.gmail.com> <20091124162419.GD7044@shrubbery.net> <8dabae5b0911240905h7b2f3bd8g99c0ca98918c2c3@mail.gmail.com> <20091124173648.GF7044@shrubbery.net> <8dabae5b0911240956p523827fcjf20d33f32b15d4d6@mail.gmail.com> Message-ID: now im not an expert on this however I do run a samba server which pulls the user names from my AD controller. Have you tried using winbind plus pam for the AD authentication ?? http://wiki.samba.org/index.php/Samba_&_Active_Directory I used this for my samba install but you could get the idea of how winbind and Kerberos would work. It might give you more luck On Tue, Nov 24, 2009 at 12:56 PM, Hailu Meng wrote: > John, > > I checked my tac_plus configuration for PAM module. the file > /etc/pam.d/tac_plus. The current configuration is shown below: > As you suggest I need put pam_ldap.so on the first row for every > auth,account,password and session, right? 
> > ******************************************************************* > auth required pam_env.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 500 quiet > auth sufficient pam_ldap.so use_first_pass > auth required pam_deny.so > > account required pam_unix.so broken_shadow > account sufficient pam_localuser.so > account sufficient pam_succeed_if.so uid < 500 quiet > account [default=bad success=ok user_unknown=ignore] pam_ldap.so > account required pam_permit.so > > password requisite pam_cracklib.so try_first_pass retry=3 > password sufficient pam_unix.so md5 shadow nullok try_first_pass > use_authtok > password sufficient pam_ldap.so use_authtok > password required pam_deny.so > > session optional pam_keyinit.so revoke > session required pam_limits.so > session [success=1 default=ignore] pam_succeed_if.so service in crond > quiet use_uid > session required pam_unix.so > session optional pam_ldap.so > > > On Tue, Nov 24, 2009 at 11:36 AM, john heasley wrote: > > > Tue, Nov 24, 2009 at 11:05:59AM -0600, Hailu Meng: > > > It makes sense. nsswitch.conf should be for like local login not for > > tacacs. > > > Thanks John to point it out. I'm such a rookie to these things. Just > > > followed some guides and combine them here. Need study more. > > > > well, it depends upon what modules you use in your tacacs PAM config; ie: > > if you have something like 'require unix_account' (WAG) that requires > that > > the login exist in /etc/passwd (or more precisely get_pwent(3) or > similar), > > then /etc/nsswitch.conf might affect it. BUT, that means that for you, > > 'require unix_account' is a misconfiguration of the tacacs PAM config. > > that > > is should be something like 'require ldap_account'. 
> > > > > > > Lou > > > > > > On Tue, Nov 24, 2009 at 10:24 AM, john heasley > > wrote: > > > > > > > Tue, Nov 24, 2009 at 11:11:57AM +0100, Jeroen Nijhof: > > > > > > > > > > Hi Lou, > > > > > > > > > > Yes, most server application's check if a user exist by looking up > > the > > > > > uid via nss before doing any authentication (i.e. sshd). > > > > > > > > > > Regards, > > > > > Jeroen > > > > > > > > > > Op 23/11/2009 schreef "Hailu Meng" : > > > > > > > > > > >Hi Jeroen, > > > > > > > > > > > >Thanks for helping. I modified the nssswitch.conf as below: > > > > > >passwd: files ldap > > > > > >shadow: files ldap > > > > > >group: files ldap > > > > > > > > > > > >And leave the other settings as default. > > > > > > > > > > > >the user attributes you are talking about are the attributes > > retrieving > > > > from > > > > > >AD? I do see the packets from AD server told my tacacs+ server the > > user > > > > > >attributes including homedir. > > > > > > > > i would not expect this to affect tacacs, unless you have something > in > > your > > > > pam config that requires it. ie: nsswitch.conf should control auth > for > > the > > > > host (eg: /sbin/login), tacacs is separate. > > > > > > > > > >Thanks. > > > > > > > > > > > >Lou > > > > > > > > > > > > > > > > > >On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof < > jeroen at nijhofnet.nl > > > > > > > wrote: > > > > > > > > > > > >> Hi, > > > > > >> > > > > > >> Did you setup the nsswitch.conf as well on your tac_plus server? > > > > > >> Your tac_plus server needs to lookup the user attributes like > > homedir > > > > > >> etc, otherwise pam will fail. > > > > > >> > > > > > >> Regards, > > > > > >> Jeroen Nijhof > > > > > >> > > > > > >> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote: > > > > > >> > Ok. With -d 32, I got some more info about pam as red color > log. > > > > > >> > > > > > > >> > There is "Unknown user" log info following the input of my > user > > > > password. 
> > > > > >> > Feel confused, since ldap is able to get user info from Active Directory, why it turns out "Unknown user" here.
> > > > > >> >
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: User msg:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: myusername
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: User data:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: msg:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Password:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: data:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: User msg:
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: mypassword
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: User data:
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: Unknown user
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 6 (0x6)
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: msg:
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: data:
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
> > > > > >> >
> > > > > >> >
> > > > > >> > On Mon, Nov 23, 2009 at 3:16 PM, john heasley <heas at shrubbery.net> wrote:
> > > > > >> >
> > > > > >> > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
> > > > > >> > > > I just saw some posts saying pam_krb winbind could be needed to get pam to work against Active Directory. Is this true? The post I was following actually is for an LDAP server, not Active Directory.
> > > > > >> > >
> > > > > >> > > i dont know; each pam implementation seems to be [at least] slightly different. seems silly to need kerberos for ldap.
> > > > > >> > >
> > > > > >> > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > > >> > > >
> > > > > >> > > > > I think I need to put my pam configuration here:
> > > > > >> > > > >
> > > > > >> > > > > I followed this post
> > > > > >> > > > > http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html
> > > > > >> > > > > to configure my pam module:
> > > > > >> > > > >
> > > > > >> > > > > /etc/pam.d/tacacs
> > > > > >> > > > >
> > > > > >> > > > > auth include system-auth
> > > > > >> > > > > account required pam_nologin.so
> > > > > >> > > > > account include system-auth
> > > > > >> > > > > password include system-auth
> > > > > >> > > > > session optional pam_keyinit.so force revoke
> > > > > >> > > > > session include system-auth
> > > > > >> > > > > session required pam_loginuid.so
> > > > > >> > > > >
> > > > > >> > > > > /etc/pam.d/system-auth
> > > > > >> > > > > #%PAM-1.0
> > > > > >> > > > > # This file is auto-generated.
> > > > > >> > > > > # User changes will be destroyed the next time authconfig is run.
> > > > > >> > > > > auth required pam_env.so
> > > > > >> > > > > auth sufficient pam_unix.so nullok try_first_pass
> > > > > >> > > > > auth requisite pam_succeed_if.so uid >= 500 quiet
> > > > > >> > > > > auth sufficient pam_ldap.so use_first_pass
> > > > > >> > > > > auth required pam_deny.so
> > > > > >> > > > >
> > > > > >> > > > > account required pam_unix.so broken_shadow
> > > > > >> > > > > account sufficient pam_succeed_if.so uid < 500 quiet
> > > > > >> > > > > account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > > > >> > > > > account required pam_permit.so
> > > > > >> > > > >
> > > > > >> > > > > password requisite pam_cracklib.so try_first_pass retry=3
> > > > > >> > > > > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > > > > >> > > > > password sufficient pam_ldap.so use_authtok
> > > > > >> > > > > password required pam_deny.so
> > > > > >> > > > >
> > > > > >> > > > > session optional pam_keyinit.so revoke
> > > > > >> > > > > session required pam_limits.so
> > > > > >> > > > > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > > > >> > > > > session required pam_unix.so
> > > > > >> > > > > session optional pam_ldap.so
> > > > > >> > > > >
> > > > > >> > > > >
> > > > > >> > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > > >> > > > >
> > > > > >> > > > >> Hi John,
> > > > > >> > > > >>
> > > > > >> > > > >> You mean issue commands like tac_plus -C /etc/tac_plus.conf -L -p 49 -d 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make any change. I got the same log info.
> > > > > >> > > > >> By the way, I also saw the log info in /var/log/message:
> > > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
> > > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
> > > > > >> > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
> > > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from 10.1.69.89 rejected
> > > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89 (10.1.69.89) tty0
> > > > > >> > > > >>
> > > > > >> > > > >> Do we have an option to see the log about PAM? I haven't found where it is. If we can check the log of PAM, then we could find something useful. Right now the log of tac_plus didn't tell too much about why the login failed.
> > > > > >> > > >
> > > > > >> > > add -d 32. -d x -d y ... will be logically OR'd together.
> > > > > >> > >
> > > > > >> > > > >> Lou
> > > > > >> > > > >>
> > > > > >> > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley <heas at shrubbery.net> wrote:
> > > > > >> > > > >>
> > > > > >> > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
> > > > > >> > > > >>> > Thanks John for helping me check this issue.
> > > > > >> > > > >>> >
> > > > > >> > > > >>> > I just ran tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the
> > > > > >> > > > >>>
> > > > > >> > > > >>> try -d 16 -d 256. which i think will log the pwd that pam received from the device. make sure its correct.
> > > > > >> > > > >>> the logs below do appear to be a reject/fail returned from pam.
> > > > > >> > > > >>>
> > > > > >> > > > >>> > log in stdout and in the log file. I can't see any suspicious log information here. I paste the log below:
> > > > > >> > > > >>> >
> > > > > >> > > > >>> >
> > > > > >> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 11 (0xb)
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 16 (0x10)
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey
> > > > > >> > > > >>> >
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, flags 0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 18 (0x12)
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg:
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data:
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, flags 0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 6 (0x6)
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg:
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data:
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect
> > > > > >> > > > >>> >
> > > > > >> > > > >>> >
> > > > > >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley <heas at shrubbery.net> wrote:
> > > > > >> > > > >>> >
> > > > > >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:
> > > > > >> > > > >>> > > > Hi Adam,
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > If the ldapsearch -D "" -w "" runs successfully, what are we supposed to get from the output? I just got all of the user information in that group. Does that mean my password and username got authenticated successfully against AD?
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > This thing drives me crazy. I need to solve it this week before the holiday...
> > > > > >> > > > >>> > >
> > > > > >> > > > >>> > > i havent followed this thread, as i know nearly zero about ldap. but, have you enabled authentication debugging in the tacacs daemon and checked the logs to determine what is coming back from pam? it very well may be that the ldap client is working just fine, but there is a pam module bug or a bug in the tacplus daemon or that your device simply doesnt like something about the replies.
> > > > > >> > > > >>> > >
> > > > > >> > > > >>> > > > Thanks a lot for the help.
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > Lou
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > > Still no clue how to turn on the log. Binding seems good. See my findings below. Thanks a lot.
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam <prozaconstilts at gmail.com> wrote:
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >> Hailu Meng wrote:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>> Adam,
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>> I tried the su - "userid" in my tacacs+ server, but I don't have that userid in CentOS. So CentOS just doesn't want to let me log in. I think this will not ask the tacacs server to authenticate against AD.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> You shouldn't need to have to define the user in CentOS, that's the point of using ldap for authentication. The user is defined in ldap, not in CentOS.
> > > > > >> > > > >>> > > > >> Now that I think about it, su - probably wouldn't work anyway, as AD doesn't by default have the data needed by a linux box to allow login...but see below for more options.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>> Is there any other way to test ldap authentication against AD with the userid in AD? I tried ldapsearch. It did find my user id without problem. But I haven't found any option to try with a password and authenticate against AD.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> Try using -D:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> from `man ldapsearch`:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> -D binddn
> > > > > >> > > > >>> > > > >> Use the Distinguished Name binddn to bind to the LDAP directory.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate using whatever user you want to define. Just check and double check you get the right path in that dn.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > > I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned lots of users' information. Does that mean it was successful?
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >>> Do you have an ldap server setup or only the openldap library and openldap client? I don't understand why the log is not turned on. There must be some debugging info in the log which can help solve this issue.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> only the libs and client. You should not need the server. In the ldapsearch, you can use -d to get debugging info for that search. As before, higher number = more debug
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>> If the user can authenticate, does ethereal capture some packets about password verification? Right now I only see the packets when ldap searches for my user id and gets results back from AD.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> Ethereal should catch all data flowing between the client and server. If you can search out the user in your AD right now, then one of two things is happening:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> 1. You are performing anonymous searches. In this case, no username and pw is provided, and your AD is happy to hand over info to anyone who asks for it. If this is the case, you will _not_ see authentication information. The following MS KB article should probably help you determine on your AD if anonymous queries are allowed:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> http://support.microsoft.com/kb/320528
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> It has exact instructions for how to get it going, but you can follow along with it to check your current settings without making any changes.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > > I checked our setting. Permission type for normal user is "Read & Execute".
> > > > > >> > > > >>> > > > > I clicked edit to check the details about permissions. I think it only allows the user to read the attributes, permissions and so on, and can't modify the AD. The "Everyone" setting is also set as "Read & Execute". By the way, the AD is Win2003 R2.
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> 2. Authentication is happening. It will be the _very_ first thing the client and server perform, after basic connection establishment. Look for it at the very beginning of a dump.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> Also, it's a bit overkill, but the following article is extremely informative about all the different ways you can plug linux into AD for authentication. It might offer some hints...
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>> Maybe I need to dig into ldap.conf more. If you have any idea, let me know.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>> Thank you very much.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>> Lou
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > -------------- next part --------------
> > > > > >> > > > >>> > > > An HTML attachment was scrubbed...
> > > > > >> > > > >>> > > > URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html
> > > > > >> > > > >>> > > > _______________________________________________
> > > > > >> > > > >>> > > > tac_plus mailing list
> > > > > >> > > > >>> > > > tac_plus at shrubbery.net
> > > > > >> > > > >>> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> > > > > >> > > > >>> > >
> > > > > >> > > > >>> >
> > > > > >> > > > >>
> > > > > >> > > > >
> > > > > >> > > >
> > > > > >> >
> > > > > >>
> > > > >
> >
>
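An added illustration, not from any poster in this thread and not tac_plus or libpam code: a small simulation of Linux-PAM control-flag evaluation over the auth section Lou posted, following John's and Jeroen's point that pam_unix and pam_succeed_if need the login to resolve through NSS before pam_ldap is ever reached. The per-module outcomes, the uid values and the user situations are constructed approximations, not calls into the real modules.

```python
"""Simulate Linux-PAM control-flag evaluation over the 'auth' stack quoted in
this thread, to show why a user that exists only in LDAP is rejected as
unknown unless nsswitch.conf lets getpwnam() resolve it.  Added example,
not part of the thread or of tac_plus; module outcomes are constructed
approximations of what each module returns, not calls into libpam."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"


@dataclass
class Entry:
    control: str        # required | requisite | sufficient | optional
    module: str
    args: str = ""


# The auth section of /etc/pam.d/system-auth as posted by Lou.
AUTH_STACK = [
    Entry("required", "pam_env.so"),
    Entry("sufficient", "pam_unix.so", "nullok try_first_pass"),
    Entry("requisite", "pam_succeed_if.so", "uid >= 500 quiet"),
    Entry("sufficient", "pam_ldap.so", "use_first_pass"),
    Entry("required", "pam_deny.so"),
]


@dataclass
class Scenario:
    """Constructed environment for one login attempt."""
    nss_uid: Optional[int]   # uid getpwnam() returns via nsswitch.conf; None = not resolvable
    local_password_ok: bool  # /etc/shadow holds a hash matching the password
    ldap_bind_ok: bool       # pam_ldap can bind to the directory as this user


def module_result(entry: Entry, s: Scenario) -> str:
    """Approximate return code of each module in the quoted stack."""
    m = entry.module
    if m == "pam_env.so":
        return PAM_SUCCESS            # only sets environment variables
    if m == "pam_deny.so":
        return PAM_AUTH_ERR           # unconditional failure
    if m == "pam_unix.so":
        # Needs the account through NSS before it can look at /etc/shadow.
        if s.nss_uid is None:
            return PAM_USER_UNKNOWN
        return PAM_SUCCESS if s.local_password_ok else PAM_AUTH_ERR
    if m == "pam_succeed_if.so":
        # 'uid >= N' is evaluated on the getpwnam() result; no entry, no uid.
        if s.nss_uid is None:
            return PAM_USER_UNKNOWN
        threshold = int(entry.args.split()[2])
        return PAM_SUCCESS if s.nss_uid >= threshold else PAM_AUTH_ERR
    if m == "pam_ldap.so":
        # Binds to the directory with the supplied credentials; no NSS needed.
        return PAM_SUCCESS if s.ldap_bind_ok else PAM_AUTH_ERR
    raise ValueError(f"no model for {m}")


def run_stack(stack: List[Entry], s: Scenario) -> Tuple[str, List[str]]:
    """Walk the stack with Linux-PAM control semantics.

    requisite : failure returns immediately with that module's code
    required  : failure is remembered, but later modules still run
    sufficient: success ends the stack with PAM_SUCCESS unless a required
                module already failed; failure is ignored
    """
    trace: List[str] = []
    first_required_failure: Optional[str] = None
    for e in stack:
        code = module_result(e, s)
        trace.append(f"{e.control:<10} {e.module:<18} -> {code}")
        ok = code == PAM_SUCCESS
        if e.control == "requisite" and not ok:
            return code, trace
        if e.control == "required" and not ok and first_required_failure is None:
            first_required_failure = code
        if e.control == "sufficient" and ok and first_required_failure is None:
            return PAM_SUCCESS, trace
    return first_required_failure or PAM_SUCCESS, trace


# Constructed login attempts (uid values are made up).
LDAP_USER_NO_NSS = Scenario(nss_uid=None, local_password_ok=False, ldap_bind_ok=True)
LDAP_USER_WITH_NSS = Scenario(nss_uid=10001, local_password_ok=False, ldap_bind_ok=True)
LDAP_USER_BAD_PASSWORD = Scenario(nss_uid=10001, local_password_ok=False, ldap_bind_ok=False)
LOCAL_ROOT = Scenario(nss_uid=0, local_password_ok=True, ldap_bind_ok=False)

if __name__ == "__main__":
    for name, s in [("ldap user, passwd: files only", LDAP_USER_NO_NSS),
                    ("ldap user, passwd: files ldap", LDAP_USER_WITH_NSS),
                    ("ldap user, wrong password", LDAP_USER_BAD_PASSWORD),
                    ("local root", LOCAL_ROOT)]:
        result, trace = run_stack(AUTH_STACK, s)
        print(f"--- {name}: {result}")
        print("\n".join("    " + t for t in trace))
```

With the requisite pam_succeed_if entry, an unresolvable user is rejected before pam_ldap runs at all, which is one reading consistent with the "Unknown user" line in the -d 32 log above; once passwd/shadow/group in nsswitch.conf include ldap, the same stack reaches pam_ldap and succeeds or fails on the bind.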
From hailumeng at gmail.com Tue Nov 24 18:21:53 2009
From: hailumeng at gmail.com (Hailu Meng)
Date: Tue, 24 Nov 2009 12:21:53 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To:
References: <8dabae5b0911231548u2548f07ep85bd045cca8a93ed@mail.gmail.com> <20091124162419.GD7044@shrubbery.net> <8dabae5b0911240905h7b2f3bd8g99c0ca98918c2c3@mail.gmail.com> <20091124173648.GF7044@shrubbery.net> <8dabae5b0911240956p523827fcjf20d33f32b15d4d6@mail.gmail.com>
Message-ID: <8dabae5b0911241021q70a8650ajd2c6d94c25092baa@mail.gmail.com>

Hi Tom,

Thanks for pointing me to another way. I haven't tried that yet. Not sure whether tac_plus will work with these functions or not. Have you tried to deploy this for cisco routers and switches?

Thanks.

Lou

On Tue, Nov 24, 2009 at 12:08 PM, Tom Murch wrote:

> now im not an expert on this however I do run a samba server which pulls the user names from my AD controller. Have you tried using winbind plus pam for the AD authentication ??
>
> http://wiki.samba.org/index.php/Samba_&_Active_Directory I used this for my samba install but you could get the idea of how winbind and Kerberos would work. It might give you more luck
>
> On Tue, Nov 24, 2009 at 12:56 PM, Hailu Meng wrote:
>
>> John,
>>
>> I checked my tac_plus configuration for the PAM module, the file /etc/pam.d/tac_plus. The current configuration is shown below:
>> As you suggest, I need to put pam_ldap.so on the first row for every auth, account, password and session, right?
> > >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 >> > (0xbe977644), >> > > > Data >> > > > > >> > length 16 (0x10) >> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End header >> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 >> > > > (AUTHEN/GETPASS) >> > > > > >> > flags=0x1 >> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0 >> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: msg: >> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Password: >> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: data: >> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End packet >> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet >> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30 >> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey >> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, >> seq >> > no >> > > > 5, >> > > > > >> flags >> > > > > >> > 0x1 >> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 >> > (0xbe977644), >> > > > Data >> > > > > >> > length 18 (0x12) >> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: End header >> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT >> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), >> > > > user_data_len 0 >> > > > > >> > (0x0) >> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0 >> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: User msg: >> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: mypassword >> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: User data: >> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: End packet >> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: Unknown user >> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' >> > tty0 >> > > > from >> > > > > >> > 10.1.69.89 rejected >> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: login failure: >> > myusername10.1.69.89 >> > > > > >> > (10.1.69.89) tty0 >> > > > > >> > Mon Nov 23 
15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18 >> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey >> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, >> seq >> > no >> > > > 6, >> > > > > >> flags >> > > > > >> > 0x1 >> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 >> > (0xbe977644), >> > > > Data >> > > > > >> > length 6 (0x6) >> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: End header >> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 >> > (AUTHEN/FAIL) >> > > > > >> > flags=0x0 >> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0 >> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: msg: >> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: data: >> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: End packet >> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect >> > > > > >> > >> > > > > >> > >> > > > > >> > On Mon, Nov 23, 2009 at 3:16 PM, john heasley < >> > heas at shrubbery.net> >> > > > > >> wrote: >> > > > > >> > >> > > > > >> > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng: >> > > > > >> > > > I just saw some posts saying pam_krb winbind could be >> needed >> > to >> > > > get >> > > > > >> pam >> > > > > >> > > work >> > > > > >> > > > against active directory. Is this true? The post I was >> > following >> > > > > >> actually >> > > > > >> > > is >> > > > > >> > > > for a LDAP server not Active Directory. >> > > > > >> > > >> > > > > >> > > i dont know; each pam implementation seems to be [at least] >> > > > slightly >> > > > > >> > > different. seems silly to need kerberos for ldap. 
>> > > > > >> > > >> > > > > >> > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng < >> > > > hailumeng at gmail.com> >> > > > > >> wrote: >> > > > > >> > > > >> > > > > >> > > > > I think I need put my pam configuration here: >> > > > > >> > > > > >> > > > > >> > > > > I followed this post >> > > > > >> > > > > >> > > > > >> >> > > > >> http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.htmlto >> > > > > >> > > > > configure my pam module: >> > > > > >> > > > > >> > > > > >> > > > > /etc/pam.d/tacacs >> > > > > >> > > > > >> > > > > >> > > > > auth include system-auth >> > > > > >> > > > > account required pam_nologin.so >> > > > > >> > > > > account include system-auth >> > > > > >> > > > > password include system-auth >> > > > > >> > > > > session optional pam_keyinit.so force revoke >> > > > > >> > > > > session include system-auth >> > > > > >> > > > > session required pam_loginuid.so >> > > > > >> > > > > >> > > > > >> > > > > /etc/pam.d/system-auth >> > > > > >> > > > > #%PAM-1.0 >> > > > > >> > > > > # This file is auto-generated. >> > > > > >> > > > > # User changes will be destroyed the next time >> authconfig >> > is >> > > > run. 
>> > > > > >> > > > > auth required pam_env.so >> > > > > >> > > > > auth sufficient pam_unix.so nullok >> > try_first_pass >> > > > > >> > > > > auth requisite pam_succeed_if.so uid >= 500 >> > quiet >> > > > > >> > > > > auth sufficient pam_ldap.so use_first_pass >> > > > > >> > > > > auth required pam_deny.so >> > > > > >> > > > > >> > > > > >> > > > > account required pam_unix.so broken_shadow >> > > > > >> > > > > account sufficient pam_succeed_if.so uid < 500 >> > quiet >> > > > > >> > > > > >> > > > > >> > > > > account [default=bad success=ok >> user_unknown=ignore] >> > > > > >> pam_ldap.so >> > > > > >> > > > > account required pam_permit.so >> > > > > >> > > > > >> > > > > >> > > > > password requisite pam_cracklib.so >> try_first_pass >> > > > retry=3 >> > > > > >> > > > > password sufficient pam_unix.so md5 shadow nullok >> > > > > >> try_first_pass >> > > > > >> > > > > use_authtok >> > > > > >> > > > > password sufficient pam_ldap.so use_authtok >> > > > > >> > > > > password required pam_deny.so >> > > > > >> > > > > >> > > > > >> > > > > session optional pam_keyinit.so revoke >> > > > > >> > > > > session required pam_limits.so >> > > > > >> > > > > session [success=1 default=ignore] >> pam_succeed_if.so >> > > > service in >> > > > > >> > > crond >> > > > > >> > > > > quiet use_uid >> > > > > >> > > > > session required pam_unix.so >> > > > > >> > > > > session optional pam_ldap.so >> > > > > >> > > > > >> > > > > >> > > > > >> > > > > >> > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng < >> > > > hailumeng at gmail.com> >> > > > > >> > > wrote: >> > > > > >> > > > > >> > > > > >> > > > >> Hi John, >> > > > > >> > > > >> >> > > > > >> > > > >> You mean issue commands like tac_plus -C >> > /etct/tac_plus.conf >> > > > -L -p >> > > > > >> 49 >> > > > > >> > > -d >> > > > > >> > > > >> 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't >> make >> > any >> > > > > >> change. I >> > > > > >> > > got >> > > > > >> > > > >> same log info. 
By the way, I also saw the log info in >> > > > > >> > > /var/log/message: >> > > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config >> > > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 >> > > > Initialized >> > > > > >> 1 >> > > > > >> > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from >> > 10.1.69.89 >> > > > > >> > > [10.1.69.89] >> > > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for >> > 'myuser' >> > > > tty0 >> > > > > >> from >> > > > > >> > > > >> 10.1.69.89 rejected >> > > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: >> myuser >> > > > > >> 10.1.69.89 >> > > > > >> > > > >> (10.1.69.89) tty0 >> > > > > >> > > > >> >> > > > > >> > > > >> Do we have option to see the log about PAM? I haven't >> > found >> > > > where >> > > > > >> it >> > > > > >> > > is. >> > > > > >> > > > >> if we can check the log of PAM, then we could find >> > something >> > > > > >> useful. >> > > > > >> > > Right >> > > > > >> > > > >> now the log of tac_plus didn't tell too much about why >> > login >> > > > got >> > > > > >> > > failure. >> > > > > >> > > >> > > > > >> > > add -d 32. -d x -d y ... will be logically OR'd together. >> > > > > >> > > >> > > > > >> > > > >> Lou >> > > > > >> > > > >> >> > > > > >> > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley < >> > > > heas at shrubbery.net >> > > > > >> > >> > > > > >> > > wrote: >> > > > > >> > > > >> >> > > > > >> > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng: >> > > > > >> > > > >>> > Thanks John for helping me check this issue. >> > > > > >> > > > >>> > >> > > > > >> > > > >>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p >> 49 >> > > > -d256 -g >> > > > > >> to >> > > > > >> > > see >> > > > > >> > > > >>> the >> > > > > >> > > > >>> >> > > > > >> > > > >>> try -d 16 -d 256. which i think will log the pwd >> that >> > pam >> > > > > >> received >> > > > > >> > > from >> > > > > >> > > > >>> the device. 
make its correct. the logs below do >> appear >> > to >> > > > be a >> > > > > >> > > > >>> reject/fail >> > > > > >> > > > >>> returned from pam. >> > > > > >> > > > >>> >> > > > > >> > > > >>> > log in stdout and in log file. I can't see any >> > suspicious >> > > > log >> > > > > >> > > > >>> information >> > > > > >> > > > >>> > here. I paste the log below: >> > > > > >> > > > >>> > >> > > > > >> > > > >>> > >> > > > > >> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT >> > size=23 >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 >> (0xc0), >> > type >> > > > 1, >> > > > > >> seq no >> > > > > >> > > 5, >> > > > > >> > > > >>> flags >> > > > > >> > > > >>> > 0x1 >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id >> 3295176910 >> > > > > >> > > (0xc46868ce), >> > > > > >> > > > >>> Data >> > > > > >> > > > >>> > length >> > > > > >> > > > >>> > 11 (0xb) >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 >> (0x6), >> > > > > >> > > user_data_len 0 >> > > > > >> > > > >>> (0x0) >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0 >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg: >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data: >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen >> chose >> > > > default_fn >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling >> > authentication >> > > > > >> function >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing 
>> > AUTHEN/GETPASS >> > > > size=28 >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 >> (0xc0), >> > type >> > > > 1, >> > > > > >> seq no >> > > > > >> > > 6, >> > > > > >> > > > >>> flags >> > > > > >> > > > >>> > 0x1 >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id >> 3295176910 >> > > > > >> > > (0xc46868ce), >> > > > > >> > > > >>> Data >> > > > > >> > > > >>> > length >> > > > > >> > > > >>> > 16 (0x10) >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN >> status=5 >> > > > > >> > > (AUTHEN/GETPASS) >> > > > > >> > > > >>> > flags=0x1 >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, >> > data_len=0 >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg: >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password: >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data: >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet >> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet >> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT >> > size=30 >> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey >> > > > > >> > > > >>> >> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 >> (0xc0), >> > type >> > > > 1, >> > > > > >> seq no >> > > > > >> > > 7, >> > > > > >> > > > >>> flags >> > > > > >> > > > >>> > 0x1 >> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id >> 3295176910 >> > > > > >> > > (0xc46868ce), >> > > > > >> > > > >>> Data >> > > > > >> > > > >>> > length >> > > > > >> > > > >>> > 18 (0x12) >> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header >> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT >> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 
[3393]: user_msg_len 13 >> > (0xd), >> > > > > >> > > user_data_len 0 >> > > > > >> > > > >>> > (0x0) >> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0 >> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg: >> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword >> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data: >> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet >> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for >> > > > 'myusername' >> > > > > >> tty0 >> > > > > >> > > from >> > > > > >> > > > >>> > 10.1.69.89 r >> > > > > >> > > > >>> > ejected >> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure: >> > myusername >> > > > > >> > > 10.1.69.89 >> > > > > >> > > > >>> > (10.1.69.89) t >> > > > > >> > > > >>> > ty0 >> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing >> AUTHEN/FAIL >> > > > size=18 >> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey >> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 >> (0xc0), >> > type >> > > > 1, >> > > > > >> seq no >> > > > > >> > > 8, >> > > > > >> > > > >>> flags >> > > > > >> > > > >>> > 0x1 >> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id >> 3295176910 >> > > > > >> > > (0xc46868ce), >> > > > > >> > > > >>> Data >> > > > > >> > > > >>> > length >> > > > > >> > > > >>> > 6 (0x6) >> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header >> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN >> status=2 >> > > > > >> (AUTHEN/FAIL) >> > > > > >> > > > >>> > flags=0x0 >> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, >> data_len=0 >> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg: >> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data: >> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet >> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 
[3393]: 10.1.69.89: >> > disconnect >> > > > > >> > > > >>> > >> > > > > >> > > > >>> > >> > > > > >> > > > >>> > >> > > > > >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley < >> > > > > >> heas at shrubbery.net >> > > > > >> > > > >> > > > > >> > > > >>> wrote: >> > > > > >> > > > >>> > >> > > > > >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu >> Meng: >> > > > > >> > > > >>> > > > Hi Adam, >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > If the ldapsearch -D "" -w "" runs >> successfully, >> > what >> > > > do we >> > > > > >> > > suppose >> > > > > >> > > > >>> to >> > > > > >> > > > >>> > > get >> > > > > >> > > > >>> > > > from the output? I just got all of the user >> > > > information in >> > > > > >> that >> > > > > >> > > > >>> group. >> > > > > >> > > > >>> > > Does >> > > > > >> > > > >>> > > > that means my password and username got >> > authenticated >> > > > > >> > > successfully >> > > > > >> > > > >>> > > against >> > > > > >> > > > >>> > > > AD? >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > This thing drives me crazy. I need solve it >> > through >> > > > this >> > > > > >> week >> > > > > >> > > > >>> before the >> > > > > >> > > > >>> > > > holiday... >> > > > > >> > > > >>> > > >> > > > > >> > > > >>> > > i havent followed this thread, as i know nearly >> zero >> > > > about >> > > > > >> ldap. >> > > > > >> > > > >>> but, >> > > > > >> > > > >>> > > have you enabled authentication debugging in the >> > tacacas >> > > > > >> daemon >> > > > > >> > > and >> > > > > >> > > > >>> > > checked the logs to determine what is coming back >> > from >> > > > pam? 
>> > > > > >> it >> > > > > >> > > very >> > > > > >> > > > >>> > > well may be that the ldap client is working just >> > fine, >> > > > but >> > > > > >> there >> > > > > >> > > is a >> > > > > >> > > > >>> > > pam module bug or a bug in the tacplus daemon or >> > that >> > > > your >> > > > > >> device >> > > > > >> > > > >>> > > simply doesnt like something about the replies. >> > > > > >> > > > >>> > > >> > > > > >> > > > >>> > > > Thanks a lot for the help. >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > Lou >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng < >> > > > > >> > > hailumeng at gmail.com> >> > > > > >> > > > >>> wrote: >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > > Still no clue how to turn on the log. binding >> > seems >> > > > good. >> > > > > >> See >> > > > > >> > > my >> > > > > >> > > > >>> > > findings >> > > > > >> > > > >>> > > > > below. Thanks a lot. >> > > > > >> > > > >>> > > > > >> > > > > >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam < >> > > > > >> > > prozaconstilts at gmail.com> >> > > > > >> > > > >>> > > wrote: >> > > > > >> > > > >>> > > > > >> > > > > >> > > > >>> > > > >> Hailu Meng wrote: >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >>> Adam, >> > > > > >> > > > >>> > > > >>> >> > > > > >> > > > >>> > > > >>> I tried the su - "userid" in my tacacs+ >> server >> > but >> > > > I >> > > > > >> don't >> > > > > >> > > have >> > > > > >> > > > >>> that >> > > > > >> > > > >>> > > > >>> userid in CentOS. So the CentOS just don't >> > want me >> > > > log >> > > > > >> in. >> > > > > >> > > I >> > > > > >> > > > >>> think >> > > > > >> > > > >>> > > this will >> > > > > >> > > > >>> > > > >>> not ask tacacs server to authenticate >> against >> > AD. 
>> > > > > >> > > > >>> > > > >>> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> You shouldn't need to have to define the >> user >> > in >> > > > CentOS, >> > > > > >> > > that's >> > > > > >> > > > >>> the >> > > > > >> > > > >>> > > point >> > > > > >> > > > >>> > > > >> of using ldap for authentication. The user >> is >> > > > defined in >> > > > > >> > > ldap, >> > > > > >> > > > >>> not in >> > > > > >> > > > >>> > > > >> CentOS. Now that I think about it, su - >> >> > > > probably >> > > > > >> > > wouldn't >> > > > > >> > > > >>> work >> > > > > >> > > > >>> > > > >> anyway, as AD doesn't by default have the >> data >> > > > needed by >> > > > > >> a >> > > > > >> > > linux >> > > > > >> > > > >>> box >> > > > > >> > > > >>> > > to >> > > > > >> > > > >>> > > > >> allow login...but see below for more >> options. >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >>> Is there any other way to test ldap >> > authentication >> > > > > >> against >> > > > > >> > > AD >> > > > > >> > > > >>> with >> > > > > >> > > > >>> > > the >> > > > > >> > > > >>> > > > >>> userid in AD? I tried ldapsearch. It did >> find >> > my >> > > > user >> > > > > >> id >> > > > > >> > > > >>> without >> > > > > >> > > > >>> > > problem. >> > > > > >> > > > >>> > > > >>> But I haven't found any option to try with >> > > > password and >> > > > > >> > > > >>> authenticate >> > > > > >> > > > >>> > > against >> > > > > >> > > > >>> > > > >>> AD. >> > > > > >> > > > >>> > > > >>> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> Try using -D: >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> from `man ldapsearch`: >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> -D binddn >> > > > > >> > > > >>> > > > >> Use the Distinguished Name binddn to bind >> to >> > the >> > > > LDAP >> > > > > >> > > > >>> directory. 
>> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should >> let >> > you >> > > > try >> > > > > >> to >> > > > > >> > > > >>> authenticate >> > > > > >> > > > >>> > > > >> using whatever user you want to define. Just >> > check >> > > > and >> > > > > >> > > double >> > > > > >> > > > >>> check >> > > > > >> > > > >>> > > you get >> > > > > >> > > > >>> > > > >> the right path in that dn. >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc " >> > but it >> > > > just >> > > > > >> > > > >>> returned lots >> > > > > >> > > > >>> > > of >> > > > > >> > > > >>> > > > > users' information. It means successful? >> > > > > >> > > > >>> > > > > >> > > > > >> > > > >>> > > > > >> > > > > >> > > > >>> > > > >> Do you have ldap server setup or only the >> > openldap >> > > > > >> library >> > > > > >> > > and >> > > > > >> > > > >>> > > openldap >> > > > > >> > > > >>> > > > >>> client? I don't understand why the log is >> not >> > > > turned >> > > > > >> on. >> > > > > >> > > There >> > > > > >> > > > >>> must >> > > > > >> > > > >>> > > be some >> > > > > >> > > > >>> > > > >>> debugging info in the log which can help >> solve >> > > > this >> > > > > >> issue. >> > > > > >> > > > >>> > > > >>> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> only the libs and client. You should not >> need >> > the >> > > > > >> server. In >> > > > > >> > > the >> > > > > >> > > > >>> > > > >> ldapsearch, you can use -d to get >> > > > debugging >> > > > > >> info >> > > > > >> > > for >> > > > > >> > > > >>> that >> > > > > >> > > > >>> > > search. 
>> > > > > >> > > > >>> > > > >> As before, higher number = more debug >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> If the user can authenticate, does ethereal >> > > > capture >> > > > > >> some >> > > > > >> > > > >>> packets >> > > > > >> > > > >>> > > about >> > > > > >> > > > >>> > > > >>> password verification? Right now I only see >> > the >> > > > packets >> > > > > >> > > when >> > > > > >> > > > >>> ldap >> > > > > >> > > > >>> > > search for >> > > > > >> > > > >>> > > > >>> my user id and gets results back from AD. >> > > > > >> > > > >>> > > > >>> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> Ethereal should catch all data flowing >> between >> > the >> > > > > >> client >> > > > > >> > > and >> > > > > >> > > > >>> server. >> > > > > >> > > > >>> > > If >> > > > > >> > > > >>> > > > >> you can search out the user in your AD right >> > now, >> > > > then >> > > > > >> one >> > > > > >> > > of >> > > > > >> > > > >>> two >> > > > > >> > > > >>> > > things is >> > > > > >> > > > >>> > > > >> happening: >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> 1. You are performing anonymous searches. In >> > this >> > > > case, >> > > > > >> no >> > > > > >> > > > >>> username >> > > > > >> > > > >>> > > and pw >> > > > > >> > > > >>> > > > >> is provided, and your AD is happy to hand >> over >> > info >> > > > to >> > > > > >> > > anyone >> > > > > >> > > > >>> who asks >> > > > > >> > > > >>> > > for >> > > > > >> > > > >>> > > > >> it. If this is the case, you will _not_ see >> > > > > >> authentication >> > > > > >> > > > >>> > > information. 
The >> > > > > >> > > > >>> > > > >> following MS KB article should probably help >> > you >> > > > > >> determine >> > > > > >> > > on >> > > > > >> > > > >>> your AD >> > > > > >> > > > >>> > > if >> > > > > >> > > > >>> > > > >> anonymous queries are allowed: >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> http://support.microsoft.com/kb/320528 >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> It has exact instructions for how to get it >> > going, >> > > > but >> > > > > >> you >> > > > > >> > > can >> > > > > >> > > > >>> follow >> > > > > >> > > > >>> > > > >> along with it to check your current settings >> > > > without >> > > > > >> making >> > > > > >> > > any >> > > > > >> > > > >>> > > changes. >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > > >> > > > > >> > > > >>> > > > > I checked our setting. Permission type for >> > normal >> > > > user is >> > > > > >> > > "Read & >> > > > > >> > > > >>> > > Execute". >> > > > > >> > > > >>> > > > > I click edit to check the detail about >> > permission. I >> > > > > >> think it >> > > > > >> > > > >>> only >> > > > > >> > > > >>> > > allow the >> > > > > >> > > > >>> > > > > user to read the attributes, permission >> > something >> > > > and >> > > > > >> can't >> > > > > >> > > > >>> modify the >> > > > > >> > > > >>> > > > > AD.There is "Everyone" setting is also set as >> > "Read >> > > > & >> > > > > >> > > Execute". >> > > > > >> > > > >>> By the >> > > > > >> > > > >>> > > way, >> > > > > >> > > > >>> > > > > the AD is Win2003 R2. >> > > > > >> > > > >>> > > > > >> > > > > >> > > > >>> > > > > >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> 2. Authentication is happening. It will be >> the >> > > > _very_ >> > > > > >> first >> > > > > >> > > > >>> thing the >> > > > > >> > > > >>> > > > >> client and server perform, after basic >> > connection >> > > > > >> > > establishment. 
>> > > > > >> > > > >>> Look >> > > > > >> > > > >>> > > for it >> > > > > >> > > > >>> > > > >> at the very beginning of a dump. >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> Also, it's a bit overkill, but the following >> > > > article is >> > > > > >> > > > >>> extremely >> > > > > >> > > > >>> > > > >> informative about all the different ways you >> > can >> > > > plug >> > > > > >> linux >> > > > > >> > > into >> > > > > >> > > > >>> AD >> > > > > >> > > > >>> > > for >> > > > > >> > > > >>> > > > >> authentication. It might offer some hints... >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >>> Maybe I need dig into ldap.conf more. If >> you >> > have >> > > > any >> > > > > >> idea, >> > > > > >> > > let >> > > > > >> > > > >>> me >> > > > > >> > > > >>> > > know. >> > > > > >> > > > >>> > > > >>> >> > > > > >> > > > >>> > > > >>> Thank you very much. >> > > > > >> > > > >>> > > > >>> >> > > > > >> > > > >>> > > > >>> Lou >> > > > > >> > > > >>> > > > >>> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > >> >> > > > > >> > > > >>> > > > > >> > > > > >> > > > >>> > > > -------------- next part -------------- >> > > > > >> > > > >>> > > > An HTML attachment was scrubbed... 
>> > > > > >> > > > >>> > > > URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html
>> > > > > >> > -------------- next part --------------
>> > > > > >> > An HTML attachment was scrubbed...
>> > > > > >> > URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/a877fda6/attachment.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/1b4fae3b/attachment.html
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

From tmurch at toniccomputers.com Tue Nov 24 18:53:24 2009
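The debug traces quoted in this thread (tac_plus run with -d 16, -d 32 and -d 256) print one line per packet field, echo the password the device forwarded in clear right after the AUTHEN/GETPASS prompt, and put the PAM-side reason ("Unknown user") on the line just before the "login query ... rejected" verdict. The script below is an added example, not code from the thread or from tac_plus: it correlates such a trace by the child pid into one record per login attempt, picks up that reason line, and redacts the password payload so a trace can be pasted into a list post. The sample trace is constructed from the lines quoted above; the pid 4120 session and the "accepted" verdict wording are assumptions, since the thread only shows "rejected".

```python
import re

# Constructed sample modelled on the two traces quoted in the thread. The pid 4120
# session and the "accepted" verdict wording are assumptions; the thread shows
# only "rejected".
SAMPLE_LOG = """\
Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 11 (0xb)
Sat Nov 21 22:28:27 2009 [3393]: User msg:
Sat Nov 21 22:28:27 2009 [3393]: myusername
Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28
Sat Nov 21 22:28:34 2009 [3393]: User msg:
Sat Nov 21 22:28:34 2009 [3393]: mypassword
Sat Nov 21 22:28:34 2009 [3393]: End packet
Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from 10.1.69.89 rejected
Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
Mon Nov 23 15:21:16 2009 [3806]: User msg:
Mon Nov 23 15:21:16 2009 [3806]: myusername
Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
Mon Nov 23 15:21:16 2009 [3806]: Password:
Mon Nov 23 15:21:18 2009 [4120]: User msg:
Mon Nov 23 15:21:18 2009 [4120]: netops
Mon Nov 23 15:21:18 2009 [4120]: Writing AUTHEN/GETPASS size=28
Mon Nov 23 15:21:20 2009 [4120]: User msg:
Mon Nov 23 15:21:20 2009 [4120]: s3cret
Mon Nov 23 15:21:20 2009 [4120]: End packet
Mon Nov 23 15:21:20 2009 [4120]: login query for 'netops' tty0 from 10.1.69.90 accepted
Mon Nov 23 15:21:21 2009 [3806]: User msg:
Mon Nov 23 15:21:21 2009 [3806]: mypassword
Mon Nov 23 15:21:21 2009 [3806]: End packet
Mon Nov 23 15:21:22 2009 [3806]: Unknown user
Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
"""

# "<timestamp> [<child pid>]: <message>" is the layout the quoted traces show.
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[(\d+)\]: (.*)$")
SESSION_RE = re.compile(r"session_id \d+ \((0x[0-9a-f]+)\)")
VERDICT_RE = re.compile(
    r"login query for '(?P<user>[^']*)' (?P<tty>\S+) from (?P<client>\S+) (?P<verdict>accepted|rejected)$")
# Packet-trace lines; anything else right before the verdict is treated as its reason.
TRACE_PREFIXES = ("Read ", "Writing ", "PACKET:", "version ", "session_id", "End ", "type=",
                  "flags=", "msg", "data:", "User ", "Waiting", "pam_", "choose_authen", "Calling ")


def _split(line):
    """Return (pid, message) for a trace line, or None for anything else."""
    m = LINE_RE.match(line)
    return (m.group(2), m.group(3)) if m else None


def redact_passwords(text):
    """Replace the payload that answers an AUTHEN/GETPASS prompt with [REDACTED]."""
    out, awaiting, grab_next = [], set(), set()
    for line in text.splitlines():
        parsed = _split(line)
        if parsed is None:
            out.append(line)
            continue
        pid, msg = parsed
        if pid in grab_next:
            grab_next.discard(pid)
            if msg != "User data:":          # an empty password prints no payload line
                line = line[:len(line) - len(msg)] + "[REDACTED]"
        elif msg.startswith("Writing AUTHEN/GETPASS"):
            awaiting.add(pid)                # next "User msg:" from this child is the password
        elif msg == "User msg:" and pid in awaiting:
            awaiting.discard(pid)
            grab_next.add(pid)
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def summarize_logins(text):
    """One record per verdict line, correlated by child pid so interleaved sessions stay apart."""
    pending, results = {}, []
    for line in text.splitlines():
        parsed = _split(line)
        if parsed is None:
            continue
        pid, msg = parsed
        rec = pending.setdefault(pid, {"pid": pid, "session_id": None, "prev": None})
        s = SESSION_RE.match(msg)
        if s:
            rec["session_id"] = s.group(1)
        v = VERDICT_RE.match(msg)
        if v:
            prev = rec.pop("prev")
            rec["reason"] = prev if prev and not prev.startswith(TRACE_PREFIXES) else None
            rec.update(user=v["user"], tty=v["tty"], client=v["client"], verdict=v["verdict"])
            results.append(rec)
            del pending[pid]
        else:
            rec["prev"] = msg
    return results


if __name__ == "__main__":
    for rec in summarize_logins(SAMPLE_LOG):
        print(rec)
    print(redact_passwords(SAMPLE_LOG))
```

Run as a script it prints one record per attempt followed by the redacted trace. The only state carried between lines is the child pid, which is what keeps the 4120 session apart from the 3806 one it is interleaved with; the prompt line "Password:" is left alone because only the "User msg:" payload that follows a GETPASS is the secret.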
From: tmurch at toniccomputers.com (Tom Murch)
Date: Tue, 24 Nov 2009 13:53:24 -0500
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911241021q70a8650ajd2c6d94c25092baa@mail.gmail.com>
References: <8dabae5b0911231548u2548f07ep85bd045cca8a93ed@mail.gmail.com> <20091124162419.GD7044@shrubbery.net> <8dabae5b0911240905h7b2f3bd8g99c0ca98918c2c3@mail.gmail.com> <20091124173648.GF7044@shrubbery.net> <8dabae5b0911240956p523827fcjf20d33f32b15d4d6@mail.gmail.com> <8dabae5b0911241021q70a8650ajd2c6d94c25092baa@mail.gmail.com>
Message-ID: 

I use tac_plus for cisco routers and pro curve switches. However I do not authenticate against the AD as it's only 4 people who need access, so I keep it all in a flat file.

On Tue, Nov 24, 2009 at 1:21 PM, Hailu Meng wrote:
> Hi Tom,
>
> Thanks for pointing me another way. I haven't tried that yet. Not sure
> tac_plus will work with these functions or not. Have you tried to deploy
> this for cisco routers and switches?
>
> Thanks.
>
> Lou
>
> On Tue, Nov 24, 2009 at 12:08 PM, Tom Murch wrote:
>
>> now I'm not an expert on this, however I do run a samba server which pulls
>> the user names from my AD controller. Have you tried using winbind plus pam
>> for the AD authentication ??
>>
>> http://wiki.samba.org/index.php/Samba_&_Active_Directory I used this for
>> my samba install but you could get the idea of how winbind and Kerberos
>> would work. It might give you more luck
>>
>> On Tue, Nov 24, 2009 at 12:56 PM, Hailu Meng wrote:
>>
>>> John,
>>>
>>> I checked my tac_plus configuration for the PAM module, the file
>>> /etc/pam.d/tac_plus. The current configuration is shown below:
>>> As you suggest, I need to put pam_ldap.so on the first row for every
>>> auth, account, password and session, right?
>>>
>>> *******************************************************************
>>> auth required pam_env.so
>>> auth sufficient pam_unix.so nullok try_first_pass
>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>> auth sufficient pam_ldap.so use_first_pass
>>> auth required pam_deny.so
>>>
>>> account required pam_unix.so broken_shadow
>>> account sufficient pam_localuser.so
>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>> account required pam_permit.so
>>>
>>> password requisite pam_cracklib.so try_first_pass retry=3
>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>> password sufficient pam_ldap.so use_authtok
>>> password required pam_deny.so
>>>
>>> session optional pam_keyinit.so revoke
>>> session required pam_limits.so
>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>> session required pam_unix.so
>>> session optional pam_ldap.so
>>>
>>>
>>> On Tue, Nov 24, 2009 at 11:36 AM, john heasley wrote:
>>>
>>>> Tue, Nov 24, 2009 at 11:05:59AM -0600, Hailu Meng:
>>>>> It makes sense. nsswitch.conf should be for, like, local login, not for
>>>>> tacacs.
>>>>> Thanks John for pointing it out. I'm such a rookie to these things. Just
>>>>> followed some guides and combined them here. Need to study more.
>>>>
>>>> well, it depends upon what modules you use in your tacacs PAM config; ie:
>>>> if you have something like 'require unix_account' (WAG) that requires that
>>>> the login exist in /etc/passwd (or more precisely get_pwent(3) or similar),
>>>> then /etc/nsswitch.conf might affect it. BUT, that means that for you,
>>>> 'require unix_account' is a misconfiguration of the tacacs PAM config. that
>>>> is, it should be something like 'require ldap_account'.
>>> -------------- next part --------------
>>> An HTML attachment was scrubbed...
>>> > > > > >> > > > >>> > > > URL: >>> > > > > >> > > > >>> > > >>> > > > > >> > > > >>> >>> > > > > >> > > >>> > > > > >> >>> > > > >>> > >>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html >>> > > > > >> > > > >>> > > > >>> _______________________________________________ >>> > > > > >> > > > >>> > > > tac_plus mailing list >>> > > > > >> > > > >>> > > > tac_plus at shrubbery.net >>> > > > > >> > > > >>> > > > >>> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus >>> > > > > >> > > > >>> > > >>> > > > > >> > > > >>> >>> > > > > >> > > > >> >>> > > > > >> > > > >> >>> > > > > >> > > > > >>> > > > > >> > > >>> > > > > >> > -------------- next part -------------- >>> > > > > >> > An HTML attachment was scrubbed... >>> > > > > >> > URL: >>> > > > > >> >>> > > > >>> > >>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html >>> > > > > >> > _______________________________________________ >>> > > > > >> > tac_plus mailing list >>> > > > > >> > tac_plus at shrubbery.net >>> > > > > >> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus >>> > > > > >> >>> > > > > >> >>> > > > > >> >>> > > > >>> > >>> -------------- next part -------------- >>> An HTML attachment was scrubbed... >>> URL: >>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/a877fda6/attachment.html >>> >>> _______________________________________________ >>> tac_plus mailing list >>> tac_plus at shrubbery.net >>> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus >>> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/82e96110/attachment.html From hailumeng at gmail.com Tue Nov 24 19:19:56 2009 
From: hailumeng at gmail.com (Hailu Meng)
Date: Tue, 24 Nov 2009 13:19:56 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To:
References: <8dabae5b0911231548u2548f07ep85bd045cca8a93ed@mail.gmail.com> <20091124162419.GD7044@shrubbery.net> <8dabae5b0911240905h7b2f3bd8g99c0ca98918c2c3@mail.gmail.com> <20091124173648.GF7044@shrubbery.net> <8dabae5b0911240956p523827fcjf20d33f32b15d4d6@mail.gmail.com> <8dabae5b0911241021q70a8650ajd2c6d94c25092baa@mail.gmail.com>
Message-ID: <8dabae5b0911241119w18037deaj74ff8b312a7797ec@mail.gmail.com>

Right. That makes sense for small group. tac_plus did work for me by
authenticating user by the setting of in tac_plus.conf. But I want to
have more flexibility with AD authentication ability. I'm going through
all the documentations about pam and pam_ldap right now. Hope I will have
more clear understanding about the current configuration.

Thanks for the help.

Lou

On Tue, Nov 24, 2009 at 12:53 PM, Tom Murch wrote:

> I use tac_plus for cisco routers and pro curve switches. However I do not
> authenticate against the AD as its only 4 people who need access so I keep
> it all in a flat file.
>
> On Tue, Nov 24, 2009 at 1:21 PM, Hailu Meng wrote:
>
>> Hi Tom,
>>
>> Thanks for pointing me another way. I haven't tried that yet. Not sure
>> tac_plus will work with these functions or not. Have you tried to deploy
>> this for cisco routers and switches?
>>
>> Thanks.
>>
>> Lou
>>
>> On Tue, Nov 24, 2009 at 12:08 PM, Tom Murch wrote:
>>
>>> now im not an expert on this however I do run a samba server which pulls
>>> the user names from my AD controller. Have you tried using winbind plus pam
>>> for the AD authentication ??
>>>
>>> http://wiki.samba.org/index.php/Samba_&_Active_Directory I used this for
>>> my samba install but you could get the idea of how winbind and Kerberos
>>> would work.
>>> It might give you more luck
>>>
>>> On Tue, Nov 24, 2009 at 12:56 PM, Hailu Meng wrote:
>>>
>>>> John,
>>>>
>>>> I checked my tac_plus configuration for PAM module. the file
>>>> /etc/pam.d/tac_plus. The current configuration is shown below:
>>>> As you suggest I need put pam_ldap.so on the first row for every
>>>> auth,account,password and session, right?
>>>>
>>>> *******************************************************************
>>>> auth required pam_env.so
>>>> auth sufficient pam_unix.so nullok try_first_pass
>>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>>> auth sufficient pam_ldap.so use_first_pass
>>>> auth required pam_deny.so
>>>>
>>>> account required pam_unix.so broken_shadow
>>>> account sufficient pam_localuser.so
>>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>> account required pam_permit.so
>>>>
>>>> password requisite pam_cracklib.so try_first_pass retry=3
>>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>> password sufficient pam_ldap.so use_authtok
>>>> password required pam_deny.so
>>>>
>>>> session optional pam_keyinit.so revoke
>>>> session required pam_limits.so
>>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>> session required pam_unix.so
>>>> session optional pam_ldap.so
>>>>
>>>>
>>>> On Tue, Nov 24, 2009 at 11:36 AM, john heasley wrote:
>>>>
>>>>> Tue, Nov 24, 2009 at 11:05:59AM -0600, Hailu Meng:
>>>>>> It makes sense. nsswitch.conf should be for like local login not for
>>>>>> tacacs.
>>>>>> Thanks John to point it out. I'm such a rookie to these things. Just
>>>>>> followed some guides and combine them here. Need study more.
>>>>>
>>>>> well, it depends upon what modules you use in your tacacs PAM config; ie:
>>>>> if you have something like 'require unix_account' (WAG) that requires that
>>>>> the login exist in /etc/passwd (or more precisely get_pwent(3) or similar),
>>>>> then /etc/nsswitch.conf might affect it. BUT, that means that for you,
>>>>> 'require unix_account' is a misconfiguration of the tacacs PAM config. that
>>>>> is should be something like 'require ldap_account'.
>>>>>
>>>>>
>>>>>> Lou
>>>>>>
>>>>>> On Tue, Nov 24, 2009 at 10:24 AM, john heasley wrote:
>>>>>>
>>>>>>> Tue, Nov 24, 2009 at 11:11:57AM +0100, Jeroen Nijhof:
>>>>>>>>
>>>>>>>> Hi Lou,
>>>>>>>>
>>>>>>>> Yes, most server application's check if a user exist by looking up the
>>>>>>>> uid via nss before doing any authentication (i.e. sshd).
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Jeroen
>>>>>>>>
>>>>>>>> On 23/11/2009 "Hailu Meng" wrote:
>>>>>>>>
>>>>>>>>> Hi Jeroen,
>>>>>>>>>
>>>>>>>>> Thanks for helping. I modified the nsswitch.conf as below:
>>>>>>>>> passwd: files ldap
>>>>>>>>> shadow: files ldap
>>>>>>>>> group: files ldap
>>>>>>>>>
>>>>>>>>> And leave the other settings as default.
>>>>>>>>>
>>>>>>>>> the user attributes you are talking about are the attributes retrieving from
>>>>>>>>> AD? I do see the packets from AD server told my tacacs+ server the user
>>>>>>>>> attributes including homedir.
>>>>>>>
>>>>>>> i would not expect this to affect tacacs, unless you have something in your
>>>>>>> pam config that requires it. ie: nsswitch.conf should control auth for the
>>>>>>> host (eg: /sbin/login), tacacs is separate.
>>>>>>>
>>>>>>>>> Thanks.
>>>>>>>>>
>>>>>>>>> Lou
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof < jeroen at nijhofnet.nl > wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Did you setup the nsswitch.conf as well on your tac_plus server?
>>>>>>>>>> Your tac_plus server needs to lookup the user attributes like homedir
>>>>>>>>>> etc, otherwise pam will fail.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Jeroen Nijhof
>>>>>>>>>>
>>>>>>>>>> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
>>>>>>>>>>> Ok. With -d 32, I got some more info about pam as red color log.
>>>>>>>>>>>
>>>>>>>>>>> There is "Unknown user" log info following the input of my user password.
>>>>>>>>>>> Feel confused since ldap is able to get user info from Active directory, why
>>>>>>>>>>> it turns out "Unknown user" here.
>>>>>>>>>>>
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: End header
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: User msg:
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: myusername
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: User data:
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: End packet
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: End header
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: msg:
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: Password:
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: data:
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: End packet
>>>>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
>>>>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
>>>>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
>>>>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1
>>>>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)
>>>>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: End header
>>>>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
>>>>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
>>>>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
>>>>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: User msg:
>>>>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: mypassword
>>>>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: User data:
>>>>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: End packet
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: Unknown user
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername10.1.69.89 (10.1.69.89) tty0
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, flags 0x1
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 6 (0x6)
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: End header
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: msg:
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: data:
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: End packet
>>>>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Nov 23, 2009 at 3:16 PM, john heasley < heas at shrubbery.net> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
>>>>>>>>>>>>> I just saw some posts saying pam_krb winbind could be needed to get pam work
>>>>>>>>>>>>> against active directory. Is this true? The post I was following actually is
>>>>>>>>>>>>> for a LDAP server not Active Directory.
>>>>>>>>>>>>
>>>>>>>>>>>> i dont know; each pam implementation seems to be [at least] slightly
>>>>>>>>>>>> different. seems silly to need kerberos for ldap.
>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng < hailumeng at gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I think I need put my pam configuration here:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I followed this post
>>>>>>>>>>>>>> http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html to
>>>>>>>>>>>>>> configure my pam module:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> /etc/pam.d/tacacs
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> auth include system-auth
>>>>>>>>>>>>>> account required pam_nologin.so
>>>>>>>>>>>>>> account include system-auth
>>>>>>>>>>>>>> password include system-auth
>>>>>>>>>>>>>> session optional pam_keyinit.so force revoke
>>>>>>>>>>>>>> session include system-auth
>>>>>>>>>>>>>> session required pam_loginuid.so
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> /etc/pam.d/system-auth
>>>>>>>>>>>>>> #%PAM-1.0
>>>>>>>>>>>>>> # This file is auto-generated.
>>>>>>>>>>>>>> # User changes will be destroyed the next time authconfig is run.
>>>>>>>>>>>>>> auth required pam_env.so
>>>>>>>>>>>>>> auth sufficient pam_unix.so nullok try_first_pass
>>>>>>>>>>>>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>>>>>>>>>>>>> auth sufficient pam_ldap.so use_first_pass
>>>>>>>>>>>>>> auth required pam_deny.so
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> account required pam_unix.so broken_shadow
>>>>>>>>>>>>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>>>>>>>>>>>> account required pam_permit.so
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> password requisite pam_cracklib.so try_first_pass retry=3
>>>>>>>>>>>>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>>>>>>>>>>>> password sufficient pam_ldap.so use_authtok
>>>>>>>>>>>>>> password required pam_deny.so
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> session optional pam_keyinit.so revoke
>>>>>>>>>>>>>> session required pam_limits.so
>>>>>>>>>>>>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>>>>>>>>>>>> session required pam_unix.so
>>>>>>>>>>>>>> session optional pam_ldap.so
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng < hailumeng at gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi John,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You mean issue commands like tac_plus -C /etct/tac_plus.conf -L -p 49 -d
>>>>>>>>>>>>>>> 16 -d 256 -g ? -d 16 -d 256 side by side?
>>>>>>>>>>>>>>> It didn't make any change. I got same log info. By the way, I also saw the
>>>>>>>>>>>>>>> log info in /var/log/message:
>>>>>>>>>>>>>>> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
>>>>>>>>>>>>>>> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
>>>>>>>>>>>>>>> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
>>>>>>>>>>>>>>> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from 10.1.69.89 rejected
>>>>>>>>>>>>>>> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89 (10.1.69.89) tty0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Do we have option to see the log about PAM? I haven't found where it is.
>>>>>>>>>>>>>>> if we can check the log of PAM, then we could find something useful. Right
>>>>>>>>>>>>>>> now the log of tac_plus didn't tell too much about why login got failure.
>>>>>>>>>>>>
>>>>>>>>>>>> add -d 32. -d x -d y ... will be logically OR'd together.
>>>>>>>>>>>>
>>>>>>>>>>>>>>> Lou
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Nov 23, 2009 at 2:20 PM, john heasley < heas at shrubbery.net > wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
>>>>>>>>>>>>>>>>> Thanks John for helping me check this issue.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> try -d 16 -d 256. which i think will log the pwd that pam received from
>>>>>>>>>>>>>>>> the device. make its correct. the logs below do appear to be a
>>>>>>>>>>>>>>>> reject/fail returned from pam.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> log in stdout and in log file. I can't see any suspicious log information
>>>>>>>>>>>>>>>>> here. I paste the log below:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, flags 0x1
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 11 (0xb)
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: End header
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: User msg:
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: myusername
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: User data:
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: End packet
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, flags 0x1
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 16 (0x10)
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: End header
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: msg:
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: Password:
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: data:
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: End packet
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, flags 0x1
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 18 (0x12)
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: End header
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: User msg:
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: mypassword
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: User data:
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: End packet
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from 10.1.69.89 rejected
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, flags 0x1
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 6 (0x6)
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:36 2009 [3393]: End header
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:36 2009 [3393]: msg:
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:36 2009 [3393]: data:
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:36 2009 [3393]: End packet
>>>>>>>>>>>>>>>>> Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Mon, Nov 23, 2009 at 12:23 PM, john heasley < heas at shrubbery.net > wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:
>>>>>>>>>>>>>>>>>>> Hi Adam,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> If the ldapsearch -D "" -w "" runs successfully, what do we suppose to get
>>>>>>>>>>>>>>>>>>> from the output? I just got all of the user information in that group. Does
>>>>>>>>>>>>>>>>>>> that means my password and username got authenticated successfully against
>>>>>>>>>>>>>>>>>>> AD?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> This thing drives me crazy.
>>>>>>>>>>>>>>>>>>> I need solve it through this week before the holiday...
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> i havent followed this thread, as i know nearly zero about ldap. but,
>>>>>>>>>>>>>>>>>> have you enabled authentication debugging in the tacacs daemon and
>>>>>>>>>>>>>>>>>> checked the logs to determine what is coming back from pam? it very
>>>>>>>>>>>>>>>>>> well may be that the ldap client is working just fine, but there is a
>>>>>>>>>>>>>>>>>> pam module bug or a bug in the tacplus daemon or that your device
>>>>>>>>>>>>>>>>>> simply doesnt like something about the replies.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks a lot for the help.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Lou
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng < hailumeng at gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Still no clue how to turn on the log. binding seems good. See my findings
>>>>>>>>>>>>>>>>>>>> below. Thanks a lot.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Thu, Nov 19, 2009 at 9:26 PM, adam < prozaconstilts at gmail.com> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Hailu Meng wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Adam,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I tried the su - "userid" in my tacacs+ server but I don't have that
>>>>>>>>>>>>>>>>>>>>>> userid in CentOS. So the CentOS just don't want me log in. I think this will
>>>>>>>>>>>>>>>>>>>>>> not ask tacacs server to authenticate against AD.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> You shouldn't need to have to define the user in CentOS, that's the point
>>>>>>>>>>>>>>>>>>>>> of using ldap for authentication. The user is defined in ldap, not in
>>>>>>>>>>>>>>>>>>>>> CentOS. Now that I think about it, su - probably wouldn't work
>>>>>>>>>>>>>>>>>>>>> anyway, as AD doesn't by default have the data needed by a linux box to
>>>>>>>>>>>>>>>>>>>>> allow login...but see below for more options.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Is there any other way to test ldap authentication against AD with the
>>>>>>>>>>>>>>>>>>>>>> userid in AD? I tried ldapsearch. It did find my user id without problem.
>>>>>>>>>>>>>>>>>>>>>> But I haven't found any option to try with password and authenticate against
>>>>>>>>>>>>>>>>>>>>>> AD.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Try using -D:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> from `man ldapsearch`:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> -D binddn
>>>>>>>>>>>>>>>>>>>>> Use the Distinguished Name binddn to bind to the LDAP directory.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate
>>>>>>>>>>>>>>>>>>>>> using whatever user you want to define. Just check and double check you get
>>>>>>>>>>>>>>>>>>>>> the right path in that dn.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I tried -D " cn=username,ou=my_ou,dc=my_dc " but it just returned lots of
>>>>>>>>>>>>>>>>>>>> users' information. It means successful?
>>>> > > > > >> > > > >>> > > > > >>>> > > > > >> > > > >>> > > > > >>>> > > > > >> > > > >>> > > > >> Do you have ldap server setup or only the >>>> > openldap >>>> > > > > >> library >>>> > > > > >> > > and >>>> > > > > >> > > > >>> > > openldap >>>> > > > > >> > > > >>> > > > >>> client? I don't understand why the log is >>>> not >>>> > > > turned >>>> > > > > >> on. >>>> > > > > >> > > There >>>> > > > > >> > > > >>> must >>>> > > > > >> > > > >>> > > be some >>>> > > > > >> > > > >>> > > > >>> debugging info in the log which can help >>>> solve >>>> > > > this >>>> > > > > >> issue. >>>> > > > > >> > > > >>> > > > >>> >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> only the libs and client. You should not >>>> need >>>> > the >>>> > > > > >> server. In >>>> > > > > >> > > the >>>> > > > > >> > > > >>> > > > >> ldapsearch, you can use -d to >>>> get >>>> > > > debugging >>>> > > > > >> info >>>> > > > > >> > > for >>>> > > > > >> > > > >>> that >>>> > > > > >> > > > >>> > > search. >>>> > > > > >> > > > >>> > > > >> As before, higher number = more debug >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> If the user can authenticate, does >>>> ethereal >>>> > > > capture >>>> > > > > >> some >>>> > > > > >> > > > >>> packets >>>> > > > > >> > > > >>> > > about >>>> > > > > >> > > > >>> > > > >>> password verification? Right now I only >>>> see >>>> > the >>>> > > > packets >>>> > > > > >> > > when >>>> > > > > >> > > > >>> ldap >>>> > > > > >> > > > >>> > > search for >>>> > > > > >> > > > >>> > > > >>> my user id and gets results back from AD. >>>> > > > > >> > > > >>> > > > >>> >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> Ethereal should catch all data flowing >>>> between >>>> > the >>>> > > > > >> client >>>> > > > > >> > > and >>>> > > > > >> > > > >>> server. 
>>>> > > > > >> > > > >>> > > If >>>> > > > > >> > > > >>> > > > >> you can search out the user in your AD >>>> right >>>> > now, >>>> > > > then >>>> > > > > >> one >>>> > > > > >> > > of >>>> > > > > >> > > > >>> two >>>> > > > > >> > > > >>> > > things is >>>> > > > > >> > > > >>> > > > >> happening: >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> 1. You are performing anonymous searches. >>>> In >>>> > this >>>> > > > case, >>>> > > > > >> no >>>> > > > > >> > > > >>> username >>>> > > > > >> > > > >>> > > and pw >>>> > > > > >> > > > >>> > > > >> is provided, and your AD is happy to hand >>>> over >>>> > info >>>> > > > to >>>> > > > > >> > > anyone >>>> > > > > >> > > > >>> who asks >>>> > > > > >> > > > >>> > > for >>>> > > > > >> > > > >>> > > > >> it. If this is the case, you will _not_ >>>> see >>>> > > > > >> authentication >>>> > > > > >> > > > >>> > > information. The >>>> > > > > >> > > > >>> > > > >> following MS KB article should probably >>>> help >>>> > you >>>> > > > > >> determine >>>> > > > > >> > > on >>>> > > > > >> > > > >>> your AD >>>> > > > > >> > > > >>> > > if >>>> > > > > >> > > > >>> > > > >> anonymous queries are allowed: >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> http://support.microsoft.com/kb/320528 >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> It has exact instructions for how to get >>>> it >>>> > going, >>>> > > > but >>>> > > > > >> you >>>> > > > > >> > > can >>>> > > > > >> > > > >>> follow >>>> > > > > >> > > > >>> > > > >> along with it to check your current >>>> settings >>>> > > > without >>>> > > > > >> making >>>> > > > > >> > > any >>>> > > > > >> > > > >>> > > changes. >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > > >>>> > > > > >> > > > >>> > > > > I checked our setting. Permission type for >>>> > normal >>>> > > > user is >>>> > > > > >> > > "Read & >>>> > > > > >> > > > >>> > > Execute". 
>>>> > > > > >> > > > >>> > > > > I click edit to check the detail about >>>> > permission. I >>>> > > > > >> think it >>>> > > > > >> > > > >>> only >>>> > > > > >> > > > >>> > > allow the >>>> > > > > >> > > > >>> > > > > user to read the attributes, permission >>>> > something >>>> > > > and >>>> > > > > >> can't >>>> > > > > >> > > > >>> modify the >>>> > > > > >> > > > >>> > > > > AD.There is "Everyone" setting is also set >>>> as >>>> > "Read >>>> > > > & >>>> > > > > >> > > Execute". >>>> > > > > >> > > > >>> By the >>>> > > > > >> > > > >>> > > way, >>>> > > > > >> > > > >>> > > > > the AD is Win2003 R2. >>>> > > > > >> > > > >>> > > > > >>>> > > > > >> > > > >>> > > > > >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> 2. Authentication is happening. It will be >>>> the >>>> > > > _very_ >>>> > > > > >> first >>>> > > > > >> > > > >>> thing the >>>> > > > > >> > > > >>> > > > >> client and server perform, after basic >>>> > connection >>>> > > > > >> > > establishment. >>>> > > > > >> > > > >>> Look >>>> > > > > >> > > > >>> > > for it >>>> > > > > >> > > > >>> > > > >> at the very beginning of a dump. >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> Also, it's a bit overkill, but the >>>> following >>>> > > > article is >>>> > > > > >> > > > >>> extremely >>>> > > > > >> > > > >>> > > > >> informative about all the different ways >>>> you >>>> > can >>>> > > > plug >>>> > > > > >> linux >>>> > > > > >> > > into >>>> > > > > >> > > > >>> AD >>>> > > > > >> > > > >>> > > for >>>> > > > > >> > > > >>> > > > >> authentication. It might offer some >>>> hints... >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >>> Maybe I need dig into ldap.conf more. 
If >>>> you >>>> > have >>>> > > > any >>>> > > > > >> idea, >>>> > > > > >> > > let >>>> > > > > >> > > > >>> me >>>> > > > > >> > > > >>> > > know. >>>> > > > > >> > > > >>> > > > >>> >>>> > > > > >> > > > >>> > > > >>> Thank you very much. >>>> > > > > >> > > > >>> > > > >>> >>>> > > > > >> > > > >>> > > > >>> Lou >>>> > > > > >> > > > >>> > > > >>> >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > >> >>>> > > > > >> > > > >>> > > > > >>>> > > > > >> > > > >>> > > > -------------- next part -------------- >>>> > > > > >> > > > >>> > > > An HTML attachment was scrubbed... >>>> > > > > >> > > > >>> > > > URL: >>>> > > > > >> > > > >>> > > >>>> > > > > >> > > > >>> >>>> > > > > >> > > >>>> > > > > >> >>>> > > > >>>> > >>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html >>>> > > > > >> > > > >>> > > > >>>> _______________________________________________ >>>> > > > > >> > > > >>> > > > tac_plus mailing list >>>> > > > > >> > > > >>> > > > tac_plus at shrubbery.net >>>> > > > > >> > > > >>> > > > >>>> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus >>>> > > > > >> > > > >>> > > >>>> > > > > >> > > > >>> >>>> > > > > >> > > > >> >>>> > > > > >> > > > >> >>>> > > > > >> > > > > >>>> > > > > >> > > >>>> > > > > >> > -------------- next part -------------- >>>> > > > > >> > An HTML attachment was scrubbed... >>>> > > > > >> > URL: >>>> > > > > >> >>>> > > > >>>> > >>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html >>>> > > > > >> > _______________________________________________ >>>> > > > > >> > tac_plus mailing list >>>> > > > > >> > tac_plus at shrubbery.net >>>> > > > > >> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus >>>> > > > > >> >>>> > > > > >> >>>> > > > > >> >>>> > > > >>>> > >>>> -------------- next part -------------- >>>> An HTML attachment was scrubbed... 
>>>> URL: >>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/a877fda6/attachment.html >>>> >>>> _______________________________________________ >>>> tac_plus mailing list >>>> tac_plus at shrubbery.net >>>> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus >>>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/38a5ed4d/attachment.html From jeroen at nijhofnet.nl Tue Nov 24 19:48:35 2009 
From: jeroen at nijhofnet.nl (Jeroen Nijhof)
Date: Tue, 24 Nov 2009 20:48:35 +0100
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911240956p523827fcjf20d33f32b15d4d6@mail.gmail.com>
References: <8dabae5b0911231548u2548f07ep85bd045cca8a93ed@mail.gmail.com> <20091124162419.GD7044@shrubbery.net> <8dabae5b0911240905h7b2f3bd8g99c0ca98918c2c3@mail.gmail.com> <20091124173648.GF7044@shrubbery.net> <8dabae5b0911240956p523827fcjf20d33f32b15d4d6@mail.gmail.com>
Message-ID: <1259092115.3286.3.camel@tux>

Lou,

Well if you want to be sure, yes, you should put it on the first row and use sufficient; then it will leave the PAM stack if ldap is successful.

Regards,
Jeroen

On Tue, 2009-11-24 at 11:56 -0600, Hailu Meng wrote:
> John,
>
> I checked my tac_plus configuration for the PAM module, the file /etc/pam.d/tac_plus. The current configuration is shown below:
> As you suggest, I need to put pam_ldap.so on the first row for every auth, account, password and session, right?
>
> *******************************************************************
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
>
> On Tue, Nov 24, 2009 at 11:36 AM, john heasley wrote:
>
> > Tue, Nov 24, 2009 at 11:05:59AM -0600, Hailu Meng:
> > > It makes sense. nsswitch.conf should be for local login, not for tacacs. Thanks John for pointing it out. I'm such a rookie to these things. Just followed some guides and combined them here. Need to study more.
> >
> > well, it depends upon what modules you use in your tacacs PAM config; ie: if you have something like 'require unix_account' (WAG) that requires that the login exist in /etc/passwd (or more precisely get_pwent(3) or similar), then /etc/nsswitch.conf might affect it. BUT, that means that for you, 'require unix_account' is a misconfiguration of the tacacs PAM config. that is, it should be something like 'require ldap_account'.
> >
> > > Lou
> > >
> > > On Tue, Nov 24, 2009 at 10:24 AM, john heasley wrote:
> > >
> > > > Tue, Nov 24, 2009 at 11:11:57AM +0100, Jeroen Nijhof:
> > > > > Hi Lou,
> > > > >
> > > > > Yes, most server applications check if a user exists by looking up the uid via nss before doing any authentication (i.e. sshd).
> > > > >
> > > > > Regards,
> > > > > Jeroen
> > > > >
> > > > > On 23/11/2009 "Hailu Meng" wrote:
> > > > >
> > > > > > Hi Jeroen,
> > > > > >
> > > > > > Thanks for helping. I modified the nsswitch.conf as below:
> > > > > > passwd: files ldap
> > > > > > shadow: files ldap
> > > > > > group: files ldap
> > > > > >
> > > > > > And leave the other settings as default.
> > > > > >
> > > > > > The user attributes you are talking about are the attributes retrieved from AD? I do see the packets from the AD server telling my tacacs+ server the user attributes, including homedir.
> > > >
> > > > i would not expect this to affect tacacs, unless you have something in your pam config that requires it. ie: nsswitch.conf should control auth for the host (eg: /sbin/login), tacacs is separate.
> > > >
> > > > > > Thanks.
> > > > > >
> > > > > > Lou
> > > > > >
> > > > > > On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > Did you setup the nsswitch.conf as well on your tac_plus server? Your tac_plus server needs to lookup the user attributes like homedir etc, otherwise pam will fail.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Jeroen Nijhof
> > > > > > >
> > > > > > > On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
> > > > > > > > Ok. With -d 32, I got some more info about pam as the red color log.
> > > > > > > >
> > > > > > > > There is "Unknown user" log info following the input of my user password. I feel confused since ldap is able to get user info from Active Directory, so why does it turn out "Unknown user" here.
> > > > > > > >
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: User msg:
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: myusername
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: User data:
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: msg:
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: Password:
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: data:
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > > > > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
> > > > > > > > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
> > > > > > > > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
> > > > > > > > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> > > > > > > > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)
> > > > > > > > Mon Nov 23 15:21:21 2009 [3806]: End header
> > > > > > > > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
> > > > > > > > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> > > > > > > > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
> > > > > > > > Mon Nov 23 15:21:21 2009 [3806]: User msg:
> > > > > > > > Mon Nov 23 15:21:21 2009 [3806]: mypassword
> > > > > > > > Mon Nov 23 15:21:21 2009 [3806]: User data:
> > > > > > > > Mon Nov 23 15:21:21 2009 [3806]: End packet
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: Unknown user
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 6 (0x6)
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: End header
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: msg:
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: data:
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: End packet
> > > > > > > > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
> > > > > > > >
> > > > > > > >
> > > > > > > > On Mon, Nov 23, 2009 at 3:16 PM, john heasley wrote:
> > > > > > > >
> > > > > > > > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
> > > > > > > > > > I just saw some posts saying pam_krb winbind could be needed to get pam to work against active directory. Is this true? The post I was following actually is for a LDAP server, not Active Directory.
> > > > > > > > >
> > > > > > > > > i don't know; each pam implementation seems to be [at least] slightly different. seems silly to need kerberos for ldap.
> > > > > > > > >
> > > > > > > > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > I think I need to put my pam configuration here:
> > > > > > > > > > >
> > > > > > > > > > > I followed this post
> > > > > > > > > > > http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html
> > > > > > > > > > > to configure my pam module:
> > > > > > > > > > >
> > > > > > > > > > > /etc/pam.d/tacacs
> > > > > > > > > > >
> > > > > > > > > > > auth include system-auth
> > > > > > > > > > > account required pam_nologin.so
> > > > > > > > > > > account include system-auth
> > > > > > > > > > > password include system-auth
> > > > > > > > > > > session optional pam_keyinit.so force revoke
> > > > > > > > > > > session include system-auth
> > > > > > > > > > > session required pam_loginuid.so
> > > > > > > > > > >
> > > > > > > > > > > /etc/pam.d/system-auth
> > > > > > > > > > > #%PAM-1.0
> > > > > > > > > > > # This file is auto-generated.
> > > > > > > > > > > # User changes will be destroyed the next time authconfig is run.
> > > > > > > > > > > auth required pam_env.so
> > > > > > > > > > > auth sufficient pam_unix.so nullok try_first_pass
> > > > > > > > > > > auth requisite pam_succeed_if.so uid >= 500 quiet
> > > > > > > > > > > auth sufficient pam_ldap.so use_first_pass
> > > > > > > > > > > auth required pam_deny.so
> > > > > > > > > > >
> > > > > > > > > > > account required pam_unix.so broken_shadow
> > > > > > > > > > > account sufficient pam_succeed_if.so uid < 500 quiet
> > > > > > > > > > > account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > > > > > > > > > > account required pam_permit.so
> > > > > > > > > > >
> > > > > > > > > > > password requisite pam_cracklib.so try_first_pass retry=3
> > > > > > > > > > > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > > > > > > > > > > password sufficient pam_ldap.so use_authtok
> > > > > > > > > > > password required pam_deny.so
> > > > > > > > > > >
> > > > > > > > > > > session optional pam_keyinit.so revoke
> > > > > > > > > > > session required pam_limits.so
> > > > > > > > > > > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > > > > > > > > > session required pam_unix.so
> > > > > > > > > > > session optional pam_ldap.so
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Hi John,
> > > > > > > > > > > >
> > > > > > > > > > > > You mean issue commands like tac_plus -C /etct/tac_plus.conf -L -p 49 -d 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make any change. I got the same log info. By the way, I also saw the log info in /var/log/message:
> > > > > > > > > > > > Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
> > > > > > > > > > > > Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
> > > > > > > > > > > > Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
> > > > > > > > > > > > Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from 10.1.69.89 rejected
> > > > > > > > > > > > Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89 (10.1.69.89) tty0
> > > > > > > > > > > >
> > > > > > > > > > > > Do we have an option to see the log about PAM? I haven't found where it is. If we can check the log of PAM, then we could find something useful. Right now the log of tac_plus didn't tell too much about why the login got a failure.
> > > > > > > > >
> > > > > > > > > add -d 32. -d x -d y ... will be logically OR'd together.
> > > > > > > > >
> > > > > > > > > > > > Lou
> > > > > > > > > > > >
> > > > > > > > > > > > On Mon, Nov 23, 2009 at 2:20 PM, john heasley <heas at shrubbery.net> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
> > > > > > > > > > > > > > Thanks John for helping me check this issue.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the
> > > > > > > > > > > > >
> > > > > > > > > > > > > try -d 16 -d 256. which i think will log the pwd that pam received from the device. make sure it's correct. the logs below do appear to be a reject/fail returned from pam.
> > > > > > > > > > > > >
> > > > > > > > > > > > > > log in stdout and in log file. I can't see any suspicious log information here. I paste the log below:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 11 (0xb)
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: End header
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: User msg:
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: myusername
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: User data:
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 16 (0x10)
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: End header
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: msg:
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: Password:
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: data:
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > > > > > > > > > > > > > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet
> > > > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30
> > > > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey
> > > > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, flags 0x1
> > > > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 18 (0x12)
> > > > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: End header
> > > > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT
> > > > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> > > > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
> > > > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: User msg:
> > > > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: mypassword
> > > > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: User data:
> > > > > > > > > > > > > > Sat Nov 21 22:28:34 2009 [3393]: End packet
> > > > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> > > > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
> > > > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18
> > > > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey
> > > > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, flags 0x1
> > > > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 6 (0x6)
> > > > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: End header
> > > > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> > > > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0
> > > > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: msg:
> > > > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: data:
> > > > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: End packet
> > > > > > > > > > > > > > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Mon, Nov 23, 2009 at 12:23 PM, john heasley <heas at shrubbery.net> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:
> > > > > > > > > > > > > > > > Hi Adam,
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > If the ldapsearch -D "" -w "" runs successfully, what do we suppose to get from the output? I just got all of the user information in that group. Does that mean my password and username got authenticated successfully against AD?
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > This thing drives me crazy. I need to solve it through this week before the holiday...
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > i haven't followed this thread, as i know nearly zero about ldap. but, have you enabled authentication debugging in the tacacs daemon and checked the logs to determine what is coming back from pam? it very well may be that the ldap client is working just fine, but there is a pam module bug or a bug in the tacplus daemon or that your device simply doesn't like something about the replies.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Thanks a lot for the help.
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > Lou
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng <hailumeng at gmail.com> wrote:
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > Still no clue how to turn on the log. binding seems good. See my findings below. Thanks a lot.
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam <prozaconstilts at gmail.com> wrote:
> > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > Hailu Meng wrote:
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > Adam,
> > > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > I tried the su - "userid" in my tacacs+ server but I don't have that userid in CentOS. So the CentOS just doesn't want me to log in. I think this will not ask the tacacs server to authenticate against AD.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > You shouldn't need to have to define the user in CentOS, that's the point of using ldap for authentication. The user is defined in ldap, not in CentOS. Now that I think about it, su - probably wouldn't work anyway, as AD doesn't by default have the data needed by a linux box to allow login...but see below for more options.
> > > > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > > > > Is there any other way to test ldap authentication against AD with the userid in AD? I tried ldapsearch. It did find my user id without problem.
> > > > >> > > > >>> > > > >>> But I haven't found any option to > try with > > > password and > > > > >> > > > >>> authenticate > > > > >> > > > >>> > > against > > > > >> > > > >>> > > > >>> AD. > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> Try using -D: > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> from `man ldapsearch`: > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> -D binddn > > > > >> > > > >>> > > > >> Use the Distinguished Name binddn > to bind to the > > > LDAP > > > > >> > > > >>> directory. > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> so -D > cn=username,ou=my_ou,dc=my_dc should let you > > > try > > > > >> to > > > > >> > > > >>> authenticate > > > > >> > > > >>> > > > >> using whatever user you want to > define. Just check > > > and > > > > >> > > double > > > > >> > > > >>> check > > > > >> > > > >>> > > you get > > > > >> > > > >>> > > > >> the right path in that dn. > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> I tried -D " > cn=username,ou=my_ou,dc=my_dc " but it > > > just > > > > >> > > > >>> returned lots > > > > >> > > > >>> > > of > > > > >> > > > >>> > > > > users' information. It means > successful? > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > >> Do you have ldap server setup or > only the openldap > > > > >> library > > > > >> > > and > > > > >> > > > >>> > > openldap > > > > >> > > > >>> > > > >>> client? I don't understand why > the log is not > > > turned > > > > >> on. > > > > >> > > There > > > > >> > > > >>> must > > > > >> > > > >>> > > be some > > > > >> > > > >>> > > > >>> debugging info in the log which > can help solve > > > this > > > > >> issue. > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> only the libs and client. You > should not need the > > > > >> server. 
In > > > > >> > > the > > > > >> > > > >>> > > > >> ldapsearch, you can use -d > to get > > > debugging > > > > >> info > > > > >> > > for > > > > >> > > > >>> that > > > > >> > > > >>> > > search. > > > > >> > > > >>> > > > >> As before, higher number = more > debug > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> If the user can authenticate, > does ethereal > > > capture > > > > >> some > > > > >> > > > >>> packets > > > > >> > > > >>> > > about > > > > >> > > > >>> > > > >>> password verification? Right now > I only see the > > > packets > > > > >> > > when > > > > >> > > > >>> ldap > > > > >> > > > >>> > > search for > > > > >> > > > >>> > > > >>> my user id and gets results back > from AD. > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> Ethereal should catch all data > flowing between the > > > > >> client > > > > >> > > and > > > > >> > > > >>> server. > > > > >> > > > >>> > > If > > > > >> > > > >>> > > > >> you can search out the user in > your AD right now, > > > then > > > > >> one > > > > >> > > of > > > > >> > > > >>> two > > > > >> > > > >>> > > things is > > > > >> > > > >>> > > > >> happening: > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> 1. You are performing anonymous > searches. In this > > > case, > > > > >> no > > > > >> > > > >>> username > > > > >> > > > >>> > > and pw > > > > >> > > > >>> > > > >> is provided, and your AD is happy > to hand over info > > > to > > > > >> > > anyone > > > > >> > > > >>> who asks > > > > >> > > > >>> > > for > > > > >> > > > >>> > > > >> it. If this is the case, you will > _not_ see > > > > >> authentication > > > > >> > > > >>> > > information. 
The > > > > >> > > > >>> > > > >> following MS KB article should > probably help you > > > > >> determine > > > > >> > > on > > > > >> > > > >>> your AD > > > > >> > > > >>> > > if > > > > >> > > > >>> > > > >> anonymous queries are allowed: > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > http://support.microsoft.com/kb/320528 > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> It has exact instructions for how > to get it going, > > > but > > > > >> you > > > > >> > > can > > > > >> > > > >>> follow > > > > >> > > > >>> > > > >> along with it to check your > current settings > > > without > > > > >> making > > > > >> > > any > > > > >> > > > >>> > > changes. > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > > I checked our setting. Permission > type for normal > > > user is > > > > >> > > "Read & > > > > >> > > > >>> > > Execute". > > > > >> > > > >>> > > > > I click edit to check the detail > about permission. I > > > > >> think it > > > > >> > > > >>> only > > > > >> > > > >>> > > allow the > > > > >> > > > >>> > > > > user to read the attributes, > permission something > > > and > > > > >> can't > > > > >> > > > >>> modify the > > > > >> > > > >>> > > > > AD.There is "Everyone" setting is > also set as "Read > > > & > > > > >> > > Execute". > > > > >> > > > >>> By the > > > > >> > > > >>> > > way, > > > > >> > > > >>> > > > > the AD is Win2003 R2. > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> 2. Authentication is happening. It > will be the > > > _very_ > > > > >> first > > > > >> > > > >>> thing the > > > > >> > > > >>> > > > >> client and server perform, after > basic connection > > > > >> > > establishment. > > > > >> > > > >>> Look > > > > >> > > > >>> > > for it > > > > >> > > > >>> > > > >> at the very beginning of a dump. 
> > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> Also, it's a bit overkill, but the > following > > > article is > > > > >> > > > >>> extremely > > > > >> > > > >>> > > > >> informative about all the > different ways you can > > > plug > > > > >> linux > > > > >> > > into > > > > >> > > > >>> AD > > > > >> > > > >>> > > for > > > > >> > > > >>> > > > >> authentication. It might offer > some hints... > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >>> Maybe I need dig into ldap.conf > more. If you have > > > any > > > > >> idea, > > > > >> > > let > > > > >> > > > >>> me > > > > >> > > > >>> > > know. > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >>> Thank you very much. > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >>> Lou > > > > >> > > > >>> > > > >>> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > >> > > > > >> > > > >>> > > > > > > > > >> > > > >>> > > > -------------- next part > -------------- > > > > >> > > > >>> > > > An HTML attachment was scrubbed... > > > > >> > > > >>> > > > URL: > > > > >> > > > >>> > > > > > > >> > > > >>> > > > > >> > > > > > > >> > > > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html > > > > >> > > > >>> > > > > _______________________________________________ > > > > >> > > > >>> > > > tac_plus mailing list > > > > >> > > > >>> > > > tac_plus at shrubbery.net > > > > >> > > > >>> > > > > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > > > >> > > > >>> > > > > > > >> > > > >>> > > > > >> > > > >> > > > > >> > > > >> > > > > >> > > > > > > > > >> > > > > > > >> > -------------- next part -------------- > > > > >> > An HTML attachment was scrubbed... 
> > > > >> > URL: > > > > >> > > > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html > > > > >> > _______________________________________________ > > > > >> > tac_plus mailing list > > > > >> > tac_plus at shrubbery.net > > > > >> > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > > > >> > > > > >> > > > > >> > > > > > From jeroen at nijhofnet.nl Tue Nov 24 20:05:48 2009 
From: jeroen at nijhofnet.nl (Jeroen Nijhof)
Date: Tue, 24 Nov 2009 21:05:48 +0100
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <8dabae5b0911240938v4901c2f9ub622737d084f6c90@mail.gmail.com>
References: <8dabae5b0911240522r18c4d9vc65096295522be5d@mail.gmail.com>
	<0y7wwr4C.1259075977.4075310.jeroen@nijhofnet.nl>
	<8dabae5b0911240938v4901c2f9ub622737d084f6c90@mail.gmail.com>
Message-ID: <1259093148.3286.18.camel@tux>

Hi Lou,

That's not right indeed. You should get something like:

jeroen at tux:~$ getent passwd jeroen
jeroen:x:1000:1000:Jeroen Nijhof,,,:/home/jeroen:/bin/bash

You should first try with ldapsearch and the binddn you use if you can find any users...
If the users exist directly below the ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org tree use ?one and not ?sub.
Are you sure that the group objects exist in the same tree as the users?? Normally you have something like ou=Group,dc=hq,...etc.

Hmm and it seems like you are missing the uid and gid mappings:
nss_map_attribute uidNumber .....
nss_map_attribute gidNumber .....

Regards,
Jeroen Nijhof

On Tue, 2009-11-24 at 11:38 -0600, Hailu Meng wrote:
> Hi Jeroen,
>
> I issued the command "getent passwd myusername". It just came back with
> request done: ld 0x8e124f8 msgid 1
> request done: ld 0x8e124f8 msgid 2
>
> I think this is not right. I did see this kind of message in the tacacs log when I tried to log in to my router. So I guess something is still wrong with my /etc/ldap.conf.
> Here is my current configuration for ldap.conf; the other file /etc/openldap/ldap.conf will point to this file too. I think I have all the needed configuration here. Even though I put the debug and log configuration here, I still can't get my log to show up in the specified directory. Weird. Please help me check this setting. Is there anything wrong with the nss mapping? I think that part could be something wrong.
> Thanks a lot.
>
> ***********************************************************
> host myadserverIP
> base ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org
> ldap_version 3
> scope sub
> binddn CN=testuser,OU=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org
> bindpw passwdfortest
> rootbinddn dc=hq,dc=corp,dc=mycompany,dc=org
> # The port.
> # Optional: default is 389. SSL LDAP Port 636
> port 389
> # RFC2307bis naming contexts
> nss_base_passwd ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
> nss_base_shadow ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
> nss_base_group ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
> # RFC 2307 (AD) mappings
> nss_map_objectclass posixAccount User
> nss_map_objectclass shadowAccount User
> nss_map_attribute uid sAMAccountName
> nss_map_attribute homeDirectory unixHomeDirectory
> nss_map_attribute gecos cn
> nss_map_attribute shadowLastChange pwdLastSet
> nss_map_objectclass posixGroup group
> nss_map_attribute uniqueMember member
>
>
> # Disable SASL security layers. This is needed for AD.
> sasl_secprops maxssf=0
>
> # PAM_LDAP options
> pam_login_attribute sAMAccountName
> pam_filter objectclass=User
> pam_password ad
> logdir /var/log/ldap
> debug 1024
> ssl no
> timelimit 30
> bind_timelimit 30
>
>
> On Tue, Nov 24, 2009 at 9:19 AM, Jeroen Nijhof wrote:
>
> Hi Lou,
>
> Check with 'getent passwd ' if you get the right user with the right information from your AD via ldap.
> If not then you should probably check your /etc/ldap.conf for the right search scope and attribute mappings.
> Nss_ldap and pam_ldap use the /etc/ldap.conf file, so if it works with an nss lookup via getent it should work for pam_ldap as well.
> You can define a debug level as well in the /etc/ldap.conf file for logging.
> It's logging to /var/log/auth.log for me..
>
> Regards,
> Jeroen
> >> >> > > > >>> > > > >>> But I haven't found any option to try with password and authenticate against AD.
> >> >> > > > >>> > > > >>>
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >> Try using -D:
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >> from `man ldapsearch`:
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >> -D binddn
> >> >> > > > >>> > > > >> Use the Distinguished Name binddn to bind to the LDAP directory.
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let you try to authenticate using whatever user you want to define. Just check and double check you get the right path in that dn.
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >> I tried -D "cn=username,ou=my_ou,dc=my_dc" but it just returned lots of
> >> >> > > > >>> > > > > users' information. It means successful?
> >> >> > > > >>> > > > >
> >> >> > > > >>> > > > >
> >> >> > > > >>> > > > >> Do you have ldap server setup or only the openldap library and openldap
> >> >> > > > >>> > > > >>> client? I don't understand why the log is not turned on. There must be some debugging info in the log which can help solve this issue.
> >> >> > > > >>> > > > >>>
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >> only the libs and client. You should not need the server. In the ldapsearch, you can use -d to get debugging info for that search.
> >> >> > > > >>> > > > >> As before, higher number = more debug
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >> If the user can authenticate, does ethereal capture some packets about
> >> >> > > > >>> > > > >>> password verification? Right now I only see the packets when ldap search for my user id and gets results back from AD.
> >> >> > > > >>> > > > >>>
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >> Ethereal should catch all data flowing between the client and server. If you can search out the user in your AD right now, then one of two things is happening:
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >> 1. You are performing anonymous searches. In this case, no username and pw is provided, and your AD is happy to hand over info to anyone who asks for it. If this is the case, you will _not_ see authentication information. The following MS KB article should probably help you determine on your AD if anonymous queries are allowed:
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >> http://support.microsoft.com/kb/320528
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >> It has exact instructions for how to get it going, but you can follow along with it to check your current settings without making any changes.
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >
> >> >> > > > >>> > > > > I checked our setting. Permission type for normal user is "Read & Execute". I click edit to check the detail about permission. I think it only allow the user to read the attributes, permission something and can't modify the AD. There is "Everyone" setting is also set as "Read & Execute". By the way, the AD is Win2003 R2.
> >> >> > > > >>> > > > >
> >> >> > > > >>> > > > >
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >> 2. Authentication is happening. It will be the _very_ first thing the client and server perform, after basic connection establishment. Look for it at the very beginning of a dump.
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >> Also, it's a bit overkill, but the following article is extremely informative about all the different ways you can plug linux into AD for authentication. It might offer some hints...
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >>> Maybe I need dig into ldap.conf more. If you have any idea, let me know.
> >> >> > > > >>> > > > >>>
> >> >> > > > >>> > > > >>> Thank you very much.
> >> >> > > > >>> > > > >>>
> >> >> > > > >>> > > > >>> Lou
> >> >> > > > >>> > > > >>>
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >>
> >> >> > > > >>> > > > >
> >> >> > > > >>> > > > -------------- next part --------------
> >> >> > > > >>> > > > An HTML attachment was scrubbed...
> >> >> > > > >>> > > > URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html
> >> >> > > > >>> > > > _______________________________________________
> >> >> > > > >>> > > > tac_plus mailing list
> >> >> > > > >>> > > > tac_plus at shrubbery.net
> >> >> > > > >>> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> >> >> > > > >>> > > >
> >> >> > > > >>> > >
> >> >> > > > >>>
> >> >> > > >
> >> >> > > >
> >> >> > >
> >> >> >
> >> >> > -------------- next part --------------
> >> >> > An HTML attachment was scrubbed...
> >> >> > URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html
> >> >> > _______________________________________________
> >> >> > tac_plus mailing list
> >> >> > tac_plus at shrubbery.net
> >> >> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> >> >>
> >> >>
> >>
>

From tmurch at toniccomputers.com Tue Nov 24 20:20:33 2009
From: tmurch at toniccomputers.com (Tom Murch)
Date: Tue, 24 Nov 2009 15:20:33 -0500
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <1259093148.3286.18.camel@tux>
References: <8dabae5b0911240522r18c4d9vc65096295522be5d@mail.gmail.com> <0y7wwr4C.1259075977.4075310.jeroen@nijhofnet.nl> <8dabae5b0911240938v4901c2f9ub622737d084f6c90@mail.gmail.com> <1259093148.3286.18.camel@tux>
Message-ID:

Jeroen is correct; it does not appear that you are even pulling from the AD. I would double check all your conf files again.

On Tue, Nov 24, 2009 at 3:05 PM, Jeroen Nijhof wrote:
> Hi Lou,
>
> That's not right indeed. You should get something like:
> jeroen at tux:~$ getent passwd jeroen
> jeroen:x:1000:1000:Jeroen Nijhof,,,:/home/jeroen:/bin/bash
>
> You should first try with ldapsearch and the binddn you use if you can find any users...
> If the users exist directly below the ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org tree use ?one and not ?sub.
> Are you sure that the group objects exist in the same tree as the users?? Normally you have something like ou=Group,dc=hq,...etc.
>
> Hmm and it seems like you are missing the uid and gid mappings:
>
> nss_map_attribute uidNumber .....
> nss_map_attribute gidNumber .....
>
> Regards,
> Jeroen Nijhof
>
> On Tue, 2009-11-24 at 11:38 -0600, Hailu Meng wrote:
> > Hi Jeroen,
> >
> > I issued the command "getent passwd myusername". It just came back with
> > request done: ld 0x8e124f8 msgid 1
> > request done: ld 0x8e124f8 msgid 2
> >
> > I think this is not right. I did see this kind of message in tacacs log when I tried to log in my router. So I guess something is still wrong with my /etc/ldap.conf
> > here is my current configuration for ldap.conf, the other file /etc/openldap/ldap.conf will point to this file too. I think I have all needed configuration here. Even I put the debug and log configuration here, I still can't get my log show up in the specified directory. Weird. Please help me check this setting. Is there anything wrong with nss mapping? I think that part could be something wrong. Thanks a lot.
> >
> > ***********************************************************
> > host myadserverIP
> > base ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org
> > ldap_version 3
> > scope sub
> > binddn CN=testuser,OU=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org
> > bindpw passwdfortest
> > rootbinddn dc=hq,dc=corp,dc=mycompany,dc=org
> > # The port.
> > # Optional: default is 389. SSL LDAP Port 636
> > port 389
> > # RFC2307bis naming contexts
> > nss_base_passwd ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
> > nss_base_shadow ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
> > nss_base_group ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
> > # RFC 2307 (AD) mappings
> > nss_map_objectclass posixAccount User
> > nss_map_objectclass shadowAccount User
> > nss_map_attribute uid sAMAccountName
> > nss_map_attribute homeDirectory unixHomeDirectory
> > nss_map_attribute gecos cn
> > nss_map_attribute shadowLastChange pwdLastSet
> > nss_map_objectclass posixGroup group
> > nss_map_attribute uniqueMember member
> >
> >
> > # Disable SASL security layers. This is needed for AD.
> > sasl_secprops maxssf=0
> >
> > # PAM_LDAP options
> > pam_login_attribute sAMAccountName
> > pam_filter objectclass=User
> > pam_password ad
> > logdir /var/log/ldap
> > debug 1024
> > ssl no
> > timelimit 30
> > bind_timelimit 30
> >
> >
> > On Tue, Nov 24, 2009 at 9:19 AM, Jeroen Nijhof wrote:
> >
> > Hi Lou,
> >
> > Check with 'getent passwd ' if you get the right user with the right information from your AD via ldap.
> > If not then you should probably check your /etc/ldap.conf for the right search scope and attribute mappings.
> > Nss_ldap and pam_ldap use the /etc/ldap.conf file so if it works with a nss lookup via getent it should work for pam_ldap as well.
> > You can define a debug level as well in the /etc/ldap.conf file for logging.
> > It's logging to /var/log/auth.log for me..
> >
> >
> > Regards,
> > Jeroen
> >
> > On 24/11/2009 "Hailu Meng" wrote:
> >
> >
> > >Hi Jeroen,
> > >
> > >I see the packets sent back from AD for the search request have 4 attributes included:
> > >objectclass
> > >cn
> > >description
> > >sAMAccountName
> > >
> > >And these attributes values are correct. sAMAccountName is my login user id. cn is my Full Name, objectclass is 4 items (top, person, organizationalperson, user)
> > >
> > >I'm not sure is it enough for PAM to go to the next step? But it did give us error message "Unknown User". I observed that when I input the password in my router and hit ENTER, my wireshark captured two search requests from TACACS and two responses from AD. Same contents as the previous one when I input my user name in the router. I'm not sure is that possible that TACACS didn't find the information it wants from AD although AD respond something (4 attributes values)
> > >
> > >By the way, I can't find any log information about PAM. I think it should be in /var/log/secure. But nothing in this file. Do you know how to find these log or turn it on?
> > >
> > >Thanks for the help.
> > >
> > >Lou
> > >
> > >On Tue, Nov 24, 2009 at 4:11 AM, Jeroen Nijhof wrote:
> > >
> > >>
> > >> Hi Lou,
> > >>
> > >> Yes, most server applications check if a user exists by looking up the uid via nss before doing any authentication (i.e. sshd).
> > >>
> > >> Regards,
> > >> Jeroen
> > >>
> > >> On 23/11/2009 "Hailu Meng" wrote:
> > >>
> > >> >Hi Jeroen,
> > >> >
> > >> >Thanks for helping. I modified the nsswitch.conf as below:
> > >> >passwd: files ldap
> > >> >shadow: files ldap
> > >> >group: files ldap
> > >> >
> > >> >And leave the other settings as default.
> > >> >
> > >> >the user attributes you are talking about are the attributes retrieving from AD? I do see the packets from AD server told my tacacs+ server the user attributes including homedir.
> > >> >
> > >> >Thanks.
> > >> >
> > >> >Lou
> > >> >
> > >> >
> > >> >On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof wrote:
> > >> >
> > >> >> Hi,
> > >> >>
> > >> >> Did you setup the nsswitch.conf as well on your tac_plus server?
> > >> >> Your tac_plus server needs to lookup the user attributes like homedir etc, otherwise pam will fail.
> > >> >>
> > >> >> Regards,
> > >> >> Jeroen Nijhof
> > >> >>
> > >> >> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
> > >> >> > Ok. With -d 32, I got some more info about pam as red color log.
> > >> >> >
> > >> >> > There is "Unknown user" log info following the input of my user password.
> > >> >> > Feel confused since ldap is able to get user info from Active directory, why it turns out "Unknown user" here.
> > >> >> >
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: User msg:
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: myusername
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: User data:
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: msg:
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: Password:
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: data:
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: End header
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: User msg:
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: mypassword
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: User data:
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: End packet
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: Unknown user
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername10.1.69.89 (10.1.69.89) tty0
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 6 (0x6)
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: End header
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: msg:
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: data:
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: End packet
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
> > >> >> >
> > >> >> >
> > >> >> > On Mon, Nov 23, 2009 at 3:16 PM, john heasley wrote:
> > >> >> >
> > >> >> > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
> > >> >> > > > I just saw some posts saying pam_krb winbind could be needed to get pam work against active directory. Is this true? The post I was following actually is for a LDAP server not Active Directory.
> > >> >> > >
> > >> >> > > i dont know; each pam implementation seems to be [at least] slightly different. seems silly to need kerberos for ldap.
> > >> >> > >
> > >> >> > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng wrote:
> > >> >> > > >
> > >> >> > > > > I think I need put my pam configuration here:
> > >> >> > > > >
> > >> >> > > > > I followed this post http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html to configure my pam module:
> > >> >> > > > >
> > >> >> > > > > /etc/pam.d/tacacs
> > >> >> > > > >
> > >> >> > > > > auth        include       system-auth
> > >> >> > > > > account     required      pam_nologin.so
> > >> >> > > > > account     include       system-auth
> > >> >> > > > > password    include       system-auth
> > >> >> > > > > session     optional      pam_keyinit.so force revoke
> > >> >> > > > > session     include       system-auth
> > >> >> > > > > session     required      pam_loginuid.so
> > >> >> > > > >
> > >> >> > > > > /etc/pam.d/system-auth
> > >> >> > > > > #%PAM-1.0
> > >> >> > > > > # This file is auto-generated.
> > >> >> > > > > # User changes will be destroyed the next time authconfig is run.
> > >> >> > > > > auth        required      pam_env.so
> > >> >> > > > > auth        sufficient    pam_unix.so nullok try_first_pass
> > >> >> > > > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > >> >> > > > > auth        sufficient    pam_ldap.so use_first_pass
> > >> >> > > > > auth        required      pam_deny.so
> > >> >> > > > >
> > >> >> > > > > account     required      pam_unix.so broken_shadow
> > >> >> > > > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > >> >> > > > >
> > >> >> > > > > account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > >> >> > > > > account     required      pam_permit.so
> > >> >> > > > >
> > >> >> > > > > password    requisite     pam_cracklib.so try_first_pass retry=3
> > >> >> > > > > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > >> >> > > > > password    sufficient    pam_ldap.so use_authtok
> > >> >> > > > > password    required      pam_deny.so
> > >> >> > > > >
> > >> >> > > > > session     optional      pam_keyinit.so revoke
> > >> >> > > > > session     required      pam_limits.so
> > >> >> > > > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > >> >> > > > > session     required      pam_unix.so
> > >> >> > > > > session     optional      pam_ldap.so
> > >> >> > > > >
> > >> >> > > > >
> > >> >> > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <hailumeng at gmail.com> wrote:
> > >> >> > > > >
> > >> >> > > > >> Hi John,
> > >> >> > > > >>
> > >> >> > > > >> You mean issue commands like tac_plus -C /etct/tac_plus.conf -L -p 49 -d 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make any change. I got same log info. By the way, I also saw the log info in /var/log/message:
> > >> >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
> > >> >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
> > >> >> > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
> > >> >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from 10.1.69.89 rejected
> > >> >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89 (10.1.69.89) tty0
> > >> >> > > > >>
> > >> >> > > > >> Do we have option to see the log about PAM? I haven't found where it is. if we can check the log of PAM, then we could find something useful. Right now the log of tac_plus didn't tell too much about why login got failure.
> > >> >> > >
> > >> >> > > add -d 32. -d x -d y ... will be logically OR'd together.
> > >> >> > >
> > >> >> > > > >> Lou
> > >> >> > > > >>
> > >> >> > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley <heas at shrubbery.net> wrote:
> > >> >> > > > >>
> > >> >> > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
> > >> >> > > > >>> > Thanks John for helping me check this issue.
> > >> >> > > > >>> >
> > >> >> > > > >>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g to see the
> > >> >> > > > >>>
> > >> >> > > > >>> try -d 16 -d 256. which i think will log the pwd that pam received from the device. make its correct. the logs below do appear to be a reject/fail returned from pam.
> > >> >> > > > >>>
> > >> >> > > > >>> > log in stdout and in log file. I can't see any suspicious log information here. I paste the log below:
> > >> >> > > > >>> >
> > >> >> > > > >>> >
> > >> >> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, flags 0x1
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 11 (0xb)
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg:
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data:
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, flags 0x1
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 16 (0x10)
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg:
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password:
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data:
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey
> > >> >> > > > >>> >
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, flags 0x1
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 18 (0x12)
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg:
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data:
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for 'myusername' tty0 from 10.1.69.89 rejected
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL size=18
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0), type 1, seq no 8, flags 0x1
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 6 (0x6)
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg:
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data:
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: disconnect
> > >> >> > > > >>> >
> > >> >> > > > >>> >
> > >> >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley <heas at shrubbery.net> wrote:
> > >> >> > > > >>> >
> > >> >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:
> > >> >> > > > >>> > > > Hi Adam,
> > >> >> > > > >>> > > >
> > >> >> > > > >>> > > > If the ldapsearch -D "" -w "" runs successfully, what do we suppose to get from the output? I just got all of the user information in that group. Does that mean my password and username got authenticated successfully against AD?
> > >> >> > > > >>> > > >
> > >> >> > > > >>> > > > This thing drives me crazy. I need to solve it through this week before the holiday...
> > >> >> > > > >>> > >
> > >> >> > > > >>> > > i havent followed this thread, as i know nearly zero about ldap. but, have you enabled authentication debugging in the tacacs daemon and checked the logs to determine what is coming back from pam? it very well may be that the ldap client is working just fine, but there is a pam module bug or a bug in the tacplus daemon or that your device simply doesnt like something about the replies.
> > >> >> > > > >>> > >
> > >> >> > > > >>> > > > Thanks a lot for the help.
> > >> >> > > > >>> > > >
> > >> >> > > > >>> > > > Lou
> > >> >> > > > >>> > > >
> > >> >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng <hailumeng at gmail.com> wrote:
> > >> >> > > > >>> > > >
> > >> >> > > > >>> > > > > Still no clue how to turn on the log. binding seems good. See my findings below. Thanks a lot.
> > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam > > < > > >> >> > > prozaconstilts at gmail.com> > > >> >> > > > >>> > > wrote: > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > >> Hailu Meng wrote: > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >>> Adam, > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >>> I tried the su - "userid" in my > > tacacs+ server but I > > >> >> don't > > >> >> > > have > > >> >> > > > >>> that > > >> >> > > > >>> > > > >>> userid in CentOS. So the CentOS just > > don't want me > > >> log > > >> >> in. > > >> >> > > I > > >> >> > > > >>> think > > >> >> > > > >>> > > this will > > >> >> > > > >>> > > > >>> not ask tacacs server to > > authenticate against AD. > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> You shouldn't need to have to define > > the user in > > >> CentOS, > > >> >> > > that's > > >> >> > > > >>> the > > >> >> > > > >>> > > point > > >> >> > > > >>> > > > >> of using ldap for authentication. The > > user is defined > > >> in > > >> >> > > ldap, > > >> >> > > > >>> not in > > >> >> > > > >>> > > > >> CentOS. Now that I think about it, su > > - > > >> probably > > >> >> > > wouldn't > > >> >> > > > >>> work > > >> >> > > > >>> > > > >> anyway, as AD doesn't by default have > > the data needed > > >> by > > >> >> a > > >> >> > > linux > > >> >> > > > >>> box > > >> >> > > > >>> > > to > > >> >> > > > >>> > > > >> allow login...but see below for more > > options. > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >>> Is there any other way to test ldap > > authentication > > >> >> against > > >> >> > > AD > > >> >> > > > >>> with > > >> >> > > > >>> > > the > > >> >> > > > >>> > > > >>> userid in AD? I tried ldapsearch. It > > did find my > > >> user > > >> >> id > > >> >> > > > >>> without > > >> >> > > > >>> > > problem. 
> > >> >> > > > >>> > > > >>> But I haven't found any option to > > try with password > > >> and > > >> >> > > > >>> authenticate > > >> >> > > > >>> > > against > > >> >> > > > >>> > > > >>> AD. > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> Try using -D: > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> from `man ldapsearch`: > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> -D binddn > > >> >> > > > >>> > > > >> Use the Distinguished Name binddn to > > bind to the > > >> LDAP > > >> >> > > > >>> directory. > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc > > should let you > > >> try > > >> >> to > > >> >> > > > >>> authenticate > > >> >> > > > >>> > > > >> using whatever user you want to > > define. Just check > > >> and > > >> >> > > double > > >> >> > > > >>> check > > >> >> > > > >>> > > you get > > >> >> > > > >>> > > > >> the right path in that dn. > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> I tried -D " > > cn=username,ou=my_ou,dc=my_dc " but it > > >> just > > >> >> > > > >>> returned lots > > >> >> > > > >>> > > of > > >> >> > > > >>> > > > > users' information. It means > > successful? > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > >> Do you have ldap server setup or > > only the openldap > > >> >> library > > >> >> > > and > > >> >> > > > >>> > > openldap > > >> >> > > > >>> > > > >>> client? I don't understand why the > > log is not turned > > >> >> on. > > >> >> > > There > > >> >> > > > >>> must > > >> >> > > > >>> > > be some > > >> >> > > > >>> > > > >>> debugging info in the log which can > > help solve this > > >> >> issue. > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> only the libs and client. You should > > not need the > > >> >> server. 
In > > >> >> > > the > > >> >> > > > >>> > > > >> ldapsearch, you can use -d > > to get debugging > > >> >> info > > >> >> > > for > > >> >> > > > >>> that > > >> >> > > > >>> > > search. > > >> >> > > > >>> > > > >> As before, higher number = more debug > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> If the user can authenticate, does > > ethereal capture > > >> >> some > > >> >> > > > >>> packets > > >> >> > > > >>> > > about > > >> >> > > > >>> > > > >>> password verification? Right now I > > only see the > > >> packets > > >> >> > > when > > >> >> > > > >>> ldap > > >> >> > > > >>> > > search for > > >> >> > > > >>> > > > >>> my user id and gets results back > > from AD. > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> Ethereal should catch all data > > flowing between the > > >> >> client > > >> >> > > and > > >> >> > > > >>> server. > > >> >> > > > >>> > > If > > >> >> > > > >>> > > > >> you can search out the user in your > > AD right now, > > >> then > > >> >> one > > >> >> > > of > > >> >> > > > >>> two > > >> >> > > > >>> > > things is > > >> >> > > > >>> > > > >> happening: > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> 1. You are performing anonymous > > searches. In this > > >> case, > > >> >> no > > >> >> > > > >>> username > > >> >> > > > >>> > > and pw > > >> >> > > > >>> > > > >> is provided, and your AD is happy to > > hand over info > > >> to > > >> >> > > anyone > > >> >> > > > >>> who asks > > >> >> > > > >>> > > for > > >> >> > > > >>> > > > >> it. If this is the case, you will > > _not_ see > > >> >> authentication > > >> >> > > > >>> > > information. 
The > > >> >> > > > >>> > > > >> following MS KB article should > > probably help you > > >> >> determine > > >> >> > > on > > >> >> > > > >>> your AD > > >> >> > > > >>> > > if > > >> >> > > > >>> > > > >> anonymous queries are allowed: > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > http://support.microsoft.com/kb/320528 > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> It has exact instructions for how to > > get it going, > > >> but > > >> >> you > > >> >> > > can > > >> >> > > > >>> follow > > >> >> > > > >>> > > > >> along with it to check your current > > settings without > > >> >> making > > >> >> > > any > > >> >> > > > >>> > > changes. > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > > I checked our setting. Permission type > > for normal user > > >> is > > >> >> > > "Read & > > >> >> > > > >>> > > Execute". > > >> >> > > > >>> > > > > I click edit to check the detail about > > permission. I > > >> >> think it > > >> >> > > > >>> only > > >> >> > > > >>> > > allow the > > >> >> > > > >>> > > > > user to read the attributes, > > permission something and > > >> >> can't > > >> >> > > > >>> modify the > > >> >> > > > >>> > > > > AD.There is "Everyone" setting is also > > set as "Read & > > >> >> > > Execute". > > >> >> > > > >>> By the > > >> >> > > > >>> > > way, > > >> >> > > > >>> > > > > the AD is Win2003 R2. > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> 2. Authentication is happening. It > > will be the _very_ > > >> >> first > > >> >> > > > >>> thing the > > >> >> > > > >>> > > > >> client and server perform, after > > basic connection > > >> >> > > establishment. > > >> >> > > > >>> Look > > >> >> > > > >>> > > for it > > >> >> > > > >>> > > > >> at the very beginning of a dump. 
> > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> Also, it's a bit overkill, but the > > following article > > >> is > > >> >> > > > >>> extremely > > >> >> > > > >>> > > > >> informative about all the different > > ways you can plug > > >> >> linux > > >> >> > > into > > >> >> > > > >>> AD > > >> >> > > > >>> > > for > > >> >> > > > >>> > > > >> authentication. It might offer some > > hints... > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >>> Maybe I need dig into ldap.conf > > more. If you have > > >> any > > >> >> idea, > > >> >> > > let > > >> >> > > > >>> me > > >> >> > > > >>> > > know. > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >>> Thank you very much. > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >>> Lou > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > -------------- next part -------------- > > >> >> > > > >>> > > > An HTML attachment was scrubbed... > > >> >> > > > >>> > > > URL: > > >> >> > > > >>> > > > > >> >> > > > >>> > > >> >> > > > > >> >> > > >> > > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html > > >> >> > > > >>> > > > > > _______________________________________________ > > >> >> > > > >>> > > > tac_plus mailing list > > >> >> > > > >>> > > > tac_plus at shrubbery.net > > >> >> > > > >>> > > > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > >> >> > > > >>> > > > > >> >> > > > >>> > > >> >> > > > >> > > >> >> > > > >> > > >> >> > > > > > > >> >> > > > > >> >> > -------------- next part -------------- > > >> >> > An HTML attachment was scrubbed... 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/efddaa4b/attachment.html

From hailumeng at gmail.com Tue Nov 24 20:24:54 2009
From: hailumeng at gmail.com (Hailu Meng)
Date: Tue, 24 Nov 2009 14:24:54 -0600
Subject: [tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
In-Reply-To: <1259093148.3286.18.camel@tux>
References: <8dabae5b0911240522r18c4d9vc65096295522be5d@mail.gmail.com> <0y7wwr4C.1259075977.4075310.jeroen@nijhofnet.nl> <8dabae5b0911240938v4901c2f9ub622737d084f6c90@mail.gmail.com> <1259093148.3286.18.camel@tux>
Message-ID: <8dabae5b0911241224r37375447idebe2c45a3c1f1de@mail.gmail.com>

Hi Jeroen,

I did ldapsearch before and it seems to bind successfully as my testing user, and I can see all of the users' information returned. It should work anyway.

All,

Believe it or not, it works now. I just modified my /etc/pam.d/tac_plus file to the simplest one after reading the pam manual. I think I only need pam_ldap for my tac_plus:

auth required pam_ldap.so
account required pam_ldap.so
password required pam_ldap.so
session required pam_ldap.so

On Tue, Nov 24, 2009 at 2:05 PM, Jeroen Nijhof wrote:
> Hi Lou,
>
> That's not right indeed. You should get something like:
> jeroen at tux:~$ getent passwd jeroen
> jeroen:x:1000:1000:Jeroen Nijhof,,,:/home/jeroen:/bin/bash
>
> You should first try with ldapsearch and the binddn you use if you can
> find any users...
> If the users exist directly below the ou=User
> Accounts,dc=hq,dc=corp,dc=mycompany,dc=org tree use ?one and not ?sub.
> Are you sure that the group objects exist in the same tree as the
> users?? Normally you have something like ou=Group,dc=hq,...etc.
>
> Hmm and it seems like you are missing the uid and gid mappings:
>
> nss_map_attribute uidNumber .....
> nss_map_attribute gidNumber .....
>
> Regards,
> Jeroen Nijhof
>
> On Tue, 2009-11-24 at 11:38 -0600, Hailu Meng wrote:
>> Hi Jeroen,
>>
>> I issued the command "getent passwd myusername". It just came back with
>> request done: ld 0x8e124f8 msgid 1
>> request done: ld 0x8e124f8 msgid 2
>>
>> I think this is not right. I did see this kind of message in the tacacs
>> log when I tried to log in to my router. So I guess something is still
>> wrong with my /etc/ldap.conf. Here is my current configuration for
>> ldap.conf; the other file, /etc/openldap/ldap.conf, will point to this
>> file too. I think I have all the needed configuration here. Even though
>> I put the debug and log configuration here, I still can't get my log to
>> show up in the specified directory. Weird. Please help me check this
>> setting. Is there anything wrong with the nss mapping? I think that
>> part could be what is wrong. Thanks a lot.
>>
>> ***********************************************************
>> host myadserverIP
>> base ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org
>> ldap_version 3
>> scope sub
>> binddn CN=testuser,OU=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org
>> bindpw passwdfortest
>> rootbinddn dc=hq,dc=corp,dc=mycompany,dc=org
>> # The port.
>> # Optional: default is 389. SSL LDAP Port 636
>> port 389
>> # RFC2307bis naming contexts
>> nss_base_passwd ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
>> nss_base_shadow ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
>> nss_base_group ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
>> # RFC 2307 (AD) mappings
>> nss_map_objectclass posixAccount User
>> nss_map_objectclass shadowAccount User
>> nss_map_attribute uid sAMAccountName
>> nss_map_attribute homeDirectory unixHomeDirectory
>> nss_map_attribute gecos cn
>> nss_map_attribute shadowLastChange pwdLastSet
>> nss_map_objectclass posixGroup group
>> nss_map_attribute uniqueMember member
>>
>> # Disable SASL security layers. This is needed for AD.
>> sasl_secprops maxssf=0
>>
>> # PAM_LDAP options
>> pam_login_attribute sAMAccountName
>> pam_filter objectclass=User
>> pam_password ad
>> logdir /var/log/ldap
>> debug 1024
>> ssl no
>> timelimit 30
>> bind_timelimit 30
>>
>> On Tue, Nov 24, 2009 at 9:19 AM, Jeroen Nijhof wrote:
>>> Hi Lou,
>>>
>>> Check with 'getent passwd ' if you get the right user with the right
>>> information from your AD via ldap.
>>> If not then you should probably check your /etc/ldap.conf for the
>>> right search scope and attribute mappings.
>>> Nss_ldap and pam_ldap use the /etc/ldap.conf file so if it works with
>>> an nss lookup via getent it should work for pam_ldap as well.
>>> You can define a debug level as well in the /etc/ldap.conf file for
>>> logging.
>>> It's logging to /var/log/auth.log for me..
>>>
>>> Regards,
>>> Jeroen
>>>
>>> On 24/11/2009 "Hailu Meng" wrote:
>>>> Hi Jeroen,
>>>>
>>>> I see the packets sent back from AD for the search request have 4
>>>> attributes included:
>>>> objectclass
>>>> cn
>>>> description
>>>> sAMAccountName
>>>>
>>>> And these attribute values are correct. sAMAccountName is my login
>>>> user id. cn is my Full Name, objectclass is 4 items (top, person,
>>>> organizationalperson, user)
>>>>
>>>> I'm not sure whether that is enough for PAM to go to the next step?
>>>> But it did give us the error message "Unknown User". I observed that
>>>> when I input the password in my router and hit ENTER, my wireshark
>>>> captured two search requests from TACACS and two responses from AD.
>>>> Same contents as the previous one when I input my user name in the
>>>> router. I'm not sure whether it is possible that TACACS didn't find
>>>> the information it wants from AD although AD responded with something
>>>> (4 attribute values)
>>>>
>>>> By the way, I can't find any log information about PAM. I think it
>>>> should be in /var/log/secure. But there is nothing in this file. Do
>>>> you know how to find these logs or turn them on?
>>>>
>>>> Thanks for the help.
>>>>
>>>> Lou
>>>>
>>>> On Tue, Nov 24, 2009 at 4:11 AM, Jeroen Nijhof wrote:
>>>>>
>>>>> Hi Lou,
>>>>>
>>>>> Yes, most server applications check if a user exists by looking up
>>>>> the uid via nss before doing any authentication (i.e. sshd).
>>>>>
>>>>> Regards,
>>>>> Jeroen
>>>>>
>>>>> On 23/11/2009 "Hailu Meng" wrote:
>>>>>
>>>>>> Hi Jeroen,
>>>>>>
>>>>>> Thanks for helping. I modified the nsswitch.conf as below:
>>>>>> passwd: files ldap
>>>>>> shadow: files ldap
>>>>>> group: files ldap
>>>>>>
>>>>>> And left the other settings as default.
>>>>>>
>>>>>> The user attributes you are talking about are the attributes
>>>>>> retrieved from AD? I do see the packets from the AD server telling my
>>>>>> tacacs+ server the user attributes including homedir.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> Lou
>>>>>>
>>>>>> On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Did you setup the nsswitch.conf as well on your tac_plus server?
>>>>>>> Your tac_plus server needs to lookup the user attributes like
>>>>>>> homedir etc, otherwise pam will fail.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Jeroen Nijhof
>>>>>>>
>>>>>>> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
>>>>>>>> Ok. With -d 32, I got some more info about pam as the red colored
>>>>>>>> log.
>>>>>>>>
>>>>>>>> There is an "Unknown user" log entry following the input of my user
>>>>>>>> password. I feel confused: since ldap is able to get user info from
>>>>>>>> Active Directory, why does it turn out "Unknown user" here?
>>>>>>>>
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 3, flags 0x1
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 11 (0xb)
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: End header
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: User msg:
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: myusername
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: User data:
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: End packet
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1 pam_messages
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0: PAM_PROMPT_ECHO_OFF
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq no 4, flags 0x1
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 16 (0x10)
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: End header
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: msg:
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: Password:
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: data:
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: End packet
>>>>>>>> Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq no 5, flags 0x1
>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 18 (0x12)
>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: End header
>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: User msg:
>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: mypassword
>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: User data:
>>>>>>>> Mon Nov 23 15:21:21 2009 [3806]: End packet
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: Unknown user
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername' tty0 from 10.1.69.89 rejected
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: login failure: myusername 10.1.69.89 (10.1.69.89) tty0
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq no 6, flags 0x1
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252 (0xbe977644), Data length 6 (0x6)
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: End header
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: msg:
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: data:
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: End packet
>>>>>>>> Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
>>>>>>>>
>>>>>>>> On Mon, Nov 23, 2009 at 3:16 PM, john heasley wrote:
>>>>>>>>
>>>>>>>>> Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
>>>>>>>>>> I just saw some posts saying pam_krb winbind could be needed to
>>>>>>>>>> get pam to work against active directory. Is this true? The post
>>>>>>>>>> I was following actually is for an LDAP server, not Active
>>>>>>>>>> Directory.
>>>>>>>>>
>>>>>>>>> i don't know; each pam implementation seems to be [at least]
>>>>>>>>> slightly different. seems silly to need kerberos for ldap.
>>>>>>>>>
>>>>>>>>>> On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng wrote:
>>>>>>>>>>
>>>>>>>>>>> I think I need to put my pam configuration here:
>>>>>>>>>>>
>>>>>>>>>>> I followed this post
>>>>>>>>>>> http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.html
>>>>>>>>>>> to configure my pam module:
>>>>>>>>>>>
>>>>>>>>>>> /etc/pam.d/tacacs
>>>>>>>>>>>
>>>>>>>>>>> auth include system-auth
>>>>>>>>>>> account required pam_nologin.so
>>>>>>>>>>> account include system-auth
>>>>>>>>>>> password include system-auth
>>>>>>>>>>> session optional pam_keyinit.so force revoke
>>>>>>>>>>> session include system-auth
>>>>>>>>>>> session required pam_loginuid.so
>>>>>>>>>>>
>>>>>>>>>>> /etc/pam.d/system-auth
>>>>>>>>>>> #%PAM-1.0
>>>>>>>>>>> # This file is auto-generated.
>>>>>>>>>>> # User changes will be destroyed the next time authconfig is run.
>>>>>>>>>>> auth required pam_env.so
>>>>>>>>>>> auth sufficient pam_unix.so nullok try_first_pass
>>>>>>>>>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>>>>>>>>>> auth sufficient pam_ldap.so use_first_pass
>>>>>>>>>>> auth required pam_deny.so
>>>>>>>>>>>
>>>>>>>>>>> account required pam_unix.so broken_shadow
>>>>>>>>>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>>>>>>>>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>>>>>>>>> account required pam_permit.so
>>>>>>>>>>>
>>>>>>>>>>> password requisite pam_cracklib.so try_first_pass retry=3
>>>>>>>>>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>>>>>>>>> password sufficient pam_ldap.so use_authtok
>>>>>>>>>>> password required pam_deny.so
>>>>>>>>>>>
>>>>>>>>>>> session optional pam_keyinit.so revoke
>>>>>>>>>>> session required pam_limits.so
>>>>>>>>>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>>>>>>>>> session required pam_unix.so
>>>>>>>>>>> session optional pam_ldap.so
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <hailumeng at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi John,
>>>>>>>>>>>>
>>>>>>>>>>>> You mean issue commands like tac_plus -C /etc/tac_plus.conf -L
>>>>>>>>>>>> -p 49 -d 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't
>>>>>>>>>>>> make any change. I got the same log info. By the way, I also saw
>>>>>>>>>>>> the log info in /var/log/message:
>>>>>>>>>>>> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
>>>>>>>>>>>> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19 Initialized 1
>>>>>>>>>>>> Nov 23 14:24:29 NMS tac_plus[3676]: connect from 10.1.69.89 [10.1.69.89]
>>>>>>>>>>>> Nov 23 14:24:37 NMS tac_plus[3676]: login query for 'myuser' tty0 from 10.1.69.89 rejected
>>>>>>>>>>>> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser 10.1.69.89 (10.1.69.89) tty0
>>>>>>>>>>>>
>>>>>>>>>>>> Do we have an option to see the log about PAM? I haven't found
>>>>>>>>>>>> where it is. If we can check the log of PAM, then we could find
>>>>>>>>>>>> something useful. Right now the log of tac_plus didn't tell too
>>>>>>>>>>>> much about why the login failed.
>>>>>>>>>
>>>>>>>>> add -d 32. -d x -d y ... will be logically OR'd together.
>>>>>>>>>
>>>>>>>>>>>> Lou
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Nov 23, 2009 at 2:20 PM, john heasley <heas at shrubbery.net> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
>>>>>>>>>>>>>> Thanks John for helping me check this issue.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I just ran tac_plus -C /path/to/tac_plus.conf -L -p 49 -d256 -g
>>>>>>>>>>>>>> to see the
>>>>>>>>>>>>>
>>>>>>>>>>>>> try -d 16 -d 256. which i think will log the pwd that pam
>>>>>>>>>>>>> received from the device. make sure it's correct. the logs below
>>>>>>>>>>>>> do appear to be a reject/fail returned from pam.
>>>>>>>>>>>>>> log in stdout and in the log file. I can't see any suspicious
>>>>>>>>>>>>>> log information here. I paste the log below:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT size=23
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 5, flags 0x1
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 11 (0xb)
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: End header
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6), user_data_len 0 (0x0)
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: User msg:
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: myusername
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: User data:
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: End packet
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose default_fn
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: Calling authentication function
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: Writing AUTHEN/GETPASS size=28
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0), type 1, seq no 6, flags 0x1
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 16 (0x10)
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: End header
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5 (AUTHEN/GETPASS) flags=0x1
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: msg_len=10, data_len=0
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: msg:
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: Password:
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: data:
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: End packet
>>>>>>>>>>>>>> Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet
>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT size=30
>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey
>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0), type 1, seq no 7, flags 0x1
>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910 (0xc46868ce), Data length 18 (0x12)
>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: End header
>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT
>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13 (0xd), user_data_len 0 (0x0)
>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: User msg:
>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: mypassword
>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: User data:
>>>>>>>>>>>>>> Sat Nov 21 22:28:34 2009 [3393]: End packet
Sat Nov 21 22:28:36 2009 [3393]: login query > > for > > >> 'myusername' > > >> >> tty0 > > >> >> > > from > > >> >> > > > >>> > 10.1.69.89 r > > >> >> > > > >>> > ejected > > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login > > failure: myusername > > >> >> > > 10.1.69.89 > > >> >> > > > >>> > (10.1.69.89) t > > >> >> > > > >>> > ty0 > > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing > > AUTHEN/FAIL size=18 > > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: > > key=mykey > > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 > > (0xc0), type 1, > > >> >> seq no > > >> >> > > 8, > > >> >> > > > >>> flags > > >> >> > > > >>> > 0x1 > > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id > > 3295176910 > > >> >> > > (0xc46868ce), > > >> >> > > > >>> Data > > >> >> > > > >>> > length > > >> >> > > > >>> > 6 (0x6) > > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header > > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN > > status=2 > > >> >> (AUTHEN/FAIL) > > >> >> > > > >>> > flags=0x0 > > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, > > data_len=0 > > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg: > > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data: > > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet > > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89: > > disconnect > > >> >> > > > >>> > > > >> >> > > > >>> > > > >> >> > > > >>> > > > >> >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john > > heasley < > > >> >> heas at shrubbery.net > > >> >> > > > > > >> >> > > > >>> wrote: > > >> >> > > > >>> > > > >> >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, > > Hailu Meng: > > >> >> > > > >>> > > > Hi Adam, > > >> >> > > > >>> > > > > > >> >> > > > >>> > > > If the ldapsearch -D "" -w "" runs > > successfully, what do > > >> we > > >> >> > > suppose > > >> >> > > > >>> to > > >> >> > > > >>> > > get > > >> >> > > > >>> > > 
> from the output? I just got all of the > > user information > > >> in > > >> >> that > > >> >> > > > >>> group. > > >> >> > > > >>> > > Does > > >> >> > > > >>> > > > that means my password and username got > > authenticated > > >> >> > > successfully > > >> >> > > > >>> > > against > > >> >> > > > >>> > > > AD? > > >> >> > > > >>> > > > > > >> >> > > > >>> > > > This thing drives me crazy. I need solve > > it through this > > >> >> week > > >> >> > > > >>> before the > > >> >> > > > >>> > > > holiday... > > >> >> > > > >>> > > > > >> >> > > > >>> > > i havent followed this thread, as i know > > nearly zero about > > >> >> ldap. > > >> >> > > > >>> but, > > >> >> > > > >>> > > have you enabled authentication debugging > > in the tacacas > > >> >> daemon > > >> >> > > and > > >> >> > > > >>> > > checked the logs to determine what is > > coming back from > > >> pam? > > >> >> it > > >> >> > > very > > >> >> > > > >>> > > well may be that the ldap client is > > working just fine, but > > >> >> there > > >> >> > > is a > > >> >> > > > >>> > > pam module bug or a bug in the tacplus > > daemon or that your > > >> >> device > > >> >> > > > >>> > > simply doesnt like something about the > > replies. > > >> >> > > > >>> > > > > >> >> > > > >>> > > > Thanks a lot for the help. > > >> >> > > > >>> > > > > > >> >> > > > >>> > > > Lou > > >> >> > > > >>> > > > > > >> >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu > > Meng < > > >> >> > > hailumeng at gmail.com> > > >> >> > > > >>> wrote: > > >> >> > > > >>> > > > > > >> >> > > > >>> > > > > Still no clue how to turn on the log. > > binding seems > > >> good. > > >> >> See > > >> >> > > my > > >> >> > > > >>> > > findings > > >> >> > > > >>> > > > > below. Thanks a lot. 
> > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam > > < > > >> >> > > prozaconstilts at gmail.com> > > >> >> > > > >>> > > wrote: > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > >> Hailu Meng wrote: > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >>> Adam, > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >>> I tried the su - "userid" in my > > tacacs+ server but I > > >> >> don't > > >> >> > > have > > >> >> > > > >>> that > > >> >> > > > >>> > > > >>> userid in CentOS. So the CentOS just > > don't want me > > >> log > > >> >> in. > > >> >> > > I > > >> >> > > > >>> think > > >> >> > > > >>> > > this will > > >> >> > > > >>> > > > >>> not ask tacacs server to > > authenticate against AD. > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> You shouldn't need to have to define > > the user in > > >> CentOS, > > >> >> > > that's > > >> >> > > > >>> the > > >> >> > > > >>> > > point > > >> >> > > > >>> > > > >> of using ldap for authentication. The > > user is defined > > >> in > > >> >> > > ldap, > > >> >> > > > >>> not in > > >> >> > > > >>> > > > >> CentOS. Now that I think about it, su > > - > > >> probably > > >> >> > > wouldn't > > >> >> > > > >>> work > > >> >> > > > >>> > > > >> anyway, as AD doesn't by default have > > the data needed > > >> by > > >> >> a > > >> >> > > linux > > >> >> > > > >>> box > > >> >> > > > >>> > > to > > >> >> > > > >>> > > > >> allow login...but see below for more > > options. > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >>> Is there any other way to test ldap > > authentication > > >> >> against > > >> >> > > AD > > >> >> > > > >>> with > > >> >> > > > >>> > > the > > >> >> > > > >>> > > > >>> userid in AD? I tried ldapsearch. It > > did find my > > >> user > > >> >> id > > >> >> > > > >>> without > > >> >> > > > >>> > > problem. 
> > >> >> > > > >>> > > > >>> But I haven't found any option to > > try with password > > >> and > > >> >> > > > >>> authenticate > > >> >> > > > >>> > > against > > >> >> > > > >>> > > > >>> AD. > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> Try using -D: > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> from `man ldapsearch`: > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> -D binddn > > >> >> > > > >>> > > > >> Use the Distinguished Name binddn to > > bind to the > > >> LDAP > > >> >> > > > >>> directory. > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc > > should let you > > >> try > > >> >> to > > >> >> > > > >>> authenticate > > >> >> > > > >>> > > > >> using whatever user you want to > > define. Just check > > >> and > > >> >> > > double > > >> >> > > > >>> check > > >> >> > > > >>> > > you get > > >> >> > > > >>> > > > >> the right path in that dn. > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> I tried -D " > > cn=username,ou=my_ou,dc=my_dc " but it > > >> just > > >> >> > > > >>> returned lots > > >> >> > > > >>> > > of > > >> >> > > > >>> > > > > users' information. It means > > successful? > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > >> Do you have ldap server setup or > > only the openldap > > >> >> library > > >> >> > > and > > >> >> > > > >>> > > openldap > > >> >> > > > >>> > > > >>> client? I don't understand why the > > log is not turned > > >> >> on. > > >> >> > > There > > >> >> > > > >>> must > > >> >> > > > >>> > > be some > > >> >> > > > >>> > > > >>> debugging info in the log which can > > help solve this > > >> >> issue. > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> only the libs and client. You should > > not need the > > >> >> server. 
In > > >> >> > > the > > >> >> > > > >>> > > > >> ldapsearch, you can use -d > > to get debugging > > >> >> info > > >> >> > > for > > >> >> > > > >>> that > > >> >> > > > >>> > > search. > > >> >> > > > >>> > > > >> As before, higher number = more debug > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> If the user can authenticate, does > > ethereal capture > > >> >> some > > >> >> > > > >>> packets > > >> >> > > > >>> > > about > > >> >> > > > >>> > > > >>> password verification? Right now I > > only see the > > >> packets > > >> >> > > when > > >> >> > > > >>> ldap > > >> >> > > > >>> > > search for > > >> >> > > > >>> > > > >>> my user id and gets results back > > from AD. > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> Ethereal should catch all data > > flowing between the > > >> >> client > > >> >> > > and > > >> >> > > > >>> server. > > >> >> > > > >>> > > If > > >> >> > > > >>> > > > >> you can search out the user in your > > AD right now, > > >> then > > >> >> one > > >> >> > > of > > >> >> > > > >>> two > > >> >> > > > >>> > > things is > > >> >> > > > >>> > > > >> happening: > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> 1. You are performing anonymous > > searches. In this > > >> case, > > >> >> no > > >> >> > > > >>> username > > >> >> > > > >>> > > and pw > > >> >> > > > >>> > > > >> is provided, and your AD is happy to > > hand over info > > >> to > > >> >> > > anyone > > >> >> > > > >>> who asks > > >> >> > > > >>> > > for > > >> >> > > > >>> > > > >> it. If this is the case, you will > > _not_ see > > >> >> authentication > > >> >> > > > >>> > > information. 
The > > >> >> > > > >>> > > > >> following MS KB article should > > probably help you > > >> >> determine > > >> >> > > on > > >> >> > > > >>> your AD > > >> >> > > > >>> > > if > > >> >> > > > >>> > > > >> anonymous queries are allowed: > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > http://support.microsoft.com/kb/320528 > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> It has exact instructions for how to > > get it going, > > >> but > > >> >> you > > >> >> > > can > > >> >> > > > >>> follow > > >> >> > > > >>> > > > >> along with it to check your current > > settings without > > >> >> making > > >> >> > > any > > >> >> > > > >>> > > changes. > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > > I checked our setting. Permission type > > for normal user > > >> is > > >> >> > > "Read & > > >> >> > > > >>> > > Execute". > > >> >> > > > >>> > > > > I click edit to check the detail about > > permission. I > > >> >> think it > > >> >> > > > >>> only > > >> >> > > > >>> > > allow the > > >> >> > > > >>> > > > > user to read the attributes, > > permission something and > > >> >> can't > > >> >> > > > >>> modify the > > >> >> > > > >>> > > > > AD.There is "Everyone" setting is also > > set as "Read & > > >> >> > > Execute". > > >> >> > > > >>> By the > > >> >> > > > >>> > > way, > > >> >> > > > >>> > > > > the AD is Win2003 R2. > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> 2. Authentication is happening. It > > will be the _very_ > > >> >> first > > >> >> > > > >>> thing the > > >> >> > > > >>> > > > >> client and server perform, after > > basic connection > > >> >> > > establishment. > > >> >> > > > >>> Look > > >> >> > > > >>> > > for it > > >> >> > > > >>> > > > >> at the very beginning of a dump. 
> > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> Also, it's a bit overkill, but the > > following article > > >> is > > >> >> > > > >>> extremely > > >> >> > > > >>> > > > >> informative about all the different > > ways you can plug > > >> >> linux > > >> >> > > into > > >> >> > > > >>> AD > > >> >> > > > >>> > > for > > >> >> > > > >>> > > > >> authentication. It might offer some > > hints... > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >>> Maybe I need dig into ldap.conf > > more. If you have > > >> any > > >> >> idea, > > >> >> > > let > > >> >> > > > >>> me > > >> >> > > > >>> > > know. > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >>> Thank you very much. > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >>> Lou > > >> >> > > > >>> > > > >>> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > >> > > >> >> > > > >>> > > > > > > >> >> > > > >>> > > > -------------- next part -------------- > > >> >> > > > >>> > > > An HTML attachment was scrubbed... > > >> >> > > > >>> > > > URL: > > >> >> > > > >>> > > > > >> >> > > > >>> > > >> >> > > > > >> >> > > >> > > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html > > >> >> > > > >>> > > > > > _______________________________________________ > > >> >> > > > >>> > > > tac_plus mailing list > > >> >> > > > >>> > > > tac_plus at shrubbery.net > > >> >> > > > >>> > > > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > >> >> > > > >>> > > > > >> >> > > > >>> > > >> >> > > > >> > > >> >> > > > >> > > >> >> > > > > > > >> >> > > > > >> >> > -------------- next part -------------- > > >> >> > An HTML attachment was scrubbed... 
> > >> >> > URL: > > >> >> > > >> > > > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html > > >> >> > _______________________________________________ > > >> >> > tac_plus mailing list > > >> >> > tac_plus at shrubbery.net > > >> >> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > >> >> > > >> >> > > >> >> > > >> > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/b19e83d9/attachment.html From hailumeng at gmail.com Tue Nov 24 21:04:02 2009 
From: hailumeng at gmail.com (Hailu Meng)
Date: Tue, 24 Nov 2009 15:04:02 -0600
Subject: [tac_plus] Issues about limiting the commands to be execed in switch
Message-ID: <8dabae5b0911241304t18fc582cg1c2b8409739e69c1@mail.gmail.com>

Hi All,

I'm trying to create two groups in my tac_plus server. One is the admin. The
other one has limited rights. So I want to limit this group to priv-level 1,
and it can only issue the show ip and show interface commands. Also I
configured the authorization in the switch. Here is my configuration in
tac_plus.conf. My tac_plus just allows the user to do everything without
limiting anything.

/etc/tac_plus.conf:

accounting file = /var/log/tacacs/acctfile
key = "keyfortac"

user = $enab15$ {
    login = cleartext "enablepass"
}

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = limited {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit ip
        permit interface
    }
}

user = test {
    member = limited
    login = PAM
}

The switch configuration:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

I think these configurations are correct, but it just doesn't work. Am I
wrong somewhere? Suppose the "cmd" should deny all the show commands except
the ones specified. Please help. Thanks a lot.

Lou
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/5ea8b189/attachment.html
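The `limited` group above relies on tac_plus's per-command regex matching, which is easy to get subtly wrong. What follows is an added example, not tac_plus source and not the poster's configuration: a small Python model of the first-match evaluation, with the posted `show` block beside an anchored version that ends in an explicit `deny .*`. The model's assumptions are labelled in the comments: IOS sends the first word of the command as `cmd` and the remaining words, followed by `<cr>`, as `cmd-arg` attributes; the server joins those arguments with spaces and tests each permit/deny regex against that string with an unanchored search; and a `cmd` block in which no line matches is treated as a deny (adding `deny .*` yourself removes any dependence on that default). One device-side check worth making before blaming the server config: `if-authenticated` in the `aaa authorization` method lists is a fail-open fallback that IOS consults only when the TACACS+ method errors out (an unreachable or otherwise failing server), and it then authorizes every command, which looks exactly like "the user can do everything".

```python
"""Model of tac_plus command authorization for a NAS 'cmd' request.

Added example: a Python model of the evaluation order, not tac_plus source.
Assumptions (labelled): IOS sends the first word as 'cmd' and every other
word, plus a trailing '<cr>', as 'cmd-arg'; tac_plus joins the args with
spaces and applies each permit/deny regex to that string with an unanchored
search; a cmd block where no line matches is treated as a deny.
"""
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, str]                 # ("permit" | "deny", regex)
CmdPolicy = Dict[str, List[Rule]]      # command word -> ordered rules


class Group:
    def __init__(self, default_service: str, cmds: CmdPolicy) -> None:
        # 'default service = permit|deny' governs commands with no cmd block.
        self.default_service = default_service
        self.cmds = cmds


def split_nas_request(command: str) -> Tuple[str, str]:
    """Split a typed command into the 'cmd' word and the joined 'cmd-arg'
    string as the NAS would present it (trailing '<cr>' included)."""
    words = command.split()
    if not words:
        raise ValueError("empty command")
    return words[0], " ".join(words[1:] + ["<cr>"])


def authorize(group: Group, command: str) -> Tuple[str, str]:
    """Return (decision, reason). The first matching permit/deny line wins."""
    word, args = split_nas_request(command)
    rules = group.cmds.get(word)
    if rules is None:
        return group.default_service, f"no cmd block for {word!r}: default service"
    for action, pattern in rules:
        if re.search(pattern, args):   # unanchored, like regexec()
            return action, f"{action} {pattern!r} matched {args!r}"
    return "deny", "no permit/deny line matched: treated as deny"


# The poster's 'limited' group as written: no anchors, no explicit deny.
POSTED_LIMITED = Group("deny", {
    "show": [("permit", "ip"), ("permit", "interface")],
})

# Same intent, hardened: patterns anchored to the start of the argument
# string and the block closed with an explicit catch-all deny.
HARDENED_LIMITED = Group("deny", {
    "show": [
        ("permit", r"^ip( |$)"),
        ("permit", r"^interfaces?( |$)"),
        ("deny", r".*"),
    ],
})


def compare(command: str) -> Tuple[str, str]:
    """Decision of the posted policy beside the hardened one."""
    return (authorize(POSTED_LIMITED, command)[0],
            authorize(HARDENED_LIMITED, command)[0])


if __name__ == "__main__":
    for cmd in ("show ip route", "show interfaces status", "show ipv6 route",
                "show running-config | include ip", "show running-config",
                "configure terminal"):
        posted, hardened = compare(cmd)
        print(f"{cmd:<36} posted={posted:<6} hardened={hardened}")
```

Running it shows the point of the anchors: with the posted block, `show ipv6 route` and `show running-config | include ip` are permitted because the unanchored `ip` finds a substring, while the hardened block permits only argument strings that begin with `ip` or `interface(s)`.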
From: asaykao at gmail.com (Andy Saykao)
Date: Wed, 25 Nov 2009 13:45:31 +1100
Subject: [tac_plus] Installing tac_plus as a different user other than root??
Message-ID: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com>

Hi All,

Is there a way to install the program as a different user other than root?
I'm installing this on Ubuntu Server 8.10.

For example I've created a user called tac-plus with uid and gid of 1001.

/etc/passwd:
tac-plus:x:1001:1001:TACACS+ User,,,:/home/tac-plus:/bin/bash

/etc/group:
tac-plus:x:1001:

I then configured it with the userid and groupid:

./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log --with-logfile=/var/log/tac_plus.log --with-userid=1001 --with-groupid=1001

But once the program was installed, the files and directories are all still
owned by root?

root at tacacs-1:/tac-plus# ls -la
total 24
drwxr-xr-x  6 root root 4096 2009-11-25 12:14 .
drwxr-xr-x 21 root root 4096 2009-11-25 12:14 ..
drwxr-xr-x  2 root root 4096 2009-11-25 12:14 bin
drwxr-xr-x  2 root root 4096 2009-11-25 12:14 include
drwxr-xr-x  2 root root 4096 2009-11-25 12:14 lib
drwxr-xr-x  4 root root 4096 2009-11-25 12:14 share

Any ideas how to install it as a different user?

Thanks.

Andy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091125/2ea95cb4/attachment.html
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 25 Nov 2009 08:43:30 +0200
Subject: [tac_plus] Re: Installing tac_plus as a different user other than root??
In-Reply-To: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com>
References: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com>
Message-ID: <200911250843.30183.alan.mckinnon@gmail.com>

On Wednesday 25 November 2009 04:45:31 Andy Saykao wrote:
> Hi All,
>
> Is there a way to install the program as a different user other than root?
> I'm installing this on Ubuntu Server 8.10.
>
> For example I've created a user called tac-plus with uid and gid of 1001.
>
> /etc/passwd:
> tac-plus:x:1001:1001:TACACS+ User,,,:/home/tac-plus:/bin/bash
>
> /etc/group:
> tac-plus:x:1001:
>
> I then configured it with the userid and groupid:
>
> ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log
> --with-logfile=/var/log/tac_plus.log --with-userid=1001 --with-groupid=1001
>
> But once the program was installed, the files and directories are all still
> owned by root?
>
> root at tacacs-1:/tac-plus# ls -la
> total 24
> drwxr-xr-x  6 root root 4096 2009-11-25 12:14 .
> drwxr-xr-x 21 root root 4096 2009-11-25 12:14 ..
> drwxr-xr-x  2 root root 4096 2009-11-25 12:14 bin
> drwxr-xr-x  2 root root 4096 2009-11-25 12:14 include
> drwxr-xr-x  2 root root 4096 2009-11-25 12:14 lib
> drwxr-xr-x  4 root root 4096 2009-11-25 12:14 share
>
> Any ideas how to install it as a different user?

It is already correctly installed. The tac-plus user simply needs to read and
execute the files, not own them or write to them.

Check other daemons that drop privileges at runtime; those files are normally
owned by root as well, as root is the only user that can write to system
areas.

tac-plus just needs to be able to write its pid file.

--
alan dot mckinnon at gmail dot com
From: asaykao at gmail.com (Andy Saykao)
Date: Thu, 26 Nov 2009 10:57:38 +1100
Subject: [tac_plus] Uninstalling tacacs+
Message-ID: <964ee8e00911251557t71c8b46al8ae9fccd6d6387af@mail.gmail.com>

Hi All,

Sorry for so many questions, new to the mailing list and eager to learn as
much about this product as I can.

When I installed tacacs+, I installed everything into the /tac-plus folder
with the command ./configure --prefix /tac-plus.

To uninstall the program, is it as simple as deleting the entire /tac-plus
folder?

Thanks.

Andy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091126/30b1ce3b/attachment.html

From: asturluismi at gmail.com (luismi)
Date: Thu, 26 Nov 2009 01:18:40 +0100
Subject: [tac_plus] Re: Uninstalling tacacs+
In-Reply-To: <964ee8e00911251557t71c8b46al8ae9fccd6d6387af@mail.gmail.com>
References: <964ee8e00911251557t71c8b46al8ae9fccd6d6387af@mail.gmail.com>
Message-ID: <1259194720.22630.1.camel@hal9000>

Which distro?

On Thu, 26-11-2009 at 10:57 +1100, Andy Saykao wrote:
> Hi All,
>
> Sorry for so many questions, new to the mailing list and eager to learn as
> much about this product as I can.
>
> When I installed tacacs+, I installed everything into the /tac-plus folder
> with the command ./configure --prefix /tac-plus.
>
> To uninstall the program, is it as simple as deleting the entire /tac-plus
> folder?
>
> Thanks.
>
> Andy
From: asaykao at gmail.com (Andy Saykao)
Date: Thu, 26 Nov 2009 11:43:42 +1100
Subject: [tac_plus] Re: Uninstalling tacacs+
In-Reply-To: <1259194720.22630.1.camel@hal9000>
References: <964ee8e00911251557t71c8b46al8ae9fccd6d6387af@mail.gmail.com> <1259194720.22630.1.camel@hal9000>
Message-ID: <964ee8e00911251643l649f8e85h7bba01f42d0b8586@mail.gmail.com>

I am using the latest one - tacacs+-F4.0.4.19

On Thu, Nov 26, 2009 at 11:18 AM, luismi wrote:
> Which distro?
>
> On Thu, 26-11-2009 at 10:57 +1100, Andy Saykao wrote:
> > Hi All,
> >
> > Sorry for so many questions, new to the mailing list and eager to learn
> > as much about this product as I can.
> >
> > When I installed tacacs+, I installed everything into the /tac-plus
> > folder with the command ./configure --prefix /tac-plus.
> >
> > To uninstall the program, is it as simple as deleting the entire
> > /tac-plus folder?
> >
> > Thanks.
> >
> > Andy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091126/8aab9020/attachment.html
From: asaykao at gmail.com (Andy Saykao)
Date: Thu, 26 Nov 2009 11:45:07 +1100
Subject: [tac_plus] Can you log ping and traceroute commands?
Message-ID: <964ee8e00911251645x3befbfb7ie798f93ff7138d2f@mail.gmail.com>

Hi All,

I've set up a hdtest user that can run privilege commands by using
privilege-level 3 and going into "enable 3". Whilst the user can run the
privilege commands like ping and traceroute, I am not seeing these commands
appear in the accounting logs for this user.

It looks like the command 'ping' does not appear anywhere in the log even
when I use a privilege-level 15 user, so I can only assume that this is the
desired behaviour. But with traceroute, I see it appearing in the logs for a
privilege-level 15 user but not for a privilege-level 3 user? Any ideas why
this is so, or how to see it in the log for a privilege-level 3 user?

tac_plus.conf:

# create hdtest account
user = hdtest {
    member = helpdesk
    name = "Helpdesk Login"
}

#Helpdesk Group
group = helpdesk {
    default service = deny
    login = des "nsQW1T.SSs7Gk"
    enable = des "nsQW1T.SSs7Gk"
    cmd = quit {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = show {
        permit ip
        permit interface
        permit users
        permit privilege
        deny .*
    }
    cmd = enable {
        permit 3
        deny .*
    }
    cmd = ping {
        permit .*
    }
    cmd = traceroute {
        permit .*
    }
}

Cisco AAA Configuration:

aaa accounting send stop-record authentication failure
aaa accounting delay-start all
aaa accounting exec default
aaa accounting commands 0 default
aaa accounting commands 1 default
aaa accounting commands 3 default
aaa accounting commands 15 default
aaa accounting network default
aaa accounting connection default
aaa accounting system default

Cheers.

Andy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091126/ea472a43/attachment.html
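To see which commands actually reached the accounting file, and at which privilege level, and to check for the kind of gap described above, here is an added example (my code, not tac_plus's) that parses records laid out like tac_plus's accounting file and reports coverage per command word and privilege level. The sample lines are constructed, not taken from the thread; the layout (tab-separated date, NAS address, user, port, remote address and record type, followed by `attr=value` pairs such as `priv-lvl=` and `cmd=`) is this example's assumption about the file format, so compare it with one real record before pointing it at production logs.

```python
"""Summarise tac_plus accounting records by command and privilege level.

Added example, not tac_plus code. Assumed record layout (verify against a
real file): tab-separated date, NAS address, user, port, remote address,
record type (start/stop/update), then attr=value pairs.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample records for a helpdesk user and an admin (not real data).
SAMPLE_LOG = "\n".join([
    "Thu Nov 26 11:40:01 2009\t192.0.2.1\thdtest\ttty1\t198.51.100.7\tstart\ttask_id=40\ttimezone=UTC\tservice=shell",
    "Thu Nov 26 11:40:09 2009\t192.0.2.1\thdtest\ttty1\t198.51.100.7\tstop\ttask_id=41\ttimezone=UTC\tservice=shell\tpriv-lvl=1\tcmd=enable 3 <cr>",
    "Thu Nov 26 11:40:15 2009\t192.0.2.1\thdtest\ttty1\t198.51.100.7\tstop\ttask_id=42\ttimezone=UTC\tservice=shell\tpriv-lvl=3\tcmd=show ip interface brief <cr>",
    "Thu Nov 26 11:41:02 2009\t192.0.2.1\tadmin\ttty2\t198.51.100.8\tstop\ttask_id=43\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=traceroute 192.0.2.254 <cr>",
    "Thu Nov 26 11:41:30 2009\t192.0.2.1\tadmin\ttty2\t198.51.100.8\tstop\ttask_id=44\ttimezone=UTC\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "Thu Nov 26 11:42:00 2009\t192.0.2.1\thdtest\ttty1\t198.51.100.7\tstop\ttask_id=45\ttimezone=UTC\tservice=shell",
])

FIXED_FIELDS = ("date", "nas", "user", "port", "remote", "type")


def parse_record(line: str) -> dict:
    """One accounting line -> dict of fixed fields plus an 'attrs' dict."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < len(FIXED_FIELDS):
        raise ValueError(f"short accounting record: {line!r}")
    rec = dict(zip(FIXED_FIELDS, fields))
    attrs: Dict[str, str] = {}
    for av in fields[len(FIXED_FIELDS):]:
        key, sep, value = av.partition("=")
        if sep:                       # skip malformed fragments instead of crashing
            attrs[key] = value
    rec["attrs"] = attrs
    return rec


def parse_log(text: str) -> List[dict]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def command_records(records: Iterable[dict]) -> List[dict]:
    """Only the records that carry command accounting (a cmd= attribute);
    exec start/stop records have none."""
    return [r for r in records if "cmd" in r["attrs"]]


def coverage(records: Iterable[dict]) -> Dict[str, List[int]]:
    """Command word -> sorted privilege levels at which it was accounted."""
    seen = defaultdict(set)
    for r in command_records(records):
        word = r["attrs"]["cmd"].split()[0]
        seen[word].add(int(r["attrs"].get("priv-lvl", "-1")))
    return {word: sorted(levels) for word, levels in seen.items()}


def accounting_gaps(records: Iterable[dict], expected_cmds: Iterable[str],
                    expected_levels: Iterable[int]) -> Dict[str, List[int]]:
    """Commands the policy expects to see but that never appeared at a level:
    {cmd: [missing levels]}. An empty dict means full coverage."""
    cov = coverage(records)
    gaps: Dict[str, List[int]] = {}
    for cmd in expected_cmds:
        missing = [lvl for lvl in expected_levels if lvl not in cov.get(cmd, [])]
        if missing:
            gaps[cmd] = missing
    return gaps


def above_level(records: Iterable[dict], user: str, max_level: int) -> List[str]:
    """Commands a user ran above the privilege level their group should allow."""
    return [r["attrs"]["cmd"] for r in command_records(records)
            if r["user"] == user and int(r["attrs"].get("priv-lvl", "0")) > max_level]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("coverage:", coverage(recs))
    print("gaps:", accounting_gaps(recs, ("ping", "traceroute"), (3, 15)))
    print("hdtest above level 3:", above_level(recs, "hdtest", 3))
```

`accounting_gaps` is the check that turns the observation in the post into something you can run nightly: list the commands your policy cares about and the levels at which they are permitted, and the function names every (command, level) pair for which the device never sent a record.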
From: asturluismi at gmail.com (luismi)
Date: Thu, 26 Nov 2009 01:57:44 +0100
Subject: [tac_plus] Re: Uninstalling tacacs+
In-Reply-To: <964ee8e00911251643l649f8e85h7bba01f42d0b8586@mail.gmail.com>
References: <964ee8e00911251557t71c8b46al8ae9fccd6d6387af@mail.gmail.com> <1259194720.22630.1.camel@hal9000> <964ee8e00911251643l649f8e85h7bba01f42d0b8586@mail.gmail.com>
Message-ID: <1259197064.22630.14.camel@hal9000>

If you installed it by hand... bad idea.

In order to avoid problems with external packages I use "checkinstall", which
captures the "make install" orders and creates .deb, .rpm... packages as
required.

If you installed it just with "make install"... unless there is a "make
uninstall" you would need to delete it by hand, step by step. :P

I can't see any other way right now.

On Thu, 26-11-2009 at 11:43 +1100, Andy Saykao wrote:
> I am using the latest one - tacacs+-F4.0.4.19
>
> On Thu, Nov 26, 2009 at 11:18 AM, luismi wrote:
> > Which distro?
> >
> > On Thu, 26-11-2009 at 10:57 +1100, Andy Saykao wrote:
> > > Hi All,
> > >
> > > Sorry for so many questions, new to the mailing list and eager to
> > > learn as much about this product as I can.
> > >
> > > When I installed tacacs+, I installed everything into the /tac-plus
> > > folder with the command ./configure --prefix /tac-plus.
> > >
> > > To uninstall the program, is it as simple as deleting the entire
> > > /tac-plus folder?
> > >
> > > Thanks.
> > >
> > > Andy
From: prozaconstilts at gmail.com (adam)
Date: Wed, 25 Nov 2009 21:38:29 -0500
Subject: [tac_plus] Re: Uninstalling tacacs+
In-Reply-To: <964ee8e00911251643l649f8e85h7bba01f42d0b8586@mail.gmail.com>
References: <964ee8e00911251557t71c8b46al8ae9fccd6d6387af@mail.gmail.com> <1259194720.22630.1.camel@hal9000> <964ee8e00911251643l649f8e85h7bba01f42d0b8586@mail.gmail.com>
Message-ID: <4B0DEA25.9080304@gmail.com>

Andy Saykao wrote:
> I am using the latest one - tacacs+-F4.0.4.19
>
> On Thu, Nov 26, 2009 at 11:18 AM, luismi wrote:
>
> > Which distro?
> >
> > On Thu, 26-11-2009 at 10:57 +1100, Andy Saykao wrote:
> > > Hi All,
> > >
> > > Sorry for so many questions, new to the mailing list and eager to
> > > learn as much about this product as I can.
> > >
> > > When I installed tacacs+, I installed everything into the /tac-plus
> > > folder with the command ./configure --prefix /tac-plus.
> > >
> > > To uninstall the program, is it as simple as deleting the entire
> > > /tac-plus folder?
> > >
> > > Thanks.
> > >
> > > Andy

If you still have the makefile that was generated via your configure command,
you could check the install portion of it, and do the reverse.

I know for me, the configure-generated Makefile did have an uninstall, so it's
as simple as `make uninstall`.
Adam
From: asaykao at gmail.com (Andy Saykao)
Date: Thu, 26 Nov 2009 15:14:04 +1100
Subject: [tac_plus] Re: Uninstalling tacacs+
In-Reply-To: <4B0DEA25.9080304@gmail.com>
References: <964ee8e00911251557t71c8b46al8ae9fccd6d6387af@mail.gmail.com> <1259194720.22630.1.camel@hal9000> <964ee8e00911251643l649f8e85h7bba01f42d0b8586@mail.gmail.com> <4B0DEA25.9080304@gmail.com>
Message-ID: <964ee8e00911252014r53d80c96s80921ff96a472c72@mail.gmail.com>

Thanks for that. Here's the output of my 'make uninstall'. I guess these are
the steps you need to do in order to uninstall it.

root at tacacs-1:/usr/local/src/tacacs+-F4.0.4.19# make uninstall
 ( cd '/tac-plus/bin' && rm -f tac_pwd tac_plus )
 ( cd '/tac-plus/include' && rm -f tacacs.h )
 /bin/bash ./libtool --mode=uninstall rm -f '/tac-plus/lib/libtacacs.la'
rm -f /tac-plus/lib/libtacacs.la /tac-plus/lib/libtacacs.so.1.0.0 /tac-plus/lib/libtacacs.so.1 /tac-plus/lib/libtacacs.so /tac-plus/lib/libtacacs.a
 ( cd '/tac-plus/share/man/man3' && rm -f regexp.3 )
 ( cd '/tac-plus/share/man/man5' && rm -f tac_plus.conf.5 )
 ( cd '/tac-plus/share/man/man8' && rm -f tac_plus.8 tac_pwd.8 )
 ( cd '/tac-plus/share/tacacs+' && rm -f do_auth.py users_guide )
 ( cd '/tac-plus/share/tacacs+' && rm -f tac_convert )

Everything worked except for this step...

root at tacacs-1:/tac-plus/include# /bin/bash ./libtool --mode=uninstall rm -f '/tac-plus/lib/libtacacs.la'
/bin/bash: ./libtool: No such file or directory

To fix that I had to go back into the install directory and run it.

root at tacacs-1:/usr/local/src/tacacs+-F4.0.4.19# locate libtool
/usr/local/src/tacacs+-F4.0.4.19/libtool

cd /usr/local/src/tacacs+-F4.0.4.19/
root at tacacs-1:/usr/local/src/tacacs+-F4.0.4.19# /bin/bash ./libtool --mode=uninstall rm -f '/tac-plus/lib/libtacacs.la'

All good now... Thanks everybody!!
On Thu, Nov 26, 2009 at 1:38 PM, adam wrote:
> Andy Saykao wrote:
>
> > I am using the latest one - tacacs+-F4.0.4.19
> >
> > On Thu, Nov 26, 2009 at 11:18 AM, luismi wrote:
> >
> > > Which distro?
> > >
> > > On Thu, 26-11-2009 at 10:57 +1100, Andy Saykao wrote:
> > > > Hi All,
> > > >
> > > > Sorry for so many questions, new to the mailing list and eager to
> > > > learn as much about this product as I can.
> > > >
> > > > When I installed tacacs+, I installed everything into the /tac-plus
> > > > folder with the command ./configure --prefix /tac-plus.
> > > >
> > > > To uninstall the program, is it as simple as deleting the entire
> > > > /tac-plus folder?
> > > >
> > > > Thanks.
> > > >
> > > > Andy
>
> If you still have the makefile that was generated via your configure
> command, you could check the install portion of it, and do the reverse.
>
> I know for me, the configure-generated Makefile did have an uninstall, so
> it's as simple as `make uninstall`.
>
> Adam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091126/3cdfbef1/attachment.html
From: asaykao at gmail.com (Andy Saykao) Date: Fri, 27 Nov 2009 12:34:34 +1100 Subject: [tac_plus] Re: Installing tac_plus as a different user other than root?? In-Reply-To: <200911250843.30183.alan.mckinnon@gmail.com> References: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com> <200911250843.30183.alan.mckinnon@gmail.com> Message-ID: <964ee8e00911261734j19c698bfx5096da6e9a0ec787@mail.gmail.com> Thanks for that piece of information Alan. Much appreciated. As Alan has explained, here is a ps of my user tac-plus running the program. root at tacacs-1:/var/log# ps aux | grep tac tac-plus 10847 0.0 0.0 2316 544 pts/0 S 12:20 0:00 /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg Please be aware that if you want to run it as a different user other than root AND also want to login by using the user's password in /etc/passwd then you will need to set GID to "shadow". This will allow you to read the /etc/passwd file. # grep shadow /etc/group shadow:x:42: ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log --with-logfile=/var/log/tac_plus.log --with-userid=1001 --with-groupid=42 Now when the program starts up it will show the uid=1001 (tac-plus user) and the gid=42 (GID shadow). # /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg -t -g -d 128 Reading config Version F4.0.4.19 Initialized 1 tac_plus server F4.0.4.19 starting uid=1001 euid=1001 gid=42 egid=42 s=5 Thanks to this guy's useful post: http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs Hope that helps newbies like me out there. Cheers. Andy ----- On Wed, Nov 25, 2009 at 5:43 PM, Alan McKinnon wrote: > On Wednesday 25 November 2009 04:45:31 Andy Saykao wrote: > > Hi All, > > > > Is there a way to install the program as a different user other than > root?? > > I'm installing this on Ubuntu Server 8.10. > > > > For example I've created a user called tac-plus with uid and gid of 1001. 
> >
> > /etc/passwd:
> > tac-plus:x:1001:1001:TACACS+ User,,,:/home/tac-plus:/bin/bash
> >
> > /etc/group:
> > tac-plus:x:1001:
> >
> > I then configured it with the userid and groupid:
> >
> > ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log
> > --with-logfile=/var/log/tac_plus.log --with-userid=1001 --with-groupid=1001
> >
> > But once the program was installed, the files and directories are all still
> > owned by root?
> >
> > root at tacacs-1:/tac-plus# ls -la
> > total 24
> > drwxr-xr-x 6 root root 4096 2009-11-25 12:14 .
> > drwxr-xr-x 21 root root 4096 2009-11-25 12:14 ..
> > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 bin
> > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 include
> > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 lib
> > drwxr-xr-x 4 root root 4096 2009-11-25 12:14 share
> >
> > Any ideas how to install it as a different user?
>
> It is already correctly installed. The tac-plus user simply needs to read and
> execute the files, not own them or write to them.
>
> Check other daemons that drop privileges at runtime, those files are normally
> owned by root as well as root is the only user that can write to system areas.
>
> tac-plus just needs to be able to write its pid file
>
> --
> alan dot mckinnon at gmail dot com

From heas at shrubbery.net Fri Nov 27 06:19:09 2009
From: heas at shrubbery.net (john heasley)
Date: Fri, 27 Nov 2009 06:19:09 +0000
Subject: [tac_plus] Re: Can you log ping and traceroute commands?
In-Reply-To: <964ee8e00911251645x3befbfb7ie798f93ff7138d2f@mail.gmail.com>
References: <964ee8e00911251645x3befbfb7ie798f93ff7138d2f@mail.gmail.com>
Message-ID: <20091127061909.GK22013@shrubbery.net>

Thu, Nov 26, 2009 at 11:45:07AM +1100, Andy Saykao:
> Hi All,
>
> I've set up a hdtest user that can run privilege commands by using
> privilege-level 3 and going into "enable 3". Whilst the user can run the
> privilege commands like ping and traceroute, I am not seeing these commands
> appear in the accounting logs for this user.
>
> It looks like the command 'ping' does not appear anywhere in the log even
> when I use a privilege-level 15 user, so I can only assume that this is the
> desired behaviour. But with traceroute, I see it appearing in the logs for a
> privilege-level 15 user but not for a privilege-level 3 user? Any ideas why
> this is so or how to see it in the log for a privilege-level 3 user?

that'd seem a clear indication that your IOS is broken.

From asaykao at gmail.com Fri Nov 27 06:26:21 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Fri, 27 Nov 2009 17:26:21 +1100
Subject: [tac_plus] Re: Can you log ping and traceroute commands?
In-Reply-To: <20091127061909.GK22013@shrubbery.net>
References: <964ee8e00911251645x3befbfb7ie798f93ff7138d2f@mail.gmail.com> <20091127061909.GK22013@shrubbery.net>
Message-ID: <964ee8e00911262226y23b92abfu8dea5dce10d2526c@mail.gmail.com>

Hi John,

I certainly hope my IOS version isn't broken.

Could somebody please verify if a 'ping' command shows up in the accounting log (so I can go get a new IOS version if that's the case).

Many thanks.

Andy

On Fri, Nov 27, 2009 at 5:19 PM, john heasley wrote:
> Thu, Nov 26, 2009 at 11:45:07AM +1100, Andy Saykao:
> > Hi All,
> >
> > I've set up a hdtest user that can run privilege commands by using
> > privilege-level 3 and going into "enable 3". Whilst the user can run the
> > privilege commands like ping and traceroute, I am not seeing these commands
> > appear in the accounting logs for this user.
> >
> > It looks like the command 'ping' does not appear anywhere in the log even
> > when I use a privilege-level 15 user, so I can only assume that this is the
> > desired behaviour. But with traceroute, I see it appearing in the logs for a
> > privilege-level 15 user but not for a privilege-level 3 user? Any ideas why
> > this is so or how to see it in the log for a privilege-level 3 user?
>
> that'd seem a clear indication that your ios is broken.

From kissg at ssg.ki.iif.hu Fri Nov 27 06:38:40 2009
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Fri, 27 Nov 2009 07:38:40 +0100 (CET)
Subject: [tac_plus] Re: Can you log ping and traceroute commands?
In-Reply-To: <964ee8e00911262226y23b92abfu8dea5dce10d2526c@mail.gmail.com>
References: <964ee8e00911251645x3befbfb7ie798f93ff7138d2f@mail.gmail.com> <20091127061909.GK22013@shrubbery.net> <964ee8e00911262226y23b92abfu8dea5dce10d2526c@mail.gmail.com>
Message-ID:

> I certainly hope my IOS version isn't broken.
>
> Could somebody please verify if a 'ping' command shows up in the accounting
> log (so I can go get a new IOS version if that's the case).
>
> Many thanks.

I hope this helps:

Fri Nov 27 07:34:59 2009 11.22.33.44 kissg tty2 44.33.22.11 start task_id=69559 timezone=MET service=shell start_time=1259303699
Fri Nov 27 07:35:07 2009 11.22.33.44 kissg tty2 44.33.22.11 stop task_id=69559 timezone=MET service=shell start_time=1259303707 priv-lvl=1 cmd=ping this.is.my.host
Fri Nov 27 07:35:09 2009 11.22.33.44 kissg tty2 44.33.22.11 stop task_id=69560 timezone=MET service=shell start_time=1259303709 priv-lvl=0 cmd=quit
Fri Nov 27 07:35:09 2009 11.22.33.44 kissg tty2 44.33.22.11 stop task_id=69559 timezone=MET service=shell start_time=1259303699 disc-cause=1 disc-cause-ext=9 pre-session-time=10 elapsed_time=10 stop_time=1259303709

Gabor

From asaykao at gmail.com Fri Nov 27 06:49:48 2009
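Gabor's records are exactly what Andy needs to look for, and reading them by eye does not scale. The following is an added example, written for this archive page and not code from tac_plus or from anyone on the list: it parses accounting records of the layout tac_plus writes (date, NAS address, user, port, remote address, a start/stop flag, then attr=value pairs, tab-separated) and lists the commands accounted per user and per privilege level, so a missing `ping` shows up as an absence in a report rather than as something to scroll for. A copy whose tabs were collapsed to spaces, as happens when a log is pasted into mail, is handled too. The sample input is Gabor's four lines retyped with tabs plus two constructed records: a priv-lvl 15 command by `hdtest` and a command-less session for a made-up user `viewer`.

```python
"""Pull executed commands out of tac_plus accounting records (added example)."""
from typing import Dict, List, Tuple

# Sample input: Gabor's four records from the message above, retyped with tab
# separators, plus two constructed records (hdtest at priv-lvl 15, and a
# session for 'viewer' that never produced a command record).
SAMPLE_LOG = (
    "Fri Nov 27 07:34:59 2009\t11.22.33.44\tkissg\ttty2\t44.33.22.11\tstart\t"
    "task_id=69559\ttimezone=MET\tservice=shell\tstart_time=1259303699\n"
    "Fri Nov 27 07:35:07 2009\t11.22.33.44\tkissg\ttty2\t44.33.22.11\tstop\t"
    "task_id=69559\ttimezone=MET\tservice=shell\tstart_time=1259303707\t"
    "priv-lvl=1\tcmd=ping this.is.my.host\n"
    "Fri Nov 27 07:35:09 2009\t11.22.33.44\tkissg\ttty2\t44.33.22.11\tstop\t"
    "task_id=69560\ttimezone=MET\tservice=shell\tstart_time=1259303709\t"
    "priv-lvl=0\tcmd=quit\n"
    "Fri Nov 27 07:35:09 2009\t11.22.33.44\tkissg\ttty2\t44.33.22.11\tstop\t"
    "task_id=69559\ttimezone=MET\tservice=shell\tstart_time=1259303699\t"
    "disc-cause=1\tdisc-cause-ext=9\tpre-session-time=10\telapsed_time=10\t"
    "stop_time=1259303709\n"
    "Fri Nov 27 07:40:00 2009\t11.22.33.44\thdtest\ttty3\t44.33.22.11\tstop\t"
    "task_id=69561\ttimezone=MET\tservice=shell\tstart_time=1259304000\t"
    "priv-lvl=15\tcmd=configure terminal\n"
    "Fri Nov 27 07:41:00 2009\t11.22.33.44\tviewer\ttty4\t44.33.22.11\tstart\t"
    "task_id=69562\ttimezone=MET\tservice=shell\tstart_time=1259304060\n"
)

# Fixed fields that follow the date, in the order tac_plus writes them
# (assumption about the accounting format, see lead-in).
FIXED = ("nas", "user", "port", "remote", "flag")


def _split_fields(line: str) -> Tuple[str, List[str]]:
    """Return (date, remaining fields) for tab- or space-separated input."""
    if "\t" in line:
        fields = line.rstrip("\n").split("\t")
        return fields[0], fields[1:]
    # Tabs were collapsed: the ctime-style date is the first five words, and a
    # word without '=' continues the previous attribute value ('cmd=ping host').
    words = line.split()
    date, rest = " ".join(words[:5]), words[5:]
    glued: List[str] = []
    for word in rest[len(FIXED):]:
        if "=" in word or not glued:
            glued.append(word)
        else:
            glued[-1] += " " + word
    return date, rest[:len(FIXED)] + glued


def parse_record(line: str) -> Dict[str, object]:
    """Parse one accounting line; attr=value pairs land in a nested dict."""
    date, fields = _split_fields(line)
    if len(fields) < len(FIXED):
        raise ValueError(f"short accounting record: {line!r}")
    rec: Dict[str, object] = {"date": date}
    rec.update(zip(FIXED, fields[:len(FIXED)]))
    attrs: Dict[str, str] = {}
    for item in fields[len(FIXED):]:
        key, sep, value = item.partition("=")
        if sep:
            attrs[key] = value
    rec["attrs"] = attrs
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def commands_by_user(records, user: str) -> List[Tuple[int, str]]:
    """(priv-lvl, command) for each command record of one user, in log order.

    Commands arrive on 'stop' records that carry a cmd attribute; the session
    start/stop records carry none and are skipped.
    """
    out: List[Tuple[int, str]] = []
    for r in records:
        a = r["attrs"]
        if r["user"] == user and r["flag"] == "stop" and "cmd" in a:
            out.append((int(a.get("priv-lvl", 0)), a["cmd"]))
    return out


def privileged_commands(records, min_priv: int) -> List[Tuple[str, str]]:
    """(user, command) pairs executed at privilege level >= min_priv."""
    return [(r["user"], r["attrs"]["cmd"]) for r in records
            if "cmd" in r["attrs"] and int(r["attrs"].get("priv-lvl", 0)) >= min_priv]


def users_without_command_records(records) -> List[str]:
    """Users who opened a shell session but for whom no command was accounted.

    This is Andy's symptom: a user listed here who you know ran commands means
    the NAS is not sending command accounting for that user or privilege level.
    """
    started = {r["user"] for r in records if r["flag"] == "start"}
    commanded = {r["user"] for r in records if "cmd" in r["attrs"]}
    return sorted(started - commanded)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user in ("kissg", "hdtest"):
        print(user, commands_by_user(recs, user))
    print("priv>=15:", privileged_commands(recs, 15))
    print("no command records:", users_without_command_records(recs))
```

Run it against a real accounting file by replacing `SAMPLE_LOG` with the file's contents; a day of `ping`/`traceroute` activity that `users_without_command_records` still reports for a user is the evidence to take to the device side (`aaa accounting commands <level>` must cover every privilege level the user actually works at).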
From: asaykao at gmail.com (Andy Saykao)
Date: Fri, 27 Nov 2009 17:49:48 +1100
Subject: [tac_plus] Re: Can you log ping and traceroute commands?
In-Reply-To:
References: <964ee8e00911251645x3befbfb7ie798f93ff7138d2f@mail.gmail.com> <20091127061909.GK22013@shrubbery.net> <964ee8e00911262226y23b92abfu8dea5dce10d2526c@mail.gmail.com>
Message-ID: <964ee8e00911262249s3022addtc2997074fa88592b@mail.gmail.com>

Thanks Kiss. I'll now go and try a different IOS. Very weird that the only command I'm not seeing in the logs is the 'ping' command. Will report back later :)

On Fri, Nov 27, 2009 at 5:38 PM, Kiss Gabor (Bitman) wrote:
> > I certainly hope my IOS version isn't broken.
> >
> > Could somebody please verify if a 'ping' command shows up in the accounting
> > log (so I can go get a new IOS version if that's the case).
> >
> > Many thanks.
>
> I hope this helps:
>
> Fri Nov 27 07:34:59 2009 11.22.33.44 kissg tty2 44.33.22.11 start task_id=69559 timezone=MET service=shell start_time=1259303699
> Fri Nov 27 07:35:07 2009 11.22.33.44 kissg tty2 44.33.22.11 stop task_id=69559 timezone=MET service=shell start_time=1259303707 priv-lvl=1 cmd=ping this.is.my.host
> Fri Nov 27 07:35:09 2009 11.22.33.44 kissg tty2 44.33.22.11 stop task_id=69560 timezone=MET service=shell start_time=1259303709 priv-lvl=0 cmd=quit
> Fri Nov 27 07:35:09 2009 11.22.33.44 kissg tty2 44.33.22.11 stop task_id=69559 timezone=MET service=shell start_time=1259303699 disc-cause=1 disc-cause-ext=9 pre-session-time=10 elapsed_time=10 stop_time=1259303709
>
> Gabor

From alan.mckinnon at gmail.com Fri Nov 27 08:37:30 2009
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Fri, 27 Nov 2009 10:37:30 +0200
Subject: [tac_plus] Re: Installing tac_plus as a different user other than root??
In-Reply-To: <964ee8e00911261734j19c698bfx5096da6e9a0ec787@mail.gmail.com>
References: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com> <200911250843.30183.alan.mckinnon@gmail.com> <964ee8e00911261734j19c698bfx5096da6e9a0ec787@mail.gmail.com>
Message-ID: <200911271037.30123.alan.mckinnon@gmail.com>

Strictly speaking, that applies to ancient systems not running the shadow suite - modern systems leave /etc/passwd world-readable and restrict /etc/shadow to root only:

Linux:
$ ls -al /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 2841 2009-10-23 00:29 /etc/passwd
-rw------- 1 root root 1398 2009-10-23 00:30 /etc/shadow

FreeBSD:
$ ls -al /etc/passwd /etc/master.passwd
-rw------- 1 root wheel 5315 Oct 14 10:20 /etc/master.passwd
-rw-r--r-- 1 root wheel 4646 Oct 14 10:20 /etc/passwd

Solaris-9:
$ ls -al /etc/passwd /etc/shadow
-r-------- 1 root sys 3692 Sep 22 17:05 /etc/passwd
-r-------- 1 root other 1138 Nov 2 15:00 /etc/shadow

All three of those boxes run tac_plus. Note that Solaris-9 qualifies as ancient.
Generally, one can adjust group memberships and setuid/setgid so that tac_plus can read the passwd hashes.

But in almost all cases, it's simpler and cleaner to just use pam -

On Friday 27 November 2009 03:34:34 Andy Saykao wrote:
> Thanks for that piece of information Alan. Much appreciated.
>
> As Alan has explained, here is a ps of my user tac-plus running the
> program.
>
> root at tacacs-1:/var/log# ps aux | grep tac
> tac-plus 10847 0.0 0.0 2316 544 pts/0 S 12:20 0:00
> /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg
>
> Please be aware that if you want to run it as a different user other than
> root AND also want to login by using the user's password in /etc/passwd
> then you will need to set GID to "shadow". This will allow you to read the
> /etc/passwd file.
>
> # grep shadow /etc/group
> shadow:x:42:
>
> ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log
> --with-logfile=/var/log/tac_plus.log --with-userid=1001 --with-groupid=42
>
> Now when the program starts up it will show the uid=1001 (tac-plus user)
> and the gid=42 (GID shadow).
>
> # /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg -t -g -d 128
> Reading config
> Version F4.0.4.19 Initialized 1
> tac_plus server F4.0.4.19 starting
> uid=1001 euid=1001 gid=42 egid=42 s=5
>
> Thanks to this guy's useful post:
>
> http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs
>
> Hope that helps newbies like me out there.
>
> Cheers.
>
> Andy
>
> -----
>
> On Wed, Nov 25, 2009 at 5:43 PM, Alan McKinnon wrote:
> > On Wednesday 25 November 2009 04:45:31 Andy Saykao wrote:
> > > Hi All,
> > >
> > > Is there a way to install the program as a different user other than
> > > root??
> > > I'm installing this on Ubuntu Server 8.10.
> > >
> > > For example I've created a user called tac-plus with uid and gid of
> > > 1001.
> > >
> > > /etc/passwd:
> > > tac-plus:x:1001:1001:TACACS+ User,,,:/home/tac-plus:/bin/bash
> > >
> > > /etc/group:
> > > tac-plus:x:1001:
> > >
> > > I then configured it with the userid and groupid:
> > >
> > > ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log
> > > --with-logfile=/var/log/tac_plus.log --with-userid=1001
> > > --with-groupid=1001
> > >
> > > But once the program was installed, the files and directories are all
> > > still owned by root?
> > >
> > > root at tacacs-1:/tac-plus# ls -la
> > > total 24
> > > drwxr-xr-x 6 root root 4096 2009-11-25 12:14 .
> > > drwxr-xr-x 21 root root 4096 2009-11-25 12:14 ..
> > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 bin
> > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 include
> > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 lib
> > > drwxr-xr-x 4 root root 4096 2009-11-25 12:14 share
> > >
> > > Any ideas how to install it as a different user?
> >
> > It is already correctly installed. The tac-plus user simply needs to read
> > and execute the files, not own them or write to them.
> >
> > Check other daemons that drop privileges at runtime, those files are
> > normally owned by root as well as root is the only user that can write to
> > system areas.
> >
> > tac-plus just needs to be able to write its pid file
> >
> > --
> > alan dot mckinnon at gmail dot com

--
alan dot mckinnon at gmail dot com

From heas at shrubbery.net Fri Nov 27 21:38:55 2009
From: heas at shrubbery.net (john heasley)
Date: Fri, 27 Nov 2009 13:38:55 -0800
Subject: [tac_plus] Re: Issues about limiting the commands to be execed in switch
In-Reply-To: <8dabae5b0911241304t18fc582cg1c2b8409739e69c1@mail.gmail.com>
References: <8dabae5b0911241304t18fc582cg1c2b8409739e69c1@mail.gmail.com>
Message-ID: <20091127213855.GH7853@shrubbery.net>

Tue, Nov 24, 2009 at 03:04:02PM -0600, Hailu Meng:
> Hi All,
>
> I'm trying to create two groups in my tac_plus server. One is the admin. The
> other one has limited rights. So I want to limit this group to priv-level 1
> and only can issue show ip and show interface command. Also I configured the
> authorization in the switch. Here is my configuration in tac_plus.conf. My
> tac_plus just allow the user to do everything without limiting anything.
>
> /etc/tac_plus.conf:
>
> accounting file = /var/log/tacacs/acctfile
> key = "keyfortac"
>
> user = $enab15$ {
>     login = cleartext "enablepass"
> }
>
> group = admin {
>     default service = permit
>     service = exec {
>         priv-lvl = 15
>     }
> }
>
> group = limited {
>     default service = deny
>     service = exec {
>         priv-lvl = 1
>     }
>     cmd = show {
>         permit ip
>         permit interface
>     }
> }
>
> user = test {
>     member = limited
>     login = PAM
> }
>
> The switch configuration:
>
> aaa new-model
> aaa authentication login default group tacacs+ enable
> aaa authentication enable default group tacacs+ enable
>
> aaa authorization exec default group tacacs+ if-authenticated
> aaa authorization commands 1 default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
>
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
>
> I think these configurations are correct, but it just doesn't work. Am I
> wrong somewhere? Suppose the "cmd" should deny all the show commands except
> the ones specified. Please help.

"it doesn't work" isn't much to go on. what doesn't work?

here's an example of a working config with command authorization:

default authorization = permit

acl = limitacl {
    deny = ^198\.58\.[45]\.
    permit = .*
}

user = limited {
    login = nopassword
    acl = limitacl
    service = exec {
        priv-lvl=1
    }
    cmd = "ping" {
        permit .*
    }
    cmd = "show" {
        deny tcp.*
        deny regex.*\\[0-9]
        deny "ip bgp version .*"
        deny "ip bgp ipv4 unicast version .*"
        deny "ip bgp ipv4 multicast version .*"
        permit .*
    }
    cmd = "traceroute" {
        permit .*
    }
    cmd = "terminal" {
        permit "length .*"
    }
}

there is a debug option for authorization; see tac_plus(8).

From heas at shrubbery.net Fri Nov 27 22:23:53 2009
From: heas at shrubbery.net (john heasley)
Date: Fri, 27 Nov 2009 14:23:53 -0800
Subject: [tac_plus] Re: Installing tac_plus as a different user other than root??
In-Reply-To: <964ee8e00911261734j19c698bfx5096da6e9a0ec787@mail.gmail.com>
References: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com> <200911250843.30183.alan.mckinnon@gmail.com> <964ee8e00911261734j19c698bfx5096da6e9a0ec787@mail.gmail.com>
Message-ID: <20091127222353.GJ7853@shrubbery.net>

Fri, Nov 27, 2009 at 12:34:34PM +1100, Andy Saykao:
> Thanks to this guy's useful post:
>
> http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs

you don't need htpasswd; tac_plus comes with tac_pwd. see tac_pwd(8).

From asaykao at gmail.com Sun Nov 29 21:35:52 2009
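To see what Hailu's `cmd = show { permit ip permit interface }` block actually decides, and how John's working block differs, here is an added example written for this page; it is not tac_plus code. It models the server-side decision in the order tac_plus.conf(5) documents it, as I read it: the command name selects a cmd block, the argument string is tested against that block's permit/deny regexes in the order written, the first match decides, arguments matching no rule are denied, and a command with no cmd block at all falls back to the user's or group's `default service`. The one assumption that matters is that patterns are searched rather than anchored (`re.search`), which is what makes `permit ip` broader than it looks. Hailu's and John's blocks are copied from the messages above; the anchored variant and the command lines fed in are constructed for the demonstration.

```python
"""Model tac_plus command authorization and test a policy (added example)."""
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, str]  # ("permit" | "deny", regex as written in the config)


class CommandPolicy:
    """One user's (or group's) view of command authorization."""

    def __init__(self, default_service: str = "deny") -> None:
        # 'default service = permit' makes commands with no cmd block succeed.
        self.default_permit = default_service == "permit"
        self.blocks: Dict[str, List[Rule]] = {}

    def cmd(self, name: str, rules: List[Rule]) -> "CommandPolicy":
        self.blocks[name] = list(rules)
        return self

    def authorize(self, command_line: str) -> Tuple[bool, str]:
        """Return (permitted, reason) for a full command line such as 'show ip route'."""
        parts = command_line.split(None, 1)
        name = parts[0] if parts else ""
        args = parts[1] if len(parts) > 1 else ""
        rules = self.blocks.get(name)
        if rules is None:
            verdict = "permit" if self.default_permit else "deny"
            return self.default_permit, f"no cmd block for {name!r}: default service {verdict}"
        for action, pattern in rules:
            # Assumption: tac_plus searches the regex in the argument string,
            # it does not anchor it, so 'ip' also hits '... | include ip'.
            if re.search(pattern, args):
                return action == "permit", f"{action} {pattern!r} matched {args!r}"
        return False, f"no rule in cmd = {name} matched {args!r}: deny"


def hailu_limited_policy() -> CommandPolicy:
    # group = limited { default service = deny; cmd = show { permit ip; permit interface } }
    return CommandPolicy("deny").cmd("show", [("permit", "ip"), ("permit", "interface")])


def anchored_limited_policy() -> CommandPolicy:
    # Constructed fix: anchor the patterns so only a leading 'ip' / 'interface'
    # argument is permitted, not any argument string containing those letters.
    return CommandPolicy("deny").cmd(
        "show", [("permit", r"^ip( |$)"), ("permit", r"^interface( |$)")])


def heasley_limited_policy() -> CommandPolicy:
    # John's 'user = limited' blocks. His top-level 'default authorization =
    # permit' is a separate knob not modelled here; the user block sets no
    # 'default service', so commands without a cmd block are denied.
    return (
        CommandPolicy("deny")
        .cmd("ping", [("permit", r".*")])
        .cmd("show", [
            ("deny", r"tcp.*"),
            ("deny", r"regex.*\[0-9]"),  # written as regex.*\\[0-9] in the config file
            ("deny", r"ip bgp version .*"),
            ("deny", r"ip bgp ipv4 unicast version .*"),
            ("deny", r"ip bgp ipv4 multicast version .*"),
            ("permit", r".*"),
        ])
        .cmd("traceroute", [("permit", r".*")])
        .cmd("terminal", [("permit", r"length .*")])
    )


def evaluate(policy: CommandPolicy, command_lines: List[str]) -> Dict[str, bool]:
    """Map each constructed command line to the policy's verdict."""
    return {line: policy.authorize(line)[0] for line in command_lines}


if __name__ == "__main__":
    probes = ["show ip route", "show interface", "show version",
              "show running-config | include ip", "configure terminal"]
    for label, policy in (("hailu", hailu_limited_policy()),
                          ("anchored", anchored_limited_policy()),
                          ("heasley", heasley_limited_policy())):
        for line in probes:
            print(f"{label:9} {line!r:40} -> {policy.authorize(line)[1]}")
```

Two things the output makes concrete. Hailu's block does deny `show version` and `configure terminal`, so if "everything" is permitted on his switch the decision is not coming from this block at all (the user may not be landing in `limited`, or the device is not sending the authorization request; `tac_plus -d` with the authorization debug flag from tac_plus(8) settles that). And `permit ip` on its own also permits `show running-config | include ip` and `show ipv6 route`, which is why John's deny rules are spelled out as full argument prefixes and why the anchored variant above is the safer shape. The model only covers what the server answers; the `if-authenticated` fallback in the switch configuration means that while the TACACS+ server is unreachable, every command from an authenticated user is permitted by the device regardless of any of this.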
From: asaykao at gmail.com (Andy Saykao)
Date: Mon, 30 Nov 2009 08:35:52 +1100
Subject: [tac_plus] Re: Installing tac_plus as a different user other than root??
In-Reply-To: <200911271037.30123.alan.mckinnon@gmail.com>
References: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com> <200911250843.30183.alan.mckinnon@gmail.com> <964ee8e00911261734j19c698bfx5096da6e9a0ec787@mail.gmail.com> <200911271037.30123.alan.mckinnon@gmail.com>
Message-ID: <964ee8e00911291335w645afeaw38a6cee6faaa1b5d@mail.gmail.com>

Hi Alan,

1/ So in other words I should be able to run tac_plus using the ID/GID of the tac_plus user I created because /etc/passwd should be world-readable? I initially tried compiling with just the ID/GID of the tac_plus user but was unable to authenticate using /etc/passwd - hence why I compiled it a second time using the GID of the shadow group and was then able to authenticate using /etc/passwd (not sure if this is good or bad but I just followed somebody else's guide).

Sorry if I'm a bit naive on the unix file permission stuff, but here's the permissions on the Ubuntu box I'm testing with.

# ls -la /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 1130 2009-11-27 12:48 /etc/passwd
-rw-r----- 1 root shadow 835 2009-11-27 12:48 /etc/shadow

2/ How do I get tac_plus to authenticate using PAM? I've googled around and re-checked the mailing list but not much to go on. I've got a few PAM modules installed and can see that there's a /etc/pam.conf file and /etc/pam.d/ folder.

Cheers.
Andy On Fri, Nov 27, 2009 at 7:37 PM, Alan McKinnon wrote: > Strictly speaking, that applies to ancient systems not running the shadow > suite - modern systems leave /etc/passwd world-readable and restrict > /etc/shadow to root only: > > Linux: > $ ls -al /etc/passwd /etc/shadow > -rw-r--r-- 1 root root 2841 2009-10-23 00:29 /etc/passwd > -rw------- 1 root root 1398 2009-10-23 00:30 /etc/shadow > > FreeBSD: > $ ls -al /etc/passwd /etc/master.passwd > -rw------- 1 root wheel 5315 Oct 14 10:20 /etc/master.passwd > -rw-r--r-- 1 root wheel 4646 Oct 14 10:20 /etc/passwd > > Solaris-9 > $ ls -al /etc/passwd /etc/shadow > -r-------- 1 root sys 3692 Sep 22 17:05 /etc/passwd > -r-------- 1 root other 1138 Nov 2 15:00 /etc/shadow > > All three those boxes run tac_plus. Note that Solaris-9 qualifies as > ancient. > Generally, once can adjust group memberships and setuid/setgid so that > tac_plus can read the passwd hashes. > > But in almost all cases, it's simpler and cleaner to just use pam - > > > On Friday 27 November 2009 03:34:34 Andy Saykao wrote: > > Thanks for that piece of information Alan. Much appreciated. > > > > As Alan has explained, here is a ps of my user tac-plus running the > > program. > > > > root at tacacs-1:/var/log# ps aux | grep tac > > tac-plus 10847 0.0 0.0 2316 544 pts/0 S 12:20 0:00 > > /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg > > > > Please be aware that if you want to run it as a different user other than > > root AND also want to login by using the user's password in /etc/passwd > > then you will need to set GID to "shadow". This will allow you to read > the > > /etc/passwd file. > > > > # grep shadow /etc/group > > shadow:x:42: > > > > ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log > > --with-logfile=/var/log/tac_plus.log --with-userid=1001 --with-groupid=42 > > > > Now when the program starts up it will show the uid=1001 (tac-plus user) > > and the gid=42 (GID shadow). 
> > > > # /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg -t -g -d 128 > > Reading config > > Version F4.0.4.19 Initialized 1 > > tac_plus server F4.0.4.19 starting > > uid=1001 euid=1001 gid=42 egid=42 s=5 > > > > Thanks to this guy's useful post: > > > > > http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cis > > co-howtos-documents-and-notes/cisco-and-tacacs > > > > Hope that helps newbies like me out there. > > > > Cheers. > > > > Andy > > > > ----- > > > > On Wed, Nov 25, 2009 at 5:43 PM, Alan McKinnon > wrote: > > > On Wednesday 25 November 2009 04:45:31 Andy Saykao wrote: > > > > Hi All, > > > > > > > > Is there a way to install the program as a different user other than > > > > > > root?? > > > > > > > I'm installing this on Ubuntu Server 8.10. > > > > > > > > For example I've created a user called tac-plus with uid and gid of > > > > 1001. > > > > > > > > /etc/passwd: > > > > tac-plus:x:1001:1001:TACACS+ User,,,:/home/tac-plus:/bin/bash > > > > > > > > /etc/group: > > > > tac-plus:x:1001: > > > > > > > > I then configured it with the userid and groupid: > > > > > > > > ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log > > > > --with-logfile=/var/log/tac_plus.log --with-userid=1001 > > > > > > --with-groupid=1001 > > > > > > > But once the program was installed, the files and directories are all > > > > > > still > > > > > > > own by root? > > > > > > > > root at tacacs-1:/tac-plus# ls -la > > > > total 24 > > > > drwxr-xr-x 6 root root 4096 2009-11-25 12:14 . > > > > drwxr-xr-x 21 root root 4096 2009-11-25 12:14 .. > > > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 bin > > > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 include > > > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 lib > > > > drwxr-xr-x 4 root root 4096 2009-11-25 12:14 share > > > > > > > > Any ideas how to install it as a different user? > > > > > > It is already correctly installed. 
The tac-plus user simply needs to > read > > > and > > > execute the files, not own them or write to them. > > > > > > Check other daemons that drop privileges at runtime, those files are > > > normally > > > owned by root as well as root is the only user that can write to system > > > areas. > > > > > > tac-plus just needs to be able to write it's pid file > > > > > > -- > > > alan dot mckinnon at gmail dot com > > > _______________________________________________ > > > tac_plus mailing list > > > tac_plus at shrubbery.net > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > > > > -- > alan dot mckinnon at gmail dot com > _______________________________________________ > tac_plus mailing list > tac_plus at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091130/4bf65a0d/attachment.html From prozaconstilts at gmail.com Sun Nov 29 21:57:32 2009 
From: prozaconstilts at gmail.com (adam)
Date: Sun, 29 Nov 2009 16:57:32 -0500
Subject: [tac_plus] Re: Installing tac_plus as a different user other than root??
In-Reply-To: <964ee8e00911291335w645afeaw38a6cee6faaa1b5d@mail.gmail.com>
References: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com> <200911250843.30183.alan.mckinnon@gmail.com> <964ee8e00911261734j19c698bfx5096da6e9a0ec787@mail.gmail.com> <200911271037.30123.alan.mckinnon@gmail.com> <964ee8e00911291335w645afeaw38a6cee6faaa1b5d@mail.gmail.com>
Message-ID: <4B12EE4C.1070102@gmail.com>

Andy Saykao wrote:
> Hi Alan,
>
> 1/ So in other words I should be able to run tac_plus using the ID/GID of
> the tac_plus user I created because /etc/passwd should be world-readable? I
> initially tried compiling with just the ID/GID of the tac_plus user but was
> unable to authenticate using /etc/passwd - hence why I compiled it a second
> time using the GID of the shadow group and was then able to authenticate
> using /etc/passwd (not sure if this is good or bad but I just followed
> somebody else's guide).
>
> Sorry if I'm a bit naive on the unix file permission stuff, but here's the
> permissions on the Ubuntu box I'm testing with.
>
> # ls -la /etc/passwd /etc/shadow
> -rw-r--r-- 1 root root 1130 2009-11-27 12:48 /etc/passwd
> -rw-r----- 1 root shadow 835 2009-11-27 12:48 /etc/shadow
>
> 2/ How do I get tac_plus to authenticate using PAM? I've googled around and
> re-checked the mailing list but not much to go on. I've got a few PAM
> modules installed and can see that there's a /etc/pam.conf file and
> /etc/pam.d/ folder.
>
> Cheers.
>
> Andy

For Number 2, these instructions use pam_ldap for tac_plus as an example, but you can configure the pam stack for tac_plus to be whatever suits you.

Instructions for RHEL5:

1. install the pam-devel package from your repository

2. compile the source for tacacs+, making sure that -lpam was discovered in the configure script

3. define users in the conf file as such:

user = {
    login = PAM
}

4. Place a pam stack configuration in /etc/pam.d/tac_plus that has whatever mechanisms you require for authentication (see below)

5. celebrate

The pam stack I use looks like this:

# cat /etc/pam.d/tac_plus
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

It's not very obvious in that file, but I include system-auth, which looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     optional      pam_ldap.so

So, in this manner, tacacs+, talking to PAM, and using pam_ldap, can authenticate a user with ldap-based credentials. Of course, you can use whatever you like in terms of pam modules.

Thanks,
Adam

From alan.mckinnon at gmail.com Sun Nov 29 22:03:33 2009
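Andy is on Ubuntu rather than RHEL, so here is the Debian-family shape of adam's steps 3 and 4 as an added example; it is not from tac_plus's documentation or from anyone on the list. It assumes tac_plus was built with PAM support (adam's step 2, configure finding -lpam), that tac_plus opens the PAM service named `tac_plus` (which is why adam's file lives at /etc/pam.d/tac_plus), and that the box has Debian's `common-auth` and `common-account` stacks, which Ubuntu 8.10 does. The user name `alice` is a placeholder.

```text
# tac_plus.cfg fragment: one user whose password is checked through PAM
# (name is a placeholder; put the user in whatever group carries the authorization)
user = alice {
    login = PAM
}

# /etc/pam.d/tac_plus on Debian/Ubuntu: reuse the system-wide stacks
#%PAM-1.0
auth       include    common-auth
account    include    common-account
```

On a stock Ubuntu box `common-auth` resolves to pam_unix, and pam_unix needs to read /etc/shadow. When the calling process cannot, Linux-PAM falls back to its setgid `unix_chkpwd` helper, and as I understand that helper it will only verify the password of the uid that invoked it unless the caller is root, so a tac_plus running as uid 1001 still needs gid 42 (shadow) from the configure line earlier in the thread to check other people's passwords. PAM starts to pay off with a backend such as pam_ldap, which needs no shadow access and, as Alan points out later, lets you keep network engineers' accounts (and shells) off the TACACS+ server entirely.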
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Mon, 30 Nov 2009 00:03:33 +0200
Subject: [tac_plus] Re: Installing tac_plus as a different user other than root??
In-Reply-To: <964ee8e00911291335w645afeaw38a6cee6faaa1b5d@mail.gmail.com>
References: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com> <200911271037.30123.alan.mckinnon@gmail.com> <964ee8e00911291335w645afeaw38a6cee6faaa1b5d@mail.gmail.com>
Message-ID: <200911300003.33200.alan.mckinnon@gmail.com>

Hi Andy,

You need to get yourself a decent guide on Unix permissions and file ownership. It's not hard to grasp (it's actually the simplest thing that could possibly work) and there are many resources on the internet. Without this knowledge, configuring Unix daemons becomes a Herculean task.

So you have Ubuntu, that explains things. It also explains why tac_plus needs to be a member of the shadow group. Your problem is not the /etc/passwd file - that is always world-readable on Linux so that anything can see what accounts exist. The problem is the /etc/shadow file which contains the password hashes and can only be read by the root user and the shadow group (look at the permissions).

Your setup will work as you have attested but I find this way of doing things odd. You will not be using tac_plus to auth users wanting access to the Ubuntu box itself, so why have you given them local accounts on the tacacs server? Unless you have taken steps to disable their shell (make the shell /bin/false or such), they can probably log into the tacacs server itself. This may be what you want, but in the real world it usually isn't. It's far easier to simply define your tacacs users in the tac_plus.conf file itself and keep the users off the server.

As to PAM - this is a software layer that sits between your applications and the user accounts. In a nutshell, apps can be built with support for PAM and when running, they query PAM to find out if certain access is allowed.
PAM answers yes or no depending on the rules you set up. It's a fine idea in principle but the practice is way more complex, and it is exceptionally easy to get it very wrong. PAM requires thorough knowledge of the entire subject, not because PAM is poor quality, but because the subject of authentication itself is *hard* (much like quantum physics is hard :-) )

I don't believe there's such a thing as an easy step by step guide to configuring PAM. Contrary to what I said earlier you should probably leave this alone till you've had time to study it thoroughly.

On Sunday 29 November 2009 23:35:52 Andy Saykao wrote:
> Hi Alan,
>
> 1/ So in other words I should be able to run tac_plus using the ID/GID of
> the tac_plus user I created because /etc/passwd should be world-readable? I
> initially tried compiling with just the ID/GID of the tac_plus user but was
> unable to authenticate using /etc/passwd - hence why I compiled it a second
> time using the GID of the shadow group and was then able to authenticate
> using /etc/passwd (not sure if this is good or bad but I just followed
> somebody else's guide).
>
> Sorry if I'm a bit naive on the unix file permission stuff, but here's the
> permissions on the Ubuntu box I'm testing with.
>
> # ls -la /etc/passwd /etc/shadow
> -rw-r--r-- 1 root root 1130 2009-11-27 12:48 /etc/passwd
> -rw-r----- 1 root shadow 835 2009-11-27 12:48 /etc/shadow
>
> 2/ How do I get tac_plus to authenticate using PAM? I've googled around and
> re-checked the mailing list but not much to go on. I've got a few PAM
> modules installed and can see that there's a /etc/pam.conf file and
> /etc/pam.d/ folder.
>
> Cheers.
> > Andy > > On Fri, Nov 27, 2009 at 7:37 PM, Alan McKinnon wrote: > > Strictly speaking, that applies to ancient systems not running the shadow > > suite - modern systems leave /etc/passwd world-readable and restrict > > /etc/shadow to root only: > > > > Linux: > > $ ls -al /etc/passwd /etc/shadow > > -rw-r--r-- 1 root root 2841 2009-10-23 00:29 /etc/passwd > > -rw------- 1 root root 1398 2009-10-23 00:30 /etc/shadow > > > > FreeBSD: > > $ ls -al /etc/passwd /etc/master.passwd > > -rw------- 1 root wheel 5315 Oct 14 10:20 /etc/master.passwd > > -rw-r--r-- 1 root wheel 4646 Oct 14 10:20 /etc/passwd > > > > Solaris-9 > > $ ls -al /etc/passwd /etc/shadow > > -r-------- 1 root sys 3692 Sep 22 17:05 /etc/passwd > > -r-------- 1 root other 1138 Nov 2 15:00 /etc/shadow > > > > All three those boxes run tac_plus. Note that Solaris-9 qualifies as > > ancient. > > Generally, once can adjust group memberships and setuid/setgid so that > > tac_plus can read the passwd hashes. > > > > But in almost all cases, it's simpler and cleaner to just use pam - > > > > On Friday 27 November 2009 03:34:34 Andy Saykao wrote: > > > Thanks for that piece of information Alan. Much appreciated. > > > > > > As Alan has explained, here is a ps of my user tac-plus running the > > > program. > > > > > > root at tacacs-1:/var/log# ps aux | grep tac > > > tac-plus 10847 0.0 0.0 2316 544 pts/0 S 12:20 0:00 > > > /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg > > > > > > Please be aware that if you want to run it as a different user other > > > than root AND also want to login by using the user's password in > > > /etc/passwd then you will need to set GID to "shadow". This will allow > > > you to read > > > > the > > > > > /etc/passwd file. 
> > > > > > # grep shadow /etc/group > > > shadow:x:42: > > > > > > ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log > > > --with-logfile=/var/log/tac_plus.log --with-userid=1001 > > > --with-groupid=42 > > > > > > Now when the program starts up it will show the uid=1001 (tac-plus > > > user) and the gid=42 (GID shadow). > > > > > > # /tac-plus/bin/tac_plus -C /tac-plus/etc/tac_plus.cfg -t -g -d 128 > > > Reading config > > > Version F4.0.4.19 Initialized 1 > > > tac_plus server F4.0.4.19 starting > > > uid=1001 euid=1001 gid=42 egid=42 s=5 > > > > > > Thanks to this guy's useful post: > > > > http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-c > >is > > > > > co-howtos-documents-and-notes/cisco-and-tacacs > > > > > > Hope that helps newbies like me out there. > > > > > > Cheers. > > > > > > Andy > > > > > > ----- > > > > > > On Wed, Nov 25, 2009 at 5:43 PM, Alan McKinnon > > > > wrote: > > > > On Wednesday 25 November 2009 04:45:31 Andy Saykao wrote: > > > > > Hi All, > > > > > > > > > > Is there a way to install the program as a different user other > > > > > than > > > > > > > > root?? > > > > > > > > > I'm installing this on Ubuntu Server 8.10. > > > > > > > > > > For example I've created a user called tac-plus with uid and gid of > > > > > 1001. > > > > > > > > > > /etc/passwd: > > > > > tac-plus:x:1001:1001:TACACS+ User,,,:/home/tac-plus:/bin/bash > > > > > > > > > > /etc/group: > > > > > tac-plus:x:1001: > > > > > > > > > > I then configured it with the userid and groupid: > > > > > > > > > > ./configure --prefix /tac-plus --with-acctfile=/var/log/tac_acc.log > > > > > --with-logfile=/var/log/tac_plus.log --with-userid=1001 > > > > > > > > --with-groupid=1001 > > > > > > > > > But once the program was installed, the files and directories are > > > > > all > > > > > > > > still > > > > > > > > > own by root? 
> > > > >
> > > > > root at tacacs-1:/tac-plus# ls -la
> > > > > total 24
> > > > > drwxr-xr-x 6 root root 4096 2009-11-25 12:14 .
> > > > > drwxr-xr-x 21 root root 4096 2009-11-25 12:14 ..
> > > > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 bin
> > > > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 include
> > > > > drwxr-xr-x 2 root root 4096 2009-11-25 12:14 lib
> > > > > drwxr-xr-x 4 root root 4096 2009-11-25 12:14 share
> > > > >
> > > > > Any ideas how to install it as a different user?
> > > >
> > > > It is already correctly installed. The tac-plus user simply needs to
> > > > read and execute the files, not own them or write to them.
> > > >
> > > > Check other daemons that drop privileges at runtime, those files are
> > > > normally owned by root as well, as root is the only user that can write
> > > > to system areas.
> > > >
> > > > tac-plus just needs to be able to write its pid file
> > > >
> > > > --
> > > > alan dot mckinnon at gmail dot com
> > > > _______________________________________________
> > > > tac_plus mailing list
> > > > tac_plus at shrubbery.net
> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> >
> > --
> > alan dot mckinnon at gmail dot com
>
--
alan dot mckinnon at gmail dot com

From asaykao at gmail.com Sun Nov 29 22:14:19 2009
From: asaykao at gmail.com (Andy Saykao)
Date: Mon, 30 Nov 2009 09:14:19 +1100
Subject: [tac_plus] Re: Installing tac_plus as a different user other than root??
In-Reply-To: <4B12EE4C.1070102@gmail.com>
References: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com> <200911250843.30183.alan.mckinnon@gmail.com> <964ee8e00911261734j19c698bfx5096da6e9a0ec787@mail.gmail.com> <200911271037.30123.alan.mckinnon@gmail.com> <964ee8e00911291335w645afeaw38a6cee6faaa1b5d@mail.gmail.com> <4B12EE4C.1070102@gmail.com>
Message-ID: <964ee8e00911291414w4cc31bcdxe313cad193f57f8f@mail.gmail.com>

Hi Adam,

I came across that post but it was for RHEL so I just skimmed through it
because I'm working on a Ubuntu box. I really just want to use the users in
/etc/passwd for now (maybe LDAP further down the track) - nevertheless
thank you for your suggestion.

So my question is that if I just want to authenticate against
/etc/passwd, is it worth me reading up more about PAM and trying to get
this going, or do I just compile it using the GID of the shadow group as
per this guide.

http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs

Thanks.

Andy

> For Number 2, these instructions use pam_ldap for tac_plus as an example,
> but you can configure the pam stack for tac_plus to be whatever suits you.
>
> Instructions for RHEL5:
>
> 1. install the pam-devel package from your repository
>
> 2. compile the source for tacacs+, making sure that -lpam was discovered in
> the configure script
>
> 3. define users in the conf file as such:
>
> user = {
> login = PAM
> }
>
> 4. Place a pam stack configuration in /etc/pam.d/tac_plus that has whatever
> mechanisms you require for authentication (see below)
>
> 5. celebrate
>
> The pam stack I use looks like this:
>
> #cat /etc/pam.d/tac_plus:
>
> #%PAM-1.0
> auth include system-auth
> account required pam_nologin.so
> account include system-auth
> password include system-auth
> session optional pam_keyinit.so force revoke
> session include system-auth
> session required pam_loginuid.so
>
> It's not very obvious in that file, but I include system-auth, which
> looks like this:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
> session optional pam_ldap.so
>
> So, in this manner, tacacs+, talking to PAM, and using pam_ldap, can
> authenticate a user with ldap-based credentials. Of course, you can use
> whatever you like in terms of pam modules.
>
> Thanks,
>
> Adam

From prozaconstilts at gmail.com Mon Nov 30 03:48:40 2009
From: prozaconstilts at gmail.com (adam)
Date: Sun, 29 Nov 2009 22:48:40 -0500
Subject: [tac_plus] Re: Installing tac_plus as a different user other than root??
In-Reply-To: <964ee8e00911291414w4cc31bcdxe313cad193f57f8f@mail.gmail.com>
References: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com> <200911250843.30183.alan.mckinnon@gmail.com> <964ee8e00911261734j19c698bfx5096da6e9a0ec787@mail.gmail.com> <200911271037.30123.alan.mckinnon@gmail.com> <964ee8e00911291335w645afeaw38a6cee6faaa1b5d@mail.gmail.com> <4B12EE4C.1070102@gmail.com> <964ee8e00911291414w4cc31bcdxe313cad193f57f8f@mail.gmail.com>
Message-ID: <4B134098.5090501@gmail.com>

Andy Saykao wrote:
> Hi Adam,
>
> I came across that post but it was for RHEL so I just skimmed through it
> because I'm working on a Ubuntu box. I really just want to use the users in
> /etc/passwd for now (maybe LDAP further down the track) - nevertheless
> thank you for your suggestion.
>
> So my question is that if I just want to authenticate against
> /etc/passwd, is it worth me reading up more about PAM and trying to get
> this going, or do I just compile it using the GID of the shadow group as
> per this guide.
>
> http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs
>
> Thanks.
>
> Andy
>
> > For Number 2, these instructions use pam_ldap for tac_plus as an
> > example, but you can configure the pam stack for tac_plus to be
> > whatever suits you.
> >
> > Instructions for RHEL5:
> >
> > 1. install the pam-devel package from your repository
> >
> > 2. compile the source for tacacs+, making sure that -lpam was
> > discovered in the configure script
> >
> > 3. define users in the conf file as such:
> >
> > user = {
> > login = PAM
> > }
> >
> > 4. Place a pam stack configuration in /etc/pam.d/tac_plus that has
> > whatever mechanisms you require for authentication (see below)
> >
> > 5. celebrate
> >
> > The pam stack I use looks like this:
> >
> > #cat /etc/pam.d/tac_plus:
> >
> > #%PAM-1.0
> > auth include system-auth
> > account required pam_nologin.so
> > account include system-auth
> > password include system-auth
> > session optional pam_keyinit.so force revoke
> > session include system-auth
> > session required pam_loginuid.so
> >
> > It's not very obvious in that file, but I include system-auth, which
> > looks like this:
> >
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_deny.so
> >
> > account required pam_unix.so broken_shadow
> > account sufficient pam_localuser.so
> > account sufficient pam_succeed_if.so uid < 500 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > account required pam_permit.so
> >
> > password requisite pam_cracklib.so try_first_pass retry=3
> > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password sufficient pam_ldap.so use_authtok
> > password required pam_deny.so
> >
> > session optional pam_keyinit.so revoke
> > session required pam_limits.so
> > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session required pam_unix.so
> > session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
> > session optional pam_ldap.so
> >
> > So, in this manner, tacacs+, talking to PAM, and using pam_ldap, can
> > authenticate a user with ldap-based credentials. Of course, you can
> > use whatever you like in terms of pam modules.
> >
> > Thanks,
> >
> > Adam
>

These instructions for RHEL should work 95% for Ubuntu. Note that the
pam_unix module in use in the system-auth file is /etc/passwd and
/etc/shadow... so using pam_unix in your tac_plus pam conf should be
sufficient.
As I recall, while RHEL uses a single system-auth, Debian and Ubuntu use
system auth broken out into common-auth, common-password, common-account,
and common-session in the pam.d directory. You'll need to translate the pam
conf files for Ubuntu, but the compilation and configuration of tac_plus
should remain the same.

Adam

From prozaconstilts at gmail.com Mon Nov 30 03:55:10 2009
From: prozaconstilts at gmail.com (adam)
Date: Sun, 29 Nov 2009 22:55:10 -0500
Subject: [tac_plus] Re: Installing tac_plus as a different user other than root??
In-Reply-To: <964ee8e00911291414w4cc31bcdxe313cad193f57f8f@mail.gmail.com>
References: <964ee8e00911241845s62354b87w462c4ae0314ed646@mail.gmail.com> <200911250843.30183.alan.mckinnon@gmail.com> <964ee8e00911261734j19c698bfx5096da6e9a0ec787@mail.gmail.com> <200911271037.30123.alan.mckinnon@gmail.com> <964ee8e00911291335w645afeaw38a6cee6faaa1b5d@mail.gmail.com> <4B12EE4C.1070102@gmail.com> <964ee8e00911291414w4cc31bcdxe313cad193f57f8f@mail.gmail.com>
Message-ID: <4B13421E.5080409@gmail.com>

Andy Saykao wrote:
> Hi Adam,
>
> I came across that post but it was for RHEL so I just skimmed through it
> because I'm working on a Ubuntu box. I really just want to use the users in
> /etc/passwd for now (maybe LDAP further down the track) - nevertheless
> thank you for your suggestion.
>
> So my question is that if I just want to authenticate against
> /etc/passwd, is it worth me reading up more about PAM and trying to get
> this going, or do I just compile it using the GID of the shadow group as
> per this guide.
>
> http://www.billyguthrie.com:8081/billyguthrie.com/projects/test/various-cisco-howtos-documents-and-notes/cisco-and-tacacs
>
> Thanks.
>
> Andy
>
> > For Number 2, these instructions use pam_ldap for tac_plus as an
> > example, but you can configure the pam stack for tac_plus to be
> > whatever suits you.
> >
> > Instructions for RHEL5:
> >
> > 1. install the pam-devel package from your repository
> >
> > 2. compile the source for tacacs+, making sure that -lpam was
> > discovered in the configure script
> >
> > 3. define users in the conf file as such:
> >
> > user = {
> > login = PAM
> > }
> >
> > 4. Place a pam stack configuration in /etc/pam.d/tac_plus that has
> > whatever mechanisms you require for authentication (see below)
> >
> > 5. celebrate
> >
> > The pam stack I use looks like this:
> >
> > #cat /etc/pam.d/tac_plus:
> >
> > #%PAM-1.0
> > auth include system-auth
> > account required pam_nologin.so
> > account include system-auth
> > password include system-auth
> > session optional pam_keyinit.so force revoke
> > session include system-auth
> > session required pam_loginuid.so
> >
> > It's not very obvious in that file, but I include system-auth, which
> > looks like this:
> >
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_deny.so
> >
> > account required pam_unix.so broken_shadow
> > account sufficient pam_localuser.so
> > account sufficient pam_succeed_if.so uid < 500 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> > account required pam_permit.so
> >
> > password requisite pam_cracklib.so try_first_pass retry=3
> > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password sufficient pam_ldap.so use_authtok
> > password required pam_deny.so
> >
> > session optional pam_keyinit.so revoke
> > session required pam_limits.so
> > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session required pam_unix.so
> > session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
> > session optional pam_ldap.so
> >
> > So, in this manner, tacacs+, talking to PAM, and using pam_ldap, can
> > authenticate a user with ldap-based credentials. Of course, you can
> > use whatever you like in terms of pam modules.
> >
> > Thanks,
> >
> > Adam
>

And after reading your post, I definitely advocate the understanding,
compilation, and use of PAM. It allows you to be extremely flexible with
your authentication, both now and when LDAP arrives.
It's _the_ way your Linux variants perform user authentication, meaning it's
widely used, widely understood, and widely supported. It also means it gets
heavy scrutiny in terms of code security. I'd take the time to learn how to
use it.

Thanks,

Adam
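The translation Adam describes in his two replies (RHEL's single system-auth versus Debian/Ubuntu's common-auth, common-account, common-password and common-session), as an added example that is not part of the thread or of the tac_plus distribution: a small POSIX shell script that rewrites the "include system-auth" lines of Adam's /etc/pam.d/tac_plus into Debian-style "@include common-*" lines and passes everything else through. The stack text is embedded as sample input and the function names are my own; nothing is written to /etc/pam.d.

```shell
#!/bin/sh
# Added example (not from the thread): translate Adam's RHEL-style
# /etc/pam.d/tac_plus into the Debian/Ubuntu layout. Debian splits
# "system-auth" into common-auth, common-account, common-password and
# common-session and pulls them in with "@include <file>".
#
# Why this matters for the "run as non-root" question: with PAM in the
# stack, pam_unix checks the password through the setgid-shadow helper
# unix_chkpwd, so the tac-plus service account does not need to be a
# member of the shadow group (the --with-groupid=42 route Andy took).

# Adam's RHEL5 stack, embedded verbatim as constructed sample input.
RHEL_STACK='#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so'

# translate_pam_stack: read a RHEL-style stack on stdin, write the Debian
# form on stdout. "<type> include system-auth" becomes
# "@include common-<type>"; module lines and comments pass through as-is.
translate_pam_stack() {
  awk '
    $2 == "include" && $3 == "system-auth" &&
    $1 ~ /^(auth|account|password|session)$/ {
      print "@include common-" $1; next
    }
    { print }
  '
}

# count_includes: number of "@include common-*" lines in a translated
# stack on stdin; a complete translation of Adam's file yields 4.
count_includes() {
  grep -c '^@include common-'
}

# Print the translated stack for review when run with --demo; install it
# by hand only after reading it.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$RHEL_STACK" | translate_pam_stack
fi
```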