[tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
john heasley
heas at shrubbery.net
Tue Nov 24 18:15:24 UTC 2009
Tue, Nov 24, 2009 at 11:56:23AM -0600, Hailu Meng:
> John,
>
> I checked my tac_plus configuration for PAM module. the file
> /etc/pam.d/tac_plus. The current configuration is shown below:
> As you suggest I need put pam_ldap.so on the first row for every
> auth,account,password and session, right?
i don't know; i'm not that familiar with pam. read the manual for pam
and each of the modules. for example, pam_unix on my machine seems to
check passwd(5) entries for authentication, which you probably do not
want.
> *******************************************************************
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
>
> On Tue, Nov 24, 2009 at 11:36 AM, john heasley <heas at shrubbery.net> wrote:
>
> > Tue, Nov 24, 2009 at 11:05:59AM -0600, Hailu Meng:
> > > It makes sense. nsswitch.conf should be for like local login not for
> > tacacs.
> > > Thanks John to point it out. I'm such a rookie to these things. Just
> > > followed some guides and combine them here. Need study more.
> >
> > well, it depends upon what modules you use in your tacacs PAM config; ie:
> > if you have something like 'require unix_account' (WAG) that requires that
> > the login exist in /etc/passwd (or more precisely get_pwent(3) or similar),
> > then /etc/nsswitch.conf might affect it. BUT, that means that for you,
> > 'require unix_account' is a misconfiguration of the tacacs PAM config.
> > that
> > is should be something like 'require ldap_account'.
> >
> >
> > > Lou
> > >
> > > On Tue, Nov 24, 2009 at 10:24 AM, john heasley <heas at shrubbery.net>
> > wrote:
> > >
> > > > Tue, Nov 24, 2009 at 11:11:57AM +0100, Jeroen Nijhof:
> > > > >
> > > > > Hi Lou,
> > > > >
> > > > > Yes, most server application's check if a user exist by looking up
> > the
> > > > > uid via nss before doing any authentication (i.e. sshd).
> > > > >
> > > > > Regards,
> > > > > Jeroen
> > > > >
> > > > > Op 23/11/2009 schreef "Hailu Meng" <hailumeng at gmail.com>:
> > > > >
> > > > > >Hi Jeroen,
> > > > > >
> > > > > >Thanks for helping. I modified the nssswitch.conf as below:
> > > > > >passwd: files ldap
> > > > > >shadow: files ldap
> > > > > >group: files ldap
> > > > > >
> > > > > >And leave the other settings as default.
> > > > > >
> > > > > >the user attributes you are talking about are the attributes
> > retrieving
> > > > from
> > > > > >AD? I do see the packets from AD server told my tacacs+ server the
> > user
> > > > > >attributes including homedir.
> > > >
> > > > i would not expect this to affect tacacs, unless you have something in
> > your
> > > > pam config that requires it. ie: nsswitch.conf should control auth for
> > the
> > > > host (eg: /sbin/login), tacacs is separate.
> > > >
> > > > > >Thanks.
> > > > > >
> > > > > >Lou
> > > > > >
> > > > > >
> > > > > >On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof <jeroen at nijhofnet.nl
> > >
> > > > wrote:
> > > > > >
> > > > > >> Hi,
> > > > > >>
> > > > > >> Did you setup the nsswitch.conf as well on your tac_plus server?
> > > > > >> Your tac_plus server needs to lookup the user attributes like
> > homedir
> > > > > >> etc, otherwise pam will fail.
> > > > > >>
> > > > > >> Regards,
> > > > > >> Jeroen Nijhof
> > > > > >>
> > > > > >> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
> > > > > >> > Ok. With -d 32, I got some more info about pam as red color log.
> > > > > >> >
> > > > > >> > There is "Unknown user" log info following the input of my user
> > > > password.
> > > > > >> > Feel confused since ldap is able to get user info from Active
> > > > directory,
> > > > > >> why
> > > > > >> > it turns out "Unknown user" here.
> > > > > >> >
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq
> > no
> > > > 3,
> > > > > >> flags
> > > > > >> > 0x1
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252
> > (0xbe977644),
> > > > Data
> > > > > >> > length 11 (0xb)
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6),
> > user_data_len
> > > > 0
> > > > > >> (0x0)
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: User msg:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: myusername
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: User data:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose default_fn
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Calling authentication function
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1
> > pam_messages
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0:
> > > > > >> PAM_PROMPT_ECHO_OFF
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS size=28
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1, seq
> > no
> > > > 4,
> > > > > >> flags
> > > > > >> > 0x1
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252
> > (0xbe977644),
> > > > Data
> > > > > >> > length 16 (0x10)
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5
> > > > (AUTHEN/GETPASS)
> > > > > >> > flags=0x1
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: msg:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Password:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: data:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1, seq
> > no
> > > > 5,
> > > > > >> flags
> > > > > >> > 0x1
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252
> > (0xbe977644),
> > > > Data
> > > > > >> > length 18 (0x12)
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd),
> > > > user_data_len 0
> > > > > >> > (0x0)
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: User msg:
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: mypassword
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: User data:
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: Unknown user
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername'
> > tty0
> > > > from
> > > > > >> > 10.1.69.89 rejected
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: login failure:
> > myusername10.1.69.89
> > > > > >> > (10.1.69.89) tty0
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1, seq
> > no
> > > > 6,
> > > > > >> flags
> > > > > >> > 0x1
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252
> > (0xbe977644),
> > > > Data
> > > > > >> > length 6 (0x6)
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2
> > (AUTHEN/FAIL)
> > > > > >> > flags=0x0
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: msg:
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: data:
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
> > > > > >> >
> > > > > >> >
> > > > > >> > On Mon, Nov 23, 2009 at 3:16 PM, john heasley <
> > heas at shrubbery.net>
> > > > > >> wrote:
> > > > > >> >
> > > > > >> > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
> > > > > >> > > > I just saw some posts saying pam_krb winbind could be needed
> > to
> > > > get
> > > > > >> pam
> > > > > >> > > work
> > > > > >> > > > against active directory. Is this true? The post I was
> > following
> > > > > >> actually
> > > > > >> > > is
> > > > > >> > > > for a LDAP server not Active Directory.
> > > > > >> > >
> > > > > >> > > i dont know; each pam implementation seems to be [at least]
> > > > slightly
> > > > > >> > > different. seems silly to need kerberos for ldap.
> > > > > >> > >
> > > > > >> > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng <
> > > > hailumeng at gmail.com>
> > > > > >> wrote:
> > > > > >> > > >
> > > > > >> > > > > I think I need put my pam configuration here:
> > > > > >> > > > >
> > > > > >> > > > > I followed this post
> > > > > >> > > > >
> > > > > >>
> > > > http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.htmlto
> > > > > >> > > > > configure my pam module:
> > > > > >> > > > >
> > > > > >> > > > > /etc/pam.d/tacacs
> > > > > >> > > > >
> > > > > >> > > > > auth include system-auth
> > > > > >> > > > > account required pam_nologin.so
> > > > > >> > > > > account include system-auth
> > > > > >> > > > > password include system-auth
> > > > > >> > > > > session optional pam_keyinit.so force revoke
> > > > > >> > > > > session include system-auth
> > > > > >> > > > > session required pam_loginuid.so
> > > > > >> > > > >
> > > > > >> > > > > /etc/pam.d/system-auth
> > > > > >> > > > > #%PAM-1.0
> > > > > >> > > > > # This file is auto-generated.
> > > > > >> > > > > # User changes will be destroyed the next time authconfig
> > is
> > > > run.
> > > > > >> > > > > auth required pam_env.so
> > > > > >> > > > > auth sufficient pam_unix.so nullok
> > try_first_pass
> > > > > >> > > > > auth requisite pam_succeed_if.so uid >= 500
> > quiet
> > > > > >> > > > > auth sufficient pam_ldap.so use_first_pass
> > > > > >> > > > > auth required pam_deny.so
> > > > > >> > > > >
> > > > > >> > > > > account required pam_unix.so broken_shadow
> > > > > >> > > > > account sufficient pam_succeed_if.so uid < 500
> > quiet
> > > > > >> > > > >
> > > > > >> > > > > account [default=bad success=ok user_unknown=ignore]
> > > > > >> pam_ldap.so
> > > > > >> > > > > account required pam_permit.so
> > > > > >> > > > >
> > > > > >> > > > > password requisite pam_cracklib.so try_first_pass
> > > > retry=3
> > > > > >> > > > > password sufficient pam_unix.so md5 shadow nullok
> > > > > >> try_first_pass
> > > > > >> > > > > use_authtok
> > > > > >> > > > > password sufficient pam_ldap.so use_authtok
> > > > > >> > > > > password required pam_deny.so
> > > > > >> > > > >
> > > > > >> > > > > session optional pam_keyinit.so revoke
> > > > > >> > > > > session required pam_limits.so
> > > > > >> > > > > session [success=1 default=ignore] pam_succeed_if.so
> > > > service in
> > > > > >> > > crond
> > > > > >> > > > > quiet use_uid
> > > > > >> > > > > session required pam_unix.so
> > > > > >> > > > > session optional pam_ldap.so
> > > > > >> > > > >
> > > > > >> > > > >
> > > > > >> > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <
> > > > hailumeng at gmail.com>
> > > > > >> > > wrote:
> > > > > >> > > > >
> > > > > >> > > > >> Hi John,
> > > > > >> > > > >>
> > > > > >> > > > >> You mean issue commands like tac_plus -C
> > /etct/tac_plus.conf
> > > > -L -p
> > > > > >> 49
> > > > > >> > > -d
> > > > > >> > > > >> 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't make
> > any
> > > > > >> change. I
> > > > > >> > > got
> > > > > >> > > > >> same log info. By the way, I also saw the log info in
> > > > > >> > > /var/log/message:
> > > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
> > > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19
> > > > Initialized
> > > > > >> 1
> > > > > >> > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from
> > 10.1.69.89
> > > > > >> > > [10.1.69.89]
> > > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for
> > 'myuser'
> > > > tty0
> > > > > >> from
> > > > > >> > > > >> 10.1.69.89 rejected
> > > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure: myuser
> > > > > >> 10.1.69.89
> > > > > >> > > > >> (10.1.69.89) tty0
> > > > > >> > > > >>
> > > > > >> > > > >> Do we have option to see the log about PAM? I haven't
> > found
> > > > where
> > > > > >> it
> > > > > >> > > is.
> > > > > >> > > > >> if we can check the log of PAM, then we could find
> > something
> > > > > >> useful.
> > > > > >> > > Right
> > > > > >> > > > >> now the log of tac_plus didn't tell too much about why
> > login
> > > > got
> > > > > >> > > failure.
> > > > > >> > >
> > > > > >> > > add -d 32. -d x -d y ... will be logically OR'd together.
> > > > > >> > >
> > > > > >> > > > >> Lou
> > > > > >> > > > >>
> > > > > >> > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley <
> > > > heas at shrubbery.net
> > > > > >> >
> > > > > >> > > wrote:
> > > > > >> > > > >>
> > > > > >> > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
> > > > > >> > > > >>> > Thanks John for helping me check this issue.
> > > > > >> > > > >>> >
> > > > > >> > > > >>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p 49
> > > > -d256 -g
> > > > > >> to
> > > > > >> > > see
> > > > > >> > > > >>> the
> > > > > >> > > > >>>
> > > > > >> > > > >>> try -d 16 -d 256. which i think will log the pwd that
> > pam
> > > > > >> received
> > > > > >> > > from
> > > > > >> > > > >>> the device. make its correct. the logs below do appear
> > to
> > > > be a
> > > > > >> > > > >>> reject/fail
> > > > > >> > > > >>> returned from pam.
> > > > > >> > > > >>>
> > > > > >> > > > >>> > log in stdout and in log file. I can't see any
> > suspicious
> > > > log
> > > > > >> > > > >>> information
> > > > > >> > > > >>> > here. I paste the log below:
> > > > > >> > > > >>> >
> > > > > >> > > > >>> >
> > > > > >> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT
> > size=23
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0),
> > type
> > > > 1,
> > > > > >> seq no
> > > > > >> > > 5,
> > > > > >> > > > >>> flags
> > > > > >> > > > >>> > 0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910
> > > > > >> > > (0xc46868ce),
> > > > > >> > > > >>> Data
> > > > > >> > > > >>> > length
> > > > > >> > > > >>> > 11 (0xb)
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6 (0x6),
> > > > > >> > > user_data_len 0
> > > > > >> > > > >>> (0x0)
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose
> > > > default_fn
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling
> > authentication
> > > > > >> function
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing
> > AUTHEN/GETPASS
> > > > size=28
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0),
> > type
> > > > 1,
> > > > > >> seq no
> > > > > >> > > 6,
> > > > > >> > > > >>> flags
> > > > > >> > > > >>> > 0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id 3295176910
> > > > > >> > > (0xc46868ce),
> > > > > >> > > > >>> Data
> > > > > >> > > > >>> > length
> > > > > >> > > > >>> > 16 (0x10)
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN status=5
> > > > > >> > > (AUTHEN/GETPASS)
> > > > > >> > > > >>> > flags=0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10,
> > data_len=0
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT
> > size=30
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey
> > > > > >> > > > >>>
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0),
> > type
> > > > 1,
> > > > > >> seq no
> > > > > >> > > 7,
> > > > > >> > > > >>> flags
> > > > > >> > > > >>> > 0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id 3295176910
> > > > > >> > > (0xc46868ce),
> > > > > >> > > > >>> Data
> > > > > >> > > > >>> > length
> > > > > >> > > > >>> > 18 (0x12)
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13
> > (0xd),
> > > > > >> > > user_data_len 0
> > > > > >> > > > >>> > (0x0)
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg:
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data:
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for
> > > > 'myusername'
> > > > > >> tty0
> > > > > >> > > from
> > > > > >> > > > >>> > 10.1.69.89 r
> > > > > >> > > > >>> > ejected
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure:
> > myusername
> > > > > >> > > 10.1.69.89
> > > > > >> > > > >>> > (10.1.69.89) t
> > > > > >> > > > >>> > ty0
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL
> > > > size=18
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0),
> > type
> > > > 1,
> > > > > >> seq no
> > > > > >> > > 8,
> > > > > >> > > > >>> flags
> > > > > >> > > > >>> > 0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id 3295176910
> > > > > >> > > (0xc46868ce),
> > > > > >> > > > >>> Data
> > > > > >> > > > >>> > length
> > > > > >> > > > >>> > 6 (0x6)
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN status=2
> > > > > >> (AUTHEN/FAIL)
> > > > > >> > > > >>> > flags=0x0
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0, data_len=0
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg:
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data:
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89:
> > disconnect
> > > > > >> > > > >>> >
> > > > > >> > > > >>> >
> > > > > >> > > > >>> >
> > > > > >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley <
> > > > > >> heas at shrubbery.net
> > > > > >> > > >
> > > > > >> > > > >>> wrote:
> > > > > >> > > > >>> >
> > > > > >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:
> > > > > >> > > > >>> > > > Hi Adam,
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > If the ldapsearch -D "" -w "" runs successfully,
> > what
> > > > do we
> > > > > >> > > suppose
> > > > > >> > > > >>> to
> > > > > >> > > > >>> > > get
> > > > > >> > > > >>> > > > from the output? I just got all of the user
> > > > information in
> > > > > >> that
> > > > > >> > > > >>> group.
> > > > > >> > > > >>> > > Does
> > > > > >> > > > >>> > > > that means my password and username got
> > authenticated
> > > > > >> > > successfully
> > > > > >> > > > >>> > > against
> > > > > >> > > > >>> > > > AD?
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > This thing drives me crazy. I need solve it
> > through
> > > > this
> > > > > >> week
> > > > > >> > > > >>> before the
> > > > > >> > > > >>> > > > holiday...
> > > > > >> > > > >>> > >
> > > > > >> > > > >>> > > i havent followed this thread, as i know nearly zero
> > > > about
> > > > > >> ldap.
> > > > > >> > > > >>> but,
> > > > > >> > > > >>> > > have you enabled authentication debugging in the
> > tacacas
> > > > > >> daemon
> > > > > >> > > and
> > > > > >> > > > >>> > > checked the logs to determine what is coming back
> > from
> > > > pam?
> > > > > >> it
> > > > > >> > > very
> > > > > >> > > > >>> > > well may be that the ldap client is working just
> > fine,
> > > > but
> > > > > >> there
> > > > > >> > > is a
> > > > > >> > > > >>> > > pam module bug or a bug in the tacplus daemon or
> > that
> > > > your
> > > > > >> device
> > > > > >> > > > >>> > > simply doesnt like something about the replies.
> > > > > >> > > > >>> > >
> > > > > >> > > > >>> > > > Thanks a lot for the help.
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > Lou
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng <
> > > > > >> > > hailumeng at gmail.com>
> > > > > >> > > > >>> wrote:
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > > Still no clue how to turn on the log. binding
> > seems
> > > > good.
> > > > > >> See
> > > > > >> > > my
> > > > > >> > > > >>> > > findings
> > > > > >> > > > >>> > > > > below. Thanks a lot.
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam <
> > > > > >> > > prozaconstilts at gmail.com>
> > > > > >> > > > >>> > > wrote:
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >> Hailu Meng wrote:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>> Adam,
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>> I tried the su - "userid" in my tacacs+ server
> > but
> > > > I
> > > > > >> don't
> > > > > >> > > have
> > > > > >> > > > >>> that
> > > > > >> > > > >>> > > > >>> userid in CentOS. So the CentOS just don't
> > want me
> > > > log
> > > > > >> in.
> > > > > >> > > I
> > > > > >> > > > >>> think
> > > > > >> > > > >>> > > this will
> > > > > >> > > > >>> > > > >>> not ask tacacs server to authenticate against
> > AD.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> You shouldn't need to have to define the user
> > in
> > > > CentOS,
> > > > > >> > > that's
> > > > > >> > > > >>> the
> > > > > >> > > > >>> > > point
> > > > > >> > > > >>> > > > >> of using ldap for authentication. The user is
> > > > defined in
> > > > > >> > > ldap,
> > > > > >> > > > >>> not in
> > > > > >> > > > >>> > > > >> CentOS. Now that I think about it, su - <user>
> > > > probably
> > > > > >> > > wouldn't
> > > > > >> > > > >>> work
> > > > > >> > > > >>> > > > >> anyway, as AD doesn't by default have the data
> > > > needed by
> > > > > >> a
> > > > > >> > > linux
> > > > > >> > > > >>> box
> > > > > >> > > > >>> > > to
> > > > > >> > > > >>> > > > >> allow login...but see below for more options.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>> Is there any other way to test ldap
> > authentication
> > > > > >> against
> > > > > >> > > AD
> > > > > >> > > > >>> with
> > > > > >> > > > >>> > > the
> > > > > >> > > > >>> > > > >>> userid in AD? I tried ldapsearch. It did find
> > my
> > > > user
> > > > > >> id
> > > > > >> > > > >>> without
> > > > > >> > > > >>> > > problem.
> > > > > >> > > > >>> > > > >>> But I haven't found any option to try with
> > > > password and
> > > > > >> > > > >>> authenticate
> > > > > >> > > > >>> > > against
> > > > > >> > > > >>> > > > >>> AD.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> Try using -D:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> from `man ldapsearch`:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> -D binddn
> > > > > >> > > > >>> > > > >> Use the Distinguished Name binddn to bind to
> > the
> > > > LDAP
> > > > > >> > > > >>> directory.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should let
> > you
> > > > try
> > > > > >> to
> > > > > >> > > > >>> authenticate
> > > > > >> > > > >>> > > > >> using whatever user you want to define. Just
> > check
> > > > and
> > > > > >> > > double
> > > > > >> > > > >>> check
> > > > > >> > > > >>> > > you get
> > > > > >> > > > >>> > > > >> the right path in that dn.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc "
> > but it
> > > > just
> > > > > >> > > > >>> returned lots
> > > > > >> > > > >>> > > of
> > > > > >> > > > >>> > > > > users' information. It means successful?
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >> Do you have ldap server setup or only the
> > openldap
> > > > > >> library
> > > > > >> > > and
> > > > > >> > > > >>> > > openldap
> > > > > >> > > > >>> > > > >>> client? I don't understand why the log is not
> > > > turned
> > > > > >> on.
> > > > > >> > > There
> > > > > >> > > > >>> must
> > > > > >> > > > >>> > > be some
> > > > > >> > > > >>> > > > >>> debugging info in the log which can help solve
> > > > this
> > > > > >> issue.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> only the libs and client. You should not need
> > the
> > > > > >> server. In
> > > > > >> > > the
> > > > > >> > > > >>> > > > >> ldapsearch, you can use -d <integer> to get
> > > > debugging
> > > > > >> info
> > > > > >> > > for
> > > > > >> > > > >>> that
> > > > > >> > > > >>> > > search.
> > > > > >> > > > >>> > > > >> As before, higher number = more debug
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> If the user can authenticate, does ethereal
> > > > capture
> > > > > >> some
> > > > > >> > > > >>> packets
> > > > > >> > > > >>> > > about
> > > > > >> > > > >>> > > > >>> password verification? Right now I only see
> > the
> > > > packets
> > > > > >> > > when
> > > > > >> > > > >>> ldap
> > > > > >> > > > >>> > > search for
> > > > > >> > > > >>> > > > >>> my user id and gets results back from AD.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> Ethereal should catch all data flowing between
> > the
> > > > > >> client
> > > > > >> > > and
> > > > > >> > > > >>> server.
> > > > > >> > > > >>> > > If
> > > > > >> > > > >>> > > > >> you can search out the user in your AD right
> > now,
> > > > then
> > > > > >> one
> > > > > >> > > of
> > > > > >> > > > >>> two
> > > > > >> > > > >>> > > things is
> > > > > >> > > > >>> > > > >> happening:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> 1. You are performing anonymous searches. In
> > this
> > > > case,
> > > > > >> no
> > > > > >> > > > >>> username
> > > > > >> > > > >>> > > and pw
> > > > > >> > > > >>> > > > >> is provided, and your AD is happy to hand over
> > info
> > > > to
> > > > > >> > > anyone
> > > > > >> > > > >>> who asks
> > > > > >> > > > >>> > > for
> > > > > >> > > > >>> > > > >> it. If this is the case, you will _not_ see
> > > > > >> authentication
> > > > > >> > > > >>> > > information. The
> > > > > >> > > > >>> > > > >> following MS KB article should probably help
> > you
> > > > > >> determine
> > > > > >> > > on
> > > > > >> > > > >>> your AD
> > > > > >> > > > >>> > > if
> > > > > >> > > > >>> > > > >> anonymous queries are allowed:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> http://support.microsoft.com/kb/320528
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> It has exact instructions for how to get it
> > going,
> > > > but
> > > > > >> you
> > > > > >> > > can
> > > > > >> > > > >>> follow
> > > > > >> > > > >>> > > > >> along with it to check your current settings
> > > > without
> > > > > >> making
> > > > > >> > > any
> > > > > >> > > > >>> > > changes.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > > I checked our setting. Permission type for
> > normal
> > > > user is
> > > > > >> > > "Read &
> > > > > >> > > > >>> > > Execute".
> > > > > >> > > > >>> > > > > I click edit to check the detail about
> > permission. I
> > > > > >> think it
> > > > > >> > > > >>> only
> > > > > >> > > > >>> > > allow the
> > > > > >> > > > >>> > > > > user to read the attributes, permission
> > something
> > > > and
> > > > > >> can't
> > > > > >> > > > >>> modify the
> > > > > >> > > > >>> > > > > AD.There is "Everyone" setting is also set as
> > "Read
> > > > &
> > > > > >> > > Execute".
> > > > > >> > > > >>> By the
> > > > > >> > > > >>> > > way,
> > > > > >> > > > >>> > > > > the AD is Win2003 R2.
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> 2. Authentication is happening. It will be the
> > > > _very_
> > > > > >> first
> > > > > >> > > > >>> thing the
> > > > > >> > > > >>> > > > >> client and server perform, after basic
> > connection
> > > > > >> > > establishment.
> > > > > >> > > > >>> Look
> > > > > >> > > > >>> > > for it
> > > > > >> > > > >>> > > > >> at the very beginning of a dump.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> Also, it's a bit overkill, but the following
> > > > article is
> > > > > >> > > > >>> extremely
> > > > > >> > > > >>> > > > >> informative about all the different ways you
> > can
> > > > plug
> > > > > >> linux
> > > > > >> > > into
> > > > > >> > > > >>> AD
> > > > > >> > > > >>> > > for
> > > > > >> > > > >>> > > > >> authentication. It might offer some hints...
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>> Maybe I need dig into ldap.conf more. If you
> > have
> > > > any
> > > > > >> idea,
> > > > > >> > > let
> > > > > >> > > > >>> me
> > > > > >> > > > >>> > > know.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>> Thank you very much.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>> Lou
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > -------------- next part --------------
> > > > > >> > > > >>> > > > An HTML attachment was scrubbed...
> > > > > >> > > > >>> > > > URL:
> > > > > >> > > > >>> > >
> > > > > >> > > > >>>
> > > > > >> > >
> > > > > >>
> > > >
> > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html
> > > > > >> > > > >>> > > > _______________________________________________
> > > > > >> > > > >>> > > > tac_plus mailing list
> > > > > >> > > > >>> > > > tac_plus at shrubbery.net
> > > > > >> > > > >>> > > >
> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> > > > > >> > > > >>> > >
> > > > > >> > > > >>>
> > > > > >> > > > >>
> > > > > >> > > > >>
> > > > > >> > > > >
> > > > > >> > >
> > > > > >> > -------------- next part --------------
> > > > > >> > An HTML attachment was scrubbed...
> > > > > >> > URL:
> > > > > >>
> > > >
> > http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html
> > > > > >> > _______________________________________________
> > > > > >> > tac_plus mailing list
> > > > > >> > tac_plus at shrubbery.net
> > > > > >> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> > > > > >>
> > > > > >>
> > > > > >>
> > > >
> >
More information about the tac_plus
mailing list