[tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
Tom Murch
tmurch at toniccomputers.com
Tue Nov 24 18:08:36 UTC 2009
now im not an expert on this however I do run a samba server which pulls the
user names from my AD controller. Have you tried using winbind plus pam for
the AD authentication ??
http://wiki.samba.org/index.php/Samba_&_Active_Directory I used this for my
samba install but you could get the idea of how winbind and Kerberos would
work. It might give you more luck
On Tue, Nov 24, 2009 at 12:56 PM, Hailu Meng <hailumeng at gmail.com> wrote:
> John,
>
> I checked my tac_plus configuration for PAM module. the file
> /etc/pam.d/tac_plus. The current configuration is shown below:
> As you suggest I need put pam_ldap.so on the first row for every
> auth,account,password and session, right?
>
> *******************************************************************
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
>
> On Tue, Nov 24, 2009 at 11:36 AM, john heasley <heas at shrubbery.net> wrote:
>
> > Tue, Nov 24, 2009 at 11:05:59AM -0600, Hailu Meng:
> > > It makes sense. nsswitch.conf should be for like local login not for
> > tacacs.
> > > Thanks John to point it out. I'm such a rookie to these things. Just
> > > followed some guides and combine them here. Need study more.
> >
> > well, it depends upon what modules you use in your tacacs PAM config; ie:
> > if you have something like 'require unix_account' (WAG) that requires
> that
> > the login exist in /etc/passwd (or more precisely get_pwent(3) or
> similar),
> > then /etc/nsswitch.conf might affect it. BUT, that means that for you,
> > 'require unix_account' is a misconfiguration of the tacacs PAM config.
> > that
> > is should be something like 'require ldap_account'.
> >
> >
> > > Lou
> > >
> > > On Tue, Nov 24, 2009 at 10:24 AM, john heasley <heas at shrubbery.net>
> > wrote:
> > >
> > > > Tue, Nov 24, 2009 at 11:11:57AM +0100, Jeroen Nijhof:
> > > > >
> > > > > Hi Lou,
> > > > >
> > > > > Yes, most server application's check if a user exist by looking up
> > the
> > > > > uid via nss before doing any authentication (i.e. sshd).
> > > > >
> > > > > Regards,
> > > > > Jeroen
> > > > >
> > > > > Op 23/11/2009 schreef "Hailu Meng" <hailumeng at gmail.com>:
> > > > >
> > > > > >Hi Jeroen,
> > > > > >
> > > > > >Thanks for helping. I modified the nssswitch.conf as below:
> > > > > >passwd: files ldap
> > > > > >shadow: files ldap
> > > > > >group: files ldap
> > > > > >
> > > > > >And leave the other settings as default.
> > > > > >
> > > > > >the user attributes you are talking about are the attributes
> > retrieving
> > > > from
> > > > > >AD? I do see the packets from AD server told my tacacs+ server the
> > user
> > > > > >attributes including homedir.
> > > >
> > > > i would not expect this to affect tacacs, unless you have something
> in
> > your
> > > > pam config that requires it. ie: nsswitch.conf should control auth
> for
> > the
> > > > host (eg: /sbin/login), tacacs is separate.
> > > >
> > > > > >Thanks.
> > > > > >
> > > > > >Lou
> > > > > >
> > > > > >
> > > > > >On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof <
> jeroen at nijhofnet.nl
> > >
> > > > wrote:
> > > > > >
> > > > > >> Hi,
> > > > > >>
> > > > > >> Did you setup the nsswitch.conf as well on your tac_plus server?
> > > > > >> Your tac_plus server needs to lookup the user attributes like
> > homedir
> > > > > >> etc, otherwise pam will fail.
> > > > > >>
> > > > > >> Regards,
> > > > > >> Jeroen Nijhof
> > > > > >>
> > > > > >> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
> > > > > >> > Ok. With -d 32, I got some more info about pam as red color
> log.
> > > > > >> >
> > > > > >> > There is "Unknown user" log info following the input of my
> user
> > > > password.
> > > > > >> > Feel confused since ldap is able to get user info from Active
> > > > directory,
> > > > > >> why
> > > > > >> > it turns out "Unknown user" here.
> > > > > >> >
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1,
> seq
> > no
> > > > 3,
> > > > > >> flags
> > > > > >> > 0x1
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252
> > (0xbe977644),
> > > > Data
> > > > > >> > length 11 (0xb)
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6),
> > user_data_len
> > > > 0
> > > > > >> (0x0)
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: User msg:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: myusername
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: User data:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose
> default_fn
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Calling authentication
> function
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1
> > pam_messages
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0:
> > > > > >> PAM_PROMPT_ECHO_OFF
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS
> size=28
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type 1,
> seq
> > no
> > > > 4,
> > > > > >> flags
> > > > > >> > 0x1
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252
> > (0xbe977644),
> > > > Data
> > > > > >> > length 16 (0x10)
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5
> > > > (AUTHEN/GETPASS)
> > > > > >> > flags=0x1
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: msg:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Password:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: data:
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type 1,
> seq
> > no
> > > > 5,
> > > > > >> flags
> > > > > >> > 0x1
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252
> > (0xbe977644),
> > > > Data
> > > > > >> > length 18 (0x12)
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd),
> > > > user_data_len 0
> > > > > >> > (0x0)
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: User msg:
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: mypassword
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: User data:
> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: Unknown user
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: login query for 'myusername'
> > tty0
> > > > from
> > > > > >> > 10.1.69.89 rejected
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: login failure:
> > myusername10.1.69.89
> > > > > >> > (10.1.69.89) tty0
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL size=18
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type 1,
> seq
> > no
> > > > 6,
> > > > > >> flags
> > > > > >> > 0x1
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252
> > (0xbe977644),
> > > > Data
> > > > > >> > length 6 (0x6)
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: End header
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2
> > (AUTHEN/FAIL)
> > > > > >> > flags=0x0
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: msg:
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: data:
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: End packet
> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
> > > > > >> >
> > > > > >> >
> > > > > >> > On Mon, Nov 23, 2009 at 3:16 PM, john heasley <
> > heas at shrubbery.net>
> > > > > >> wrote:
> > > > > >> >
> > > > > >> > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
> > > > > >> > > > I just saw some posts saying pam_krb winbind could be
> needed
> > to
> > > > get
> > > > > >> pam
> > > > > >> > > work
> > > > > >> > > > against active directory. Is this true? The post I was
> > following
> > > > > >> actually
> > > > > >> > > is
> > > > > >> > > > for a LDAP server not Active Directory.
> > > > > >> > >
> > > > > >> > > i dont know; each pam implementation seems to be [at least]
> > > > slightly
> > > > > >> > > different. seems silly to need kerberos for ldap.
> > > > > >> > >
> > > > > >> > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng <
> > > > hailumeng at gmail.com>
> > > > > >> wrote:
> > > > > >> > > >
> > > > > >> > > > > I think I need put my pam configuration here:
> > > > > >> > > > >
> > > > > >> > > > > I followed this post
> > > > > >> > > > >
> > > > > >>
> > > >
> http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.htmlto
> > > > > >> > > > > configure my pam module:
> > > > > >> > > > >
> > > > > >> > > > > /etc/pam.d/tacacs
> > > > > >> > > > >
> > > > > >> > > > > auth include system-auth
> > > > > >> > > > > account required pam_nologin.so
> > > > > >> > > > > account include system-auth
> > > > > >> > > > > password include system-auth
> > > > > >> > > > > session optional pam_keyinit.so force revoke
> > > > > >> > > > > session include system-auth
> > > > > >> > > > > session required pam_loginuid.so
> > > > > >> > > > >
> > > > > >> > > > > /etc/pam.d/system-auth
> > > > > >> > > > > #%PAM-1.0
> > > > > >> > > > > # This file is auto-generated.
> > > > > >> > > > > # User changes will be destroyed the next time
> authconfig
> > is
> > > > run.
> > > > > >> > > > > auth required pam_env.so
> > > > > >> > > > > auth sufficient pam_unix.so nullok
> > try_first_pass
> > > > > >> > > > > auth requisite pam_succeed_if.so uid >= 500
> > quiet
> > > > > >> > > > > auth sufficient pam_ldap.so use_first_pass
> > > > > >> > > > > auth required pam_deny.so
> > > > > >> > > > >
> > > > > >> > > > > account required pam_unix.so broken_shadow
> > > > > >> > > > > account sufficient pam_succeed_if.so uid < 500
> > quiet
> > > > > >> > > > >
> > > > > >> > > > > account [default=bad success=ok user_unknown=ignore]
> > > > > >> pam_ldap.so
> > > > > >> > > > > account required pam_permit.so
> > > > > >> > > > >
> > > > > >> > > > > password requisite pam_cracklib.so try_first_pass
> > > > retry=3
> > > > > >> > > > > password sufficient pam_unix.so md5 shadow nullok
> > > > > >> try_first_pass
> > > > > >> > > > > use_authtok
> > > > > >> > > > > password sufficient pam_ldap.so use_authtok
> > > > > >> > > > > password required pam_deny.so
> > > > > >> > > > >
> > > > > >> > > > > session optional pam_keyinit.so revoke
> > > > > >> > > > > session required pam_limits.so
> > > > > >> > > > > session [success=1 default=ignore] pam_succeed_if.so
> > > > service in
> > > > > >> > > crond
> > > > > >> > > > > quiet use_uid
> > > > > >> > > > > session required pam_unix.so
> > > > > >> > > > > session optional pam_ldap.so
> > > > > >> > > > >
> > > > > >> > > > >
> > > > > >> > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <
> > > > hailumeng at gmail.com>
> > > > > >> > > wrote:
> > > > > >> > > > >
> > > > > >> > > > >> Hi John,
> > > > > >> > > > >>
> > > > > >> > > > >> You mean issue commands like tac_plus -C
> > /etct/tac_plus.conf
> > > > -L -p
> > > > > >> 49
> > > > > >> > > -d
> > > > > >> > > > >> 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't
> make
> > any
> > > > > >> change. I
> > > > > >> > > got
> > > > > >> > > > >> same log info. By the way, I also saw the log info in
> > > > > >> > > /var/log/message:
> > > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
> > > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version F4.0.4.19
> > > > Initialized
> > > > > >> 1
> > > > > >> > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from
> > 10.1.69.89
> > > > > >> > > [10.1.69.89]
> > > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for
> > 'myuser'
> > > > tty0
> > > > > >> from
> > > > > >> > > > >> 10.1.69.89 rejected
> > > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure:
> myuser
> > > > > >> 10.1.69.89
> > > > > >> > > > >> (10.1.69.89) tty0
> > > > > >> > > > >>
> > > > > >> > > > >> Do we have option to see the log about PAM? I haven't
> > found
> > > > where
> > > > > >> it
> > > > > >> > > is.
> > > > > >> > > > >> if we can check the log of PAM, then we could find
> > something
> > > > > >> useful.
> > > > > >> > > Right
> > > > > >> > > > >> now the log of tac_plus didn't tell too much about why
> > login
> > > > got
> > > > > >> > > failure.
> > > > > >> > >
> > > > > >> > > add -d 32. -d x -d y ... will be logically OR'd together.
> > > > > >> > >
> > > > > >> > > > >> Lou
> > > > > >> > > > >>
> > > > > >> > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley <
> > > > heas at shrubbery.net
> > > > > >> >
> > > > > >> > > wrote:
> > > > > >> > > > >>
> > > > > >> > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
> > > > > >> > > > >>> > Thanks John for helping me check this issue.
> > > > > >> > > > >>> >
> > > > > >> > > > >>> > I just run tac_plus -C /path/to/tac_plus.conf -L -p
> 49
> > > > -d256 -g
> > > > > >> to
> > > > > >> > > see
> > > > > >> > > > >>> the
> > > > > >> > > > >>>
> > > > > >> > > > >>> try -d 16 -d 256. which i think will log the pwd that
> > pam
> > > > > >> received
> > > > > >> > > from
> > > > > >> > > > >>> the device. make its correct. the logs below do
> appear
> > to
> > > > be a
> > > > > >> > > > >>> reject/fail
> > > > > >> > > > >>> returned from pam.
> > > > > >> > > > >>>
> > > > > >> > > > >>> > log in stdout and in log file. I can't see any
> > suspicious
> > > > log
> > > > > >> > > > >>> information
> > > > > >> > > > >>> > here. I paste the log below:
> > > > > >> > > > >>> >
> > > > > >> > > > >>> >
> > > > > >> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT
> > size=23
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0),
> > type
> > > > 1,
> > > > > >> seq no
> > > > > >> > > 5,
> > > > > >> > > > >>> flags
> > > > > >> > > > >>> > 0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id
> 3295176910
> > > > > >> > > (0xc46868ce),
> > > > > >> > > > >>> Data
> > > > > >> > > > >>> > length
> > > > > >> > > > >>> > 11 (0xb)
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6
> (0x6),
> > > > > >> > > user_data_len 0
> > > > > >> > > > >>> (0x0)
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen chose
> > > > default_fn
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling
> > authentication
> > > > > >> function
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing
> > AUTHEN/GETPASS
> > > > size=28
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET: key=mykey
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192 (0xc0),
> > type
> > > > 1,
> > > > > >> seq no
> > > > > >> > > 6,
> > > > > >> > > > >>> flags
> > > > > >> > > > >>> > 0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id
> 3295176910
> > > > > >> > > (0xc46868ce),
> > > > > >> > > > >>> Data
> > > > > >> > > > >>> > length
> > > > > >> > > > >>> > 16 (0x10)
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN
> status=5
> > > > > >> > > (AUTHEN/GETPASS)
> > > > > >> > > > >>> > flags=0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10,
> > data_len=0
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data:
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT
> > size=30
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET: key=mykey
> > > > > >> > > > >>>
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192 (0xc0),
> > type
> > > > 1,
> > > > > >> seq no
> > > > > >> > > 7,
> > > > > >> > > > >>> flags
> > > > > >> > > > >>> > 0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id
> 3295176910
> > > > > >> > > (0xc46868ce),
> > > > > >> > > > >>> Data
> > > > > >> > > > >>> > length
> > > > > >> > > > >>> > 18 (0x12)
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13
> > (0xd),
> > > > > >> > > user_data_len 0
> > > > > >> > > > >>> > (0x0)
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg:
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data:
> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for
> > > > 'myusername'
> > > > > >> tty0
> > > > > >> > > from
> > > > > >> > > > >>> > 10.1.69.89 r
> > > > > >> > > > >>> > ejected
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure:
> > myusername
> > > > > >> > > 10.1.69.89
> > > > > >> > > > >>> > (10.1.69.89) t
> > > > > >> > > > >>> > ty0
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing AUTHEN/FAIL
> > > > size=18
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET: key=mykey
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192 (0xc0),
> > type
> > > > 1,
> > > > > >> seq no
> > > > > >> > > 8,
> > > > > >> > > > >>> flags
> > > > > >> > > > >>> > 0x1
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id
> 3295176910
> > > > > >> > > (0xc46868ce),
> > > > > >> > > > >>> Data
> > > > > >> > > > >>> > length
> > > > > >> > > > >>> > 6 (0x6)
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN
> status=2
> > > > > >> (AUTHEN/FAIL)
> > > > > >> > > > >>> > flags=0x0
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0,
> data_len=0
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg:
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data:
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet
> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89:
> > disconnect
> > > > > >> > > > >>> >
> > > > > >> > > > >>> >
> > > > > >> > > > >>> >
> > > > > >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley <
> > > > > >> heas at shrubbery.net
> > > > > >> > > >
> > > > > >> > > > >>> wrote:
> > > > > >> > > > >>> >
> > > > > >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu Meng:
> > > > > >> > > > >>> > > > Hi Adam,
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > If the ldapsearch -D "" -w "" runs successfully,
> > what
> > > > do we
> > > > > >> > > suppose
> > > > > >> > > > >>> to
> > > > > >> > > > >>> > > get
> > > > > >> > > > >>> > > > from the output? I just got all of the user
> > > > information in
> > > > > >> that
> > > > > >> > > > >>> group.
> > > > > >> > > > >>> > > Does
> > > > > >> > > > >>> > > > that means my password and username got
> > authenticated
> > > > > >> > > successfully
> > > > > >> > > > >>> > > against
> > > > > >> > > > >>> > > > AD?
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > This thing drives me crazy. I need solve it
> > through
> > > > this
> > > > > >> week
> > > > > >> > > > >>> before the
> > > > > >> > > > >>> > > > holiday...
> > > > > >> > > > >>> > >
> > > > > >> > > > >>> > > i havent followed this thread, as i know nearly
> zero
> > > > about
> > > > > >> ldap.
> > > > > >> > > > >>> but,
> > > > > >> > > > >>> > > have you enabled authentication debugging in the
> > tacacas
> > > > > >> daemon
> > > > > >> > > and
> > > > > >> > > > >>> > > checked the logs to determine what is coming back
> > from
> > > > pam?
> > > > > >> it
> > > > > >> > > very
> > > > > >> > > > >>> > > well may be that the ldap client is working just
> > fine,
> > > > but
> > > > > >> there
> > > > > >> > > is a
> > > > > >> > > > >>> > > pam module bug or a bug in the tacplus daemon or
> > that
> > > > your
> > > > > >> device
> > > > > >> > > > >>> > > simply doesnt like something about the replies.
> > > > > >> > > > >>> > >
> > > > > >> > > > >>> > > > Thanks a lot for the help.
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > Lou
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng <
> > > > > >> > > hailumeng at gmail.com>
> > > > > >> > > > >>> wrote:
> > > > > >> > > > >>> > > >
> > > > > >> > > > >>> > > > > Still no clue how to turn on the log. binding
> > seems
> > > > good.
> > > > > >> See
> > > > > >> > > my
> > > > > >> > > > >>> > > findings
> > > > > >> > > > >>> > > > > below. Thanks a lot.
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam <
> > > > > >> > > prozaconstilts at gmail.com>
> > > > > >> > > > >>> > > wrote:
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >> Hailu Meng wrote:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>> Adam,
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>> I tried the su - "userid" in my tacacs+
> server
> > but
> > > > I
> > > > > >> don't
> > > > > >> > > have
> > > > > >> > > > >>> that
> > > > > >> > > > >>> > > > >>> userid in CentOS. So the CentOS just don't
> > want me
> > > > log
> > > > > >> in.
> > > > > >> > > I
> > > > > >> > > > >>> think
> > > > > >> > > > >>> > > this will
> > > > > >> > > > >>> > > > >>> not ask tacacs server to authenticate
> against
> > AD.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> You shouldn't need to have to define the user
> > in
> > > > CentOS,
> > > > > >> > > that's
> > > > > >> > > > >>> the
> > > > > >> > > > >>> > > point
> > > > > >> > > > >>> > > > >> of using ldap for authentication. The user is
> > > > defined in
> > > > > >> > > ldap,
> > > > > >> > > > >>> not in
> > > > > >> > > > >>> > > > >> CentOS. Now that I think about it, su -
> <user>
> > > > probably
> > > > > >> > > wouldn't
> > > > > >> > > > >>> work
> > > > > >> > > > >>> > > > >> anyway, as AD doesn't by default have the
> data
> > > > needed by
> > > > > >> a
> > > > > >> > > linux
> > > > > >> > > > >>> box
> > > > > >> > > > >>> > > to
> > > > > >> > > > >>> > > > >> allow login...but see below for more options.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>> Is there any other way to test ldap
> > authentication
> > > > > >> against
> > > > > >> > > AD
> > > > > >> > > > >>> with
> > > > > >> > > > >>> > > the
> > > > > >> > > > >>> > > > >>> userid in AD? I tried ldapsearch. It did
> find
> > my
> > > > user
> > > > > >> id
> > > > > >> > > > >>> without
> > > > > >> > > > >>> > > problem.
> > > > > >> > > > >>> > > > >>> But I haven't found any option to try with
> > > > password and
> > > > > >> > > > >>> authenticate
> > > > > >> > > > >>> > > against
> > > > > >> > > > >>> > > > >>> AD.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> Try using -D:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> from `man ldapsearch`:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> -D binddn
> > > > > >> > > > >>> > > > >> Use the Distinguished Name binddn to bind to
> > the
> > > > LDAP
> > > > > >> > > > >>> directory.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should
> let
> > you
> > > > try
> > > > > >> to
> > > > > >> > > > >>> authenticate
> > > > > >> > > > >>> > > > >> using whatever user you want to define. Just
> > check
> > > > and
> > > > > >> > > double
> > > > > >> > > > >>> check
> > > > > >> > > > >>> > > you get
> > > > > >> > > > >>> > > > >> the right path in that dn.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc "
> > but it
> > > > just
> > > > > >> > > > >>> returned lots
> > > > > >> > > > >>> > > of
> > > > > >> > > > >>> > > > > users' information. It means successful?
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >> Do you have ldap server setup or only the
> > openldap
> > > > > >> library
> > > > > >> > > and
> > > > > >> > > > >>> > > openldap
> > > > > >> > > > >>> > > > >>> client? I don't understand why the log is
> not
> > > > turned
> > > > > >> on.
> > > > > >> > > There
> > > > > >> > > > >>> must
> > > > > >> > > > >>> > > be some
> > > > > >> > > > >>> > > > >>> debugging info in the log which can help
> solve
> > > > this
> > > > > >> issue.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> only the libs and client. You should not need
> > the
> > > > > >> server. In
> > > > > >> > > the
> > > > > >> > > > >>> > > > >> ldapsearch, you can use -d <integer> to get
> > > > debugging
> > > > > >> info
> > > > > >> > > for
> > > > > >> > > > >>> that
> > > > > >> > > > >>> > > search.
> > > > > >> > > > >>> > > > >> As before, higher number = more debug
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> If the user can authenticate, does ethereal
> > > > capture
> > > > > >> some
> > > > > >> > > > >>> packets
> > > > > >> > > > >>> > > about
> > > > > >> > > > >>> > > > >>> password verification? Right now I only see
> > the
> > > > packets
> > > > > >> > > when
> > > > > >> > > > >>> ldap
> > > > > >> > > > >>> > > search for
> > > > > >> > > > >>> > > > >>> my user id and gets results back from AD.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> Ethereal should catch all data flowing
> between
> > the
> > > > > >> client
> > > > > >> > > and
> > > > > >> > > > >>> server.
> > > > > >> > > > >>> > > If
> > > > > >> > > > >>> > > > >> you can search out the user in your AD right
> > now,
> > > > then
> > > > > >> one
> > > > > >> > > of
> > > > > >> > > > >>> two
> > > > > >> > > > >>> > > things is
> > > > > >> > > > >>> > > > >> happening:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> 1. You are performing anonymous searches. In
> > this
> > > > case,
> > > > > >> no
> > > > > >> > > > >>> username
> > > > > >> > > > >>> > > and pw
> > > > > >> > > > >>> > > > >> is provided, and your AD is happy to hand
> over
> > info
> > > > to
> > > > > >> > > anyone
> > > > > >> > > > >>> who asks
> > > > > >> > > > >>> > > for
> > > > > >> > > > >>> > > > >> it. If this is the case, you will _not_ see
> > > > > >> authentication
> > > > > >> > > > >>> > > information. The
> > > > > >> > > > >>> > > > >> following MS KB article should probably help
> > you
> > > > > >> determine
> > > > > >> > > on
> > > > > >> > > > >>> your AD
> > > > > >> > > > >>> > > if
> > > > > >> > > > >>> > > > >> anonymous queries are allowed:
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> http://support.microsoft.com/kb/320528
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> It has exact instructions for how to get it
> > going,
> > > > but
> > > > > >> you
> > > > > >> > > can
> > > > > >> > > > >>> follow
> > > > > >> > > > >>> > > > >> along with it to check your current settings
> > > > without
> > > > > >> making
> > > > > >> > > any
> > > > > >> > > > >>> > > changes.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > > I checked our setting. Permission type for
> > normal
> > > > user is
> > > > > >> > > "Read &
> > > > > >> > > > >>> > > Execute".
> > > > > >> > > > >>> > > > > I click edit to check the detail about
> > permission. I
> > > > > >> think it
> > > > > >> > > > >>> only
> > > > > >> > > > >>> > > allow the
> > > > > >> > > > >>> > > > > user to read the attributes, permission
> > something
> > > > and
> > > > > >> can't
> > > > > >> > > > >>> modify the
> > > > > >> > > > >>> > > > > AD.There is "Everyone" setting is also set as
> > "Read
> > > > &
> > > > > >> > > Execute".
> > > > > >> > > > >>> By the
> > > > > >> > > > >>> > > way,
> > > > > >> > > > >>> > > > > the AD is Win2003 R2.
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> 2. Authentication is happening. It will be
> the
> > > > _very_
> > > > > >> first
> > > > > >> > > > >>> thing the
> > > > > >> > > > >>> > > > >> client and server perform, after basic
> > connection
> > > > > >> > > establishment.
> > > > > >> > > > >>> Look
> > > > > >> > > > >>> > > for it
> > > > > >> > > > >>> > > > >> at the very beginning of a dump.
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >> Also, it's a bit overkill, but the following
> > > > article is
> > > > > >> > > > >>> extremely
> > > > > >> > > > >>> > > > >> informative about all the different ways you
> > can
> > > > plug
> > > > > >> linux
> > > > > >> > > into
> > > > > >> > > > >>> AD
> > > > > >> > > > >>> > > for
> > > > > >> > > > >>> > > > >> authentication. It might offer some hints...
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>> Maybe I need dig into ldap.conf more. If you
> > have
> > > > any
> > > > > >> idea,
> > > > > >> > > let
> > > > > >> > > > >>> me
> > > > > >> > > > >>> > > know.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>> Thank you very much.
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>> Lou
> > > > > >> > > > >>> > > > >>>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >>
> > > > > >> > > > >>> > > > >
> > > > > >> > > > >>> > > > -------------- next part --------------
> > > > > >> > > > >>> > > > An HTML attachment was scrubbed...
> > > > > >> > > > >>> > > > URL:
> > > > > >> > > > >>> > >
> > > > > >> > > > >>>
> > > > > >> > >
> > > > > >>
> > > >
> >
> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html
> > > > > >> > > > >>> > > > _______________________________________________
> > > > > >> > > > >>> > > > tac_plus mailing list
> > > > > >> > > > >>> > > > tac_plus at shrubbery.net
> > > > > >> > > > >>> > > >
> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> > > > > >> > > > >>> > >
> > > > > >> > > > >>>
> > > > > >> > > > >>
> > > > > >> > > > >>
> > > > > >> > > > >
> > > > > >> > >
> > > > > >> > -------------- next part --------------
> > > > > >> > An HTML attachment was scrubbed...
> > > > > >> > URL:
> > > > > >>
> > > >
> >
> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html
> > > > > >> > _______________________________________________
> > > > > >> > tac_plus mailing list
> > > > > >> > tac_plus at shrubbery.net
> > > > > >> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> > > > > >>
> > > > > >>
> > > > > >>
> > > >
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/a877fda6/attachment.html
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/21278ca0/attachment.html
More information about the tac_plus
mailing list