[tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory

Hailu Meng hailumeng at gmail.com
Tue Nov 24 19:19:56 UTC 2009


Right. That makes sense for small group. tac_plus did work for me by
authenticating user by the setting of in tac_plus.conf. But I want to have
more flexibility with AD authentication ability.

I'm going through all the documentations about pam and pam_ldap right now.
Hope I will have more clear understanding about the current configuration.
Thanks for the help.

Lou

On Tue, Nov 24, 2009 at 12:53 PM, Tom Murch <tmurch at toniccomputers.com>wrote:

> I use tac_pls for cisco routers and pro curve switches. However I do not
> authenticate against the AD as its only 4 people who need access so I keep
> it all in a flat file.
>
> On Tue, Nov 24, 2009 at 1:21 PM, Hailu Meng <hailumeng at gmail.com> wrote:
>
>> Hi Tom,
>>
>> Thanks for pointing me another way. I haven't tried that yet. Not sure
>> tac_plus will work with these functions or not. Have you tried to deploy
>> this for cisco routers and switches?
>>
>> Thanks.
>>
>> Lou
>>
>> On Tue, Nov 24, 2009 at 12:08 PM, Tom Murch <tmurch at toniccomputers.com>wrote:
>>
>>> now im not an expert on this however I do run a samba server which pulls
>>> the user names from my AD controller. Have you tried using winbind plus pam
>>> for the AD authentication ??
>>>
>>> http://wiki.samba.org/index.php/Samba_&_Active_Directory I used this for
>>> my samba install but you could get the idea of how winbind and Kerberos
>>> would work. It might give you more luck
>>>
>>> On Tue, Nov 24, 2009 at 12:56 PM, Hailu Meng <hailumeng at gmail.com>wrote:
>>>
>>>> John,
>>>>
>>>> I checked my tac_plus configuration for PAM module. the file
>>>> /etc/pam.d/tac_plus. The current configuration is shown below:
>>>> As you suggest I need put pam_ldap.so on the first row for every
>>>> auth,account,password and session, right?
>>>>
>>>> *******************************************************************
>>>> auth        required      pam_env.so
>>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>>> auth        sufficient    pam_ldap.so use_first_pass
>>>> auth        required      pam_deny.so
>>>>
>>>> account     required      pam_unix.so broken_shadow
>>>> account     sufficient    pam_localuser.so
>>>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>>>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>> account     required      pam_permit.so
>>>>
>>>> password    requisite     pam_cracklib.so try_first_pass retry=3
>>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
>>>> use_authtok
>>>> password    sufficient    pam_ldap.so use_authtok
>>>> password    required      pam_deny.so
>>>>
>>>> session     optional      pam_keyinit.so revoke
>>>> session     required      pam_limits.so
>>>> session     [success=1 default=ignore] pam_succeed_if.so service in
>>>> crond
>>>> quiet use_uid
>>>> session     required      pam_unix.so
>>>> session     optional      pam_ldap.so
>>>>
>>>>
>>>> On Tue, Nov 24, 2009 at 11:36 AM, john heasley <heas at shrubbery.net>
>>>> wrote:
>>>>
>>>> > Tue, Nov 24, 2009 at 11:05:59AM -0600, Hailu Meng:
>>>> > > It makes sense. nsswitch.conf should be for like local login not for
>>>> > tacacs.
>>>> > > Thanks John to point it out. I'm such a rookie to these things. Just
>>>> > > followed some guides and combine them here. Need study more.
>>>> >
>>>> > well, it depends upon what modules you use in your tacacs PAM config;
>>>> ie:
>>>> > if you have something like 'require unix_account' (WAG) that requires
>>>> that
>>>> > the login exist in /etc/passwd (or more precisely get_pwent(3) or
>>>> similar),
>>>> > then /etc/nsswitch.conf might affect it.  BUT, that means that for
>>>> you,
>>>> > 'require unix_account' is a misconfiguration of the tacacs PAM config.
>>>> >  that
>>>> > is should be something like 'require ldap_account'.
>>>> >
>>>> >
>>>> > > Lou
>>>> > >
>>>> > > On Tue, Nov 24, 2009 at 10:24 AM, john heasley <heas at shrubbery.net>
>>>> > wrote:
>>>> > >
>>>> > > > Tue, Nov 24, 2009 at 11:11:57AM +0100, Jeroen Nijhof:
>>>> > > > >
>>>> > > > > Hi Lou,
>>>> > > > >
>>>> > > > > Yes, most server application's check if a user exist by looking
>>>> up
>>>> > the
>>>> > > > > uid via nss before doing any authentication (i.e. sshd).
>>>> > > > >
>>>> > > > > Regards,
>>>> > > > > Jeroen
>>>> > > > >
>>>> > > > > Op 23/11/2009 schreef "Hailu Meng" <hailumeng at gmail.com>:
>>>> > > > >
>>>> > > > > >Hi Jeroen,
>>>> > > > > >
>>>> > > > > >Thanks for helping. I modified the nssswitch.conf as below:
>>>> > > > > >passwd:     files ldap
>>>> > > > > >shadow:     files ldap
>>>> > > > > >group:      files ldap
>>>> > > > > >
>>>> > > > > >And leave the other settings as default.
>>>> > > > > >
>>>> > > > > >the user attributes you are talking about are the attributes
>>>> > retrieving
>>>> > > > from
>>>> > > > > >AD? I do see the packets from AD server told my tacacs+ server
>>>> the
>>>> > user
>>>> > > > > >attributes including homedir.
>>>> > > >
>>>> > > > i would not expect this to affect tacacs, unless you have
>>>> something in
>>>> > your
>>>> > > > pam config that requires it.  ie: nsswitch.conf should control
>>>> auth for
>>>> > the
>>>> > > > host (eg: /sbin/login), tacacs is separate.
>>>> > > >
>>>> > > > > >Thanks.
>>>> > > > > >
>>>> > > > > >Lou
>>>> > > > > >
>>>> > > > > >
>>>> > > > > >On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof <
>>>> jeroen at nijhofnet.nl
>>>> > >
>>>> > > > wrote:
>>>> > > > > >
>>>> > > > > >> Hi,
>>>> > > > > >>
>>>> > > > > >> Did you setup the nsswitch.conf as well on your tac_plus
>>>> server?
>>>> > > > > >> Your tac_plus server needs to lookup the user attributes like
>>>> > homedir
>>>> > > > > >> etc, otherwise pam will fail.
>>>> > > > > >>
>>>> > > > > >> Regards,
>>>> > > > > >> Jeroen Nijhof
>>>> > > > > >>
>>>> > > > > >> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
>>>> > > > > >> > Ok. With -d 32, I got some more info about pam as red color
>>>> log.
>>>> > > > > >> >
>>>> > > > > >> > There is "Unknown user" log info following the input of my
>>>> user
>>>> > > > password.
>>>> > > > > >> > Feel confused since ldap is able to get user info from
>>>> Active
>>>> > > > directory,
>>>> > > > > >> why
>>>> > > > > >> > it turns out "Unknown user" here.
>>>> > > > > >> >
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT size=23
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type
>>>> 1, seq
>>>> > no
>>>> > > > 3,
>>>> > > > > >> flags
>>>> > > > > >> > 0x1
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252
>>>> > (0xbe977644),
>>>> > > > Data
>>>> > > > > >> > length 11 (0xb)
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End header
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6),
>>>> > user_data_len
>>>> > > > 0
>>>> > > > > >> (0x0)
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: User msg:
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: myusername
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: User data:
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose
>>>> default_fn
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Calling authentication
>>>> function
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1
>>>> > pam_messages
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89 tty0:
>>>> > > > > >> PAM_PROMPT_ECHO_OFF
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Writing AUTHEN/GETPASS
>>>> size=28
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0), type
>>>> 1, seq
>>>> > no
>>>> > > > 4,
>>>> > > > > >> flags
>>>> > > > > >> > 0x1
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252
>>>> > (0xbe977644),
>>>> > > > Data
>>>> > > > > >> > length 16 (0x10)
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End header
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5
>>>> > > > (AUTHEN/GETPASS)
>>>> > > > > >> > flags=0x1
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10, data_len=0
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: msg:
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Password:
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: data:
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
>>>> > > > > >> > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
>>>> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT size=30
>>>> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
>>>> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0), type
>>>> 1, seq
>>>> > no
>>>> > > > 5,
>>>> > > > > >> flags
>>>> > > > > >> > 0x1
>>>> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252
>>>> > (0xbe977644),
>>>> > > > Data
>>>> > > > > >> > length 18 (0x12)
>>>> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: End header
>>>> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
>>>> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13 (0xd),
>>>> > > > user_data_len 0
>>>> > > > > >> > (0x0)
>>>> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
>>>> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: User msg:
>>>> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: mypassword
>>>> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: User data:
>>>> > > > > >> > Mon Nov 23 15:21:21 2009 [3806]: End packet
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: Unknown user
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: login query for
>>>> 'myusername'
>>>> > tty0
>>>> > > > from
>>>> > > > > >> > 10.1.69.89 rejected
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: login failure:
>>>> > myusername10.1.69.89
>>>> > > > > >> > (10.1.69.89) tty0
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL
>>>> size=18
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0), type
>>>> 1, seq
>>>> > no
>>>> > > > 6,
>>>> > > > > >> flags
>>>> > > > > >> > 0x1
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252
>>>> > (0xbe977644),
>>>> > > > Data
>>>> > > > > >> > length 6 (0x6)
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: End header
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2
>>>> > (AUTHEN/FAIL)
>>>> > > > > >> > flags=0x0
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: msg:
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: data:
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: End packet
>>>> > > > > >> > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89: disconnect
>>>> > > > > >> >
>>>> > > > > >> >
>>>> > > > > >> > On Mon, Nov 23, 2009 at 3:16 PM, john heasley <
>>>> > heas at shrubbery.net>
>>>> > > > > >> wrote:
>>>> > > > > >> >
>>>> > > > > >> > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
>>>> > > > > >> > > > I just saw some posts saying pam_krb winbind could be
>>>> needed
>>>> > to
>>>> > > > get
>>>> > > > > >> pam
>>>> > > > > >> > > work
>>>> > > > > >> > > > against active directory. Is this true? The post I was
>>>> > following
>>>> > > > > >> actually
>>>> > > > > >> > > is
>>>> > > > > >> > > > for a LDAP server not Active Directory.
>>>> > > > > >> > >
>>>> > > > > >> > > i dont know; each pam implementation seems to be [at
>>>> least]
>>>> > > > slightly
>>>> > > > > >> > > different.  seems silly to need kerberos for ldap.
>>>> > > > > >> > >
>>>> > > > > >> > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng <
>>>> > > > hailumeng at gmail.com>
>>>> > > > > >> wrote:
>>>> > > > > >> > > >
>>>> > > > > >> > > > > I think I need put my pam configuration here:
>>>> > > > > >> > > > >
>>>> > > > > >> > > > > I followed this post
>>>> > > > > >> > > > >
>>>> > > > > >>
>>>> > > >
>>>> http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.htmlto
>>>> > > > > >> > > > > configure my pam module:
>>>> > > > > >> > > > >
>>>> > > > > >> > > > > /etc/pam.d/tacacs
>>>> > > > > >> > > > >
>>>> > > > > >> > > > > auth       include      system-auth
>>>> > > > > >> > > > > account    required     pam_nologin.so
>>>> > > > > >> > > > > account    include      system-auth
>>>> > > > > >> > > > > password   include      system-auth
>>>> > > > > >> > > > > session    optional     pam_keyinit.so force revoke
>>>> > > > > >> > > > > session    include      system-auth
>>>> > > > > >> > > > > session    required     pam_loginuid.so
>>>> > > > > >> > > > >
>>>> > > > > >> > > > > /etc/pam.d/system-auth
>>>> > > > > >> > > > > #%PAM-1.0
>>>> > > > > >> > > > > # This file is auto-generated.
>>>> > > > > >> > > > > # User changes will be destroyed the next time
>>>> authconfig
>>>> > is
>>>> > > > run.
>>>> > > > > >> > > > > auth        required      pam_env.so
>>>> > > > > >> > > > > auth        sufficient    pam_unix.so nullok
>>>> > try_first_pass
>>>> > > > > >> > > > > auth        requisite     pam_succeed_if.so uid >=
>>>> 500
>>>> > quiet
>>>> > > > > >> > > > > auth        sufficient    pam_ldap.so use_first_pass
>>>> > > > > >> > > > > auth        required      pam_deny.so
>>>> > > > > >> > > > >
>>>> > > > > >> > > > > account     required      pam_unix.so broken_shadow
>>>> > > > > >> > > > > account     sufficient    pam_succeed_if.so uid < 500
>>>> > quiet
>>>> > > > > >> > > > >
>>>> > > > > >> > > > > account     [default=bad success=ok
>>>> user_unknown=ignore]
>>>> > > > > >> pam_ldap.so
>>>> > > > > >> > > > > account     required      pam_permit.so
>>>> > > > > >> > > > >
>>>> > > > > >> > > > > password    requisite     pam_cracklib.so
>>>> try_first_pass
>>>> > > > retry=3
>>>> > > > > >> > > > > password    sufficient    pam_unix.so md5 shadow
>>>> nullok
>>>> > > > > >> try_first_pass
>>>> > > > > >> > > > > use_authtok
>>>> > > > > >> > > > > password    sufficient    pam_ldap.so use_authtok
>>>> > > > > >> > > > > password    required      pam_deny.so
>>>> > > > > >> > > > >
>>>> > > > > >> > > > > session     optional      pam_keyinit.so revoke
>>>> > > > > >> > > > > session     required      pam_limits.so
>>>> > > > > >> > > > > session     [success=1 default=ignore]
>>>> pam_succeed_if.so
>>>> > > > service in
>>>> > > > > >> > > crond
>>>> > > > > >> > > > > quiet use_uid
>>>> > > > > >> > > > > session     required      pam_unix.so
>>>> > > > > >> > > > > session     optional      pam_ldap.so
>>>> > > > > >> > > > >
>>>> > > > > >> > > > >
>>>> > > > > >> > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <
>>>> > > > hailumeng at gmail.com>
>>>> > > > > >> > > wrote:
>>>> > > > > >> > > > >
>>>> > > > > >> > > > >> Hi John,
>>>> > > > > >> > > > >>
>>>> > > > > >> > > > >> You mean issue commands like tac_plus -C
>>>> > /etct/tac_plus.conf
>>>> > > > -L -p
>>>> > > > > >> 49
>>>> > > > > >> > > -d
>>>> > > > > >> > > > >> 16 -d 256 -g ? -d 16 -d 256 side by side? It didn't
>>>> make
>>>> > any
>>>> > > > > >> change. I
>>>> > > > > >> > > got
>>>> > > > > >> > > > >> same log info. By the way, I also saw the log info
>>>> in
>>>> > > > > >> > > /var/log/message:
>>>> > > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading config
>>>> > > > > >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version
>>>> F4.0.4.19
>>>> > > > Initialized
>>>> > > > > >> 1
>>>> > > > > >> > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect from
>>>> > 10.1.69.89
>>>> > > > > >> > > [10.1.69.89]
>>>> > > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query for
>>>> > 'myuser'
>>>> > > > tty0
>>>> > > > > >> from
>>>> > > > > >> > > > >> 10.1.69.89 rejected
>>>> > > > > >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login failure:
>>>> myuser
>>>> > > > > >> 10.1.69.89
>>>> > > > > >> > > > >> (10.1.69.89) tty0
>>>> > > > > >> > > > >>
>>>> > > > > >> > > > >> Do we have option to see the log about PAM? I
>>>> haven't
>>>> > found
>>>> > > > where
>>>> > > > > >> it
>>>> > > > > >> > > is.
>>>> > > > > >> > > > >> if we can check the log of PAM, then we could find
>>>> > something
>>>> > > > > >> useful.
>>>> > > > > >> > > Right
>>>> > > > > >> > > > >> now the log of tac_plus didn't tell too much about
>>>> why
>>>> > login
>>>> > > > got
>>>> > > > > >> > > failure.
>>>> > > > > >> > >
>>>> > > > > >> > > add -d 32.  -d x -d y ... will be logically OR'd
>>>> together.
>>>> > > > > >> > >
>>>> > > > > >> > > > >> Lou
>>>> > > > > >> > > > >>
>>>> > > > > >> > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley <
>>>> > > > heas at shrubbery.net
>>>> > > > > >> >
>>>> > > > > >> > > wrote:
>>>> > > > > >> > > > >>
>>>> > > > > >> > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu Meng:
>>>> > > > > >> > > > >>> > Thanks John for helping me check this issue.
>>>> > > > > >> > > > >>> >
>>>> > > > > >> > > > >>> > I just run tac_plus -C /path/to/tac_plus.conf -L
>>>> -p 49
>>>> > > > -d256 -g
>>>> > > > > >> to
>>>> > > > > >> > > see
>>>> > > > > >> > > > >>> the
>>>> > > > > >> > > > >>>
>>>> > > > > >> > > > >>> try -d 16 -d 256.  which i think will log the pwd
>>>> that
>>>> > pam
>>>> > > > > >> received
>>>> > > > > >> > > from
>>>> > > > > >> > > > >>> the device.  make its correct.  the logs below do
>>>> appear
>>>> > to
>>>> > > > be a
>>>> > > > > >> > > > >>> reject/fail
>>>> > > > > >> > > > >>> returned from pam.
>>>> > > > > >> > > > >>>
>>>> > > > > >> > > > >>> > log in stdout and in log file. I can't see any
>>>> > suspicious
>>>> > > > log
>>>> > > > > >> > > > >>> information
>>>> > > > > >> > > > >>> > here. I paste the log below:
>>>> > > > > >> > > > >>> >
>>>> > > > > >> > > > >>> >
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for
>>>> packet
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read AUTHEN/CONT
>>>> > size=23
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET:
>>>> key=mykey
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192
>>>> (0xc0),
>>>> > type
>>>> > > > 1,
>>>> > > > > >> seq no
>>>> > > > > >> > > 5,
>>>> > > > > >> > > > >>> flags
>>>> > > > > >> > > > >>> > 0x1
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id
>>>> 3295176910
>>>> > > > > >> > > (0xc46868ce),
>>>> > > > > >> > > > >>> Data
>>>> > > > > >> > > > >>> > length
>>>> > > > > >> > > > >>> >  11 (0xb)
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN/CONT
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: user_msg_len 6
>>>> (0x6),
>>>> > > > > >> > > user_data_len 0
>>>> > > > > >> > > > >>> (0x0)
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg:
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data:
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: choose_authen
>>>> chose
>>>> > > > default_fn
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling
>>>> > authentication
>>>> > > > > >> function
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing
>>>> > AUTHEN/GETPASS
>>>> > > > size=28
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET:
>>>> key=mykey
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192
>>>> (0xc0),
>>>> > type
>>>> > > > 1,
>>>> > > > > >> seq no
>>>> > > > > >> > > 6,
>>>> > > > > >> > > > >>> flags
>>>> > > > > >> > > > >>> > 0x1
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id
>>>> 3295176910
>>>> > > > > >> > > (0xc46868ce),
>>>> > > > > >> > > > >>> Data
>>>> > > > > >> > > > >>> > length
>>>> > > > > >> > > > >>> >  16 (0x10)
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN
>>>> status=5
>>>> > > > > >> > > (AUTHEN/GETPASS)
>>>> > > > > >> > > > >>> > flags=0x1
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10,
>>>> > data_len=0
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg:
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password:
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data:
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for
>>>> packet
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read AUTHEN/CONT
>>>> > size=30
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET:
>>>> key=mykey
>>>> > > > > >> > > > >>>
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192
>>>> (0xc0),
>>>> > type
>>>> > > > 1,
>>>> > > > > >> seq no
>>>> > > > > >> > > 7,
>>>> > > > > >> > > > >>> flags
>>>> > > > > >> > > > >>> > 0x1
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id
>>>> 3295176910
>>>> > > > > >> > > (0xc46868ce),
>>>> > > > > >> > > > >>> Data
>>>> > > > > >> > > > >>> > length
>>>> > > > > >> > > > >>> >  18 (0x12)
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: type=AUTHEN/CONT
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: user_msg_len 13
>>>> > (0xd),
>>>> > > > > >> > > user_data_len 0
>>>> > > > > >> > > > >>> > (0x0)
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg:
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data:
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query for
>>>> > > > 'myusername'
>>>> > > > > >> tty0
>>>> > > > > >> > > from
>>>> > > > > >> > > > >>> > 10.1.69.89 r
>>>> > > > > >> > > > >>> > ejected
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login failure:
>>>> > myusername
>>>> > > > > >> > > 10.1.69.89
>>>> > > > > >> > > > >>> > (10.1.69.89) t
>>>> > > > > >> > > > >>> > ty0
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing
>>>> AUTHEN/FAIL
>>>> > > > size=18
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET:
>>>> key=mykey
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192
>>>> (0xc0),
>>>> > type
>>>> > > > 1,
>>>> > > > > >> seq no
>>>> > > > > >> > > 8,
>>>> > > > > >> > > > >>> flags
>>>> > > > > >> > > > >>> > 0x1
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id
>>>> 3295176910
>>>> > > > > >> > > (0xc46868ce),
>>>> > > > > >> > > > >>> Data
>>>> > > > > >> > > > >>> > length
>>>> > > > > >> > > > >>> >  6 (0x6)
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN
>>>> status=2
>>>> > > > > >> (AUTHEN/FAIL)
>>>> > > > > >> > > > >>> > flags=0x0
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0,
>>>> data_len=0
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg:
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data:
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet
>>>> > > > > >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89:
>>>> > disconnect
>>>> > > > > >> > > > >>> >
>>>> > > > > >> > > > >>> >
>>>> > > > > >> > > > >>> >
>>>> > > > > >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john heasley <
>>>> > > > > >> heas at shrubbery.net
>>>> > > > > >> > > >
>>>> > > > > >> > > > >>> wrote:
>>>> > > > > >> > > > >>> >
>>>> > > > > >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600, Hailu
>>>> Meng:
>>>> > > > > >> > > > >>> > > > Hi Adam,
>>>> > > > > >> > > > >>> > > >
>>>> > > > > >> > > > >>> > > > If the ldapsearch -D "" -w "" runs
>>>> successfully,
>>>> > what
>>>> > > > do we
>>>> > > > > >> > > suppose
>>>> > > > > >> > > > >>> to
>>>> > > > > >> > > > >>> > > get
>>>> > > > > >> > > > >>> > > > from the output? I just got all of the user
>>>> > > > information in
>>>> > > > > >> that
>>>> > > > > >> > > > >>> group.
>>>> > > > > >> > > > >>> > > Does
>>>> > > > > >> > > > >>> > > > that means my password and username got
>>>> > authenticated
>>>> > > > > >> > > successfully
>>>> > > > > >> > > > >>> > > against
>>>> > > > > >> > > > >>> > > > AD?
>>>> > > > > >> > > > >>> > > >
>>>> > > > > >> > > > >>> > > > This thing drives me crazy. I need solve it
>>>> > through
>>>> > > > this
>>>> > > > > >> week
>>>> > > > > >> > > > >>> before the
>>>> > > > > >> > > > >>> > > > holiday...
>>>> > > > > >> > > > >>> > >
>>>> > > > > >> > > > >>> > > i havent followed this thread, as i know nearly
>>>> zero
>>>> > > > about
>>>> > > > > >> ldap.
>>>> > > > > >> > > > >>>  but,
>>>> > > > > >> > > > >>> > > have you enabled authentication debugging in
>>>> the
>>>> > tacacas
>>>> > > > > >> daemon
>>>> > > > > >> > > and
>>>> > > > > >> > > > >>> > > checked the logs to determine what is coming
>>>> back
>>>> > from
>>>> > > > pam?
>>>> > > > > >>  it
>>>> > > > > >> > > very
>>>> > > > > >> > > > >>> > > well may be that the ldap client is working
>>>> just
>>>> > fine,
>>>> > > > but
>>>> > > > > >> there
>>>> > > > > >> > > is a
>>>> > > > > >> > > > >>> > > pam module bug or a bug in the tacplus daemon
>>>> or
>>>> > that
>>>> > > > your
>>>> > > > > >> device
>>>> > > > > >> > > > >>> > > simply doesnt like something about the replies.
>>>> > > > > >> > > > >>> > >
>>>> > > > > >> > > > >>> > > > Thanks a lot for the help.
>>>> > > > > >> > > > >>> > > >
>>>> > > > > >> > > > >>> > > > Lou
>>>> > > > > >> > > > >>> > > >
>>>> > > > > >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu Meng <
>>>> > > > > >> > > hailumeng at gmail.com>
>>>> > > > > >> > > > >>> wrote:
>>>> > > > > >> > > > >>> > > >
>>>> > > > > >> > > > >>> > > > > Still no clue how to turn on the log.
>>>> binding
>>>> > seems
>>>> > > > good.
>>>> > > > > >> See
>>>> > > > > >> > > my
>>>> > > > > >> > > > >>> > > findings
>>>> > > > > >> > > > >>> > > > > below. Thanks a lot.
>>>> > > > > >> > > > >>> > > > >
>>>> > > > > >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam <
>>>> > > > > >> > > prozaconstilts at gmail.com>
>>>> > > > > >> > > > >>> > > wrote:
>>>> > > > > >> > > > >>> > > > >
>>>> > > > > >> > > > >>> > > > >> Hailu Meng wrote:
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>> Adam,
>>>> > > > > >> > > > >>> > > > >>>
>>>> > > > > >> > > > >>> > > > >>> I tried the su - "userid" in my tacacs+
>>>> server
>>>> > but
>>>> > > > I
>>>> > > > > >> don't
>>>> > > > > >> > > have
>>>> > > > > >> > > > >>> that
>>>> > > > > >> > > > >>> > > > >>> userid in CentOS. So the CentOS just
>>>> don't
>>>> > want me
>>>> > > > log
>>>> > > > > >> in.
>>>> > > > > >> > > I
>>>> > > > > >> > > > >>> think
>>>> > > > > >> > > > >>> > > this will
>>>> > > > > >> > > > >>> > > > >>> not ask tacacs server to authenticate
>>>> against
>>>> > AD.
>>>> > > > > >> > > > >>> > > > >>>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >> You shouldn't need to have to define the
>>>> user
>>>> > in
>>>> > > > CentOS,
>>>> > > > > >> > > that's
>>>> > > > > >> > > > >>> the
>>>> > > > > >> > > > >>> > > point
>>>> > > > > >> > > > >>> > > > >> of using ldap for authentication. The user
>>>> is
>>>> > > > defined in
>>>> > > > > >> > > ldap,
>>>> > > > > >> > > > >>> not in
>>>> > > > > >> > > > >>> > > > >> CentOS. Now that I think about it, su -
>>>> <user>
>>>> > > > probably
>>>> > > > > >> > > wouldn't
>>>> > > > > >> > > > >>> work
>>>> > > > > >> > > > >>> > > > >> anyway, as AD doesn't by default have the
>>>> data
>>>> > > > needed by
>>>> > > > > >> a
>>>> > > > > >> > > linux
>>>> > > > > >> > > > >>> box
>>>> > > > > >> > > > >>> > > to
>>>> > > > > >> > > > >>> > > > >> allow login...but see below for more
>>>> options.
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>> Is there any other way to test ldap
>>>> > authentication
>>>> > > > > >> against
>>>> > > > > >> > > AD
>>>> > > > > >> > > > >>> with
>>>> > > > > >> > > > >>> > > the
>>>> > > > > >> > > > >>> > > > >>> userid in AD? I tried ldapsearch. It did
>>>> find
>>>> > my
>>>> > > > user
>>>> > > > > >> id
>>>> > > > > >> > > > >>> without
>>>> > > > > >> > > > >>> > > problem.
>>>> > > > > >> > > > >>> > > > >>> But I haven't found any option to try
>>>> with
>>>> > > > password and
>>>> > > > > >> > > > >>> authenticate
>>>> > > > > >> > > > >>> > > against
>>>> > > > > >> > > > >>> > > > >>> AD.
>>>> > > > > >> > > > >>> > > > >>>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >> Try using -D:
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >> from `man ldapsearch`:
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >> -D binddn
>>>> > > > > >> > > > >>> > > > >>  Use the Distinguished Name binddn to bind
>>>> to
>>>> > the
>>>> > > > LDAP
>>>> > > > > >> > > > >>> directory.
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc should
>>>> let
>>>> > you
>>>> > > > try
>>>> > > > > >> to
>>>> > > > > >> > > > >>> authenticate
>>>> > > > > >> > > > >>> > > > >> using whatever user you want to define.
>>>> Just
>>>> > check
>>>> > > > and
>>>> > > > > >> > > double
>>>> > > > > >> > > > >>> check
>>>> > > > > >> > > > >>> > > you get
>>>> > > > > >> > > > >>> > > > >> the right path in that dn.
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >> I tried -D " cn=username,ou=my_ou,dc=my_dc
>>>> "
>>>> > but it
>>>> > > > just
>>>> > > > > >> > > > >>> returned lots
>>>> > > > > >> > > > >>> > > of
>>>> > > > > >> > > > >>> > > > > users' information. It means successful?
>>>> > > > > >> > > > >>> > > > >
>>>> > > > > >> > > > >>> > > > >
>>>> > > > > >> > > > >>> > > > >>  Do you have ldap server setup or only the
>>>> > openldap
>>>> > > > > >> library
>>>> > > > > >> > > and
>>>> > > > > >> > > > >>> > > openldap
>>>> > > > > >> > > > >>> > > > >>> client? I don't understand why the log is
>>>> not
>>>> > > > turned
>>>> > > > > >> on.
>>>> > > > > >> > > There
>>>> > > > > >> > > > >>> must
>>>> > > > > >> > > > >>> > > be some
>>>> > > > > >> > > > >>> > > > >>> debugging info in the log which can help
>>>> solve
>>>> > > > this
>>>> > > > > >> issue.
>>>> > > > > >> > > > >>> > > > >>>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >> only the libs and client. You should not
>>>> need
>>>> > the
>>>> > > > > >> server. In
>>>> > > > > >> > > the
>>>> > > > > >> > > > >>> > > > >> ldapsearch, you can use -d <integer> to
>>>> get
>>>> > > > debugging
>>>> > > > > >> info
>>>> > > > > >> > > for
>>>> > > > > >> > > > >>> that
>>>> > > > > >> > > > >>> > > search.
>>>> > > > > >> > > > >>> > > > >> As before, higher number = more debug
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>  If the user can authenticate, does
>>>> ethereal
>>>> > > > capture
>>>> > > > > >> some
>>>> > > > > >> > > > >>> packets
>>>> > > > > >> > > > >>> > > about
>>>> > > > > >> > > > >>> > > > >>> password verification? Right now I only
>>>> see
>>>> > the
>>>> > > > packets
>>>> > > > > >> > > when
>>>> > > > > >> > > > >>> ldap
>>>> > > > > >> > > > >>> > > search for
>>>> > > > > >> > > > >>> > > > >>> my user id and gets results back from AD.
>>>> > > > > >> > > > >>> > > > >>>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >> Ethereal should catch all data flowing
>>>> between
>>>> > the
>>>> > > > > >> client
>>>> > > > > >> > > and
>>>> > > > > >> > > > >>> server.
>>>> > > > > >> > > > >>> > > If
>>>> > > > > >> > > > >>> > > > >> you can search out the user in your AD
>>>> right
>>>> > now,
>>>> > > > then
>>>> > > > > >> one
>>>> > > > > >> > > of
>>>> > > > > >> > > > >>> two
>>>> > > > > >> > > > >>> > > things is
>>>> > > > > >> > > > >>> > > > >> happening:
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >> 1. You are performing anonymous searches.
>>>> In
>>>> > this
>>>> > > > case,
>>>> > > > > >> no
>>>> > > > > >> > > > >>> username
>>>> > > > > >> > > > >>> > > and pw
>>>> > > > > >> > > > >>> > > > >> is provided, and your AD is happy to hand
>>>> over
>>>> > info
>>>> > > > to
>>>> > > > > >> > > anyone
>>>> > > > > >> > > > >>> who asks
>>>> > > > > >> > > > >>> > > for
>>>> > > > > >> > > > >>> > > > >> it. If this is the case, you will _not_
>>>> see
>>>> > > > > >> authentication
>>>> > > > > >> > > > >>> > > information. The
>>>> > > > > >> > > > >>> > > > >> following MS KB article should probably
>>>> help
>>>> > you
>>>> > > > > >> determine
>>>> > > > > >> > > on
>>>> > > > > >> > > > >>> your AD
>>>> > > > > >> > > > >>> > > if
>>>> > > > > >> > > > >>> > > > >> anonymous queries are allowed:
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >> http://support.microsoft.com/kb/320528
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >> It has exact instructions for how to get
>>>> it
>>>> > going,
>>>> > > > but
>>>> > > > > >> you
>>>> > > > > >> > > can
>>>> > > > > >> > > > >>> follow
>>>> > > > > >> > > > >>> > > > >> along with it to check your current
>>>> settings
>>>> > > > without
>>>> > > > > >> making
>>>> > > > > >> > > any
>>>> > > > > >> > > > >>> > > changes.
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >
>>>> > > > > >> > > > >>> > > > > I checked our setting. Permission type for
>>>> > normal
>>>> > > > user is
>>>> > > > > >> > > "Read &
>>>> > > > > >> > > > >>> > > Execute".
>>>> > > > > >> > > > >>> > > > > I click edit to check the detail about
>>>> > permission. I
>>>> > > > > >> think it
>>>> > > > > >> > > > >>> only
>>>> > > > > >> > > > >>> > > allow the
>>>> > > > > >> > > > >>> > > > > user to read the attributes, permission
>>>> > something
>>>> > > > and
>>>> > > > > >> can't
>>>> > > > > >> > > > >>> modify the
>>>> > > > > >> > > > >>> > > > > AD.There is "Everyone" setting is also set
>>>> as
>>>> > "Read
>>>> > > > &
>>>> > > > > >> > > Execute".
>>>> > > > > >> > > > >>> By the
>>>> > > > > >> > > > >>> > > way,
>>>> > > > > >> > > > >>> > > > > the AD is Win2003 R2.
>>>> > > > > >> > > > >>> > > > >
>>>> > > > > >> > > > >>> > > > >
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >> 2. Authentication is happening. It will be
>>>> the
>>>> > > > _very_
>>>> > > > > >> first
>>>> > > > > >> > > > >>> thing the
>>>> > > > > >> > > > >>> > > > >> client and server perform, after basic
>>>> > connection
>>>> > > > > >> > > establishment.
>>>> > > > > >> > > > >>> Look
>>>> > > > > >> > > > >>> > > for it
>>>> > > > > >> > > > >>> > > > >> at the very beginning of a dump.
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >> Also, it's a bit overkill, but the
>>>> following
>>>> > > > article is
>>>> > > > > >> > > > >>> extremely
>>>> > > > > >> > > > >>> > > > >> informative about all the different ways
>>>> you
>>>> > can
>>>> > > > plug
>>>> > > > > >> linux
>>>> > > > > >> > > into
>>>> > > > > >> > > > >>> AD
>>>> > > > > >> > > > >>> > > for
>>>> > > > > >> > > > >>> > > > >> authentication. It might offer some
>>>> hints...
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>> Maybe I need dig into ldap.conf more. If
>>>> you
>>>> > have
>>>> > > > any
>>>> > > > > >> idea,
>>>> > > > > >> > > let
>>>> > > > > >> > > > >>> me
>>>> > > > > >> > > > >>> > > know.
>>>> > > > > >> > > > >>> > > > >>>
>>>> > > > > >> > > > >>> > > > >>> Thank you very much.
>>>> > > > > >> > > > >>> > > > >>>
>>>> > > > > >> > > > >>> > > > >>> Lou
>>>> > > > > >> > > > >>> > > > >>>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >>
>>>> > > > > >> > > > >>> > > > >
>>>> > > > > >> > > > >>> > > > -------------- next part --------------
>>>> > > > > >> > > > >>> > > > An HTML attachment was scrubbed...
>>>> > > > > >> > > > >>> > > > URL:
>>>> > > > > >> > > > >>> > >
>>>> > > > > >> > > > >>>
>>>> > > > > >> > >
>>>> > > > > >>
>>>> > > >
>>>> >
>>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html
>>>> > > > > >> > > > >>> > > >
>>>> _______________________________________________
>>>> > > > > >> > > > >>> > > > tac_plus mailing list
>>>> > > > > >> > > > >>> > > > tac_plus at shrubbery.net
>>>> > > > > >> > > > >>> > > >
>>>> > > > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>>>> > > > > >> > > > >>> > >
>>>> > > > > >> > > > >>>
>>>> > > > > >> > > > >>
>>>> > > > > >> > > > >>
>>>> > > > > >> > > > >
>>>> > > > > >> > >
>>>> > > > > >> > -------------- next part --------------
>>>> > > > > >> > An HTML attachment was scrubbed...
>>>> > > > > >> > URL:
>>>> > > > > >>
>>>> > > >
>>>> >
>>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html
>>>> > > > > >> > _______________________________________________
>>>> > > > > >> > tac_plus mailing list
>>>> > > > > >> > tac_plus at shrubbery.net
>>>> > > > > >> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>>>> > > > > >>
>>>> > > > > >>
>>>> > > > > >>
>>>> > > >
>>>> >
>>>> -------------- next part --------------
>>>> An HTML attachment was scrubbed...
>>>> URL:
>>>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/a877fda6/attachment.html
>>>>
>>>> _______________________________________________
>>>> tac_plus mailing list
>>>> tac_plus at shrubbery.net
>>>> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>>>>
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/38a5ed4d/attachment.html 


More information about the tac_plus mailing list