[tac_plus] Re: Issue with Cisco switch authentication against Microsoft Active Directory
Tom Murch
tmurch at toniccomputers.com
Tue Nov 24 20:20:33 UTC 2009
Jeroen is correct it does not appear that you are even pulling from the AD.
I would double check all your conf files again.
On Tue, Nov 24, 2009 at 3:05 PM, Jeroen Nijhof <jeroen at nijhofnet.nl> wrote:
> Hi Lou,
>
> That's not right indeed. You should get something like:
> jeroen at tux:~$ getent passwd jeroen
> jeroen:x:1000:1000:Jeroen Nijhof,,,:/home/jeroen:/bin/bash
>
> You should first try with ldapsearch and the binddn you use if you can
> find any users...
> If the users exist directly below the ou=User
> Accounts,dc=hq,dc=corp,dc=mycompany,dc=org tree use ?one and not ?sub.
> Are you sure that the group objects exist in the same tree as the
> users?? Normally you have something like ou=Group,dc=hq,...etc.
>
> Hmm and it seems like you are missing the uid and gid mappings:
>
> nss_map_attribute uidNumber .....
> nss_map_attribute gidNumber .....
>
> Regards,
> Jeroen Nijhof
>
> On Tue, 2009-11-24 at 11:38 -0600, Hailu Meng wrote:
> > Hi Jeroen,
> >
> > I issued the command "getent passwd myusername". It just came back
> > with
> > request done: ld 0x8e124f8 msgid 1
> > request done: ld 0x8e124f8 msgid 2
> >
> > I think this is not right. I did see this kind of message in tacacs
> > log when I tried to log in my router. So I guess something is still
> > wrong with my /etc/ldap.conf
> > here is my current configuration for ldap.conf, the other
> > file /etc/openldap/ldap.conf will point to this file too. I think I
> > have all needed configuration here. Even I put the debug and log
> > configuration here, I still can't get my log show up in the specified
> > directory. Weird. Please help me check this setting. Is there anything
> > wrong with nss mapping? I think that part could be something wrong.
> > Thanks a lot.
> >
> > ***********************************************************
> > host myadserverIP
> > base ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org
> > ldap_version 3
> > scope sub
> > binddn CN=testuser,OU=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org
> > bindpw passwdfortest
> > rootbinddn dc=hq,dc=corp,dc=mycompany,dc=org
> > # The port.
> > # Optional: default is 389. SSL LDAP Port 636
> > port 389
> > # RFC2307bis naming contexts
> > nss_base_passwd ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
> > nss_base_shadow ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
> > nss_base_group ou=User Accounts,dc=hq,dc=corp,dc=mycompany,dc=org?sub
> > # RFC 2307 (AD) mappings
> > nss_map_objectclass posixAccount User
> > nss_map_objectclass shadowAccount User
> > nss_map_attribute uid sAMAccountName
> > nss_map_attribute homeDirectory unixHomeDirectory
> > nss_map_attribute gecos cn
> > nss_map_attribute shadowLastChange pwdLastSet
> > nss_map_objectclass posixGroup group
> > nss_map_attribute uniqueMember member
> >
> >
> > # Disable SASL security layers. This is needed for AD.
> > sasl_secprops maxssf=0
> >
> > # PAM_LDAP options
> > pam_login_attribute sAMAccountName
> > pam_filter objectclass=User
> > pam_password ad
> > logdir /var/log/ldap
> > debug 1024
> > ssl no
> > timelimit 30
> > bind_timelimit 30
> >
> >
> > On Tue, Nov 24, 2009 at 9:19 AM, Jeroen Nijhof <jeroen at nijhofnet.nl>
> > wrote:
> >
> > Hi Lou,
> >
> > Check with 'getent passwd <username>' if you get the right
> > user with
> > the right information from your AD via ldap.
> > If not then you should probably check your /etc/ldap.conf for
> > the right
> > search scope and atrribute mappings.
> > Nss_ldap and pam_ldap uses the /etc/ldap.conf file so if it
> > works with a
> > nss lookup via getent it should work for pam_ldap as well.
> > You can define a debug level as well in the /etc/ldap.conf
> > file for
> > logging.
> > It's logging to /var/log/auth.log for me..
> >
> >
> > Regards,
> > Jeroen
> >
> > Op 24/11/2009 schreef "Hailu Meng" <hailumeng at gmail.com>:
> >
> >
> > >Hi Jeroen,
> > >
> > >I see the packets sent back from AD for the search request
> > have 4 attributes
> > >included:
> > >objectclass
> > >cn
> > >description
> > >sAMAccountName
> > >
> > >And these attributes values are correct. sAMAccountName is my
> > login user id.
> > >cn is my Full Name, objectclass is 4 items (top, person,
> > >organizationalperson , user)
> > >
> > >I'm not sure is it enough for PAM to go to the next step? But
> > it did give us
> > >error message "Unknown User". I observed that when I input
> > the password in
> > >my router and hit ENTER, my wireshark captured two search
> > requests from
> > >TACACS and two responses from AD. Same contents as the
> > previous one when I
> > >input my user name in the router. I'm not sure is that
> > possible that TACACS
> > >didn't find the information it wants from AD although AD
> > respond something
> > >(4 attributes values)
> > >
> > >By the way, I can't find any log information about PAM. I
> > think it should be
> > >in /var/log/secure. But nothing in this file. Do you know how
> > to find these
> > >log or turn it on?
> > >
> > >Thanks for the help.
> > >
> > >Lou
> > >
> > >On Tue, Nov 24, 2009 at 4:11 AM, Jeroen Nijhof
> > <jeroen at nijhofnet.nl> wrote:
> > >
> > >>
> > >> Hi Lou,
> > >>
> > >> Yes, most server application's check if a user exist by
> > looking up the
> > >> uid via nss before doing any authentication (i.e. sshd).
> > >>
> > >> Regards,
> > >> Jeroen
> > >>
> > >> Op 23/11/2009 schreef "Hailu Meng" <hailumeng at gmail.com>:
> > >>
> > >> >Hi Jeroen,
> > >> >
> > >> >Thanks for helping. I modified the nssswitch.conf as
> > below:
> > >> >passwd: files ldap
> > >> >shadow: files ldap
> > >> >group: files ldap
> > >> >
> > >> >And leave the other settings as default.
> > >> >
> > >> >the user attributes you are talking about are the
> > attributes retrieving
> > >> from
> > >> >AD? I do see the packets from AD server told my tacacs+
> > server the user
> > >> >attributes including homedir.
> > >> >
> > >> >Thanks.
> > >> >
> > >> >Lou
> > >> >
> > >> >
> > >> >On Mon, Nov 23, 2009 at 4:45 PM, Jeroen Nijhof
> > <jeroen at nijhofnet.nl>
> > >> wrote:
> > >> >
> > >> >> Hi,
> > >> >>
> > >> >> Did you setup the nsswitch.conf as well on your tac_plus
> > server?
> > >> >> Your tac_plus server needs to lookup the user attributes
> > like homedir
> > >> >> etc, otherwise pam will fail.
> > >> >>
> > >> >> Regards,
> > >> >> Jeroen Nijhof
> > >> >>
> > >> >> On Mon, 2009-11-23 at 15:28 -0600, Hailu Meng wrote:
> > >> >> > Ok. With -d 32, I got some more info about pam as red
> > color log.
> > >> >> >
> > >> >> > There is "Unknown user" log info following the input
> > of my user
> > >> password.
> > >> >> > Feel confused since ldap is able to get user info from
> > Active
> > >> directory,
> > >> >> why
> > >> >> > it turns out "Unknown user" here.
> > >> >> >
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: Read AUTHEN/CONT
> > size=23
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0),
> > type 1, seq no 3,
> > >> >> flags
> > >> >> > 0x1
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252
> > (0xbe977644),
> > >> Data
> > >> >> > length 11 (0xb)
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN/CONT
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: user_msg_len 6 (0x6),
> > user_data_len 0
> > >> >> (0x0)
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: flags=0x0
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: User msg:
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: myusername
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: User data:
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: choose_authen chose
> > default_fn
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: Calling
> > authentication function
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: pam_verify myusername
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: pam_tacacs received 1
> > pam_messages
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: Error 10.1.69.89
> > tty0:
> > >> >> PAM_PROMPT_ECHO_OFF
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: Writing
> > AUTHEN/GETPASS size=28
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: PACKET: key=mykey
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: version 192 (0xc0),
> > type 1, seq no 4,
> > >> >> flags
> > >> >> > 0x1
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: session_id 3197597252
> > (0xbe977644),
> > >> Data
> > >> >> > length 16 (0x10)
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: End header
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: type=AUTHEN status=5
> > (AUTHEN/GETPASS)
> > >> >> > flags=0x1
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: msg_len=10,
> > data_len=0
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: msg:
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: Password:
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: data:
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: End packet
> > >> >> > Mon Nov 23 15:21:16 2009 [3806]: Waiting for packet
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: Read AUTHEN/CONT
> > size=30
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: PACKET: key=mykey
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: version 192 (0xc0),
> > type 1, seq no 5,
> > >> >> flags
> > >> >> > 0x1
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: session_id 3197597252
> > (0xbe977644),
> > >> Data
> > >> >> > length 18 (0x12)
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: End header
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: type=AUTHEN/CONT
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: user_msg_len 13
> > (0xd), user_data_len
> > >> 0
> > >> >> > (0x0)
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: flags=0x0
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: User msg:
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: mypassword
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: User data:
> > >> >> > Mon Nov 23 15:21:21 2009 [3806]: End packet
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: Unknown user
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: login query for
> > 'myusername' tty0
> > >> from
> > >> >> > 10.1.69.89 rejected
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: login failure:
> > myusername10.1.69.89
> > >> >> > (10.1.69.89) tty0
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: Writing AUTHEN/FAIL
> > size=18
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: PACKET: key=mykey
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: version 192 (0xc0),
> > type 1, seq no 6,
> > >> >> flags
> > >> >> > 0x1
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: session_id 3197597252
> > (0xbe977644),
> > >> Data
> > >> >> > length 6 (0x6)
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: End header
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: type=AUTHEN status=2
> > (AUTHEN/FAIL)
> > >> >> > flags=0x0
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: msg_len=0, data_len=0
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: msg:
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: data:
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: End packet
> > >> >> > Mon Nov 23 15:21:22 2009 [3806]: 10.1.69.89:
> > disconnect
> > >> >> >
> > >> >> >
> > >> >> > On Mon, Nov 23, 2009 at 3:16 PM, john heasley
> > <heas at shrubbery.net>
> > >> >> wrote:
> > >> >> >
> > >> >> > > Mon, Nov 23, 2009 at 03:12:53PM -0600, Hailu Meng:
> > >> >> > > > I just saw some posts saying pam_krb winbind could
> > be needed to
> > >> get
> > >> >> pam
> > >> >> > > work
> > >> >> > > > against active directory. Is this true? The post I
> > was following
> > >> >> actually
> > >> >> > > is
> > >> >> > > > for a LDAP server not Active Directory.
> > >> >> > >
> > >> >> > > i dont know; each pam implementation seems to be [at
> > least] slightly
> > >> >> > > different. seems silly to need kerberos for ldap.
> > >> >> > >
> > >> >> > > > On Mon, Nov 23, 2009 at 2:49 PM, Hailu Meng
> > <hailumeng at gmail.com>
> > >> >> wrote:
> > >> >> > > >
> > >> >> > > > > I think I need put my pam configuration here:
> > >> >> > > > >
> > >> >> > > > > I followed this post
> > >> >> > > > >
> > >> >>
> >
> http://www.shrubbery.net/pipermail/tac_plus/2009-January/000332.htmlto
> > >> >> > > > > configure my pam module:
> > >> >> > > > >
> > >> >> > > > > /etc/pam.d/tacacs
> > >> >> > > > >
> > >> >> > > > > auth include system-auth
> > >> >> > > > > account required pam_nologin.so
> > >> >> > > > > account include system-auth
> > >> >> > > > > password include system-auth
> > >> >> > > > > session optional pam_keyinit.so force
> > revoke
> > >> >> > > > > session include system-auth
> > >> >> > > > > session required pam_loginuid.so
> > >> >> > > > >
> > >> >> > > > > /etc/pam.d/system-auth
> > >> >> > > > > #%PAM-1.0
> > >> >> > > > > # This file is auto-generated.
> > >> >> > > > > # User changes will be destroyed the next time
> > authconfig is
> > >> run.
> > >> >> > > > > auth required pam_env.so
> > >> >> > > > > auth sufficient pam_unix.so nullok
> > try_first_pass
> > >> >> > > > > auth requisite pam_succeed_if.so uid
> > >= 500 quiet
> > >> >> > > > > auth sufficient pam_ldap.so
> > use_first_pass
> > >> >> > > > > auth required pam_deny.so
> > >> >> > > > >
> > >> >> > > > > account required pam_unix.so
> > broken_shadow
> > >> >> > > > > account sufficient pam_succeed_if.so uid
> > < 500 quiet
> > >> >> > > > >
> > >> >> > > > > account [default=bad success=ok
> > user_unknown=ignore]
> > >> >> pam_ldap.so
> > >> >> > > > > account required pam_permit.so
> > >> >> > > > >
> > >> >> > > > > password requisite pam_cracklib.so
> > try_first_pass retry=3
> > >> >> > > > > password sufficient pam_unix.so md5 shadow
> > nullok
> > >> >> try_first_pass
> > >> >> > > > > use_authtok
> > >> >> > > > > password sufficient pam_ldap.so
> > use_authtok
> > >> >> > > > > password required pam_deny.so
> > >> >> > > > >
> > >> >> > > > > session optional pam_keyinit.so revoke
> > >> >> > > > > session required pam_limits.so
> > >> >> > > > > session [success=1 default=ignore]
> > pam_succeed_if.so service
> > >> in
> > >> >> > > crond
> > >> >> > > > > quiet use_uid
> > >> >> > > > > session required pam_unix.so
> > >> >> > > > > session optional pam_ldap.so
> > >> >> > > > >
> > >> >> > > > >
> > >> >> > > > > On Mon, Nov 23, 2009 at 2:33 PM, Hailu Meng <
> > >> hailumeng at gmail.com>
> > >> >> > > wrote:
> > >> >> > > > >
> > >> >> > > > >> Hi John,
> > >> >> > > > >>
> > >> >> > > > >> You mean issue commands like tac_plus
> > -C /etct/tac_plus.conf -L
> > >> -p
> > >> >> 49
> > >> >> > > -d
> > >> >> > > > >> 16 -d 256 -g ? -d 16 -d 256 side by side? It
> > didn't make any
> > >> >> change. I
> > >> >> > > got
> > >> >> > > > >> same log info. By the way, I also saw the log
> > info in
> > >> >> > > /var/log/message:
> > >> >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Reading
> > config
> > >> >> > > > >> Nov 23 14:24:25 NMS tac_plus[3676]: Version
> > F4.0.4.19
> > >> Initialized
> > >> >> 1
> > >> >> > > > >> Nov 23 14:24:29 NMS tac_plus[3676]: connect
> > from 10.1.69.89
> > >> >> > > [10.1.69.89]
> > >> >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login query
> > for 'myuser'
> > >> tty0
> > >> >> from
> > >> >> > > > >> 10.1.69.89 rejected
> > >> >> > > > >> Nov 23 14:24:37 NMS tac_plus[3676]: login
> > failure: myuser
> > >> >> 10.1.69.89
> > >> >> > > > >> (10.1.69.89) tty0
> > >> >> > > > >>
> > >> >> > > > >> Do we have option to see the log about PAM? I
> > haven't found
> > >> where
> > >> >> it
> > >> >> > > is.
> > >> >> > > > >> if we can check the log of PAM, then we could
> > find something
> > >> >> useful.
> > >> >> > > Right
> > >> >> > > > >> now the log of tac_plus didn't tell too much
> > about why login
> > >> got
> > >> >> > > failure.
> > >> >> > >
> > >> >> > > add -d 32. -d x -d y ... will be logically OR'd
> > together.
> > >> >> > >
> > >> >> > > > >> Lou
> > >> >> > > > >>
> > >> >> > > > >> On Mon, Nov 23, 2009 at 2:20 PM, john heasley <
> > >> heas at shrubbery.net
> > >> >> >
> > >> >> > > wrote:
> > >> >> > > > >>
> > >> >> > > > >>> Mon, Nov 23, 2009 at 12:43:00PM -0600, Hailu
> > Meng:
> > >> >> > > > >>> > Thanks John for helping me check this issue.
> > >> >> > > > >>> >
> > >> >> > > > >>> > I just run tac_plus
> > -C /path/to/tac_plus.conf -L -p 49 -d256
> > >> -g
> > >> >> to
> > >> >> > > see
> > >> >> > > > >>> the
> > >> >> > > > >>>
> > >> >> > > > >>> try -d 16 -d 256. which i think will log the
> > pwd that pam
> > >> >> received
> > >> >> > > from
> > >> >> > > > >>> the device. make its correct. the logs below
> > do appear to be
> > >> a
> > >> >> > > > >>> reject/fail
> > >> >> > > > >>> returned from pam.
> > >> >> > > > >>>
> > >> >> > > > >>> > log in stdout and in log file. I can't see
> > any suspicious
> > >> log
> > >> >> > > > >>> information
> > >> >> > > > >>> > here. I paste the log below:
> > >> >> > > > >>> >
> > >> >> > > > >>> >
> > >> >> > > > >>> > Sat Nov 21 22:28:22 2009 [3393]: Waiting for
> > packet
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Read
> > AUTHEN/CONT size=23
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET:
> > key=mykey
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192
> > (0xc0), type 1,
> > >> >> seq no
> > >> >> > > 5,
> > >> >> > > > >>> flags
> > >> >> > > > >>> > 0x1
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id
> > 3295176910
> > >> >> > > (0xc46868ce),
> > >> >> > > > >>> Data
> > >> >> > > > >>> > length
> > >> >> > > > >>> > 11 (0xb)
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]:
> > type=AUTHEN/CONT
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]:
> > user_msg_len 6 (0x6),
> > >> >> > > user_data_len 0
> > >> >> > > > >>> (0x0)
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: flags=0x0
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User msg:
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: myusername
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: User data:
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]:
> > choose_authen chose
> > >> default_fn
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Calling
> > authentication
> > >> >> function
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Writing
> > AUTHEN/GETPASS
> > >> size=28
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: PACKET:
> > key=mykey
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: version 192
> > (0xc0), type 1,
> > >> >> seq no
> > >> >> > > 6,
> > >> >> > > > >>> flags
> > >> >> > > > >>> > 0x1
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: session_id
> > 3295176910
> > >> >> > > (0xc46868ce),
> > >> >> > > > >>> Data
> > >> >> > > > >>> > length
> > >> >> > > > >>> > 16 (0x10)
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End header
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: type=AUTHEN
> > status=5
> > >> >> > > (AUTHEN/GETPASS)
> > >> >> > > > >>> > flags=0x1
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg_len=10,
> > data_len=0
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: msg:
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Password:
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: data:
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: End packet
> > >> >> > > > >>> > Sat Nov 21 22:28:27 2009 [3393]: Waiting for
> > packet
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: Read
> > AUTHEN/CONT size=30
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: PACKET:
> > key=mykey
> > >> >> > > > >>>
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: version 192
> > (0xc0), type 1,
> > >> >> seq no
> > >> >> > > 7,
> > >> >> > > > >>> flags
> > >> >> > > > >>> > 0x1
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: session_id
> > 3295176910
> > >> >> > > (0xc46868ce),
> > >> >> > > > >>> Data
> > >> >> > > > >>> > length
> > >> >> > > > >>> > 18 (0x12)
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End header
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]:
> > type=AUTHEN/CONT
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]:
> > user_msg_len 13 (0xd),
> > >> >> > > user_data_len 0
> > >> >> > > > >>> > (0x0)
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: flags=0x0
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User msg:
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: mypassword
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: User data:
> > >> >> > > > >>> > Sat Nov 21 22:28:34 2009 [3393]: End packet
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login query
> > for
> > >> 'myusername'
> > >> >> tty0
> > >> >> > > from
> > >> >> > > > >>> > 10.1.69.89 r
> > >> >> > > > >>> > ejected
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: login
> > failure: myusername
> > >> >> > > 10.1.69.89
> > >> >> > > > >>> > (10.1.69.89) t
> > >> >> > > > >>> > ty0
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: Writing
> > AUTHEN/FAIL size=18
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: PACKET:
> > key=mykey
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: version 192
> > (0xc0), type 1,
> > >> >> seq no
> > >> >> > > 8,
> > >> >> > > > >>> flags
> > >> >> > > > >>> > 0x1
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: session_id
> > 3295176910
> > >> >> > > (0xc46868ce),
> > >> >> > > > >>> Data
> > >> >> > > > >>> > length
> > >> >> > > > >>> > 6 (0x6)
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End header
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: type=AUTHEN
> > status=2
> > >> >> (AUTHEN/FAIL)
> > >> >> > > > >>> > flags=0x0
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg_len=0,
> > data_len=0
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: msg:
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: data:
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: End packet
> > >> >> > > > >>> > Sat Nov 21 22:28:36 2009 [3393]: 10.1.69.89:
> > disconnect
> > >> >> > > > >>> >
> > >> >> > > > >>> >
> > >> >> > > > >>> >
> > >> >> > > > >>> > On Mon, Nov 23, 2009 at 12:23 PM, john
> > heasley <
> > >> >> heas at shrubbery.net
> > >> >> > > >
> > >> >> > > > >>> wrote:
> > >> >> > > > >>> >
> > >> >> > > > >>> > > Mon, Nov 23, 2009 at 12:12:58PM -0600,
> > Hailu Meng:
> > >> >> > > > >>> > > > Hi Adam,
> > >> >> > > > >>> > > >
> > >> >> > > > >>> > > > If the ldapsearch -D "" -w "" runs
> > successfully, what do
> > >> we
> > >> >> > > suppose
> > >> >> > > > >>> to
> > >> >> > > > >>> > > get
> > >> >> > > > >>> > > > from the output? I just got all of the
> > user information
> > >> in
> > >> >> that
> > >> >> > > > >>> group.
> > >> >> > > > >>> > > Does
> > >> >> > > > >>> > > > that means my password and username got
> > authenticated
> > >> >> > > successfully
> > >> >> > > > >>> > > against
> > >> >> > > > >>> > > > AD?
> > >> >> > > > >>> > > >
> > >> >> > > > >>> > > > This thing drives me crazy. I need solve
> > it through this
> > >> >> week
> > >> >> > > > >>> before the
> > >> >> > > > >>> > > > holiday...
> > >> >> > > > >>> > >
> > >> >> > > > >>> > > i havent followed this thread, as i know
> > nearly zero about
> > >> >> ldap.
> > >> >> > > > >>> but,
> > >> >> > > > >>> > > have you enabled authentication debugging
> > in the tacacas
> > >> >> daemon
> > >> >> > > and
> > >> >> > > > >>> > > checked the logs to determine what is
> > coming back from
> > >> pam?
> > >> >> it
> > >> >> > > very
> > >> >> > > > >>> > > well may be that the ldap client is
> > working just fine, but
> > >> >> there
> > >> >> > > is a
> > >> >> > > > >>> > > pam module bug or a bug in the tacplus
> > daemon or that your
> > >> >> device
> > >> >> > > > >>> > > simply doesnt like something about the
> > replies.
> > >> >> > > > >>> > >
> > >> >> > > > >>> > > > Thanks a lot for the help.
> > >> >> > > > >>> > > >
> > >> >> > > > >>> > > > Lou
> > >> >> > > > >>> > > >
> > >> >> > > > >>> > > > On Fri, Nov 20, 2009 at 7:26 AM, Hailu
> > Meng <
> > >> >> > > hailumeng at gmail.com>
> > >> >> > > > >>> wrote:
> > >> >> > > > >>> > > >
> > >> >> > > > >>> > > > > Still no clue how to turn on the log.
> > binding seems
> > >> good.
> > >> >> See
> > >> >> > > my
> > >> >> > > > >>> > > findings
> > >> >> > > > >>> > > > > below. Thanks a lot.
> > >> >> > > > >>> > > > >
> > >> >> > > > >>> > > > > On Thu, Nov 19, 2009 at 9:26 PM, adam
> > <
> > >> >> > > prozaconstilts at gmail.com>
> > >> >> > > > >>> > > wrote:
> > >> >> > > > >>> > > > >
> > >> >> > > > >>> > > > >> Hailu Meng wrote:
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>> Adam,
> > >> >> > > > >>> > > > >>>
> > >> >> > > > >>> > > > >>> I tried the su - "userid" in my
> > tacacs+ server but I
> > >> >> don't
> > >> >> > > have
> > >> >> > > > >>> that
> > >> >> > > > >>> > > > >>> userid in CentOS. So the CentOS just
> > don't want me
> > >> log
> > >> >> in.
> > >> >> > > I
> > >> >> > > > >>> think
> > >> >> > > > >>> > > this will
> > >> >> > > > >>> > > > >>> not ask tacacs server to
> > authenticate against AD.
> > >> >> > > > >>> > > > >>>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >> You shouldn't need to have to define
> > the user in
> > >> CentOS,
> > >> >> > > that's
> > >> >> > > > >>> the
> > >> >> > > > >>> > > point
> > >> >> > > > >>> > > > >> of using ldap for authentication. The
> > user is defined
> > >> in
> > >> >> > > ldap,
> > >> >> > > > >>> not in
> > >> >> > > > >>> > > > >> CentOS. Now that I think about it, su
> > - <user>
> > >> probably
> > >> >> > > wouldn't
> > >> >> > > > >>> work
> > >> >> > > > >>> > > > >> anyway, as AD doesn't by default have
> > the data needed
> > >> by
> > >> >> a
> > >> >> > > linux
> > >> >> > > > >>> box
> > >> >> > > > >>> > > to
> > >> >> > > > >>> > > > >> allow login...but see below for more
> > options.
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>> Is there any other way to test ldap
> > authentication
> > >> >> against
> > >> >> > > AD
> > >> >> > > > >>> with
> > >> >> > > > >>> > > the
> > >> >> > > > >>> > > > >>> userid in AD? I tried ldapsearch. It
> > did find my
> > >> user
> > >> >> id
> > >> >> > > > >>> without
> > >> >> > > > >>> > > problem.
> > >> >> > > > >>> > > > >>> But I haven't found any option to
> > try with password
> > >> and
> > >> >> > > > >>> authenticate
> > >> >> > > > >>> > > against
> > >> >> > > > >>> > > > >>> AD.
> > >> >> > > > >>> > > > >>>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >> Try using -D:
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >> from `man ldapsearch`:
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >> -D binddn
> > >> >> > > > >>> > > > >> Use the Distinguished Name binddn to
> > bind to the
> > >> LDAP
> > >> >> > > > >>> directory.
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >> so -D cn=username,ou=my_ou,dc=my_dc
> > should let you
> > >> try
> > >> >> to
> > >> >> > > > >>> authenticate
> > >> >> > > > >>> > > > >> using whatever user you want to
> > define. Just check
> > >> and
> > >> >> > > double
> > >> >> > > > >>> check
> > >> >> > > > >>> > > you get
> > >> >> > > > >>> > > > >> the right path in that dn.
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >> I tried -D "
> > cn=username,ou=my_ou,dc=my_dc " but it
> > >> just
> > >> >> > > > >>> returned lots
> > >> >> > > > >>> > > of
> > >> >> > > > >>> > > > > users' information. It means
> > successful?
> > >> >> > > > >>> > > > >
> > >> >> > > > >>> > > > >
> > >> >> > > > >>> > > > >> Do you have ldap server setup or
> > only the openldap
> > >> >> library
> > >> >> > > and
> > >> >> > > > >>> > > openldap
> > >> >> > > > >>> > > > >>> client? I don't understand why the
> > log is not turned
> > >> >> on.
> > >> >> > > There
> > >> >> > > > >>> must
> > >> >> > > > >>> > > be some
> > >> >> > > > >>> > > > >>> debugging info in the log which can
> > help solve this
> > >> >> issue.
> > >> >> > > > >>> > > > >>>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >> only the libs and client. You should
> > not need the
> > >> >> server. In
> > >> >> > > the
> > >> >> > > > >>> > > > >> ldapsearch, you can use -d <integer>
> > to get debugging
> > >> >> info
> > >> >> > > for
> > >> >> > > > >>> that
> > >> >> > > > >>> > > search.
> > >> >> > > > >>> > > > >> As before, higher number = more debug
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >> If the user can authenticate, does
> > ethereal capture
> > >> >> some
> > >> >> > > > >>> packets
> > >> >> > > > >>> > > about
> > >> >> > > > >>> > > > >>> password verification? Right now I
> > only see the
> > >> packets
> > >> >> > > when
> > >> >> > > > >>> ldap
> > >> >> > > > >>> > > search for
> > >> >> > > > >>> > > > >>> my user id and gets results back
> > from AD.
> > >> >> > > > >>> > > > >>>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >> Ethereal should catch all data
> > flowing between the
> > >> >> client
> > >> >> > > and
> > >> >> > > > >>> server.
> > >> >> > > > >>> > > If
> > >> >> > > > >>> > > > >> you can search out the user in your
> > AD right now,
> > >> then
> > >> >> one
> > >> >> > > of
> > >> >> > > > >>> two
> > >> >> > > > >>> > > things is
> > >> >> > > > >>> > > > >> happening:
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >> 1. You are performing anonymous
> > searches. In this
> > >> case,
> > >> >> no
> > >> >> > > > >>> username
> > >> >> > > > >>> > > and pw
> > >> >> > > > >>> > > > >> is provided, and your AD is happy to
> > hand over info
> > >> to
> > >> >> > > anyone
> > >> >> > > > >>> who asks
> > >> >> > > > >>> > > for
> > >> >> > > > >>> > > > >> it. If this is the case, you will
> > _not_ see
> > >> >> authentication
> > >> >> > > > >>> > > information. The
> > >> >> > > > >>> > > > >> following MS KB article should
> > probably help you
> > >> >> determine
> > >> >> > > on
> > >> >> > > > >>> your AD
> > >> >> > > > >>> > > if
> > >> >> > > > >>> > > > >> anonymous queries are allowed:
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>
> > http://support.microsoft.com/kb/320528
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >> It has exact instructions for how to
> > get it going,
> > >> but
> > >> >> you
> > >> >> > > can
> > >> >> > > > >>> follow
> > >> >> > > > >>> > > > >> along with it to check your current
> > settings without
> > >> >> making
> > >> >> > > any
> > >> >> > > > >>> > > changes.
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >
> > >> >> > > > >>> > > > > I checked our setting. Permission type
> > for normal user
> > >> is
> > >> >> > > "Read &
> > >> >> > > > >>> > > Execute".
> > >> >> > > > >>> > > > > I click edit to check the detail about
> > permission. I
> > >> >> think it
> > >> >> > > > >>> only
> > >> >> > > > >>> > > allow the
> > >> >> > > > >>> > > > > user to read the attributes,
> > permission something and
> > >> >> can't
> > >> >> > > > >>> modify the
> > >> >> > > > >>> > > > > AD.There is "Everyone" setting is also
> > set as "Read &
> > >> >> > > Execute".
> > >> >> > > > >>> By the
> > >> >> > > > >>> > > way,
> > >> >> > > > >>> > > > > the AD is Win2003 R2.
> > >> >> > > > >>> > > > >
> > >> >> > > > >>> > > > >
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >> 2. Authentication is happening. It
> > will be the _very_
> > >> >> first
> > >> >> > > > >>> thing the
> > >> >> > > > >>> > > > >> client and server perform, after
> > basic connection
> > >> >> > > establishment.
> > >> >> > > > >>> Look
> > >> >> > > > >>> > > for it
> > >> >> > > > >>> > > > >> at the very beginning of a dump.
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >> Also, it's a bit overkill, but the
> > following article
> > >> is
> > >> >> > > > >>> extremely
> > >> >> > > > >>> > > > >> informative about all the different
> > ways you can plug
> > >> >> linux
> > >> >> > > into
> > >> >> > > > >>> AD
> > >> >> > > > >>> > > for
> > >> >> > > > >>> > > > >> authentication. It might offer some
> > hints...
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>> Maybe I need dig into ldap.conf
> > more. If you have
> > >> any
> > >> >> idea,
> > >> >> > > let
> > >> >> > > > >>> me
> > >> >> > > > >>> > > know.
> > >> >> > > > >>> > > > >>>
> > >> >> > > > >>> > > > >>> Thank you very much.
> > >> >> > > > >>> > > > >>>
> > >> >> > > > >>> > > > >>> Lou
> > >> >> > > > >>> > > > >>>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >>
> > >> >> > > > >>> > > > >
> > >> >> > > > >>> > > > -------------- next part --------------
> > >> >> > > > >>> > > > An HTML attachment was scrubbed...
> > >> >> > > > >>> > > > URL:
> > >> >> > > > >>> > >
> > >> >> > > > >>>
> > >> >> > >
> > >> >>
> > >>
> >
> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/bba3d7fb/attachment.html
> > >> >> > > > >>> > > >
> > _______________________________________________
> > >> >> > > > >>> > > > tac_plus mailing list
> > >> >> > > > >>> > > > tac_plus at shrubbery.net
> > >> >> > > > >>> > > >
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> > >> >> > > > >>> > >
> > >> >> > > > >>>
> > >> >> > > > >>
> > >> >> > > > >>
> > >> >> > > > >
> > >> >> > >
> > >> >> > -------------- next part --------------
> > >> >> > An HTML attachment was scrubbed...
> > >> >> > URL:
> > >> >>
> > >>
> >
> http://www.shrubbery.net/pipermail/tac_plus/attachments/20091123/4e65d4d2/attachment.html
> > >> >> > _______________________________________________
> > >> >> > tac_plus mailing list
> > >> >> > tac_plus at shrubbery.net
> > >> >> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> > >> >>
> > >> >>
> > >> >>
> > >>
> >
> >
>
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/tac_plus/attachments/20091124/efddaa4b/attachment.html
More information about the tac_plus
mailing list