From rui-f-meireles at telecom.pt Tue Aug 10 15:20:59 2010
From: rui-f-meireles at telecom.pt (Rui Vitor Figueiras Meireles)
Date: Tue, 10 Aug 2010 16:20:59 +0100
Subject: [tac_plus] tac_plus problem
Message-ID: <39228668B1473247A5AC45D871ADDF74A0CCE4@PTPTVDEX01.PTPortugal.corpPT.com>

Hi there.

I've been using your release of tac_plus (F4.0.4.19) because it has ACLs (the others I found didn't have). I'm using authentication, authorization and accounting. The authorization part generates lots of log entries, because we have a server that constantly connects automatically to several routers at a time and enters several commands on them. And each command must be authorized by the tacacs+ server...

I've been having lots of errors; there are times when the communication between the router and the tacacs+ server fails.

Here are the router logs:

RP/0/RSP0/CPU0:Aug 10 04:42:09.489 : tacacsd[386]: %SECURITY-TACACSD-6-SERVER_DOWN : TACACS+ server 10.175.255.114/49 is DOWN - Resource temporarily unavailable

Here are the tac_plus logs:

Tue Aug 10 04:42:09 2010 [664]: session.peerip is 10.181.0.1
Tue Aug 10 04:42:09 2010 [12126]: connect from 10.181.0.1 [10.181.0.1]
Tue Aug 10 04:42:09 2010 [12126]: 10.181.0.1 : fd 2 eof (connection closed)
Tue Aug 10 04:42:09 2010 [12126]: Read -1 bytes from 10.181.0.1 , expecting 12

This happens once every other hour, in every router. So I have dozens of errors like these each day.

Could it be that tac_plus can only handle a certain number of connections? What could this be?

I'd be most thankful if you could help me here.

Best Regards,
Rui Meireles


From kissg at ssg.ki.iif.hu Tue Aug 10 16:16:49 2010
From: kissg at ssg.ki.iif.hu (Kiss Gabor (Bitman))
Date: Tue, 10 Aug 2010 18:16:49 +0200 (CEST)
Subject: [tac_plus] tac_plus problem
In-Reply-To: <39228668B1473247A5AC45D871ADDF74A0CCE4@PTPTVDEX01.PTPortugal.corpPT.com>
References: <39228668B1473247A5AC45D871ADDF74A0CCE4@PTPTVDEX01.PTPortugal.corpPT.com>

> I've been having lots of errors, there are times when the communication
> between the router and the tacacs+ server fails.

If I were you I'd operate two different tac_plus servers with the same config. (Actually I do. :-) Cisco IOS can be configured to use an arbitrary number of backup servers.

Our experience is that each morning, when several autocommands run on hundreds of NASes, the main TACACS+ server is unable to serve all the requests and some load is handed over to the backup server.

I guess the limit is in the operating system. A process cannot have an unlimited number of open sockets.

Gabor


From heas at shrubbery.net Wed Aug 11 01:53:40 2010
From: heas at shrubbery.net (john heasley)
Date: Tue, 10 Aug 2010 18:53:40 -0700
Subject: [tac_plus] tac_plus problem
In-Reply-To: <39228668B1473247A5AC45D871ADDF74A0CCE4@PTPTVDEX01.PTPortugal.corpPT.com>
References: <39228668B1473247A5AC45D871ADDF74A0CCE4@PTPTVDEX01.PTPortugal.corpPT.com>
Message-ID: <20100811015340.GN21429@shrubbery.net>

Tue, Aug 10, 2010 at 04:20:59PM +0100, Rui Vitor Figueiras Meireles:
> Here are the tac_plus logs:
> Tue Aug 10 04:42:09 2010 [664]: session.peerip is 10.181.0.1
> Tue Aug 10 04:42:09 2010 [12126]: connect from 10.181.0.1 [10.181.0.1]
> Tue Aug 10 04:42:09 2010 [12126]: 10.181.0.1 : fd 2 eof (connection closed)
> Tue Aug 10 04:42:09 2010 [12126]: Read -1 bytes from 10.181.0.1 , expecting 12
>
> This happens once every other hour, in every router. So I have dozens of errors like these each day.
>
> Could it be that tac_plus can only handle a certain number of connections? What could this be?

this happens in a few scenarios. most often it is due to the cisco starting a connection, then dropping it. it also occurs if someone connects, then abruptly disconnects (similar to the first). and two others.

you can ignore it. maybe the daemon should only log an abrupt disconnect if debugging is enabled.


From heas at shrubbery.net Wed Aug 11 01:56:23 2010
From: heas at shrubbery.net (john heasley)
Date: Tue, 10 Aug 2010 18:56:23 -0700
Subject: [tac_plus] tac_plus problem
In-Reply-To: <20100811015340.GN21429@shrubbery.net>
References: <39228668B1473247A5AC45D871ADDF74A0CCE4@PTPTVDEX01.PTPortugal.corpPT.com> <20100811015340.GN21429@shrubbery.net>
Message-ID: <20100811015623.GO21429@shrubbery.net>

Tue, Aug 10, 2010 at 06:53:40PM -0700, john heasley:
> Tue, Aug 10, 2010 at 04:20:59PM +0100, Rui Vitor Figueiras Meireles:
> > Here are the router logs:
> > RP/0/RSP0/CPU0:Aug 10 04:42:09.489 : tacacsd[386]: %SECURITY-TACACSD-6-SERVER_DOWN : TACACS+ server 10.175.255.114/49 is DOWN - Resource temporarily unavailable

sorry, one other thing. do not use single-connection tacacs. it does not work.

> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus


From heas at shrubbery.net Wed Aug 11 16:00:42 2010
From: heas at shrubbery.net (john heasley)
Date: Wed, 11 Aug 2010 09:00:42 -0700
Subject: [tac_plus] tac_plus problem
In-Reply-To: <39228668B1473247A5AC45D871ADDF74A57985@PTPTVDEX01.PTPortugal.corpPT.com>
References: <39228668B1473247A5AC45D871ADDF74A0CCE4@PTPTVDEX01.PTPortugal.corpPT.com> <20100811015340.GN21429@shrubbery.net> <39228668B1473247A5AC45D871ADDF74A57985@PTPTVDEX01.PTPortugal.corpPT.com>
Message-ID: <20100811160041.GH29955@shrubbery.net>

Wed, Aug 11, 2010 at 11:27:01AM +0100, Rui Vitor Figueiras Meireles:
> Thanks a lot for the quick reply.
> I happen to have sometimes 1800 simultaneous tac_plus connections, I was wondering if it could be too much for it to handle.

that is possible in a sense; if the listen(2) queue fills, the host will RST or drop additional SYNs. it's normally possible to adjust the system-wide listen queue, which often defaults to 1024. also, as it is currently, tac_plus is a forking server, meaning that it forks for each connection. since hosts usually limit the number of total processes per-system and per-user, you could hit that limit as well. you probably need a second server to take some of the load.

none of that would cause the tacacs daemon log you've quoted below.

> I now noticed in the tac_plus accounting log that there is a 5 second pause between commands whenever these errors occur. Let's hope that's all the harm that it does.
>
> Thanks again.
> Rui Meireles
>
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Wednesday, 11 August 2010 2:54
> To: Rui Vitor Figueiras Meireles
> Cc: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] tac_plus problem
>
> Tue, Aug 10, 2010 at 04:20:59PM +0100, Rui Vitor Figueiras Meireles:
> > Here are the tac_plus logs:
> > Tue Aug 10 04:42:09 2010 [664]: session.peerip is 10.181.0.1
> > Tue Aug 10 04:42:09 2010 [12126]: connect from 10.181.0.1 [10.181.0.1]
> > Tue Aug 10 04:42:09 2010 [12126]: 10.181.0.1 : fd 2 eof (connection closed)
> > Tue Aug 10 04:42:09 2010 [12126]: Read -1 bytes from 10.181.0.1 , expecting 12
> >
> > Could it be that tac_plus can only handle a certain number of connections? What could this be?
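As an added example (not from the thread or from tac_plus itself): the tac_plus log lines quoted above can be summarised with awk so that the benign one-off "Read -1 bytes ... expecting 12" (the client closed before sending the 12-byte TACACS+ header) is told apart from a NAS that drops most of the connections it opens, and so the hourly rate can be compared with the scripted command bursts described. The sample log is constructed for this example; only 10.181.0.1 and the line formats come from the thread.

```shell
#!/bin/sh
# Summarise "abrupt disconnect" noise in a tac_plus log (added example, not the
# daemon's own tooling). Line formats are those quoted in this thread:
#   Tue Aug 10 04:42:09 2010 [12126]: connect from 10.181.0.1 [10.181.0.1]
#   Tue Aug 10 04:42:09 2010 [12126]: Read -1 bytes from 10.181.0.1 , expecting 12
# "expecting 12" is the 12-byte TACACS+ packet header: the client connected
# and closed before sending anything.

# Write a constructed sample log (made up for this example) to the file in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Tue Aug 10 04:42:09 2010 [664]: session.peerip is 10.181.0.1
Tue Aug 10 04:42:09 2010 [12126]: connect from 10.181.0.1 [10.181.0.1]
Tue Aug 10 04:42:09 2010 [12126]: 10.181.0.1 : fd 2 eof (connection closed)
Tue Aug 10 04:42:09 2010 [12126]: Read -1 bytes from 10.181.0.1 , expecting 12
Tue Aug 10 04:42:15 2010 [12130]: connect from 10.181.0.1 [10.181.0.1]
Tue Aug 10 04:43:02 2010 [12131]: connect from 10.181.0.1 [10.181.0.1]
Tue Aug 10 05:01:40 2010 [12140]: connect from 10.181.0.1 [10.181.0.1]
Tue Aug 10 05:01:41 2010 [12141]: connect from 10.181.0.2 [10.181.0.2]
Tue Aug 10 05:01:41 2010 [12141]: 10.181.0.2 : fd 2 eof (connection closed)
Tue Aug 10 05:01:41 2010 [12141]: Read -1 bytes from 10.181.0.2 , expecting 12
Tue Aug 10 05:02:10 2010 [12142]: connect from 10.181.0.2 [10.181.0.2]
Tue Aug 10 05:02:10 2010 [12142]: 10.181.0.2 : fd 2 eof (connection closed)
Tue Aug 10 05:02:10 2010 [12142]: Read -1 bytes from 10.181.0.2 , expecting 12
EOF
}

# Per peer: "<peer> <accepted connections> <abrupt disconnects>", sorted by peer.
tacplus_peer_stats() {
    awk '
        /: connect from / {
            rest = $0; sub(/.* connect from /, "", rest)
            split(rest, f, " "); connects[f[1]]++; seen[f[1]] = 1
        }
        /: Read -1 bytes from / {
            rest = $0; sub(/.* bytes from /, "", rest)
            split(rest, f, " "); abrupt[f[1]]++; seen[f[1]] = 1
        }
        END {
            for (p in seen)
                printf "%s %d %d\n", p, connects[p] + 0, abrupt[p] + 0
        }' "$1" | sort
}

# Peers whose abrupt disconnects exceed $2 percent of their accepted connections.
# An isolated "Read -1 bytes" is the benign case heasley describes; a NAS that
# drops most of what it opens is worth a look on its own side.
tacplus_noisy_peers() {
    tacplus_peer_stats "$1" | awk -v pct="$2" '$3 * 100 > pct * $2 { print $1 }'
}

# Abrupt disconnects per hour ("Aug 10 04 <count>"), to see whether the rate
# follows the scripted command bursts described in the thread.
tacplus_abrupt_per_hour() {
    awk '/: Read -1 bytes from / { n[$2 " " $3 " " substr($4, 1, 2)]++ }
         END { for (k in n) printf "%s %d\n", k, n[k] }' "$1" | sort
}

# Stand-alone use: "sh tacplus_noise.sh /var/log/tac_plus.log"; with no
# argument the constructed sample above is analysed instead.
if [ $# -ge 1 ]; then
    log=$1
else
    log=$(mktemp) && write_sample_log "$log"
fi
echo "peer connects abrupt"; tacplus_peer_stats "$log"
echo "abrupt disconnects per hour"; tacplus_abrupt_per_hour "$log"
echo "peers above 50% abrupt"; tacplus_noisy_peers "$log" 50
```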
From jeffrey.geist at pnpt.com Thu Aug 12 13:04:05 2010
From: jeffrey.geist at pnpt.com (Jeffrey S. Geist)
Date: Thu, 12 Aug 2010 08:04:05 -0500
Subject: [tac_plus] Adding users to tacacs passwd file
Message-ID: <7F6D3FC2DB95E44DAEF01815F0C15FAF1CF4FBC1D0@EXCHANGE07.pnpt.local>

Hi,

We are currently migrating Tacacs from Solaris to Linux. We haven't had any issues getting Tacacs to run on CentOS, and users are authenticating through CentOS (using the old tacacs passwd file from Solaris). The issue we are facing is trying to convert the old Solaris script, which creates the user entries in the tacacs passwd file, over to a script that runs on CentOS. The Solaris script creates a user with a unique "uid". We were wondering if anyone knows of a Linux script that will accomplish the same results. We have a fairly good understanding of Tacacs, but we are no experts.

Here is the script used on Solaris:

---------------------------- begin ------------------------------------
#!/bin/sh
#
# @(#)auth_user 2.2 12.28.05
# modified by RKJ for mail2.swnebr.net Solaris 5.8 11/28/03
# modified by MLW for dns3.pnpt.com Solaris 5.8 1/5/06
#
#
# add user script for use with sys-config
# arguments: uname "fullname" password
#
# dirname is in SystemV category - so put it herein (defined but not used below)
shdirname() {
    expr \
        ${1-.}'/' : '\(/\)[^/]*//*$' \
        \| ${1-.}'/' : '\(.*[^/]\)//*[^/][^/]*//*$' \
        \| .
}

myname=`basename $0`
Passwd_file=/etc/auth-passwd
PATH=$PATH:/usr/ucb:/usr/local/bin
export PATH

# check for root
if [ "`whoami`x" != "root"x ]; then
    echo "You must be root to do $myname!"
    exit 1
fi

# the next free uid lives in a counter file; the incremented value is written
# back only after the entry is in place, so a failed run does not consume a uid
uid=`cat /usr/local/puid`
nuid=`expr ${uid} + 1`

# check for number of args
if [ $# -ne 3 ]; then
    echo "${myname}: invalid number of arguments"
    echo " usage: ${myname} uname \"fullname\" password"
    exit 1
fi

# put args into named variables
uname=$1
gid=1000
fullname=$2
password=`/usr/local/sbin/generate_passwd $3`
#password=`/usr/bin/encrypt encpw passwd $3`
##############################################################################
# modified by RKJ for mail2.swnebr.net Solaris 5.8 11/28/03
#
homedir="/home/$1"
#
#
#
##############################################################################
shell=/bin/false

# checks for validity of arguments
# check uid
echo "uid:" $uid
if test $uid -lt 10 ; then
    echo "uid: uid must be greater than 10 and less than 60000"
    exit 1
elif test $uid -gt 60000 ; then
    echo "uid: uid must be greater than 10 and less than 60000"
    exit 1
fi
echo "gid:" $gid
# check gid
if test $gid -lt 10 ; then
    echo "gid: gid must be greater than 10 and less than 60000"
    exit 1
elif test $gid -gt 60000 ; then
    echo "gid: gid must be greater than 10 and less than 60000"
    exit 1
fi
# check shell
if test ! -x $shell ; then
    echo "$shell: the program does not exist or is not executable"
    exit 1
fi

# create a null /etc/passwd entry
# first check if one already exists
if grep -s "^${uname}:" ${Passwd_file} ; then
    echo "${myname}: ERROR: ${uname} already in ${Passwd_file}"; exit 1;
fi
# check if uid already exists
if grep -s ".*:.*:${uid}:" ${Passwd_file} ; then
    echo "uid: ERROR: ${uid} already in ${Passwd_file}"; exit 1;
fi

pwent="${uname}:${password}:${uid}:${gid}:${fullname}:${homedir}:${shell}"
# XXX should we use tmp file and rename it?
( echo '$' ; echo 'i' ; echo "${pwent}" ; echo '.' ; echo 'w' ; echo 'q' ) | ed -s ${Passwd_file} > /dev/null
if grep -s "^${uname}:" ${Passwd_file} ; then
    :
else
    echo "${myname}: ERROR: password entry didn't go to ${Passwd_file}"; exit 1;
fi

# entry is in place: advance the uid counter
echo $nuid > /usr/local/puid

#
echo "Please be patient! This may take some time"
echo ""
#
#
# SCP a copy of /etc/auth-passwd to DNS2 and Tacacs
#
if [ -f /etc/auth-passwd ]; then
    scp /etc/auth-passwd sysop@dns2:/usr/local/etc/tacacs/authentication/auth-passwd
    echo "A copy of the auth-passwd file has been sent to DNS2..WHEW!!"
    scp /etc/auth-passwd sysop@tacacs:/usr/local/etc/tacacs/authentication/auth-passwd
    echo "A copy of the auth-passwd file has been sent to Tacacs..WHEW!!"
    echo " "
fi
#
exit 0
#
#EOF
---------------------------- end ------------------------------------

Maybe this is more complicated than it needs to be. Any suggestions, recommendations or opinions are welcome!

Thanx In Advance,

Jeffrey S. Geist
Systems Administrator
PinPoint Communications
100 North 12th Street Suite 500
Lincoln, NE 68508
Work: (402) 438-6211
Cellular: (402) 580-0047


From dterry at dollartree.com Thu Aug 12 13:28:26 2010
From: dterry at dollartree.com (dterry at dollartree.com)
Date: Thu, 12 Aug 2010 09:28:26 -0400
Subject: [tac_plus] Adding users to tacacs passwd file
In-Reply-To: <7F6D3FC2DB95E44DAEF01815F0C15FAF1CF4FBC1D0@EXCHANGE07.pnpt.local>
References: <7F6D3FC2DB95E44DAEF01815F0C15FAF1CF4FBC1D0@EXCHANGE07.pnpt.local>

Why wouldn't you want to use the Linux shadow / passwd files?
From jeffrey.geist at pnpt.com Thu Aug 12 14:08:50 2010
From: jeffrey.geist at pnpt.com (Jeffrey S. Geist)
Date: Thu, 12 Aug 2010 09:08:50 -0500
Subject: [tac_plus] Adding users to tacacs passwd file
References: <7F6D3FC2DB95E44DAEF01815F0C15FAF1CF4FBC1D0@EXCHANGE07.pnpt.local>
Message-ID: <002001cb3a27$e849d740$b8dd85c0$@geist@pnpt.com>

We run two tacacs servers to provide failover and we "scp" the tacacs passwd files between the two servers to keep them "in sync". We thought about using the system passwd and shadow files, but we are concerned about copying these files back and forth between the two tacacs servers and having one or both of these files get corrupted due to the copying (network "hiccup"). That could make it so we are not able to log in to the server as one of the local users or root. Right? Maybe we are being too cautious.

-----Original Message-----
From: dterry at dollartree.com [mailto:dterry at dollartree.com]
Sent: Thursday, August 12, 2010 8:28 AM
To: Jeffrey S. Geist
Cc: Mark Urbach; tac_plus at shrubbery.net; tac_plus-bounces at shrubbery.net
Subject: Re: [tac_plus] Adding users to tacacs passwd file

Why wouldn't you want to use the Linux shadow / passwd files?
Name: image003.png Type: image/png Size: 24221 bytes Desc: image003.png URL: < http://www.shrubbery.net/pipermail/tac_plus/attachments/20100812/93365c6d/at tachment.png > _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus From dterry at dollartree.com Thu Aug 12 15:23:44 2010 From: dterry at dollartree.com (dterry at dollartree.com) Date: Thu, 12 Aug 2010 11:23:44 -0400 Subject: [tac_plus] Adding users to tacacs passwd file In-Reply-To: <002001cb3a27$e849d740$b8dd85c0$@geist@pnpt.com> References: <7F6D3FC2DB95E44DAEF01815F0C15FAF1CF4FBC1D0@EXCHANGE07.pnpt.local> <002001cb3a27$e849d740$b8dd85c0$@geist@pnpt.com> Message-ID: I am quite certain that you are being too cautious. If you used something like rsync to sync the password files between the two servers and also make a backup copy each time, you have pretty much zero chance of anything becoming corrupt. I have used this method for a long time without issue. "Jeffrey S. Geist" cc 08/12/2010 10:09 "Mark Urbach" AM , , Subject RE: [tac_plus] Adding users to tacacs passwd file We run two tacacs servers to provide failover and we "scp" the tacacs passwd files between the two servers to keep them "in sync". We thought about using the system passwd and shadow files, but we are concerned about copying these files back and forth between the two tacacs servers and having one or both of these files getting corrupted due to the copying (network "hiccup"). Could make it so we are not able to login into the server as one of the local users or root. Right? Maybe we are being too cautious. -----Original Message----- From: dterry at dollartree.com [mailto:dterry at dollartree.com] Sent: Thursday, August 12, 2010 8:28 AM To: Jeffrey S. 
Geist Cc: Mark Urbach; tac_plus at shrubbery.net; tac_plus-bounces at shrubbery.net Subject: Re: [tac_plus] Adding users to tacacs passwd file Why wouldn't you want to use the Linux shadow / passwd files? ---------------------------------------------------------------------------- Hi, We are currently migrating Tacacs from Solaris to Linux. We haven't had any issues getting Tacacs to run on CentOS and users are authenticating through CentOS (using the old tacacs passwd file from Solaris). The issue we are facing is trying to convert the old Solaris script, that creates the users entries in the tacacs passwd file, over to a script that runs on CentOS. The Solaris script creates a user with a unique "uid". We were wondering if anyone knows of a Linux script that will accomplish the same results. We have a fairly good understanding of Tacacs, but we are no experts. Here is the script used on Solaris: ---------------------------- begin ------------------------------------ #!/bin/sh # # @(#)auth_user 2.2 12.28.05 # modified by RKJ for mail2.swnebr.net Solaris 5.8 11/28/03 # modified by MLW for dns3.pnpt.com Solaris 5.8 1/5/06 # # # add user script for use with sys-config # arguments: uname "fullname" password # # dirname is in SystemV catagory - so put it herein shdirname() { expr \ ${1-.}'/' : '\(/\)[^/]*//*$' \ \| ${1-.}'/' : '\(.*[^/]\)//*[^/][^/]*//*$' \ \| . } myname=`basename $0` Passwd_file=/etc/auth-passwd PATH=$PATH:/usr/ucb:/usr/local/bin export PATH # check for root if [ "`whoami`x" != "root"x ]; then echo "You must be root to do $myname!" 
exit 1 fi uid=`cat /usr/local/puid` nuid=`expr ${uid} + 1` echo $nuid > /usr/local/puid # check for number of args if [ $# -ne 3 ]; then echo "${myname}: invalid number of arguments" echo " usage: ${myname} uname \"fullname\" password" exit 1 fi # put args into named variables uname=$1 gid=1000 fullname=$2 password=`/usr/local/sbin/generate_passwd $3` #password=`/usr/bin/encrypt encpw passwd $3` ############################################################################ ## # modified by RKJ for mail2.swnebr.net Solaris 5.8 11/28/03 # homedir="/home/$1" # # # ############################################################################ ## shell=/bin/false # checks for validity of arguments # check uid echo "uid:" $uid if test $uid -lt 10 ; then echo "uid: uid must be greater than 10 and less than 60000" exit 1 elif test $uid -gt 60000 ; then echo "uid: uid must be greater than 10 and less than 60000" exit 1 fi echo "gid:" $gid # check gid if test $gid -lt 10 ; then echo "gid: gid must be greater than 10 and less than 60000" exit 1 elif test $gid -gt 60000 ; then echo "gid: gid must be greater than 10 and less than 60000" exit 1 fi # check shell if test ! -x $shell ; then echo "$shell: the program does not exist or is not executable" exit 1 fi # create a null /etc/passwd entry # first check if one already exists if grep -s "^${uname}:" ${Passwd_file} ; then echo "${myname}: ERROR: ${uname} aleady in ${Passwd_file}"; exit 1; fi # check if uid already exists if grep -s ".*:.*:${uid}:" ${Passwd_file} ; then echo "uid: ERROR: ${uid} already in ${Passwd_file}"; exit 1; fi pwent="${uname}:${password}:${uid}:${gid}:${fullname}:${homedir}:${shell}" # XXX sould we use tmp file and rename it? ( echo '$' ; echo 'i' ; echo "${pwent}" ; echo '.' ; echo 'w' ; echo 'q' ) | ed -s ${Passwd_file} > /dev/null if grep -s "^${uname}:" ${Passwd_file} ; then : else echo "${myname}: ERROR: password entry didn't go to $ {Passwd_file}"; exit 1; fi # echo "Please be patient! 
This may take some time" echo "" # # # SCP a copy of /etc/auth-passwd to DNS2 and Tacacs # if [ -f /etc/auth-passwd ]; then scp /etc/auth-passwd sysop at dns2:/usr/local/etc/tacacs/authentication/auth-passwd echo "A copy of the auth-passwd file has been sent to DNS2..WHEW!!" scp /etc/auth-passwd sysop at tacacs:/usr/local/etc/tacacs/authentication/auth-passwd echo "A copy of the auth-passwd file has been sent to Tacacs..WHEW!!" echo " " fi # exit 0 # #EOF ---------------------------- end ------------------------------------ Maybe this is more complicated than it needs to be. Any suggests, recommendation or opinions are welcomed! Thanx In Advance, [cid:image003.png at 01CB39F4.EEBC6A80] Jeffrey S. Geist Systems Administrator PinPoint Communications 100 North 12th Street Suite 500 Lincoln, NE 68508 Work: (402) 438-6211 Cellular: (402) 580-0047 -------------- next part -------------- An HTML attachment was scrubbed... URL: < http://www.shrubbery.net/pipermail/tac_plus/attachments/20100812/93365c6d/at tachment.html > -------------- next part -------------- A non-text attachment was scrubbed... Name: image003.png Type: image/png Size: 24221 bytes Desc: image003.png URL: < http://www.shrubbery.net/pipermail/tac_plus/attachments/20100812/93365c6d/at tachment.png > _______________________________________________ tac_plus mailing list tac_plus at shrubbery.net http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus From heas at shrubbery.net Fri Aug 13 02:07:43 2010 From: heas at shrubbery.net (john heasley) Date: Thu, 12 Aug 2010 19:07:43 -0700 Subject: [tac_plus] Adding users to tacacs passwd file In-Reply-To: <7F6D3FC2DB95E44DAEF01815F0C15FAF1CF4FBC1D0@EXCHANGE07.pnpt.local> References: <7F6D3FC2DB95E44DAEF01815F0C15FAF1CF4FBC1D0@EXCHANGE07.pnpt.local> Message-ID: <20100813020743.GJ1611@shrubbery.net> Thu, Aug 12, 2010 at 08:04:05AM -0500, Jeffrey S. Geist: > Hi, > > We are currently migrating Tacacs from Solaris to Linux. 
> We haven't had any issues getting Tacacs to run on CentOS and users are
> authenticating through CentOS (using the old tacacs passwd file from
> Solaris). The issue we are facing is trying to convert the old Solaris
> script, that creates the users entries in the tacacs passwd file, over to a
> script that runs on CentOS. The Solaris script creates a user with a unique
> "uid". We were wondering if anyone knows of a Linux script that will
> accomplish the same results. We have a fairly good understanding of Tacacs,
> but we are no experts.

tacacs does not care about the uid. just output any number or leave the
field blank.

From jeffrey.geist at pnpt.com Wed Aug 18 13:34:06 2010
From: jeffrey.geist at pnpt.com (Jeffrey S. Geist)
Date: Wed, 18 Aug 2010 08:34:06 -0500
Subject: [tac_plus] Adding users to tacacs passwd file
In-Reply-To:
References: <7F6D3FC2DB95E44DAEF01815F0C15FAF1CF4FBC1D0@EXCHANGE07.pnpt.local> <002001cb3a27$e849d740$b8dd85c0$@geist@pnpt.com>
Message-ID: <001801cb3eda$0be4d590$23ae80b0$@geist@pnpt.com>

Hi,

We are running tacacs on CentOS 5.5 and have set up tacacs to use the
passwd/shadow file under /etc for authentication. We downloaded this version
of tacacs from:

wget ftp://ftp.muug.mb.ca/mirror/redhat/contrib/libc6/i386/tac_plus-4.0.3-2.i386.rpm

Here is our tac_plus.cfg file:

-------------------begin---------------------------------------------------------
# Created by Devrim SERAL(devrim at tef.gazi.edu.tr)
# This is a very simple configuration file.
# Please read the user_guide and the tacacs+ FAQ for more information on
# more complex tacacs+ configuration files.
#
# Put your NAS key below
key = xibmac

# Use the /etc/passwd.loc file to do authentication;
# it must be in passwd file format,
# so you must merge the shadow and passwd files to do it.
default authentication = file /etc/passwd

# Where the accounting records go
accounting file = /var/log/tacacs.log

user = foobar {
    login = cleartext engage
}
# End config file
------------------end----------------------------------------------------------------

Unfortunately, our test user fails to log into our router. Here is what we
see in /var/log/messages:

Aug 18 07:28:41 dsn2 tac_plus[9493]: login query for 'test' tty0 from 192.168.8.16 rejected
Aug 18 07:29:14 dsn2 tac_plus[9494]: Error 192.168.8.16 tty0: Null reply packet, expecting CONTINUE

Here is the information we see from the router:

sername: ire 12 header bytes (expect 43 bytes data)
*Mar 9 22:01:27.591: TPLUS(00000121)/0/READ: socket event 1
*Mar 9 22:01:27.591: TPLUS(00000121)/0/READ: read entire 55 bytes response
*Mar 9 22:01:27.591: TPLUS(00000121)/0/4B148A0: Processing the reply packet
*Mar 9 22:01:27.591: TPLUS: Received authen response status GET_USER (7)
User Access Verification
Username: test
Password:
*Mar 9 22:01:39.989: TPLUS: Queuing AAA Authentication request 289 for processing
*Mar 9 22:01:39.989: TPLUS: processing authentication continue request id 289
*Mar 9 22:01:39.989: TPLUS: Authentication continue packet generated for 289
*Mar 9 22:01:39.989: TPLUS(00000121)/0/WRITE/4EA85A0: Started 5 sec timeout
*Mar 9 22:01:39.989: TPLUS(00000121)/0/WRITE: wrote entire 21 bytes request
*Mar 9 22:01:39.989: TPLUS(00000121)/0/READ: socket event 1
*Mar 9 22:01:39.989: TPLUS(00000121)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Mar 9 22:01:39.989: TPLUS(00000121)/0/READ: socket event 1
*Mar 9 22:01:39.989: TPLUS(00000121)/0/READ: read entire 28 bytes response
*Mar 9 22:01:39.989: TPLUS(00000121)/0/4EA85A0: Processing the reply packet
*Mar 9 22:01:39.989: TPLUS: Received authen response status GET_PASSWORD (8)
*Mar 9 22:01:49.645: TPLUS: Queuing AAA Authentication request 289 for processing
*Mar 9 22:01:49.645: TPLUS: processing authentication continue request id 289
*Mar 9 22:01:49.645: TPLUS: Authentication continue packet generated for 289
*Mar 9 22:01:49.645: TPLUS(00000121)/0/WRITE/4B148A0: Started 5 sec timeout
*Mar 9 22:01:49.645: TPLUS(00000121)/0/WRITE: wrote entire 21 bytes request
*Mar 9 22:01:49.645: TPLUS(00000121)/0/READ: socket event 1
*Mar 9 22:01:49.645: TPLUS(00000121)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Mar 9 22:01:49.645: TPLUS(00000121)/0/READ: socket event 1
*Mar 9 22:01:49.645: TPLUS(00000121)/0/READ: read entire 18 bytes response
*Mar 9 22:01:49.645: TPLUS(00000121)/0/4B148A0: Processing the reply packet
*Mar 9 22:01:49.645: TPLUS: Received authen response status FAIL (3)
% Authentication failed

We don't see any information in the /var/log/tacacs.log file. We assume that
no information will happen in this file until we authenticate with tacacs.

We do have tacacs running on another CentOS server but we are not using the
passwd/shadow files. We are using a passwd file that has username and
encrypted passwd in the same file (auth-passwd). We are able to authenticate
to this server. This custom passwd file was created by a Solaris script on a
Solaris server. We are trying to get away from Solaris.

If we copy the passwd file (auth-passwd) from the working tacacs server into
our new tacacs server and point the tac_plus.cfg to "auth-passwd", then it
works!

So, we are not sure what needs to be done in order to use the system
passwd/shadow files.

Please let us know if there is other information that would help to resolve
this issue.

TIA,
Jeffrey

-----Original Message-----
From: dterry at dollartree.com [mailto:dterry at dollartree.com]
Sent: Thursday, August 12, 2010 10:24 AM
To: Jeffrey S. Geist
Cc: Mark Urbach; tac_plus at shrubbery.net; tac_plus-bounces at shrubbery.net
Subject: RE: [tac_plus] Adding users to tacacs passwd file

I am quite certain that you are being too cautious. If you used something
like rsync to sync the password files between the two servers and also make
a backup copy each time, you have pretty much zero chance of anything
becoming corrupt. I have used this method for a long time without issue.

-----------------------------------------------------------------------------------

We run two tacacs servers to provide failover and we "scp" the tacacs passwd
files between the two servers to keep them "in sync". We thought about using
the system passwd and shadow files, but we are concerned about copying these
files back and forth between the two tacacs servers and having one or both of
these files getting corrupted due to the copying (network "hiccup"). Could
make it so we are not able to log into the server as one of the local users
or root. Right? Maybe we are being too cautious.

-----Original Message-----
From: dterry at dollartree.com [mailto:dterry at dollartree.com]
Sent: Thursday, August 12, 2010 8:28 AM
To: Jeffrey S. Geist
Cc: Mark Urbach; tac_plus at shrubbery.net; tac_plus-bounces at shrubbery.net
Subject: Re: [tac_plus] Adding users to tacacs passwd file

Why wouldn't you want to use the Linux shadow / passwd files?

----------------------------------------------------------------------------

Hi,

We are currently migrating Tacacs from Solaris to Linux. We haven't had any
issues getting Tacacs to run on CentOS and users are authenticating through
CentOS (using the old tacacs passwd file from Solaris). The issue we are
facing is trying to convert the old Solaris script, that creates the users
entries in the tacacs passwd file, over to a script that runs on CentOS. The
Solaris script creates a user with a unique "uid". We were wondering if
anyone knows of a Linux script that will accomplish the same results. We have
a fairly good understanding of Tacacs, but we are no experts.

Jeffrey S. Geist
Systems Administrator
PinPoint Communications
100 North 12th Street
Suite 500
Lincoln, NE 68508
Work: (402) 438-6211
Cellular: (402) 580-0047

From heas at shrubbery.net Wed Aug 18 16:27:39 2010
From: heas at shrubbery.net (john heasley)
Date: Wed, 18 Aug 2010 16:27:39 +0000
Subject: [tac_plus] Adding users to tacacs passwd file
In-Reply-To: <001801cb3eda$0be4d590$23ae80b0$@geist@pnpt.com>
References: <7F6D3FC2DB95E44DAEF01815F0C15FAF1CF4FBC1D0@EXCHANGE07.pnpt.local> <002001cb3a27$e849d740$b8dd85c0$@geist@pnpt.com> <001801cb3eda$0be4d590$23ae80b0$@geist@pnpt.com>
Message-ID: <20100818162737.GI7107@shrubbery.net>

Wed, Aug 18, 2010 at 08:34:06AM -0500, Jeffrey S. Geist:
> We don't see any information in the /var/log/tacacs.log file. We assume that
> no information will happen in this file until we authenticate with tacacs.

non-accounting logging prefers syslog. also see the -d option.

> We do have tacacs running on another CentOS server but we are not using the
> passwd/shadow files. We are using a passwd file that has username and
> encrypted passwd in the same file (auth-passwd). We are able to authenticate
> to this server. This custom passwd file was created by a Solaris script on a
> Solaris server. We are trying to get away from Solaris.

afaik, linux/centos is a shadow password machine. anytime you use the file
name /etc/passwd, tacacs uses getspnam() to retrieve the DES so that locking
& /etc/shadow handling is supplied. if you really want to use your password
crypts in /etc/passwd, symlink /etc/tac_plus.pwd to /etc/passwd.

From jeffrey.geist at pnpt.com Wed Aug 18 17:52:56 2010
From: jeffrey.geist at pnpt.com (Jeffrey S. Geist)
Date: Wed, 18 Aug 2010 12:52:56 -0500
Subject: [tac_plus] Adding users to tacacs passwd file
In-Reply-To: <20100818162737.GI7107@shrubbery.net>
References: <7F6D3FC2DB95E44DAEF01815F0C15FAF1CF4FBC1D0@EXCHANGE07.pnpt.local> <002001cb3a27$e849d740$b8dd85c0$@geist@pnpt.com> <001801cb3eda$0be4d590$23ae80b0$@geist@pnpt.com> <20100818162737.GI7107@shrubbery.net>
Message-ID: <002001cb3efe$3151c990$93f55cb0$@geist@pnpt.com>

We created the symbolic link:

lrwxrwxrwx 1 root root 11 Aug 18 12:32 tac_plus.pwd -> /etc/passwd

and edited the tac_plus.cfg with "default authentication = file
/etc/tac_plus.pwd".

However, this did not correct the issue.

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Wednesday, August 18, 2010 11:28 AM
To: Jeffrey S. Geist
Cc: dterry at dollartree.com; Jarrod Ronhovde; tac_plus at shrubbery.net; 'Mark Urbach'
Subject: Re: [tac_plus] Adding users to tacacs passwd file

Wed, Aug 18, 2010 at 08:34:06AM -0500, Jeffrey S. Geist:
> We don't see any information in the /var/log/tacacs.log file. We assume that
> no information will happen in this file until we authenticate with tacacs.

non-accounting logging prefers syslog. also see the -d option.

> We do have tacacs running on another CentOS server but we are not using the
> passwd/shadow files. We are using a passwd file that has username and
> encrypted passwd in the same file (auth-passwd). We are able to authenticate
> to this server. This custom passwd file was created by a Solaris script on a
> Solaris server. We are trying to get away from Solaris.

afaik, linux/centos is a shadow password machine. anytime you use the file
name /etc/passwd, tacacs uses getspnam() to retrieve the DES so that locking
& /etc/shadow handling is supplied. if you really want to use your password
crypts in /etc/passwd, symlink /etc/tac_plus.pwd to /etc/passwd.
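The Linux replacement for the Solaris add-user script asked about at the start of this thread, written here as an added example; it is not anything posted to the list or shipped with tac_plus. It keeps the passwd(5) layout the existing auth-passwd file uses, so `default authentication = file ...` keeps working, refuses field values that would inject extra fields or records into the file, and replaces the ed(1) in-place edit with a locked copy-and-rename, which is what the original script's "XXX should we use tmp file and rename it?" comment asks about. Assumptions not in the thread: the hash is produced beforehand by a tool such as `openssl passwd -6` or `mkpasswd -m sha-512` and is in a crypt(3) format the server's libc accepts; the function and variable names, the demo file and the constructed hash are made up; and a UID is still allocated per user even though, as John says, tac_plus ignores the field.

```shell
#!/bin/sh
# Added example, not the Solaris script from the thread: append one user to a
# tac_plus-style passwd file (passwd(5) layout, the format used with
# "default authentication = file /path"), replacing the ed(1) in-place edit
# with a locked copy-and-rename so readers never see a half-written file.
#
# Assumptions not taken from the thread: HASH is generated beforehand
# (e.g. `openssl passwd -6` or `mkpasswd -m sha-512`) in a crypt(3) format the
# server's libc accepts, and a UID is still allocated per user even though
# tac_plus ignores the field.

# A field may not be empty or contain ':' or a control character; either
# would let a caller inject extra fields or extra records into the file.
safe_field() {
    [ -n "$1" ] || return 1
    if printf '%s' "$1" | grep -q '[:[:cntrl:]]'; then
        return 1
    fi
    return 0
}

# Print the next free UID above MIN (default 1000); fail above 60000.
next_uid() {
    awk -F: -v min="${2:-1000}" '
        $3 ~ /^[0-9]+$/ && $3 + 0 > max { max = $3 + 0 }
        END {
            uid = (max < min) ? min : max + 1
            if (uid > 60000) { print "next_uid: uid range exhausted" > "/dev/stderr"; exit 1 }
            print uid
        }' "$1"
}

# add_tacacs_user FILE NAME HASH "FULL NAME"
# Returns 0 when added, 1 on bad input or duplicate, 2 when the file could
# not be rewritten. FILE must already exist.
add_tacacs_user() {
    file=$1 name=$2 hash=$3 gecos=$4
    gid=1000 home="/home/$2" shell=/bin/false

    i=1
    for field in "$name" "$hash" "$gecos"; do
        i=$((i + 1))
        if ! safe_field "$field"; then
            echo "add_tacacs_user: argument $i is empty or contains ':' or a control character" >&2
            return 1
        fi
    done

    # Exact match on the name field; a grep on "^$name:" would treat regex
    # metacharacters in the name as a pattern.
    if awk -F: -v u="$name" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$file"; then
        echo "add_tacacs_user: $name is already in $file" >&2
        return 1
    fi

    uid=$(next_uid "$file") || return 1

    # Serialise writers with a lock directory (mkdir is atomic), then replace
    # the file by rename so the server never reads a partial entry.
    if ! mkdir "$file.lock" 2>/dev/null; then
        echo "add_tacacs_user: $file is locked by another writer" >&2
        return 2
    fi
    tmp=$(mktemp "$file.XXXXXX") || { rmdir "$file.lock"; return 2; }
    if cat "$file" > "$tmp" &&
       printf '%s:%s:%s:%s:%s:%s:%s\n' "$name" "$hash" "$uid" "$gid" "$gecos" "$home" "$shell" >> "$tmp" &&
       mv -f "$tmp" "$file"; then
        rmdir "$file.lock"
        return 0
    fi
    rm -f "$tmp"
    rmdir "$file.lock"
    return 2
}

# Demo on a throwaway file: sh add_tacacs_user.sh --demo
if [ "${1-}" = "--demo" ]; then
    demo=$(mktemp -d)
    : > "$demo/auth-passwd"
    # Constructed hash, not a real password.
    add_tacacs_user "$demo/auth-passwd" alice '$6$constructed$notarealhash' 'Alice Example'
    cat "$demo/auth-passwd"
    rm -rf "$demo"
fi
```

The rename leaves the file with mktemp's 0600 mode, so chown it to the account tac_plus runs as; a file full of password hashes should not be wider than that anyway. Copying the result to the second server (the scp or rsync discussed above) belongs after the rename as a separate step, so the peer only ever receives a complete file.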
From heas at shrubbery.net Wed Aug 18 19:17:23 2010
From: heas at shrubbery.net ('john heasley')
Date: Wed, 18 Aug 2010 19:17:23 +0000
Subject: [tac_plus] Adding users to tacacs passwd file
In-Reply-To: <002001cb3efe$3151c990$93f55cb0$@geist@pnpt.com>
References: <7F6D3FC2DB95E44DAEF01815F0C15FAF1CF4FBC1D0@EXCHANGE07.pnpt.local> <002001cb3a27$e849d740$b8dd85c0$@geist@pnpt.com> <001801cb3eda$0be4d590$23ae80b0$@geist@pnpt.com> <20100818162737.GI7107@shrubbery.net> <002001cb3efe$3151c990$93f55cb0$@geist@pnpt.com>
Message-ID: <20100818191723.GE1750@shrubbery.net>

Wed, Aug 18, 2010 at 12:52:56PM -0500, Jeffrey S. Geist:
> We created the symbolic link:
>
> lrwxrwxrwx 1 root root 11 Aug 18 12:32 tac_plus.pwd -> /etc/passwd
>
> and edited the tac_plus.cfg with "default authentication = file
> /etc/tac_plus.pwd".
>
> However, this did not correct the issue.

hrm, not sure why it wouldn't. look at the syslog and -d option for
password debugging.

From jeffrey.geist at pnpt.com Thu Aug 19 15:52:07 2010
From: jeffrey.geist at pnpt.com (Jeffrey S. Geist)
Date: Thu, 19 Aug 2010 10:52:07 -0500
Subject: [tac_plus] Adding users to tacacs passwd file
In-Reply-To: <20100818191723.GE1750@shrubbery.net>
References: <7F6D3FC2DB95E44DAEF01815F0C15FAF1CF4FBC1D0@EXCHANGE07.pnpt.local> <002001cb3a27$e849d740$b8dd85c0$@geist@pnpt.com> <001801cb3eda$0be4d590$23ae80b0$@geist@pnpt.com> <20100818162737.GI7107@shrubbery.net> <002001cb3efe$3151c990$93f55cb0$@geist@pnpt.com> <20100818191723.GE1750@shrubbery.net>
Message-ID: <001801cb3fb6$7a4c9c70$6ee5d550$@geist@pnpt.com>

Hi,

It seems that tacacs is not able to get the encrypted password from the
/etc/shadow file. If the tac_plus.cfg is configured with

"default authentication = file /etc/passwd"

If we copy the encrypted password from /etc/shadow for a particular user and
then replace "x" in the /etc/passwd file for that same user with the
encrypted passwd, it works!

Hope this can shed some light on our issue...

-----Original Message-----
From: 'john heasley' [mailto:heas at shrubbery.net]
Sent: Wednesday, August 18, 2010 2:17 PM
To: Jeffrey S. Geist
Cc: 'john heasley'; dterry at dollartree.com; Jarrod Ronhovde; tac_plus at shrubbery.net; Mark Urbach
Subject: Re: [tac_plus] Adding users to tacacs passwd file

Wed, Aug 18, 2010 at 12:52:56PM -0500, Jeffrey S. Geist:
> We created the symbolic link:
>
> lrwxrwxrwx 1 root root 11 Aug 18 12:32 tac_plus.pwd -> /etc/passwd
>
> and edited the tac_plus.cfg with "default authentication = file
> /etc/tac_plus.pwd".
>
> However, this did not correct the issue.

hrm, not sure why it wouldn't. look at the syslog and -d option for
password debugging.

From heas at shrubbery.net Thu Aug 19 17:37:48 2010
From: heas at shrubbery.net (john heasley)
Date: Thu, 19 Aug 2010 17:37:48 +0000
Subject: [tac_plus] Adding users to tacacs passwd file
In-Reply-To: <001801cb3fb6$7a4c9c70$6ee5d550$@geist@pnpt.com>
References: <7F6D3FC2DB95E44DAEF01815F0C15FAF1CF4FBC1D0@EXCHANGE07.pnpt.local> <002001cb3a27$e849d740$b8dd85c0$@geist@pnpt.com> <001801cb3eda$0be4d590$23ae80b0$@geist@pnpt.com> <20100818162737.GI7107@shrubbery.net> <002001cb3efe$3151c990$93f55cb0$@geist@pnpt.com> <20100818191723.GE1750@shrubbery.net> <001801cb3fb6$7a4c9c70$6ee5d550$@geist@pnpt.com>
Message-ID: <20100819173748.GC11723@shrubbery.net>

Thu, Aug 19, 2010 at 10:52:07AM -0500, Jeffrey S. Geist:
> Hi,
>
> It seems that tacacs is not able to get the encrypted password from the
> /etc/shadow file. If the tac_plus.cfg is configured with
>
> "default authentication = file /etc/passwd"

it should. if you send the debug logs, that may tell us why it's failing.

> If we copy the encrypted password from /etc/shadow for a particular user and
> then replace "x" in the /etc/passwd file for that same user with the
> encrypted passwd, it works!
>
> Hope this can shed some light on our issue...
>
> -----Original Message-----
> From: 'john heasley' [mailto:heas at shrubbery.net]
> Sent: Wednesday, August 18, 2010 2:17 PM
> To: Jeffrey S. Geist
> Cc: 'john heasley'; dterry at dollartree.com; Jarrod Ronhovde;
> tac_plus at shrubbery.net; Mark Urbach
> Subject: Re: [tac_plus] Adding users to tacacs passwd file
>
> Wed, Aug 18, 2010 at 12:52:56PM -0500, Jeffrey S. Geist:
> > We created the symbolic link:
> >
> > lrwxrwxrwx 1 root root 11 Aug 18 12:32 tac_plus.pwd -> /etc/passwd
> >
> > and edited the tac_plus.cfg with "default authentication = file
> > /etc/tac_plus.pwd".
> >
> > However, this did not correct the issue.
>
> hrm, not sure why it wouldn't. look at the syslog and -d option for
> password debugging.
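The lookup path John describes (read the passwd entry, then go to the shadow file for the hash when the password field is "x") can be checked per account from the shell before turning on -d debugging. This is an added example, not tac_plus code: it reads the two files directly instead of going through getpwnam()/getspnam(), so it only approximates NSS, and it takes the file paths as arguments so it can be pointed at copies. It reports where the hash comes from, which crypt(3) scheme it uses (the server compares with its libc's crypt(), so the scheme has to be one that libc supports), and whether the account is locked. The thread never settles why the shadow lookup failed on Jeffrey's server; what this check does make visible is that /etc/shadow is normally readable by root only, so a server process without that privilege sees the "x" in /etc/passwd and nothing behind it. The function names and the sample passwd and shadow lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not tac_plus code: show where the hash for USER would come
# from when the server is pointed at a passwd(5) file, following the path
# described in the thread (passwd entry first, then the shadow file if the
# password field is 'x'). Reads the files directly rather than via
# getpwnam()/getspnam(), so it approximates NSS; the paths default to
# /etc/passwd and /etc/shadow and can be pointed at copies.

# Print field 2 of USER's line in a colon-separated FILE; fail if absent.
pw_field() {
    awk -F: -v u="$1" '$1 == u { print $2; found = 1; exit }
                        END { if (!found) exit 1 }' "$2"
}

# Name the crypt(3) scheme a hash uses; the server's libc must support it for
# the comparison to succeed.
hash_kind() {
    case "$1" in
        '$6$'*)         echo sha512 ;;
        '$5$'*)         echo sha256 ;;
        '$1$'*)         echo md5 ;;
        '$2'[abxy]'$'*) echo bcrypt ;;
        '$y$'*)         echo yescrypt ;;
        '')             echo empty ;;
        *) if [ ${#1} -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# lookup_hash USER [PASSWD_FILE] [SHADOW_FILE]
# Prints one of:
#   passwd:<kind>      hash stored in the passwd file itself
#   shadow:<kind>      password field is 'x', hash found in the shadow file
#   shadow-unreadable  password field is 'x' but the shadow file cannot be read
#   shadow-missing     password field is 'x' but the shadow file has no entry
#   locked             hash starts with '!' or '*', so the account is disabled
#   nouser             USER is not in the passwd file
lookup_hash() {
    user=$1 pwfile=${2:-/etc/passwd} spfile=${3:-/etc/shadow}
    if ! pwhash=$(pw_field "$user" "$pwfile"); then
        echo nouser; return 1
    fi
    src=passwd hash=$pwhash
    if [ "$pwhash" = x ]; then
        # Shadowed: /etc/shadow is normally mode 0000 or 0400 and owned by
        # root, so a server not running as root gets nothing from here
        # (getspnam() returns NULL for it).
        if [ ! -r "$spfile" ]; then
            echo shadow-unreadable; return 2
        fi
        if ! hash=$(pw_field "$user" "$spfile"); then
            echo shadow-missing; return 1
        fi
        src=shadow
    fi
    case "$hash" in
        '!'*|'*'*) echo locked; return 3 ;;
    esac
    echo "$src:$(hash_kind "$hash")"
}

# Demo against constructed files: sh lookup_hash.sh --demo
# For the live system run `lookup_hash <user>` as the account tac_plus runs as.
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d)
    # Constructed sample entries, not from any real system.
    printf 'alice:x:1000:1000:Alice:/home/alice:/bin/false\n' > "$d/passwd"
    printf 'bob:$1$ab$CDEFGHIJKLMNOPQRSTUV/:1001:1000:Bob:/home/bob:/bin/false\n' >> "$d/passwd"
    printf 'alice:$6$salt$hash:15000:0:99999:7:::\n' > "$d/shadow"
    for u in alice bob nobody; do
        printf '%s -> %s\n' "$u" "$(lookup_hash "$u" "$d/passwd" "$d/shadow")"
    done
    rm -rf "$d"
fi
```

Run it as the same account the daemon runs as (check with `ps -o user= -C tac_plus` on Linux): a result of shadow-unreadable for a user who logs in fine at the console is exactly the situation in which copying the hash from /etc/shadow into /etc/passwd, as Jeffrey did, makes the login start working.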