[tac_plus] Adding users to tacacs passwd file

Jeffrey S. Geist jeffrey.geist at pnpt.com
Thu Aug 12 13:04:05 UTC 2010 

Hi,

We are currently migrating Tacacs from  Solaris to Linux. We haven't had any issues getting Tacacs to run on CentOS and users are authenticating through CentOS (using the old tacacs passwd file from Solaris). The issue we are facing is trying to convert the old Solaris script, that creates the users entries in the tacacs passwd file, over to a script that runs on CentOS. The Solaris script creates a user with a unique "uid". We were wondering if anyone knows of a Linux script that will accomplish the same results. We have a fairly good understanding of Tacacs, but we are no experts.

Here is the script used on Solaris:

---------------------------- begin ------------------------------------
#!/bin/sh
#
# @(#)auth_user 2.2 12.28.05
#  modified by RKJ for mail2.swnebr.net  Solaris 5.8 11/28/03
#  modified by MLW for dns3.pnpt.com   Solaris 5.8 1/5/06
#
#
# add user script for use with sys-config
# arguments: uname "fullname" password
#
# dirname is in SystemV catagory - so put it herein
shdirname()
{
expr \
  ${1-.}'/' : '\(/\)[^/]*//*$' \
  \| ${1-.}'/' : '\(.*[^/]\)//*[^/][^/]*//*$' \
  \| .
}

myname=`basename $0`
Passwd_file=/etc/auth-passwd
PATH=$PATH:/usr/ucb:/usr/local/bin
export PATH
# check for root
if [ "`whoami`x" != "root"x ]; then
   echo "You must be root to do $myname!"
   exit 1
fi

uid=`cat /usr/local/puid`
nuid=`expr ${uid} + 1`
echo $nuid > /usr/local/puid

# check for number of args
if [ $# -ne 3 ]; then
        echo "${myname}: invalid number of arguments"
        echo "   usage: ${myname} uname \"fullname\" password"
        exit 1
fi

# put args into named variables
uname=$1
gid=1000
fullname=$2
password=`/usr/local/sbin/generate_passwd $3`
#password=`/usr/bin/encrypt encpw passwd $3`
##############################################################################
#  modified by RKJ for mail2.swnebr.net  Solaris 5.8 11/28/03                 #
homedir="/home/$1"
#
#                                                                            #
##############################################################################

shell=/bin/false

# checks for validity of arguments
# check uid

echo "uid:" $uid
if test $uid -lt 10 ; then
        echo  "uid: uid must be greater than 10 and less than 60000"
        exit 1
elif test $uid -gt 60000 ; then
        echo  "uid: uid must be greater than 10 and less than 60000"
        exit 1
fi


echo "gid:" $gid
# check gid
if test $gid -lt 10 ; then
        echo  "gid: gid must be greater than 10 and less than 60000"
        exit 1
elif test $gid -gt 60000 ; then
        echo  "gid: gid must be greater than 10 and less than 60000"
        exit 1
fi


# check shell
if test ! -x $shell ; then
        echo "$shell: the program does not exist or is not executable"
        exit 1
fi

# create a null /etc/passwd entry
# first check if one already exists
if grep -s "^${uname}:" ${Passwd_file} ; then
        echo "${myname}: ERROR: ${uname} aleady in ${Passwd_file}";
        exit 1;
fi
# check if uid already exists
if grep -s ".*:.*:${uid}:" ${Passwd_file} ; then
        echo "uid: ERROR: ${uid} already in ${Passwd_file}";
        exit 1;
fi
pwent="${uname}:${password}:${uid}:${gid}:${fullname}:${homedir}:${shell}"
# XXX sould we use tmp file and rename it?
( echo '$' ;
  echo 'i' ;
  echo "${pwent}" ;
  echo '.' ;
  echo 'w' ;
  echo 'q' ) | ed -s ${Passwd_file} > /dev/null
if grep -s "^${uname}:" ${Passwd_file} ; then
        :
else
        echo "${myname}: ERROR: password entry didn't go to ${Passwd_file}";
        exit 1;
fi
#
echo "Please be patient! This may take some time"
echo ""
#
#
# SCP a copy of /etc/auth-passwd to DNS2 and Tacacs
#
if [ -f /etc/auth-passwd ]; then

        scp /etc/auth-passwd  sysop at dns2:/usr/local/etc/tacacs/authentication/auth-passwd
        echo "A copy of the auth-passwd file has been sent to DNS2..WHEW!!"
        scp /etc/auth-passwd  sysop at tacacs:/usr/local/etc/tacacs/authentication/auth-passwd
        echo "A copy of the auth-passwd file has been sent to Tacacs..WHEW!!"
        echo " "
fi
#
exit 0
#
#EOF
---------------------------- end ------------------------------------

Maybe this is more complicated than it needs to be. Any suggests, recommendation or opinions are welcomed!

Thanx In Advance,

[cid:image003.png at 01CB39F4.EEBC6A80]

Jeffrey S. Geist
Systems Administrator
PinPoint Communications
100 North 12th Street
Suite 500
Lincoln, NE  68508
Work: (402) 438-6211
Cellular: (402) 580-0047




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20100812/93365c6d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 24221 bytes
Desc: image003.png
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20100812/93365c6d/attachment.png>

More information about the tac_plus mailing list