[tac_plus] AD version of the pam guide

heasley heas at shrubbery.net
Wed Apr 25 17:29:32 UTC 2012


Wed, Apr 25, 2012 at 11:03:44AM -0600, Daniel Schmidt:
> Same thing - I don't get it.  I compiled the latest version, -lpam yes,
> it's checking PAM - it seems like everything should be right.  Pull my
> hair out - any ideas appreciated, thx for your help.
> 
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: homer at SIMPSON.EDU
> 
> Valid starting     Expires            Service principal
> <date>         	<snip>           krbtgt/<snip>
>         renew until <snip>
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
> $ kdestroy
> 
> user = homer {
>         default service = permit
>         service = exec {
>                 priv-lvl = 1
>                 # brocade-privlvl = 5
>                 idletime = 10 }
>         service = ciscowlc {
>                 role1 = MONITOR
>         }
>         after authorization "/usr/bin/python /root/do_auth.pyo -i $address -fix_crs_bug -u $user -d $name -l /root/log.txt -f /root/do_auth.ini"
>         login = PAM
>         pap = PAM
> }
> 
> # egrep 4031 tac_log.txt
> Wed Apr 25 10:34:39 2012 [4031]: connect from 1.1.1.1 [1.1.1.1]
> Wed Apr 25 10:34:39 2012 [4031]: pam_verify homer
> Wed Apr 25 10:34:39 2012 [4031]: pam_tacacs received 1 pam_messages
> Wed Apr 25 10:34:39 2012 [4031]: 1.1.1.1 tty14: PAM_PROMPT_ECHO_OFF
> Wed Apr 25 10:34:42 2012 [4031]: Unknown user

does homer have a unix account?  is his uid less than 500?  etc etc.  all
those options.  reduce the complexity until you have something that works;
do the absolute minimum in the lab.

honestly, i added pam to get SecurID to work for an eval trial;  I've long
thought that the configuration of pam was a bit esoteric and manual pages
are lacking.

> Wed Apr 25 10:34:42 2012 [4031]: login query for 'homer' tty14 from 1.1.1.1 rejected
> Wed Apr 25 10:34:42 2012 [4031]: login failure: homer 1.1.1.1 (1.1.1.1)
> tty14
> 
> $ cat /etc/pam.d/tac_plus
> auth        required      pam_env.so
> auth        sufficient    pam_krb5.so use_first_pass
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so broken_shadow

and where is the krb5 account check?

> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     required      pam_permit.so
> 
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> 
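To see why heasley asks whether homer has a unix account, and what his "where is the krb5 account check?" implies, it helps to walk the quoted auth and account stacks through Linux-PAM's control-flag rules. The following is an added example written for this page; it is not code from the thread, from tac_plus or from Linux-PAM. The module functions are hypothetical stand-ins that return the codes the module man pages describe (in particular, that pam_krb5 answers PAM_USER_UNKNOWN for a principal with no passwd/NSS entry is an assumption), the `User` records are constructed, and the bracketed `[success=1 default=ignore]` syntax of the session stack is not modelled.

```python
"""Walk the quoted /etc/pam.d/tac_plus auth and account stacks with Linux-PAM's
control-flag rules (required/requisite/sufficient/optional, simplified)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Linux-PAM return codes used by the model (values from _pam_types.h).
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 6, 7, 10
NAMES = {0: "PAM_SUCCESS", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 10: "PAM_USER_UNKNOWN"}


@dataclass
class User:
    """Constructed test subject; uid=None means no passwd/NSS entry at all."""
    name: str
    uid: Optional[int]
    krb5_password_ok: bool   # would the KDC accept the password?
    unix_password_ok: bool   # would /etc/shadow accept the password?


# Hypothetical stand-ins for each module's verdict; they are not the modules.
def pam_env(u: User, stage: str) -> int:
    return PAM_SUCCESS

def pam_krb5(u: User, stage: str) -> int:
    if u.uid is None:                    # assumption: no NSS entry -> PAM_USER_UNKNOWN
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if u.krb5_password_ok else PAM_AUTH_ERR

def pam_unix(u: User, stage: str) -> int:
    if u.uid is None:
        return PAM_USER_UNKNOWN
    if stage == "account":
        return PAM_SUCCESS               # assumption: shadow entry present, not expired
    return PAM_SUCCESS if u.unix_password_ok else PAM_AUTH_ERR

def succeed_if(pred: Callable[[int], bool]):
    def mod(u: User, stage: str) -> int:  # pam_succeed_if: USER_UNKNOWN if the lookup fails
        if u.uid is None:
            return PAM_USER_UNKNOWN
        return PAM_SUCCESS if pred(u.uid) else PAM_AUTH_ERR
    return mod

def pam_localuser(u: User, stage: str) -> int:
    return PAM_SUCCESS if u.uid is not None else PAM_PERM_DENIED

def pam_deny(u: User, stage: str) -> int:
    return PAM_AUTH_ERR

def pam_permit(u: User, stage: str) -> int:
    return PAM_SUCCESS


Module = Tuple[str, str, Callable[[User, str], int]]   # (control flag, label, verdict)

AUTH_STACK: List[Module] = [
    ("required",   "pam_env.so",                  pam_env),
    ("sufficient", "pam_krb5.so use_first_pass",  pam_krb5),
    ("sufficient", "pam_unix.so try_first_pass",  pam_unix),
    ("requisite",  "pam_succeed_if.so uid >= 500", succeed_if(lambda uid: uid >= 500)),
    ("required",   "pam_deny.so",                 pam_deny),
]
ACCOUNT_STACK: List[Module] = [
    ("required",   "pam_unix.so broken_shadow",   pam_unix),
    ("sufficient", "pam_localuser.so",            pam_localuser),
    ("sufficient", "pam_succeed_if.so uid < 500", succeed_if(lambda uid: uid < 500)),
    ("required",   "pam_permit.so",               pam_permit),
]


def run_stack(stack: List[Module], user: User, stage: str) -> Tuple[int, List[str]]:
    """Return (final status, trace) following the dispatcher's keyword rules."""
    impression: Optional[bool] = None   # None: undecided, True: positive, False: negative
    status = PAM_PERM_DENIED            # returned if nothing decisive ran
    trace: List[str] = []
    for control, label, verdict in stack:
        rv = verdict(user, stage)
        trace.append(f"{stage}: {control:10} {label:30} -> {NAMES[rv]}")
        if rv == PAM_SUCCESS:
            if impression is None:                 # first success: stack is positive so far
                impression, status = True, rv
            if control == "sufficient" and impression is True:
                trace.append("  sufficient succeeded: stack ended")
                break                              # no earlier required failure: done
        elif control == "required":
            if impression is not False:            # remember the first failure, keep going
                impression, status = False, rv
        elif control == "requisite":
            impression, status = False, rv         # abort immediately with this code
            trace.append("  requisite failed: stack aborted")
            break
        # failures of sufficient/optional modules are ignored
    return status, trace


def outcome(user: User) -> Tuple[int, int]:
    """(auth status, account status) for the quoted tac_plus stacks."""
    return run_stack(AUTH_STACK, user, "auth")[0], run_stack(ACCOUNT_STACK, user, "account")[0]


# Constructed scenarios for the user in the thread.
KERBEROS_ONLY   = User("homer",  None, True,  False)   # principal exists, no passwd entry
LOCAL_WITH_KRB5 = User("homer",  1000, True,  False)   # passwd entry, password known to the KDC
LOCAL_BAD_PW    = User("homer",  1000, False, False)   # passwd entry, wrong password everywhere
SYSTEM_ACCOUNT  = User("apache", 48,   True,  False)   # uid < 500 but with a valid principal

if __name__ == "__main__":
    for u in (KERBEROS_ONLY, LOCAL_WITH_KRB5, LOCAL_BAD_PW, SYSTEM_ACCOUNT):
        print(f"== {u.name} uid={u.uid} krb5_ok={u.krb5_password_ok}")
        for stage, stack in (("auth", AUTH_STACK), ("account", ACCOUNT_STACK)):
            status, trace = run_stack(stack, u, stage)
            print("\n".join(trace) + f"\n  => {stage} result {NAMES[status]}")
```

Run as a script, the trace for the Kerberos-only user shows both sufficient modules being ignored and the requisite pam_succeed_if aborting the auth stack with PAM_USER_UNKNOWN, which is the code tac_plus's "Unknown user" message most plausibly reflects; the same user has no path through the account stack either, because every module in it needs a passwd entry and none of them consults Kerberos. The fourth scenario is the caveat a reviewer would raise about this stack: when pam_krb5 succeeds the uid >= 500 check is never reached, so the guard only covers the local-password fallthrough.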