[tac_plus] AD version of the pam guide
Daniel Schmidt
daniel.schmidt at wyo.gov
Wed Apr 25 17:59:08 UTC 2012
So... you're saying.... homer would need to exist locally on the box
first? :-\
Of course, that works much better. My sincerest apologies for wasting
everybody's time on this, thanks Adam and 'Heas. When I get a chance,
I'll add this to tacacs.org lest anybody waste your time with this again.
(New version of do_auth also coming - support for juniper pairs)
-----Original Message-----
From: heasley [mailto:heas at shrubbery.net]
Sent: Wednesday, April 25, 2012 11:30 AM
To: Daniel Schmidt
Cc: Adam Allred; tac_plus at shrubbery.net
Subject: Re: [tac_plus] AD version of the pam guide
Wed, Apr 25, 2012 at 11:03:44AM -0600, Daniel Schmidt:
> Same thing - I don't get it. I compiled the latest version, -lpam
> yes, it's checking PAM - it seems like everything should be right.
> Pull my hair out - any ideas appreciated, thx for your help.
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: homer at SIMPSON.EDU
>
> Valid starting Expires Service principal
> <date> <snip> krbtgt/<snip>
> renew until <snip>
>
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
> $ kestroy
>
> user = homer {
> default service = permit
> service = exec {
> priv-lvl = 1
> # brocade-privlvl = 5
> idletime = 10 }
> service = ciscowlc {
> role1 = MONITOR
> }
> after authorization "/usr/bin/python /root/do_auth.pyo -i $address -fix_crs_bug -u $user -d $name -l /root/log.txt -f /root/do_auth.ini"
> login = PAM
> pap = PAM
> }
>
> # egrep 4031 tac_log.txt
> Wed Apr 25 10:34:39 2012 [4031]: connect from 1.1.1.1 [1.1.1.1]
> Wed Apr 25 10:34:39 2012 [4031]: pam_verify homer
> Wed Apr 25 10:34:39 2012 [4031]: pam_tacacs received 1 pam_messages
> Wed Apr 25 10:34:39 2012 [4031]: 1.1.1.1 tty14: PAM_PROMPT_ECHO_OFF
> Wed Apr 25 10:34:42 2012 [4031]: Unknown user
does homer have a unix account? is his uid less than 500? etc etc. all
those options. reduce the complexity until you have something that works;
do the absolute minimum in the lab.
honestly, i added pam to get SecurID to work for an eval trial; I've long
thought that the configuration of pam was a bit esoteric and manual pages
are lacking.
> Wed Apr 25 10:34:42 2012 [4031]: login query for 'homer' tty14 from 1.1.1.1 rejected
> Wed Apr 25 10:34:42 2012 [4031]: login failure: homer 1.1.1.1 (1.1.1.1) tty14
>
> $ cat /etc/pam.d/tac_plus
> auth required pam_env.so
> auth sufficient pam_krb5.so use_first_pass
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
and where is the krb5 account check?
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
>
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
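The thread's conclusion (homer must exist locally before the PAM stack above will accept a Kerberos login) can be made concrete by walking the quoted `auth` section through Linux-PAM's control-flag rules. The following is an added example, not code from the thread, from tac_plus or from Linux-PAM: it parses the `auth` lines exactly as quoted and models each module's outcome under stated assumptions (in particular, that `pam_krb5.so`, `pam_unix.so` and `pam_succeed_if.so` all return `PAM_USER_UNKNOWN` for a name with no local passwd entry), then applies the `required`/`requisite`/`sufficient` semantics to show which status the stack hands back to tac_plus for several constructed users.

```python
"""Walk the quoted /etc/pam.d/tac_plus 'auth' stack through Linux-PAM's
control-flag rules for a few constructed users.

Added example, not tac_plus or Linux-PAM code.  Module outcomes are modelled
(assumptions noted inline), not produced by loading the real modules."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# The auth section of /etc/pam.d/tac_plus, as quoted in the thread.
PAM_AUTH_CONFIG = """\
auth required pam_env.so
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""

# Subset of Linux-PAM return codes used by the model.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"


@dataclass
class SimUser:
    """Constructed test identity: local_uid is None when /etc/passwd has no entry."""
    name: str
    local_uid: Optional[int]
    krb5_password_ok: bool
    unix_password_ok: bool


def parse_auth_stack(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (control, module, args) for each simple-keyword 'auth' line."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        # Bracketed [success=..] controls are not modelled here; skip them.
        if len(parts) < 3 or parts[0] != "auth" or parts[1].startswith("["):
            continue
        stack.append((parts[1], parts[2], parts[3:]))
    return stack


_UID_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
            "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
            "=": lambda a, b: a == b, "!=": lambda a, b: a != b}


def run_module(module: str, args: List[str], user: SimUser) -> str:
    """Modelled outcome of one module for one user (assumptions marked)."""
    if module == "pam_env.so":
        return PAM_SUCCESS
    if module in ("pam_krb5.so", "pam_unix.so"):
        # Assumption: both refuse a name that getpwnam() cannot resolve.
        if user.local_uid is None:
            return PAM_USER_UNKNOWN
        ok = user.krb5_password_ok if module == "pam_krb5.so" else user.unix_password_ok
        return PAM_SUCCESS if ok else PAM_AUTH_ERR
    if module == "pam_succeed_if.so":
        # Only the "uid <op> N" form used in the thread is modelled.
        if user.local_uid is None:
            return PAM_USER_UNKNOWN
        field, op, value = args[0], args[1], int(args[2])
        if field != "uid" or op not in _UID_OPS:
            raise ValueError(f"unsupported pam_succeed_if condition: {args}")
        return PAM_SUCCESS if _UID_OPS[op](user.local_uid, value) else PAM_AUTH_ERR
    if module == "pam_deny.so":
        return PAM_AUTH_ERR
    raise ValueError(f"module not modelled: {module}")


def evaluate_auth(stack, user: SimUser) -> Tuple[str, List[str]]:
    """Apply Linux-PAM simple control semantics; return (status, trace).

    required:   failure is remembered (first one wins), stack continues
    requisite:  failure ends the stack immediately
    sufficient: success ends the stack, unless a required failure is pending
    """
    trace, first_failure = [], None
    for control, module, args in stack:
        rc = run_module(module, args, user)
        trace.append(f"{control:<10} {module:<18} -> {rc}")
        ok = rc == PAM_SUCCESS
        if control == "required" and not ok and first_failure is None:
            first_failure = rc
        elif control == "requisite" and not ok:
            return (first_failure or rc), trace
        elif control == "sufficient" and ok and first_failure is None:
            return PAM_SUCCESS, trace
    return (first_failure or PAM_SUCCESS), trace


if __name__ == "__main__":
    stack = parse_auth_stack(PAM_AUTH_CONFIG)
    for u in (SimUser("homer", None, True, False),   # valid ticket, no local account
              SimUser("homer", 500, True, False),    # same, after adding the account
              SimUser("homer", 500, False, False)):  # local account, wrong password
        status, trace = evaluate_auth(stack, u)
        print(f"{u.name} (uid={u.local_uid}): {status}")
        for line in trace:
            print("   ", line)
```

Under these assumptions the first case reproduces the thread's symptom: with no passwd entry every module answers `PAM_USER_UNKNOWN`, the two `sufficient` failures are ignored, and the `requisite pam_succeed_if.so` line ends the stack with that status, which tac_plus logs as `Unknown user`. Once the account exists, `pam_krb5.so` succeeds and `sufficient` returns `PAM_SUCCESS` before the uid check is ever reached; the trace also makes visible that the `uid >= 500` line only runs when both Kerberos and local-password authentication have already failed, so it is not gating which accounts may authenticate, a point worth knowing when reviewing such a stack.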