[tac_plus] Two TACACS+ server and primary one is always busy
Alan McKinnon
alan.mckinnon at gmail.com
Fri Jul 12 16:55:36 UTC 2013
On 12/07/2013 18:41, Asif Iqbal wrote:
> What are the hash types you use for your passwords and is it a method
> that can be hashed quickly by the OS
>
>
> using PAM -> AD.
>
> Those would be the first thing I'd look at. Second is to post your
> tac_plus.conf. There aren't really any best practices as such for this,
> tac_plus is more than adequate to deal with just about any realistic
> scenario so the "best practice" is whatever works for you and gives
> *you* the control *you* need.
>
> Need to sanitize a lot before posting it, but I have 31 group stanzas,
> 1325 user stanzas, 19 acl stanzas and some of those acls have about
> 130 permit lines.
>
> Currently I have 24 tac_plus instances running like below:
>
> $ ps -e -o pid,ppid,vsz,rss,cmd | grep tac_pl[u]s
> 4692 1 78296 53708 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf
> 27276 4692 78296 53340 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf
>
No need to post and sanitize your configs, the thing to investigate
first is your PAM -> AD authen setup.

I have a config similar to yours in terms of numbers and my setup works
as expected. Most systems use a passwd file, one system has all the
users directly in tac_plus.conf. I've run it on FreeBSD, Linux and
Solaris and there's never been a hint of memory leaks at all. And no-one
else here has posted about memory leaks as far as I can recall.

All that seems to point towards tac_plus itself working correctly, so we
should look at things you have that are different.
And AD via PAM is one such thing :-)

Using PAM for auth in tac_plus is poorly documented and most folks who
ask about it end up experimenting a lot to get it right.

Can you post how your setup works and what your PAM config is?
--
Alan McKinnon
alan.mckinnon at gmail.com
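As an added example that is not part of this thread or of the tac_plus project, the script below turns the kind of `ps -e -o pid,ppid,vsz,rss,cmd` snapshot quoted above into a few numbers worth tracking while chasing a "24 instances running / always busy" report: how many tac_plus processes exist, how much resident memory they hold in total, and how many worker children hang off a given listener pid. Taking these readings at intervals shows whether the count or the RSS keeps climbing (a leak or a stuck auth path) or just spikes under load. The snapshot embedded in the script is constructed, with values modelled on the thread's output; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from tac_plus.
# Summarise tac_plus processes from `ps -e -o pid,ppid,vsz,rss,cmd` output.
# Column layout is what that ps invocation prints: pid ppid vsz rss cmd...
# (on Linux, VSZ and RSS are in kilobytes).

# Constructed sample snapshot (pids and sizes are made up, modelled on the
# thread): one listener (pid 4692) with two forked children, plus an
# unrelated process so the filter has something to ignore.
SAMPLE_PS='  PID  PPID   VSZ   RSS CMD
 4692     1 78296 53708 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf
27276  4692 78296 53340 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf
27301  4692 78296 53120 /usr/local/bin/tac_plus -L -B 192.168.6.20 -l /var/log/tacacs.daemon.log -C /etc/tacacs.conf
 1234     1  5000  1200 /usr/sbin/sshd'

# Number of tac_plus processes in a ps snapshot read from stdin.
# Matches on the executable name in the command column only, so argument
# strings mentioning tac_plus (e.g. a grep) are not counted.
tac_plus_count() {
    awk 'NR > 1 && $5 ~ /\/tac_plus$/ { n++ } END { print n + 0 }'
}

# Total resident memory (KB) held by all tac_plus processes on stdin.
tac_plus_rss_kb() {
    awk 'NR > 1 && $5 ~ /\/tac_plus$/ { s += $4 } END { print s + 0 }'
}

# Children of a given parent pid. tac_plus forks a child per accepted
# connection, so the children of the listener are in-flight requests;
# a steadily growing number here points at requests that never finish
# (for example an authentication backend that hangs).
tac_plus_children_of() {
    awk -v parent="$1" \
        'NR > 1 && $5 ~ /\/tac_plus$/ && $2 == parent { n++ } END { print n + 0 }'
}

# Exit status 0 when the instance count is within the ceiling given as $1,
# 1 otherwise, so it can drive a cron or monitoring alert.
tac_plus_within_ceiling() {
    max="$1"
    n=$(tac_plus_count)
    [ "$n" -le "$max" ]
}

# Stand-alone demo on the constructed snapshot; on a live box replace the
# printf with:  ps -e -o pid,ppid,vsz,rss,cmd | tac_plus_count   etc.
echo "tac_plus processes: $(printf '%s\n' "$SAMPLE_PS" | tac_plus_count)"
echo "total RSS (KB):     $(printf '%s\n' "$SAMPLE_PS" | tac_plus_rss_kb)"
echo "children of 4692:   $(printf '%s\n' "$SAMPLE_PS" | tac_plus_children_of 4692)"
```

Run it at intervals (cron, or a loop with `sleep`) and keep the three numbers with a timestamp; a count that climbs without coming back down, or RSS per process that grows between samples, is the thing to correlate with the PAM/AD setup that the reply above asks about.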