[tac_plus] Authentication using Likewise and AD
Matt Almgren
matta at surveymonkey.com
Tue Mar 31 14:32:37 UTC 2015
Hey there Heasley,
I have been successful with local authentication using /etc/passwd and
DES. So I know that TACACS and the switch are talking to each other well.
As for the contents of my pam config, well I've tried numerous things.
Here's a few examples:
1)
auth include common-auth
account required pam_nologin.so
account include common-auth
password include common-auth
session optional pam_keyinit.so force revoke
session include common-auth
session required pam_loginuid.so
Which produces this common error in /var/log/auth.log:
Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): check pass; user unknown
Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): authentication failure; logname=DOMAIN\matta uid=0 euid=0 tty= ruser= rhost=
2)
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_lsass.so try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config
Same errors in the auth.log
3)
# here are the per-package modules (the "Primary" block)
account [success=3 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=ok new_authtok_reqd=ok default=ignore] pam_lsass.so unknown_ok
account [success=1 new_authtok_reqd=done default=ignore] pam_lsass.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Same errors in the auth.log
I'm open to any ideas. :)
Thanks, Matt
On 3/31/15, 7:25 AM, "heasley" <heas at shrubbery.net> wrote:
>Tue, Mar 31, 2015 at 01:29:12PM +0000, Matt Almgren:
>> I've been over that guide several times. When I use the entire library
>> stack as shown in that guide, I get errors that some modules aren't
>> found. I assumed it's a RHEL vs Ubuntu difference. I can try and track
>> down the missing modules... but I don't want it to conflict with the rest
>> of the PAM auth system.
>>
>> Thanks, Matt
>
>Looking at debian and redhat, both have numerous optional packages containing
>additional modules. You may need some of these, but certainly you must be
>missing those files or they're not in the right location
>(/lib/x86_64-linux-gnu/security/ on debian, but can be a FQPN).
>
>That said, it seems that both are missing manpages - surprise. On Solaris
>or BSD, there is a debugging option. If you can figure out if linux has
>one - and what it is; that may help you unravel the PAM chaining. You may
>also look at the fbsd manpages for more thorough information, which may or
>may not be applicable to linux.
>
>eg: from fbsd:
>
>MODULE OPTIONS
>     Some PAM library functions may alter their behavior when called by a
>     service module if certain module options were specified, regardless of
>     whether the module itself accords them any importance. One such option
>     is debug, which causes the dispatcher to enable debugging messages before
>     calling each service function, and disable them afterwards (unless they
>     were already enabled). Other special options include:
>
> ...
>
>You may also wish to begin with a simple pam config which authenticates
>against /etc/passwd (or none) and build upon that, piece by piece.
>
>Lastly, you mentioned errors but did not include them in your email, so we
>are just guessing. and, unless I've missed it, you also haven't shared your
>pam conf for tac_plus.
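Heasley's point about unravelling the PAM chaining can be made concrete without touching a live system. The following is an added example, not code from the thread, from tac_plus or from Likewise: a small simulator of how the Linux-PAM dispatcher walks a management group, following the pam.conf(5) description of the `[value=action]` syntax (ok, done, bad, die, ignore and an integer jump count) and the required/requisite/sufficient/optional keywords. The module return values fed into it are constructed scenarios; `reset` and the exact handling of `new_authtok_reqd` in jumps are simplified. Run against the second stack from the post, it shows that the `user unknown` from pam_unix is discarded by `default=ignore`, that the jump in the pam_lsass line is what carries the stack past pam_deny, and that if pam_lsass does not return success the requisite pam_deny ends the stack with a denial, so the two pam_unix lines in auth.log cannot by themselves tell you which module decided the outcome.

```python
"""Simulator of Linux-PAM control-flag dispatch (constructed example, not tac_plus or Likewise code).

Models how the dispatcher evaluates one management group: ok/done/N let a
module's return contribute to the final status, bad/die record a failure,
ignore discards the return, and an integer N additionally skips the next N
modules. 'reset' is not modelled.
"""
import re

SUCCESS, USER_UNKNOWN, AUTH_ERR, PERM_DENIED, IGNORE = (
    "success", "user_unknown", "auth_err", "perm_denied", "ignore")

# Keyword controls written out in the explicit bracket form (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Parse pam.d-style lines into (module, action_table, args); comments and blanks are dropped."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("cannot parse PAM line: %r" % raw)
        _mtype, control, module, args = m.groups()
        if control.startswith("["):
            table = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            table = KEYWORDS[control]
        stack.append((module, table, args.split()))
    return stack


def run_stack(stack, module_results):
    """Evaluate one stack. module_results maps module name -> return value; modules
    without an entry return PAM_IGNORE. Returns (final_status, trace)."""
    impression = None          # None = undefined, True = positive, False = negative
    status = PERM_DENIED       # the must-fail code until a module contributes
    skip, trace = 0, []
    for module, table, _args in stack:
        if skip:
            skip -= 1
            trace.append("%s: skipped by jump" % module)
            continue
        retval = module_results.get(module, IGNORE)
        action = table.get(retval, table.get("default", "bad"))
        trace.append("%s returned %s -> action %s" % (module, retval, action))
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if impression is not False:      # the first failure is the one reported
                impression, status = False, retval
            if action == "die":
                break
            continue
        # 'ok', 'done' or a jump count: contribute unless a failure is already recorded
        if impression is None or (impression and status == SUCCESS):
            impression, status = (retval == SUCCESS), retval
        if action == "done" and impression:
            break
        if action.isdigit():
            skip = int(action)
    if impression is not True:  # nothing positive contributed -> denied
        status = PERM_DENIED
    return status, trace


# The second (auth) stack from the post, comments removed.
AUTH_STACK = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_lsass.so try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

# pam_deny and pam_permit always behave the same way; other modules come from the scenario.
BUILTIN = {"pam_deny.so": PERM_DENIED, "pam_permit.so": SUCCESS}


def simulate(config_text, outcomes):
    """Run a stack with the given constructed module outcomes on top of BUILTIN."""
    results = dict(BUILTIN)
    results.update(outcomes)
    return run_stack(parse_stack(config_text), results)


if __name__ == "__main__":
    # Constructed scenario matching the auth.log excerpt: pam_unix does not know DOMAIN\matta.
    for lsass in (SUCCESS, AUTH_ERR):
        final, trace = simulate(AUTH_STACK, {"pam_unix.so": USER_UNKNOWN, "pam_lsass.so": lsass})
        print("pam_lsass=%s => %s" % (lsass, final))
        for step in trace:
            print("   ", step)
```

To see the real modules' decisions rather than the model's, most Linux-PAM modules, pam_unix among them, accept a `debug` argument on their module line and then log their reasoning to syslog, which is the closest Linux equivalent of the dispatcher-level debug option heasley quotes from the FreeBSD manpage; running the stack through `pamtester` with the service name `tac_plus` exercises the same config without involving the switch.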