[tac_plus] Authentication using Likewise and AD

Matt Almgren matta at surveymonkey.com
Tue Mar 31 16:23:12 UTC 2015


>you want to verify that the user exists in the local unix password file

But I don’t want it to use the local password file.  I want it to pass the
login name to the configured LDAP server that Likewise already knows
about. I *think* this is the way it should work.

On 3/31/15, 9:19 AM, "heasley" <heas at shrubbery.net> wrote:

>Tue, Mar 31, 2015 at 02:32:37PM +0000, Matt Almgren:
>> Hey there Heasley,
>> 
>> I have been successful with local authentication using /etc/passwd and
>> DES.  So I know that TACACS and the switch are talking to each other well.
>> 
>> As for the contents of my pam config, well I've tried numerous things.
>> 
>> Here's a few examples:
>> 
>> 1)
>> auth       include      common-auth
>> account    required     pam_nologin.so
>> account    include      common-auth
>> password   include      common-auth
>> session    optional     pam_keyinit.so force revoke
>> session    include      common-auth
>> session    required     pam_loginuid.so
>> 
>> 
>> Which produces this common error in /var/log/auth.log:
>> 
>> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): check pass; user unknown
>> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): authentication failure; logname=DOMAIN\matta uid=0 euid=0 tty= ruser= rhost=
>
>this seems to be your issue; it looks like pam_unix is receiving a
>ldap-like username, but that's not something it can handle, afaik.  if
>Likewise is ldap-like and you want to verify that the user exists in the
>local unix password file, then you would need a pam module that strips the
>"DOMAIN\\" portion of the username before calling the passwd handling
>library functions.
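As an added illustration of the diagnosis in this thread (not code from the list or from tac_plus), the following parser reads auth.log lines in the format quoted above and flags `authentication failure` entries where pam_unix, which only consults the local passwd database, was handed a `DOMAIN\user` name. The sample lines are constructed from the quoted excerpt; the control line for user `bob` is invented.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, modelled on the /var/log/auth.log excerpt quoted in the thread.
# Line 2 is the DOMAIN\matta failure; line 3 is an invented local-user control case.
SAMPLE_LOG = [
    "Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): check pass; user unknown",
    "Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): authentication failure; "
    "logname=DOMAIN\\matta uid=0 euid=0 tty= ruser= rhost=",
    "Mar 31 07:13:02 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): authentication failure; "
    "logname=bob uid=0 euid=0 tty= ruser= rhost=",
]

# syslog prefix, then "<module>(<service>:<stack>): <message>" as pam_unix writes it
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w.+-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>\w+)\((?P<service>[^:()]+):(?P<stack>\w+)\): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_auth_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one PAM syslog line into fields; returns None for lines not in that format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "authentication failure; logname=... uid=..." carries key=value pairs after the ';'
    head, _, tail = rec["msg"].partition(";")
    rec["event"] = head.strip()
    rec.update(KV_RE.findall(tail))
    return rec


def split_domain_user(name: str) -> Tuple[str, str]:
    """Split 'DOMAIN\\user' into ('DOMAIN', 'user'); a bare name yields ('', name)."""
    domain, sep, user = name.partition("\\")
    return (domain, user) if sep else ("", name)


def find_domain_logins_hitting_pam_unix(lines: List[str]) -> List[Dict[str, str]]:
    """Failures where pam_unix (local passwd lookup) received a DOMAIN\\user name.
    Such names never match /etc/passwd, which is the misrouting described in the thread."""
    findings = []
    for line in lines:
        rec = parse_auth_line(line)
        if not rec or rec["module"] != "pam_unix" or rec["event"] != "authentication failure":
            continue
        domain, user = split_domain_user(rec.get("logname", ""))
        if domain:
            findings.append({"service": rec["service"], "domain": domain, "user": user})
    return findings
```

A hit from this function means the PAM stack for the `tac_plus` service routed the login to pam_unix rather than to the Likewise module, so fixing the stack order, not the password file, is the remedy.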


