[tac_plus] Authentication using Likewise and AD
Matt Almgren
matta at surveymonkey.com
Tue Mar 31 17:02:28 UTC 2015
John, I would love for it to be that simple.
Correct, we can login to the box using AD credentials and it works just fine.
i.e. "ssh matt at domain@hostname" works just fine ..
I’m waiting on a domain account in AD to try out straight LDAP authentication.
Just to be sure, you don’t use a /etc/pam.d/tac_plus file? If you do, what are its contents?
Thanks, Matt
From: John Fraizer <john at op-sec.us>
Date: Tuesday, March 31, 2015 at 9:50 AM
To: Matt Almgren <matta at surveymonkey.com>
Cc: heasley <heas at shrubbery.net>, "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
Subject: Re: [tac_plus] Authentication using Likewise and AD
If you can authenticate to the local box using LDAP (as in, you can log in via SSH using a username/pw pair that is authenticated against LDAP), you should be able to just tell tac_plus password = PAM.
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
On Tue, Mar 31, 2015 at 9:23 AM, Matt Almgren <matta at surveymonkey.com> wrote:
>you want to verify that the user exists in the local unix password file
But I don’t want it to use the local password file. I want it to pass the
login name to the configured LDAP server that Likewise already knows
about. I *think* this is the way it should work.
On 3/31/15, 9:19 AM, "heasley" <heas at shrubbery.net> wrote:
>Tue, Mar 31, 2015 at 02:32:37PM +0000, Matt Almgren:
>> Hey there Heasley,
>>
>> I have been successful with local authentication using /etc/passwd and
>> DES. So I know that TACACS and the switch are talking to each other
>>well.
>>
>> As for the contents of my pam config, well I've tried numerous things.
>>
>> Here's a few examples:
>>
>> 1)
>> auth include common-auth
>> account required pam_nologin.so
>> account include common-auth
>> password include common-auth
>> session optional pam_keyinit.so force revoke
>> session include common-auth
>> session required pam_loginuid.so
>>
>>
>> Which produces this common error in /var/log/auth.log:
>>
>> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): check pass; user unknown
>> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): authentication failure; logname=DOMAIN\matta uid=0 euid=0 tty= ruser= rhost=
>
>this seems to be your issue; it looks like pam_unix is receiving an
>ldap-like username, but that's not something it can handle, afaik. if
>Likewise is ldap-like and you want to verify that the user exists in the
>local unix password file, then you would need a pam module that strips
>the "DOMAIN\\" portion of the username before calling the passwd handling
>library functions.
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>
http://www.shrubbery.net/mailman/listinfo/tac_plus
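The failure mode discussed in this thread (pam_unix being handed a domain-qualified name such as DOMAIN\matta and answering "user unknown") is easy to spot in /var/log/auth.log once you know what to look for. The following Python script is an added example, not code from tac_plus, Likewise or anyone on the list: it parses the pam_unix lines, correlates the "user unknown" message with the authentication failure from the same process, and reports the domain-qualified logname together with the bare local name a stripping PAM module would need to produce. It goes slightly beyond the thread by recognising both DOMAIN\user and user@domain forms. The sample log lines are constructed for the example, modelled on the two lines quoted above plus a local-user failure and an unrelated sshd line.

```python
"""Flag pam_unix failures in auth.log that stem from domain-qualified
usernames (DOMAIN\\user or user@domain) reaching a PAM module that only
understands local passwd names.  Example code; not part of tac_plus."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Syslog prefix followed by the "pam_module(service:type): message" body.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]:\s+"
    r"(?P<module>pam_\w+)\((?P<service>[\w.-]+):(?P<type>\w+)\):\s+(?P<msg>.*)$"
)
# key=value pairs after the ';' (empty values such as "tty=" are allowed).
KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample: first two lines mirror the thread, re-joined onto
# one line each; the last two are invented for contrast.
SAMPLE_LOG = [
    r"Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): check pass; user unknown",
    r"Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): authentication failure; logname=DOMAIN\matta uid=0 euid=0 tty= ruser= rhost=",
    r"Mar 31 07:15:02 sjc-tools01 tac_plus[8390]: pam_unix(tac_plus:auth): authentication failure; logname=bob uid=0 euid=0 tty= ruser= rhost=",
    "Mar 31 07:15:40 sjc-tools01 sshd[8401]: Accepted password for bob from 10.0.0.5 port 50000 ssh2",
]


@dataclass
class PamEvent:
    host: str
    pid: int
    module: str
    service: str
    pam_type: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Optional[PamEvent]:
    """Parse one auth.log line; return None for lines that are not PAM messages."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    kv_part = msg.split(";", 1)[1] if ";" in msg else ""
    return PamEvent(
        host=m.group("host"),
        pid=int(m.group("pid")),
        module=m.group("module"),
        service=m.group("service"),
        pam_type=m.group("type"),
        message=msg,
        fields=dict(KV_RE.findall(kv_part)),
    )


def split_domain(name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' or 'user@domain' into (domain, user).
    A plain local name comes back as (None, name)."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return domain, user
    if "@" in name:
        user, domain = name.rsplit("@", 1)
        return domain, user
    return None, name


def find_domain_qualified_failures(lines: List[str]) -> List[dict]:
    """One finding per pam_unix authentication failure whose logname carries
    a domain qualifier.  A preceding 'user unknown' from the same host/pid
    is recorded as corroborating evidence."""
    unknown_seen: Dict[Tuple[str, int], bool] = {}
    findings: List[dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.module != "pam_unix":
            continue
        key = (ev.host, ev.pid)
        if "user unknown" in ev.message:
            unknown_seen[key] = True
            continue
        if not ev.message.startswith("authentication failure"):
            continue
        logname = ev.fields.get("logname", "")
        domain, user = split_domain(logname)
        if domain is None:
            continue  # local name; not the problem this thread is about
        findings.append({
            "host": ev.host,
            "service": ev.service,
            "logname": logname,
            "domain": domain,
            "local_name": user,
            "user_unknown": unknown_seen.get(key, False),
        })
    return findings


if __name__ == "__main__":
    for f in find_domain_qualified_failures(SAMPLE_LOG):
        print(f"{f['host']} {f['service']}: pam_unix got {f['logname']!r}; "
              f"local form would be {f['local_name']!r} "
              f"(user unknown seen: {f['user_unknown']})")
```

Run it against a real auth.log with `find_domain_qualified_failures(open("/var/log/auth.log").read().splitlines())`; a non-empty result with `user_unknown` set is the signature of the mismatch heasley describes, whereas a domain-qualified logname without a preceding "user unknown" points at a different cause (for example a genuinely wrong password).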