[tac_plus] Authentication using Likewise and AD

Matt Almgren matta at surveymonkey.com
Tue Mar 31 17:02:28 UTC 2015 

John, I would love for it to be that simple.

Correct, we can login to the box using AD credentials and it works just fine.

i.e. "ssh matt at domain@hostname"  works just fine ..

I’m waiting on a domain account in AD to try out straight LDAP authentication.

Just to be sure, you don’t use a /etc/pam.d/tac_plus file?   If you do, what are it’s contents?

Thanks, Matt





From: John Fraizer <john at op-sec.us<mailto:john at op-sec.us>>
Date: Tuesday, March 31, 2015 at 9:50 AM
To: Matt Almgren <matta at surveymonkey.com<mailto:matta at surveymonkey.com>>
Cc: heasley <heas at shrubbery.net<mailto:heas at shrubbery.net>>, "tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>" <tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>>
Subject: Re: [tac_plus] Authentication using Likewise and AD

If you can authenticate to the local box using LDAP (as in, you can log in via SSH using a username/pw pair that is authenticated against LDAP), you should be able to just tell tac_plus password = PAM.



--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/



On Tue, Mar 31, 2015 at 9:23 AM, Matt Almgren <matta at surveymonkey.com<mailto:matta at surveymonkey.com>> wrote:

>you want to verify that the user exists in the local unix password file

But I don’t want it to use the local password file.  I want it to pass the
login name to the configured LDAP server that Likewise already knows
about. I *think* this is the way it should work.





On 3/31/15, 9:19 AM, "heasley" <heas at shrubbery.net<mailto:heas at shrubbery.net>> wrote:

>Tue, Mar 31, 2015 at 02:32:37PM +0000, Matt Almgren:
>> Hey there Heasley,
>>
>> I have been successful with local authentication using /etc/passwd and
>> DES.  So I know that TACACS and the switch are talking to each other
>>well.
>>
>> As for the contents of my pam config, well I¹ve tried numerous things.
>>
>> Here¹s a few examples:
>>
>> 1)
>> auth       include      common-auth
>> account    required     pam_nologin.so
>> account    include      common-auth
>> password   include      common-auth
>> session    optional     pam_keyinit.so force revoke
>> session    include      common-auth
>> session    required     pam_loginuid.so
>>
>>
>> Which produces this common error in /var/log/auth.log:
>>
>> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth):
>>check
>> pass; user unknown
>> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth):
>> authentication failure; logname=DOMAIN\matta uid=0 euid=0 tty= ruser=
>> rhost=
>
>this seems to be your issue; it looks like pam_unix is receiving a
>ldap-like
>username, but thats not something it can handle, afaik.  if Likewise is
>ldap-like and you want to verify that the user exists in the local unix
>password file, then you would need a pam module that strips the "DOMAIN\\"
>portion of the username before calling the passwd handling library
>functions.

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net<mailto:tac_plus at shrubbery.net>
http://www.shrubbery.net/mailman/listinfo/tac_plus

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150331/3c748051/attachment.html>

More information about the tac_plus mailing list