[tac_plus] Authentication using Likewise and AD

John Fraizer john at op-sec.us
Tue Mar 31 17:14:10 UTC 2015


No.  I don't use a tac_plus file in pam.d.

I think your issue right now is that your config is expecting to see
userid@domain rather than just userid.

My TACACS+ is not dependent on LDAP.  I do have access to an environment
that is authenticating against LDAP though.

Login to the local box is done with simple username/pw pair.  No need to
specify domain.

This is the contents of their /etc/pam.d/tac_plus

[root@#### pam.d]# cat tac_plus
#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

And since it simply points to system-auth for everything, here is the
contents of system-auth:

[root@#### pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so


This particular box is running CentOS 6.3.


Note that since tac_plus simply points to system-auth, it doesn't really
have any impact at all.  I use password = PAM on my tac_plus setup without
any specific tac_plus PAM configuration file.


--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/



On Tue, Mar 31, 2015 at 10:02 AM, Matt Almgren <matta at surveymonkey.com>
wrote:

>  John, I would love for it to be that simple.
>
>  Correct, we can login to the box using AD credentials and it works just
> fine.
>
>  i.e. "ssh matt@domain@hostname"  works just fine ..
>
>  I’m waiting on a domain account in AD to try out straight LDAP
> authentication.
>
>  Just to be sure, you don’t use a /etc/pam.d/tac_plus file?   If you do,
> what are its contents?
>
>  Thanks, Matt
>
>
>
>
>
>   From: John Fraizer <john at op-sec.us>
> Date: Tuesday, March 31, 2015 at 9:50 AM
> To: Matt Almgren <matta at surveymonkey.com>
> Cc: heasley <heas at shrubbery.net>, "tac_plus at shrubbery.net" <
> tac_plus at shrubbery.net>
> Subject: Re: [tac_plus] Authentication using Likewise and AD
>
>   If you can authenticate to the local box using LDAP (as in, you can log
> in via SSH using a username/pw pair that is authenticated against LDAP),
> you should be able to just tell tac_plus password = PAM.
>
>
>
>   --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
> On Tue, Mar 31, 2015 at 9:23 AM, Matt Almgren <matta at surveymonkey.com>
> wrote:
>
>>
>> >you want to verify that the user exists in the local unix password file
>>
>> But I don’t want it to use the local password file.  I want it to pass the
>> login name to the configured LDAP server that Likewise already knows
>> about. I *think* this is the way it should work.
>>
>>
>>
>>
>>
>> On 3/31/15, 9:19 AM, "heasley" <heas at shrubbery.net> wrote:
>>
>> >Tue, Mar 31, 2015 at 02:32:37PM +0000, Matt Almgren:
>> >> Hey there Heasley,
>> >>
>> >> I have been successful with local authentication using /etc/passwd and
>> >> DES.  So I know that TACACS and the switch are talking to each other
>> >>well.
>> >>
>> >> As for the contents of my pam config, well I've tried numerous things.
>> >>
>> >> Here's a few examples:
>> >>
>> >> 1)
>> >> auth       include      common-auth
>> >> account    required     pam_nologin.so
>> >> account    include      common-auth
>> >> password   include      common-auth
>> >> session    optional     pam_keyinit.so force revoke
>> >> session    include      common-auth
>> >> session    required     pam_loginuid.so
>> >>
>> >>
>> >> Which produces this common error in /var/log/auth.log:
>> >>
>> >> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): check pass; user unknown
>> >> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): authentication failure; logname=DOMAIN\matta uid=0 euid=0 tty= ruser= rhost=
>> >
>> >this seems to be your issue; it looks like pam_unix is receiving a
>> >ldap-like username, but that's not something it can handle, afaik.  if
>> >Likewise is ldap-like and you want to verify that the user exists in the
>> >local unix password file, then you would need a pam module that strips
>> >the "DOMAIN\\" portion of the username before calling the passwd
>> >handling library functions.
>>
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>
>
>
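Heasley's diagnosis above (pam_unix being handed a DOMAIN\user logname it cannot look up) suggests a quick check on any box where the tac_plus stack is routed through system-auth as in John's config: scan auth.log for pam_unix failures whose logname carries a domain. The script below is an added example, not code from the thread or from tac_plus; the log lines are constructed to match the format quoted above, and local_name() is a hypothetical helper that does the prefix/suffix stripping heasley describes.

```python
import re

# Constructed sample lines, modelled on the auth.log excerpt quoted in the thread.
SAMPLE_LOG = """\
Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): check pass; user unknown
Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): authentication failure; logname=DOMAIN\\matta uid=0 euid=0 tty= ruser= rhost=
Mar 31 07:13:10 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): authentication failure; logname=bob uid=0 euid=0 tty= ruser= rhost=
Mar 31 07:14:02 sjc-tools01 sshd[9001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=matt@domain
"""

# Matches the pam_unix "authentication failure" line format; the trailing
# user= field is optional because tac_plus's line only carries logname=.
PAM_FAIL = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[\w-]+):(?P<type>\w+)\): "
    r"authentication failure;.*?logname=(?P<logname>\S*)"
    r"(?:.*?\buser=(?P<user>\S+))?"
)


def local_name(name):
    """Hypothetical stripping step: drop a DOMAIN\\ prefix or an @domain
    suffix so the bare username can be looked up in the local passwd file."""
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def find_domain_qualified_failures(log_text):
    """Return (service, module, qualified_name) for every pam_unix failure
    where the name still carries a domain, i.e. the stack handed an AD-style
    identity to the local password module instead of to LDAP/Likewise."""
    hits = []
    for line in log_text.splitlines():
        m = PAM_FAIL.search(line)
        if not m:
            continue
        name = m.group("user") or m.group("logname") or ""
        if m.group("module") == "pam_unix" and local_name(name) != name:
            hits.append((m.group("service"), m.group("module"), name))
    return hits


if __name__ == "__main__":
    for service, module, name in find_domain_qualified_failures(SAMPLE_LOG):
        print(f"{service}: {module} rejected domain-qualified name {name!r}"
              f" (local form would be {local_name(name)!r})")
```

Run it against the real /var/log/auth.log instead of SAMPLE_LOG to see whether the tac_plus service is the only one leaking domain-qualified names into pam_unix.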

