[tac_plus] Authentication using Likewise and AD
John Fraizer
john at op-sec.us
Tue Mar 31 16:50:48 UTC 2015
If you can authenticate to the local box using LDAP (as in, you can log in
via SSH using a username/pw pair that is authenticated against LDAP), you
should be able to just tell tac_plus password = PAM.
--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
On Tue, Mar 31, 2015 at 9:23 AM, Matt Almgren <matta at surveymonkey.com>
wrote:
>
> >you want to verify that the user exists in the local unix password file
>
> But I don’t want it to use the local password file. I want it to pass the
> login name to the configured LDAP server that Likewise already knows
> about. I *think* this is the way it should work.
>
>
>
>
>
> On 3/31/15, 9:19 AM, "heasley" <heas at shrubbery.net> wrote:
>
> >Tue, Mar 31, 2015 at 02:32:37PM +0000, Matt Almgren:
> >> Hey there Heasley,
> >>
> >> I have been successful with local authentication using /etc/passwd and
> >> DES. So I know that TACACS and the switch are talking to each other
> >>well.
> >>
> >> As for the contents of my pam config, well I¹ve tried numerous things.
> >>
> >> Here¹s a few examples:
> >>
> >> 1)
> >> auth include common-auth
> >> account required pam_nologin.so
> >> account include common-auth
> >> password include common-auth
> >> session optional pam_keyinit.so force revoke
> >> session include common-auth
> >> session required pam_loginuid.so
> >>
> >>
> >> Which produces this common error in /var/log/auth.log:
> >>
> >> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth):
> >>check
> >> pass; user unknown
> >> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth):
> >> authentication failure; logname=DOMAIN\matta uid=0 euid=0 tty= ruser=
> >> rhost=
> >
> >this seems to be your issue; it looks like pam_unix is receiving a
> >ldap-like
> >username, but thats not something it can handle, afaik. if Likewise is
> >ldap-like and you want to verify that the user exists in the local unix
> >password file, then you would need a pam module that strips the "DOMAIN\\"
> >portion of the username before calling the passwd handling library
> >functions.
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150331/ad00ecaa/attachment.html>
More information about the tac_plus
mailing list