[tac_plus] Authentication using Likewise and AD

John Fraizer john at op-sec.us
Tue Mar 31 16:50:48 UTC 2015


If you can authenticate to the local box using LDAP (as in, you can log in
via SSH using a username/pw pair that is authenticated against LDAP), you
should be able to just tell tac_plus password = PAM.



--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/



On Tue, Mar 31, 2015 at 9:23 AM, Matt Almgren <matta at surveymonkey.com>
wrote:

>
> >you want to verify that the user exists in the local unix password file
>
> But I don’t want it to use the local password file.  I want it to pass the
> login name to the configured LDAP server that Likewise already knows
> about. I *think* this is the way it should work.
>
>
>
>
>
> On 3/31/15, 9:19 AM, "heasley" <heas at shrubbery.net> wrote:
>
> >Tue, Mar 31, 2015 at 02:32:37PM +0000, Matt Almgren:
> >> Hey there Heasley,
> >>
> >> I have been successful with local authentication using /etc/passwd and
> >> DES.  So I know that TACACS and the switch are talking to each other
> >>well.
> >>
> >> As for the contents of my pam config, well I've tried numerous things.
> >>
> >> Here's a few examples:
> >>
> >> 1)
> >> auth       include      common-auth
> >> account    required     pam_nologin.so
> >> account    include      common-auth
> >> password   include      common-auth
> >> session    optional     pam_keyinit.so force revoke
> >> session    include      common-auth
> >> session    required     pam_loginuid.so
> >>
> >>
> >> Which produces this common error in /var/log/auth.log:
> >>
> >> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth):
> >>check
> >> pass; user unknown
> >> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth):
> >> authentication failure; logname=DOMAIN\matta uid=0 euid=0 tty= ruser=
> >> rhost=
> >
> >this seems to be your issue; it looks like pam_unix is receiving a
> >ldap-like
> >username, but thats not something it can handle, afaik.  if Likewise is
> >ldap-like and you want to verify that the user exists in the local unix
> >password file, then you would need a pam module that strips the "DOMAIN\\"
> >portion of the username before calling the passwd handling library
> >functions.
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>
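Added example, not part of the thread or of tac_plus itself: a small Python diagnostic for the symptom heasley points at above, the `check pass; user unknown` and `logname=DOMAIN\matta` pair in auth.log. It parses constructed copies of the two log lines Matt quoted, separates the `DOMAIN\` (or `user@domain`) part from the bare login, and checks whether the full string and the bare name each resolve in the local account database, which is what pam_unix does with getpwnam. The log layout, the `lookup` parameter and the sample lines are assumptions made for the example; a real run uses the host's NSS via `pwd.getpwnam`, so what it reports depends on whether Likewise is wired into nsswitch on that box.

```python
import pwd
import re

# Constructed copies of the two auth.log lines quoted in the thread,
# re-joined onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): check pass; user unknown
Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): authentication failure; logname=DOMAIN\\matta uid=0 euid=0 tty= ruser= rhost=
"""

# pam_unix's "authentication failure" line carries the login name it was given
# in the logname= field; the service name is inside pam_unix(<service>:auth).
FAILURE_RE = re.compile(
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure;.*?"
    r"logname=(?P<logname>\S*)"
)


def split_domain(login):
    """Return (domain, user) for DOMAIN\\user, user@domain, or a plain user name."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return domain, user
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return domain, user
    return None, login


def failed_logins(log_text):
    """Extract (service, logname) for every pam_unix authentication failure."""
    found = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            found.append((m.group("service"), m.group("logname")))
    return found


def local_account_exists(name, lookup=pwd.getpwnam):
    """True if `name` resolves through the local account database (NSS).

    `lookup` defaults to pwd.getpwnam; it is a parameter so the check can be
    exercised against a constructed account table without touching the host.
    """
    try:
        lookup(name)
        return True
    except KeyError:
        return False


def diagnose(log_text, lookup=pwd.getpwnam):
    """For each failed pam_unix auth, report whether the login was domain-qualified
    and whether the full string and the bare user part resolve locally.

    A domain-qualified logname whose full form does not resolve but whose bare
    form does is the pattern behind "check pass; user unknown": pam_unix looked
    up "DOMAIN\\user" verbatim and found nothing.
    """
    report = []
    for service, logname in failed_logins(log_text):
        domain, user = split_domain(logname)
        report.append({
            "service": service,
            "logname": logname,
            "domain": domain,
            "user": user,
            "full_name_is_local": local_account_exists(logname, lookup),
            "bare_name_is_local": local_account_exists(user, lookup),
        })
    return report


if __name__ == "__main__":
    # Constructed account table standing in for the host's passwd/NSS data.
    constructed_accounts = {"matta": "present"}
    for entry in diagnose(SAMPLE_LOG, lookup=lambda n: constructed_accounts[n]):
        print(entry)
```

Run against the real host by dropping the `lookup` argument; if the bare name resolves there but the domain-qualified one does not, the module stack is handing pam_unix a name it cannot use, which matches heasley's reading of the log.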