[tac_plus] Authentication using Likewise and AD

heasley heas at shrubbery.net
Tue Mar 31 18:19:05 UTC 2015


Tue, Mar 31, 2015 at 09:50:48AM -0700, John Fraizer:
> If you can authenticate to the local box using LDAP (as in, you can log in
> via SSH using a username/pw pair that is authenticated against LDAP), you
> should be able to just tell tac_plus password = PAM.

I'm no pam expert, but I do not think that is necessarily true; it could be,
but it is entirely dependent upon the modules used, their implementation,
and the control flags and options used for each.

if you can log into the host with ssh using the same username, with the
domain, and that is used for tacacs - and there is no special handling
occurring in /bin/login or sshd - then, assuming that you use the same
config for tac_plus as with ssh, it *should* work.

but, in pam_unix(8) on redhat, i do not see anything indicating special
handling of the domain prefix.

> > >> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): check pass; user unknown
> > >> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth): authentication failure; logname=DOMAIN\matta uid=0 euid=0 tty= ruser= rhost=

so, when pam_unix starts walking through passwd, getpwent(), it's never going
to find DOMAIN\matta.  how pam goes from DOMAIN\matta to matta for pam_unix
is not something that i can answer.

given http://linux.die.net/man/5/pam_ldap pam_login_attribute and pam_filter
appear to play a role in this...but beyond that, ???

again, not a pam expert and don't know anything about Likewise and little
about ldap.
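To make the point about control flags concrete, here is an added example (not code from tac_plus, Likewise, Linux-PAM or anyone in this thread) that models a tac_plus "auth" stack in a few lines of Python. The module behaviours, the account tables, the `strip_domain` option and the stack layouts are all constructed for illustration; the only thing taken from the thread is that pam_unix looks the name up in passwd and therefore reports "user unknown" for DOMAIN\matta.

```python
"""Toy model of a Linux-PAM "auth" stack, illustrating why `password = PAM`
in tac_plus works or fails depending on the modules listed for the tac_plus
service, their control flags, and how each module treats a DOMAIN\\user name.
Added example, not part of tac_plus, Likewise or Linux-PAM; all data here is
constructed and nothing is read from the real system."""

from functools import partial

# Constructed sample data: what getpwent() would see in /etc/passwd, and what
# an AD/LDAP-backed module knows (the AD account is stored by short name).
LOCAL_PASSWD = {"root": "r00t", "heas": "pw1"}
DIRECTORY = {"matta": "pw2"}


def pam_unix(user, password):
    """Model of pam_unix: walks the passwd database, so a DOMAIN\\user string
    is never found and the result is 'user unknown' (the log line in the
    thread)."""
    if user not in LOCAL_PASSWD:
        return "PAM_USER_UNKNOWN"
    return "PAM_SUCCESS" if LOCAL_PASSWD[user] == password else "PAM_AUTH_ERR"


def pam_directory(user, password, strip_domain=True):
    """Model of an AD-backed module. strip_domain is an assumed option that
    stands in for whatever prefix handling the real module (Likewise, or
    pam_ldap via pam_login_attribute/pam_filter) actually performs."""
    if strip_domain and "\\" in user:
        user = user.split("\\", 1)[1]
    if user not in DIRECTORY:
        return "PAM_USER_UNKNOWN"
    return "PAM_SUCCESS" if DIRECTORY[user] == password else "PAM_AUTH_ERR"


def run_stack(stack, user, password):
    """Evaluate (control_flag, module) lines with a simplified reading of the
    classic Linux-PAM control flags:
      required   - failure is remembered, but the remaining modules still run
      requisite  - failure ends the stack immediately with that error
      sufficient - success ends the stack at once, unless a required module
                   has already failed
      optional   - result only counts if it is the sole module in the stack
    Returns the final PAM result as a string."""
    failed = None
    any_success = False
    for flag, module in stack:
        rc = module(user, password)
        ok = rc == "PAM_SUCCESS"
        if flag == "required":
            if not ok and failed is None:
                failed = rc
        elif flag == "requisite":
            if not ok:
                return rc
        elif flag == "sufficient":
            if ok and failed is None:
                return "PAM_SUCCESS"
        elif flag == "optional":
            if len(stack) == 1 and not ok:
                failed = rc
        any_success = any_success or ok
    if failed:
        return failed
    return "PAM_SUCCESS" if any_success else "PAM_PERM_DENIED"


# Constructed /etc/pam.d/tac_plus stacks.
# A: pam_unix is "required", so its 'user unknown' for DOMAIN\matta is fatal
#    even though the directory module would have accepted the login.
STACK_A = [("required", pam_unix), ("required", pam_directory)]
# B: both modules are "sufficient", so whichever backend knows the user
#    decides the outcome.
STACK_B = [("sufficient", pam_unix), ("sufficient", pam_directory)]
# B without prefix handling in the directory module: the same stack fails
# because neither module recognises DOMAIN\matta as a name.
STACK_B_NOSTRIP = [("sufficient", pam_unix),
                   ("sufficient", partial(pam_directory, strip_domain=False))]


def demo():
    """Run the constructed cases and return their results keyed by case name."""
    return {
        "A DOMAIN\\matta good pw": run_stack(STACK_A, "DOMAIN\\matta", "pw2"),
        "B DOMAIN\\matta good pw": run_stack(STACK_B, "DOMAIN\\matta", "pw2"),
        "B DOMAIN\\matta bad pw": run_stack(STACK_B, "DOMAIN\\matta", "bad"),
        "B local user": run_stack(STACK_B, "heas", "pw1"),
        "B no prefix handling": run_stack(STACK_B_NOSTRIP, "DOMAIN\\matta", "pw2"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} -> {result}")
```

The same username and password succeed or fail purely according to the stack layout and the module's prefix handling, which is the reply's point: getting "password = PAM" to work for tac_plus means reading the actual tac_plus service stack and the options of the module that talks to AD, not just checking that ssh accepts the login.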

