[tac_plus] Debugging authorization failures

Philip Prindeville philipp at redfish-solutions.com
Mon Oct 17 20:40:13 UTC 2016


Hi.

I’m banging on the source to pam_tacplus’s libtac library and tacc (a simple test program) and I’m trying to figure out if the source to that is broken or if I’m invoking the test code incorrectly or if the configuration that I’m using for testing is wrong.

Here’s the config file that I have:

key = "password"
accounting file = /var/log/tac.acct

user = fred {
    login = cleartext "wilma"
    name = "Fred Flintstone"
    # member = guest
    expires = "May 23 2020"

    service = exec {
        "acl" = 5

        autocmd = "telnet foo"
    }
}

group = guest {
    expires = "May 1 2017"
}


and when I do an authorization query against it, this is the resultant logging:

Oct 17 13:35:46 type=AUTHOR, priv_lvl=0, authen=1
Oct 17 13:35:46 method=tacacs+
Oct 17 13:35:46 svc=3 user_len=4 port_len=5 rem_addr_len=7
Oct 17 13:35:46 arg_cnt=2
Oct 17 13:35:46 User: 
Oct 17 13:35:46 fred
Oct 17 13:35:46 port: 
Oct 17 13:35:46 pts/2
Oct 17 13:35:46 rem_addr: 
Oct 17 13:35:46 1.2.3.4
Oct 17 13:35:46 arg[0]: size=12 
Oct 17 13:35:46 service=exec
Oct 17 13:35:46 arg[1]: size=11 
Oct 17 13:35:46 protocol=ip
Oct 17 13:35:46 End packet
Oct 17 13:35:46 Start authorization request
Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=acl rec=1
Oct 17 13:35:46 cfg_get_pvalue: returns NULL
Oct 17 13:35:46 do_author: user='fred'
Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=before rec=1
Oct 17 13:35:46 cfg_get_pvalue: returns NULL
Oct 17 13:35:46 user 'fred' found
Oct 17 13:35:46 cfg_get_svc_node: username=fred N_svc proto= svcname=exec rec=1
Oct 17 13:35:46 cfg_get_svc_node: returns NULL
Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=svc_dflt rec=1
Oct 17 13:35:46 cfg_get_intvalue: returns 0
Oct 17 13:35:46 svc=N_svc protocol= not found, denied by default
Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=after rec=1
Oct 17 13:35:46 cfg_get_pvalue: returns NULL
Oct 17 13:35:46 Writing AUTHOR/FAIL size=18


What am I missing?

Thanks,

-Philip
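As an added example (not part of this post, and not code from pam_tacplus, libtac or tac_plus), the Python below encodes and decodes the TACACS+ authorization REQUEST and REPLY bodies as laid out in RFC 8907, so the lengths printed in the debug log above (user_len=4, port_len=5, rem_addr_len=7, arg sizes 12 and 11, and the 18-byte AUTHOR/FAIL reply) can be reproduced and checked. The function and dictionary key names are my own; the numeric constants are the RFC's.

```python
import struct

HEADER_LEN = 12                        # every TACACS+ body follows a 12-byte header
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06  # the log's "method=tacacs+"
TAC_PLUS_AUTHEN_SVC_PPP = 0x03          # the log's "svc=3"
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10      # status byte of an AUTHOR/FAIL reply


def author_request_body(user, port, rem_addr, args, method=TAC_PLUS_AUTHEN_METH_TACACSPLUS,
                        priv_lvl=0, authen_type=1, authen_service=TAC_PLUS_AUTHEN_SVC_PPP):
    """Encode an authorization REQUEST body (RFC 8907 section 6.1)."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    args = [a.encode() for a in args]
    fixed = struct.pack("!8B", method, priv_lvl, authen_type, authen_service,
                        len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def split_arg(arg):
    """An AV pair is 'attr=value' (mandatory) or 'attr*value' (optional); the first separator wins."""
    idx = min((i for i in (arg.find("="), arg.find("*")) if i >= 0), default=-1)
    if idx < 0:
        raise ValueError(f"malformed AV pair: {arg!r}")
    return arg[:idx], arg[idx + 1:], arg[idx] == "="


def parse_author_request(body):
    """Decode a REQUEST body into the fields tac_plus prints in its debug log."""
    method, priv_lvl, authen_type, svc, ulen, plen, rlen, arg_cnt = struct.unpack("!8B", body[:8])
    arg_lens = list(body[8:8 + arg_cnt])     # one length byte per argument
    off = 8 + arg_cnt
    fields = []
    for n in (ulen, plen, rlen, *arg_lens):  # user, port, rem_addr, then the args
        fields.append(body[off:off + n].decode())
        off += n
    if off != len(body):
        raise ValueError("trailing or missing bytes in authorization body")
    user, port, rem_addr, *args = fields
    return {"method": method, "priv_lvl": priv_lvl, "authen": authen_type, "svc": svc,
            "user": user, "port": port, "rem_addr": rem_addr,
            "args": [split_arg(a) for a in args]}


def author_reply_body(status, server_msg=b"", data=b"", args=()):
    """Encode an authorization REPLY body (RFC 8907 section 6.2)."""
    fixed = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    return fixed + bytes(len(a) for a in args) + server_msg + data + b"".join(args)


def packet_len(body):
    """Total on-the-wire size, which is what the log's 'size=' reports."""
    return HEADER_LEN + len(body)
```

A bare FAIL reply carries no server message, data or arguments, so its body is the 6 fixed bytes and the whole packet is 18 bytes, exactly the "Writing AUTHOR/FAIL size=18" line.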
