[tac_plus] Debugging authorization failures

Philip Prindeville philipp at redfish-solutions.com
Tue Oct 18 18:19:18 UTC 2016 

Yeah, I was trying and finally got that to work, but I had a couple of questions/observations.

Why does the “default service = permit” need to be the first statement in the user profile (or else it doesn’t parse)?

And do you have to have a “default service” or can you explicitly permit just named services?

-Philip


> On Oct 18, 2016, at 11:46 AM, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
> 
> Don't you need a default service = permit in there somewhere?
> 
> On Mon, Oct 17, 2016 at 2:40 PM, Philip Prindeville <philipp at redfish-solutions.com <mailto:philipp at redfish-solutions.com>> wrote:
> Hi.
> 
> I’m banging on the source to pam_tacplus’s libtac library and tacc (a simple test program) and I’m trying to figure out if the source to that is broken or if I’m invoking the test code incorrectly or if the configuration that I’m using for testing is wrong.
> 
> Here’s the config file that I have:
> 
> key = "password"
> accounting file = /var/log/tac.acct
> 
> user = fred {
>     login = cleartext "wilma"
>     name = "Fred Flintstone"
>     # member = guest
>     expires = "May 23 2020"
> 
>     service = exec {
>         "acl" = 5
> 
>         autocmd = "telnet foo"
>     }
> }
> 
> group = guest {
>     expires = "May 1 2017"
> }
> 
> 
> and when I do an authorization query against it, this is the resultant logging:
> 
> Oct 17 13:35:46 type=AUTHOR, priv_lvl=0, authen=1
> Oct 17 13:35:46 method=tacacs+
> Oct 17 13:35:46 svc=3 user_len=4 port_len=5 rem_addr_len=7
> Oct 17 13:35:46 arg_cnt=2
> Oct 17 13:35:46 User:
> Oct 17 13:35:46 fred
> Oct 17 13:35:46 port:
> Oct 17 13:35:46 pts/2
> Oct 17 13:35:46 rem_addr:
> Oct 17 13:35:46 1.2.3.4
> Oct 17 13:35:46 arg[0]: size=12
> Oct 17 13:35:46 service=exec
> Oct 17 13:35:46 arg[1]: size=11
> Oct 17 13:35:46 protocol=ip
> Oct 17 13:35:46 End packet
> Oct 17 13:35:46 Start authorization request
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=acl rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 do_author: user='fred'
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=before rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 user 'fred' found
> Oct 17 13:35:46 cfg_get_svc_node: username=fred N_svc proto= svcname=exec rec=1
> Oct 17 13:35:46 cfg_get_svc_node: returns NULL
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=svc_dflt rec=1
> Oct 17 13:35:46 cfg_get_intvalue: returns 0
> Oct 17 13:35:46 svc=N_svc protocol= not found, denied by default
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=after rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 Writing AUTHOR/FAIL size=18
> 
> 
> What am I missing?
> 
> Thanks,
> 
> -Philip
> 
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net <mailto:tac_plus at shrubbery.net>
> http://www.shrubbery.net/mailman/listinfo/tac_plus <http://www.shrubbery.net/mailman/listinfo/tac_plus>
> 
> 
> 
> E-Mail to and from me, in connection with the transaction 
> of public business, is subject to the Wyoming Public Records 
> Act and may be disclosed to third parties.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20161018/cd81e8a6/attachment.html>

More information about the tac_plus mailing list