[tac_plus] Debugging authorization failures

Daniel Schmidt daniel.schmidt at wyo.gov
Tue Oct 18 17:46:52 UTC 2016


Don't you need a default service = permit in there somewhere?

On Mon, Oct 17, 2016 at 2:40 PM, Philip Prindeville <
philipp at redfish-solutions.com> wrote:

> Hi.
>
> I’m banging on the source to pam_tacplus’s libtac library and tacc (a
> simple test program) and I’m trying to figure out if the source to that is
> broken or if I’m invoking the test code incorrectly or if the configuration
> that I’m using for testing is wrong.
>
> Here’s the config file that I have:
>
> key = "password"
> accounting file = /var/log/tac.acct
>
> user = fred {
>     login = cleartext "wilma"
>     name = "Fred Flintstone"
>     # member = guest
>     expires = "May 23 2020"
>
>     service = exec {
>         "acl" = 5
>
>         autocmd = "telnet foo"
>     }
> }
>
> group = guest {
>     expires = "May 1 2017"
> }
>
>
> and when I do an authorization query against it, this is the resultant
> logging:
>
> Oct 17 13:35:46 type=AUTHOR, priv_lvl=0, authen=1
> Oct 17 13:35:46 method=tacacs+
> Oct 17 13:35:46 svc=3 user_len=4 port_len=5 rem_addr_len=7
> Oct 17 13:35:46 arg_cnt=2
> Oct 17 13:35:46 User:
> Oct 17 13:35:46 fred
> Oct 17 13:35:46 port:
> Oct 17 13:35:46 pts/2
> Oct 17 13:35:46 rem_addr:
> Oct 17 13:35:46 1.2.3.4
> Oct 17 13:35:46 arg[0]: size=12
> Oct 17 13:35:46 service=exec
> Oct 17 13:35:46 arg[1]: size=11
> Oct 17 13:35:46 protocol=ip
> Oct 17 13:35:46 End packet
> Oct 17 13:35:46 Start authorization request
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=acl rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 do_author: user='fred'
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=before rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 user 'fred' found
> Oct 17 13:35:46 cfg_get_svc_node: username=fred N_svc proto= svcname=exec
> rec=1
> Oct 17 13:35:46 cfg_get_svc_node: returns NULL
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=svc_dflt rec=1
> Oct 17 13:35:46 cfg_get_intvalue: returns 0
> Oct 17 13:35:46 svc=N_svc protocol= not found, denied by default
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=after rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 Writing AUTHOR/FAIL size=18
>
>
> What am I missing?
>
> Thanks,
>
> -Philip
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
>

-- 

E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
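To make the decision chain in the quoted trace explicit, here is an added Python example (not code from the thread, from pam_tacplus or from tac_plus itself) that parses the posted debug output and reports, step by step, why the server wrote AUTHOR/FAIL: the user record was found, the service lookup for `exec` returned NULL, and the `svc_dflt` attribute came back 0, so the unmatched service was denied by default. The sample input is the trace from the message above with its wrapped cfg_get_svc_node line joined; the names `parse_trace`, `explain` and `AuthorTrace` are this example's own.

```python
import re
from dataclasses import dataclass, field

# Sample input: the tac_plus debug trace posted in the thread above
# (the two-line cfg_get_svc_node entry is joined back onto one line).
TRACE = """\
Oct 17 13:35:46 type=AUTHOR, priv_lvl=0, authen=1
Oct 17 13:35:46 method=tacacs+
Oct 17 13:35:46 svc=3 user_len=4 port_len=5 rem_addr_len=7
Oct 17 13:35:46 arg_cnt=2
Oct 17 13:35:46 User:
Oct 17 13:35:46 fred
Oct 17 13:35:46 port:
Oct 17 13:35:46 pts/2
Oct 17 13:35:46 rem_addr:
Oct 17 13:35:46 1.2.3.4
Oct 17 13:35:46 arg[0]: size=12
Oct 17 13:35:46 service=exec
Oct 17 13:35:46 arg[1]: size=11
Oct 17 13:35:46 protocol=ip
Oct 17 13:35:46 End packet
Oct 17 13:35:46 Start authorization request
Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=acl rec=1
Oct 17 13:35:46 cfg_get_pvalue: returns NULL
Oct 17 13:35:46 do_author: user='fred'
Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=before rec=1
Oct 17 13:35:46 cfg_get_pvalue: returns NULL
Oct 17 13:35:46 user 'fred' found
Oct 17 13:35:46 cfg_get_svc_node: username=fred N_svc proto= svcname=exec rec=1
Oct 17 13:35:46 cfg_get_svc_node: returns NULL
Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=svc_dflt rec=1
Oct 17 13:35:46 cfg_get_intvalue: returns 0
Oct 17 13:35:46 svc=N_svc protocol= not found, denied by default
Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=after rec=1
Oct 17 13:35:46 cfg_get_pvalue: returns NULL
Oct 17 13:35:46 Writing AUTHOR/FAIL size=18
""".splitlines()

# Syslog-style "Mon DD HH:MM:SS " prefix, stripped before matching.
TS = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+")
RE_VALUE = re.compile(r"cfg_get_value: name=(\S+) isuser=(\d) attr=(\S+)")
RE_RETURNS = re.compile(r"cfg_get_(?:p|int)value: returns (\S+)")
RE_SVC = re.compile(r"cfg_get_svc_node: username=\S+ (\S+) proto=(\S*) svcname=(\S+)")
RE_SVC_RET = re.compile(r"cfg_get_svc_node: returns (\S+)")
RE_VERDICT = re.compile(r"Writing AUTHOR/(\w+)")


@dataclass
class AuthorTrace:
    user: str = ""
    port: str = ""
    rem_addr: str = ""
    args: list = field(default_factory=list)     # "attr=value" pairs as the client sent them
    lookups: dict = field(default_factory=dict)  # config attribute -> value the server got back
    svc_lookup: tuple = ()                       # (svc_type, proto, svcname, result)
    verdict: str = ""


def parse_trace(lines):
    """Turn the debug trace into the request fields and the server's config lookups."""
    t = AuthorTrace()
    clean = [TS.sub("", ln.strip()) for ln in lines if ln.strip()]
    i = 0
    while i < len(clean):
        line = clean[i]
        nxt = clean[i + 1] if i + 1 < len(clean) else ""
        if line in ("User:", "port:", "rem_addr:"):   # label line, value on the next line
            setattr(t, line.rstrip(":").lower(), nxt)
            i += 2
            continue
        if line.startswith("arg["):                   # "arg[N]: size=S", value on the next line
            t.args.append(nxt)
            i += 2
            continue
        m = RE_VALUE.match(line)
        if m:                                         # attribute lookup + its "returns" line
            r = RE_RETURNS.match(nxt)
            t.lookups[m.group(3)] = r.group(1) if r else "?"
            i += 2
            continue
        m = RE_SVC.match(line)
        if m:                                         # service-node lookup + its "returns" line
            r = RE_SVC_RET.match(nxt)
            t.svc_lookup = (m.group(1), m.group(2), m.group(3), r.group(1) if r else "?")
            i += 2
            continue
        m = RE_VERDICT.match(line)
        if m:
            t.verdict = m.group(1)
        i += 1
    return t


def explain(t):
    """Walk the server's decision chain and say why the reply was PASS or FAIL."""
    sent = dict(a.split("=", 1) for a in t.args if "=" in a)
    out = [f"request: user={t.user} port={t.port} rem_addr={t.rem_addr} "
           f"service={sent.get('service')} protocol={sent.get('protocol')}"]
    if not t.svc_lookup:
        out.append("no service lookup happened: the user record itself was not found")
        return out
    svc_type, proto, svcname, result = t.svc_lookup
    out.append(f"config search: type {svc_type}, name '{svcname}', protocol '{proto}' -> {result}")
    if result == "NULL":
        out.append(f"no service stanza for '{svcname}' matched in the user/group chain")
        if sent.get("protocol") and proto == "":
            out.append(f"note: request carried protocol={sent['protocol']} but the server "
                       "searched with an empty protocol")
        dflt = t.lookups.get("svc_dflt")
        if dflt == "0":
            # svc_dflt is the "default service" attribute; 0 means unmatched services are denied,
            # which is the setting the reply's 'default service = permit' suggestion targets.
            out.append("svc_dflt=0: unmatched services are denied by default")
        elif dflt is not None:
            out.append(f"svc_dflt={dflt}: unmatched services are permitted by default")
    out.append(f"reply: AUTHOR/{t.verdict}")
    return out


if __name__ == "__main__":
    for line in explain(parse_trace(TRACE)):
        print(line)
```

Run it against any tac_plus `-d` authorization trace (timestamps are optional); the interesting lines for this thread are the service search reported as type N_svc with an empty protocol even though the client sent `protocol=ip`, and `svc_dflt=0`, which is what turns "no matching service stanza" into AUTHOR/FAIL.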