[tac_plus] Debugging authorization failures

Dave Olson olson at cumulusnetworks.com
Tue Oct 18 00:32:05 UTC 2016


Philip Prindeville <philipp at redfish-solutions.com> wrote:

> I’m banging on the source to pam_tacplus’s libtac library and tacc (a simple test program) and I’m trying to figure out if the source to that is broken or if I’m invoking the test code incorrectly or if the configuration that I’m using for testing is wrong.
> 
> Here’s the config file that I have:

I think the key is this debug line:
  svc=N_svc protocol= not found, denied by default

I think you need to pass a protocol, and even then, I think
you need to permit the service, or add
   default service = permit
to your tac_plus.conf

When I run (with top of git tree pam_tacplus, none of your changes):
  tacc -u olsont -R -S ppp -P ssh -s 192.168.3.189 -k tacacskey -r 10.0.1.228
it works for me.

I have the default service = permit in my tac_plus.conf, and on the
server I get:

  Oct 17 13:52:21 tacastest tac_plus[24975]: svc=N_svc_ppp protocol=ssh svcname= not found, permitted by default

> key = "password"
> accounting file = /var/log/tac.acct
> 
> user = fred {
>     login = cleartext "wilma"
>     name = "Fred Flintstone"
>     # member = guest
>     expires = "May 23 2020"
> 
>     service = exec {
>         "acl" = 5
> 
>         autocmd = "telnet foo"
>     }
> }
> 
> group = guest {
>     expires = "May 1 2017"
> }    
> 
> 
> and when I do an authorization query against it, this is the resultant logging:
> 
> Oct 17 13:35:46 type=AUTHOR, priv_lvl=0, authen=1
> Oct 17 13:35:46 method=tacacs+
> Oct 17 13:35:46 svc=3 user_len=4 port_len=5 rem_addr_len=7
> Oct 17 13:35:46 arg_cnt=2
> Oct 17 13:35:46 User: 
> Oct 17 13:35:46 fred
> Oct 17 13:35:46 port: 
> Oct 17 13:35:46 pts/2
> Oct 17 13:35:46 rem_addr: 
> Oct 17 13:35:46 1.2.3.4
> Oct 17 13:35:46 arg[0]: size=12 
> Oct 17 13:35:46 service=exec
> Oct 17 13:35:46 arg[1]: size=11 
> Oct 17 13:35:46 protocol=ip
> Oct 17 13:35:46 End packet
> Oct 17 13:35:46 Start authorization request
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=acl rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 do_author: user='fred'
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=before rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 user 'fred' found
> Oct 17 13:35:46 cfg_get_svc_node: username=fred N_svc proto= svcname=exec rec=1
> Oct 17 13:35:46 cfg_get_svc_node: returns NULL
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=svc_dflt rec=1
> Oct 17 13:35:46 cfg_get_intvalue: returns 0
> Oct 17 13:35:46 svc=N_svc protocol= not found, denied by default
> Oct 17 13:35:46 cfg_get_value: name=fred isuser=1 attr=after rec=1
> Oct 17 13:35:46 cfg_get_pvalue: returns NULL
> Oct 17 13:35:46 Writing AUTHOR/FAIL size=18
> 
> 
> What am I missing?
> 
> Thanks,
> 
> -Philip
> 

Dave Olson
olson at cumulusnetworks.com
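The trace Philip quoted is tac_plus's per-request authorization debug output, and Dave's reply comes down to reading three things out of it: which service/protocol AV pairs the NAS sent, whether cfg_get_svc_node found a matching service block, and whether the final verdict came from an explicit rule or from the default policy. The script below is an added example (not part of this thread and not tac_plus or pam_tacplus code) that does that triage over a constructed copy of the failing trace above and a constructed passing trace modeled on Dave's syslog line; the passing trace, including its "Writing AUTHOR/PASS_ADD" line, is an assumption about what the server prints in that case, and the regexes are written from the lines visible on this page only.

```python
"""Triage tac_plus AUTHOR debug traces: who asked for what, did a service
block match, and did the default policy decide the verdict."""
import re
from dataclasses import dataclass, field

# Strips "Mon DD HH:MM:SS" and, for syslog-routed lines, "host tac_plus[pid]: "
# so both line formats quoted in the thread parse the same way.
_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (?:\S+ tac_plus\[\d+\]: )?(.*)$")
_SVC_LOOKUP = re.compile(r"^cfg_get_svc_node: username=(\S+) (\S+) proto=(\S*) svcname=(\S*)")
_DEFAULT = re.compile(r"^svc=(\S+) protocol=(\S*) (?:svcname=(\S*) )?not found, (denied|permitted) by default")
_RESULT = re.compile(r"^Writing AUTHOR/(PASS\w*|FAIL|ERROR)")


@dataclass
class AuthorTrace:
    user: str = ""
    args: dict = field(default_factory=dict)   # AV pairs the NAS sent, e.g. service=exec
    lookup: tuple = ()          # (svc type, proto, svcname) as the config matcher saw them
    matched: bool = False       # did cfg_get_svc_node return a service block?
    default_verdict: str = ""   # "denied"/"permitted" when the default policy decided
    result: str = ""            # "PASS…", "FAIL" or "ERROR" from the Writing AUTHOR/ line


def strip_prefix(line):
    m = _PREFIX.match(line.rstrip("\n"))
    return m.group(1).strip() if m else line.strip()


def parse_author_trace(lines):
    t = AuthorTrace()
    pending = None   # "user" or "arg": tac_plus prints the value on the next line
    for raw in lines:
        msg = strip_prefix(raw)
        if not msg:
            continue
        if pending == "user":
            t.user, pending = msg, None
            continue
        if pending == "arg":
            key, _, val = msg.partition("=")
            t.args[key] = val
            pending = None
            continue
        if msg.startswith("User:"):
            pending = "user"
        elif msg.startswith("arg["):
            pending = "arg"
        elif (m := _SVC_LOOKUP.match(msg)):
            t.lookup = (m.group(2), m.group(3), m.group(4))
            t.matched = True            # revised below if the lookup returns NULL
        elif msg.startswith("cfg_get_svc_node: returns NULL"):
            t.matched = False
        elif (m := _DEFAULT.match(msg)):
            t.default_verdict = m.group(4)
        elif (m := _RESULT.match(msg)):
            t.result = m.group(1)
    return t


def diagnose(t):
    svc, proto = t.args.get("service", "?"), t.args.get("protocol", "")
    if t.result.startswith("PASS"):
        how = "default policy" if t.default_verdict == "permitted" else "a matching service block"
        return f"user {t.user}: service={svc} protocol={proto} permitted by {how}"
    if not t.matched and t.default_verdict == "denied":
        seen = (f"matcher looked up svcname={t.lookup[2]!r} proto={t.lookup[1]!r}"
                if t.lookup else "no service lookup logged")
        return (f"user {t.user}: AUTHOR/FAIL because no service block matched the request "
                f"(service={svc} protocol={proto}; {seen}) and the default is deny; "
                "add a service block for that service/protocol or set 'default service = permit'")
    return f"user {t.user}: AUTHOR/{t.result or '?'} decided by an explicit rule"


# Constructed samples: the first copies the failing trace quoted in the thread,
# the second is an assumed passing trace modeled on the syslog line in the reply.
SAMPLE_FAIL = """Oct 17 13:35:46 type=AUTHOR, priv_lvl=0, authen=1
Oct 17 13:35:46 User: 
Oct 17 13:35:46 fred
Oct 17 13:35:46 arg[0]: size=12 
Oct 17 13:35:46 service=exec
Oct 17 13:35:46 arg[1]: size=11 
Oct 17 13:35:46 protocol=ip
Oct 17 13:35:46 End packet
Oct 17 13:35:46 user 'fred' found
Oct 17 13:35:46 cfg_get_svc_node: username=fred N_svc proto= svcname=exec rec=1
Oct 17 13:35:46 cfg_get_svc_node: returns NULL
Oct 17 13:35:46 svc=N_svc protocol= not found, denied by default
Oct 17 13:35:46 Writing AUTHOR/FAIL size=18"""

SAMPLE_PASS = """Oct 17 13:52:21 tacastest tac_plus[24975]: type=AUTHOR, priv_lvl=0, authen=1
Oct 17 13:52:21 tacastest tac_plus[24975]: User: 
Oct 17 13:52:21 tacastest tac_plus[24975]: olsont
Oct 17 13:52:21 tacastest tac_plus[24975]: arg[0]: size=11 
Oct 17 13:52:21 tacastest tac_plus[24975]: service=ppp
Oct 17 13:52:21 tacastest tac_plus[24975]: arg[1]: size=12 
Oct 17 13:52:21 tacastest tac_plus[24975]: protocol=ssh
Oct 17 13:52:21 tacastest tac_plus[24975]: cfg_get_svc_node: username=olsont N_svc_ppp proto=ssh svcname= rec=1
Oct 17 13:52:21 tacastest tac_plus[24975]: cfg_get_svc_node: returns NULL
Oct 17 13:52:21 tacastest tac_plus[24975]: svc=N_svc_ppp protocol=ssh svcname= not found, permitted by default
Oct 17 13:52:21 tacastest tac_plus[24975]: Writing AUTHOR/PASS_ADD size=18"""

if __name__ == "__main__":
    for sample in (SAMPLE_FAIL, SAMPLE_PASS):
        print(diagnose(parse_author_trace(sample.splitlines())))
```

Note what the parser makes visible in the failing case: the NAS sent protocol=ip, but the matcher line reports proto= (empty) and svcname=exec, and the verdict is the default deny. Of the two fixes Dave mentions, `default service = permit` is the blunt one, since it permits every service the config does not name; on anything but a test server the better habit is an explicit `service = … { … }` block for the service/protocol the device actually sends, with the default left at deny.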