From vadud3 at gmail.com Fri Feb 9 18:12:27 2018
From: vadud3 at gmail.com (Asif Iqbal)
Date: Fri, 9 Feb 2018 13:12:27 -0500
Subject: [tac_plus] tac_plus picked syslog priority error for message with success
Message-ID:

I am seeing red messages even though it is a successful start. Is it because tac_plus is sending the message to a wrong log level, or does it not have a proper systemd implementation?

● tacacs@cc.service - TACACS+ daemon instance tacacs-cc
   Loaded: loaded (/etc/systemd/system/tacacs@.service; enabled; vendor preset: disabled)
   Active: *active (running)* since Fri 2018-02-09 04:02:22 UTC; 13h ago
     Docs: man:tac_plus(8)
           man:tac_plus.conf(5)
  Process: 15379 ExecReload=/bin/sh -c /home/audit/bin/tacsanity /etc/tacacs/tacacs-%i.conf && /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 18131 (tac_plus)
   CGroup: /system.slice/system-tacacs.slice/tacacs@cc.service
           └─18131 /usr/local/sbin/tac_plus -G -L -B 100.75.8.233 -C /etc/tacacs/tacacs-cc.conf -l /var/log/tacacs/tacacs-cc.daemon.log -p 49 -d 8 -d 16

Feb 09 17:32:21 tacacs.example.net systemd[1]: Reloaded TACACS+ daemon instance tacacs-cc.
Feb 09 17:32:21 tacacs.example.net tac_plus[18131]: Received signal
Feb 09 17:32:21 tacacs.example.net tac_plus[18131]: Version F4.0.4.28 Initialized 3
Feb 09 17:32:49 tacacs.example.net tac_plus[15392]: *Attempting to lock /tmp/tmp.9YI9LTwhGc.log fd 3*
Feb 09 17:32:49 tacacs.example.net tac_plus[15392]: *Successfully locked /tmp/tmp.9YI9LTwhGc.log fd 3 after 1 tries*
Feb 09 17:32:49 tacacs.example.net tac_plus[15392]: Reading config
Feb 09 17:32:50 tacacs.example.net systemd[1]: Reloaded TACACS+ daemon instance tacacs-cc.
Feb 09 17:32:50 tacacs.example.net tac_plus[18131]: Received signal
Feb 09 17:32:50 tacacs.example.net tac_plus[18131]: Reading config
Feb 09 17:32:50 tacacs.example.net tac_plus[18131]: Version F4.0.4.28 Initialized 4

Also, journalctl -o export _SYSTEMD_UNIT=tacacs@cc.service -e shows that only those two lines are using syslog priority 3 (error), hence the red.

I am trying to see what the reason is behind picking priority 3 (error) for these two lines, instead of priority 5 (notice) or priority 6 (info) like the rest of the messages in there:

Attempting to lock ....
Successfully locked ...

Thanks

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From coloccia at geneseo.edu Mon Feb 12 16:02:29 2018
From: coloccia at geneseo.edu (Rick Coloccia)
Date: Mon, 12 Feb 2018 11:02:29 -0500
Subject: [tac_plus] tac_plus on centos7, script vs. manual startup
Message-ID: <5b6c68c7-df83-7197-bce1-c217e86c0abe@geneseo.edu>

Hi,

I've been using tac_plus for years, never any issues. Thanks for it!

Last week we replaced an older centos box with a centos7 box. I installed tac_plus using an rpm from pbone.net.

I could not get it to work to save my life. I messed around with the tacplus config, the pam config, no luck at all. I was at wit's end.

I started the process manually with a bunch of -d from the cli and it lit right up. Then I killed it, started it without all the -d from the cli and it still worked.

So now I'm confused. When I allow the binary to start using the scripts it won't function; when I start it from the cli it works fine.

When I run:

[root@localhost log]# ps auxw | grep tac_
root     16163  0.0  0.0  26000   528 ?        S    10:30   0:00 /usr/bin/tac_plus -C /etc/tac_plus.conf

and when I run:

[root@localhost log]# netstat -anp | grep tac_
tcp        0      0 0.0.0.0:49              0.0.0.0:*               LISTEN      16163/tac_plus
unix  2      [ ]         DGRAM                    6079166 16163/tac_plus

The output is the same regardless of whether I started via cli or scripts.

I just don't know where to go from here. Looking for suggestions.

Thanks!

-Rick

-- 
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579

From alan.mckinnon at gmail.com Mon Feb 12 20:20:49 2018
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Mon, 12 Feb 2018 22:20:49 +0200
Subject: [tac_plus] tac_plus on centos7, script vs. manual startup
In-Reply-To: <5b6c68c7-df83-7197-bce1-c217e86c0abe@geneseo.edu>
References: <5b6c68c7-df83-7197-bce1-c217e86c0abe@geneseo.edu>
Message-ID: <253accf7-771f-1760-1a11-293dbb786c7b@gmail.com>

On 12/02/2018 18:02, Rick Coloccia wrote:
> Hi,
>
> I've been using tac_plus for years, never any issues. Thanks for it!
>
> Last week we replaced an older centos box with a centos7 box. I installed tac_plus using an rpm from pbone.net.
>
> I could not get it to work to save my life. I messed around with the tacplus config, the pam config, no luck at all. I was at wit's end.
>
> I started the process manually with a bunch of -d from the cli and it lit right up. Then I killed it, started it without all the -d from the cli and it still worked.
>
> So now I'm confused. When I allow the binary to start using the scripts it won't function, when I start it from cli it works fine.
>
> when I run:
>
> [root@localhost log]# ps auxw | grep tac_
> root     16163  0.0  0.0  26000   528 ?        S    10:30   0:00 /usr/bin/tac_plus -C /etc/tac_plus.conf
>
> and when I run:
>
> [root@localhost log]# netstat -anp | grep tac_
> tcp        0      0 0.0.0.0:49              0.0.0.0:*               LISTEN      16163/tac_plus
> unix  2      [ ]         DGRAM                    6079166 16163/tac_plus
>
> The output is the same regardless of whether I started via cli or scripts.
>
> I just don't know where to go from here. Looking for suggestions.

"scripts" are unlikely to work on Centos 7 as that uses systemd not SysVInit. I'm guessing your rpm was built for a much older Centos and quite likely is getting the log location wrong, or doesn't account for permissions. Just starting the daemon on the cli does the right thing and there's no interfering script messing up the works

-- 
Alan McKinnon
alan.mckinnon at gmail.com

From coloccia at geneseo.edu Mon Feb 12 20:41:14 2018
From: coloccia at geneseo.edu (Rick Coloccia)
Date: Mon, 12 Feb 2018 15:41:14 -0500
Subject: [tac_plus] tac_plus on centos7, script vs. manual startup
In-Reply-To: <253accf7-771f-1760-1a11-293dbb786c7b@gmail.com>
References: <5b6c68c7-df83-7197-bce1-c217e86c0abe@geneseo.edu> <253accf7-771f-1760-1a11-293dbb786c7b@gmail.com>
Message-ID: <9fc193da-862d-8410-97bf-5f3f7a191f61@geneseo.edu>

Hi Alan, thanks.

I did use a tac_plus rpm that is distributed for centos7.

Centos7 does have some backwards compatibility with sysvinit. There are a few other sysvinit startup scripts in place.

The startup script does get executed on boot, and the binary does get started. It just doesn't work.

Log locations and permissions - I will pursue those ideas.

Either way, it seems we need to fix the rpm...

Thanks for the pointers!

On 2/12/2018 3:20 PM, Alan McKinnon wrote:
> On 12/02/2018 18:02, Rick Coloccia wrote:
>> Hi,
>>
>> I've been using tac_plus for years, never any issues. Thanks for it!
>>
>> Last week we replaced an older centos box with a centos7 box. I installed tac_plus using an rpm from pbone.net.
>>
>> I could not get it to work to save my life. I messed around with the tacplus config, the pam config, no luck at all. I was at wit's end.
>>
>> I started the process manually with a bunch of -d from the cli and it lit right up.
>> Then I killed it, started it without all the -d from the cli and it still worked.
>>
>> So now I'm confused. When I allow the binary to start using the scripts it won't function, when I start it from cli it works fine.
>>
>> when I run:
>>
>> [root@localhost log]# ps auxw | grep tac_
>> root     16163  0.0  0.0  26000   528 ?        S    10:30   0:00 /usr/bin/tac_plus -C /etc/tac_plus.conf
>>
>> and when I run:
>>
>> [root@localhost log]# netstat -anp | grep tac_
>> tcp        0      0 0.0.0.0:49              0.0.0.0:*               LISTEN      16163/tac_plus
>> unix  2      [ ]         DGRAM                    6079166 16163/tac_plus
>>
>> The output is the same regardless of whether I started via cli or scripts.
>>
>> I just don't know where to go from here. Looking for suggestions.
>
> "scripts" are unlikely to work on Centos 7 as that uses systemd not SysVInit. I'm guessing your rpm was built for a much older Centos and quite likely is getting the log location wrong, or doesn't account for permissions. Just starting the daemon on the cli does the right thing and there's no interfering script messing up the works
>

-- 
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579

From heas at shrubbery.net Mon Feb 12 21:10:08 2018
From: heas at shrubbery.net (heasley)
Date: Mon, 12 Feb 2018 21:10:08 +0000
Subject: [tac_plus] tac_plus on centos7, script vs. manual startup
In-Reply-To: <9fc193da-862d-8410-97bf-5f3f7a191f61@geneseo.edu>
References: <5b6c68c7-df83-7197-bce1-c217e86c0abe@geneseo.edu> <253accf7-771f-1760-1a11-293dbb786c7b@gmail.com> <9fc193da-862d-8410-97bf-5f3f7a191f61@geneseo.edu>
Message-ID: <20180212211008.GE34016@shrubbery.net>

Mon, Feb 12, 2018 at 03:41:14PM -0500, Rick Coloccia:
> Hi Alan, thanks.
>
> I did use a tac_plus rpm that is distributed for centos7.
>
> Centos7 does have some backwards compatibility with sysvinit.
> There are a few other sysvinit startup scripts in place.
>
> The startup script does get executed on boot, and the binary does get started. It just doesn't work.
>
> Log locations and permissions - I will pursue those ideas.
>
> Either way, it seems we need to fix the rpm...

I'd check that it has the correct uid/user, isn't chroot()ed, and for similar "helpful" things that linux tends to add as defaults.

> Thanks for the pointers!
>
> On 2/12/2018 3:20 PM, Alan McKinnon wrote:
> > On 12/02/2018 18:02, Rick Coloccia wrote:
> >> Hi,
> >>
> >> I've been using tac_plus for years, never any issues. Thanks for it!
> >>
> >> Last week we replaced an older centos box with a centos7 box. I installed tac_plus using an rpm from pbone.net.
> >>
> >> I could not get it to work to save my life. I messed around with the tacplus config, the pam config, no luck at all. I was at wit's end.
> >>
> >> I started the process manually with a bunch of -d from the cli and it lit right up. Then I killed it, started it without all the -d from the cli and it still worked.
> >>
> >> So now I'm confused. When I allow the binary to start using the scripts it won't function, when I start it from cli it works fine.
> >>
> >> when I run:
> >>
> >> [root@localhost log]# ps auxw | grep tac_
> >> root     16163  0.0  0.0  26000   528 ?        S    10:30   0:00 /usr/bin/tac_plus -C /etc/tac_plus.conf
> >>
> >> and when I run:
> >>
> >> [root@localhost log]# netstat -anp | grep tac_
> >> tcp        0      0 0.0.0.0:49              0.0.0.0:*               LISTEN      16163/tac_plus
> >> unix  2      [ ]         DGRAM                    6079166 16163/tac_plus
> >>
> >> The output is the same regardless of whether I started via cli or scripts.
> >>
> >> I just don't know where to go from here. Looking for suggestions.
> >
> > "scripts" are unlikely to work on Centos 7 as that uses systemd not SysVInit.
> > I'm guessing your rpm was built for a much older Centos and quite likely is getting the log location wrong, or doesn't account for permissions. Just starting the daemon on the cli does the right thing and there's no interfering script messing up the works
> >
>
> --
> Rick Coloccia, Jr.
> Network Manager
> State University of NY College at Geneseo
> 1 College Circle, 119 South Hall
> Geneseo, NY 14454
> V: 585-245-5577
> F: 585-245-5579
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus

From vadud3 at gmail.com Tue Feb 13 00:27:27 2018
From: vadud3 at gmail.com (Asif Iqbal)
Date: Mon, 12 Feb 2018 19:27:27 -0500
Subject: [tac_plus] tac_plus on centos7, script vs. manual startup
In-Reply-To: <5b6c68c7-df83-7197-bce1-c217e86c0abe@geneseo.edu>
References: <5b6c68c7-df83-7197-bce1-c217e86c0abe@geneseo.edu>
Message-ID:

I use something similar to this with centos 7, a custom systemd tacacs service:

# cat /etc/systemd/system/tacacs.service
[Unit]
Description=TACACS+ daemon instance tacacs
Documentation=man:tac_plus(8) man:tac_plus.conf(5)
After=network.target

[Service]
Type=simple
ExecStartPre=/usr/local/sbin/tac_plus -P -C /etc/tacacs/tacacs.conf
ExecStart=/usr/local/sbin/tac_plus_mss -G -C /etc/tacacs.conf -l /var/log/tacacs.daemon.log -p 49 -d 8 -d 16
ExecReload=/bin/sh -c "/usr/local/sbin/tac_plus -P -C /etc/tacacs.conf >/dev/null 2>&1 && /bin/kill -HUP $MAINPID"
Restart=always

[Install]
WantedBy=multi-user.target

It should work perfectly with systemd. The only odd thing is tac_plus uses the wrong syslog priority level for some of the status messages, and they show red even for success. I already have an email about this and have not seen any response to that.
However, actually systemd functionality should be fine; I have it tested and running in production.

On Mon, Feb 12, 2018 at 11:02 AM, Rick Coloccia wrote:
> Hi,
>
> I've been using tac_plus for years, never any issues. Thanks for it!
>
> Last week we replaced an older centos box with a centos7 box. I installed tac_plus using an rpm from pbone.net.
>
> I could not get it to work to save my life. I messed around with the tacplus config, the pam config, no luck at all. I was at wit's end.
>
> I started the process manually with a bunch of -d from the cli and it lit right up. Then I killed it, started it without all the -d from the cli and it still worked.
>
> So now I'm confused. When I allow the binary to start using the scripts it won't function, when I start it from cli it works fine.
>
> when I run:
>
> [root@localhost log]# ps auxw | grep tac_
> root     16163  0.0  0.0  26000   528 ?        S    10:30   0:00 /usr/bin/tac_plus -C /etc/tac_plus.conf
>
> and when I run:
>
> [root@localhost log]# netstat -anp | grep tac_
> tcp        0      0 0.0.0.0:49              0.0.0.0:*               LISTEN      16163/tac_plus
> unix  2      [ ]         DGRAM                    6079166 16163/tac_plus
>
> The output is the same regardless of whether I started via cli or scripts.
>
> I just don't know where to go from here. Looking for suggestions.
>
> Thanks!
>
> -Rick
>
> --
> Rick Coloccia, Jr.
> Network Manager
> State University of NY College at Geneseo
> 1 College Circle, 119 South Hall
> Geneseo, NY 14454
> V: 585-245-5577
> F: 585-245-5579

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
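The syslog-priority complaint in the two messages above (the lock messages arriving at priority 3 and showing red) is something an operator can triage mechanically from the same `journalctl -o export` output the first message mentions. The following is an added example, not code from the thread or from the tac_plus project: a small parser for the journal export format (plain `NAME=value` lines, binary-safe fields as a name line followed by a 64-bit little-endian length and the data, entries separated by an empty line) plus a triage that separates the two known-benign lock messages from any other priority-3 entry. The sample export bytes are constructed here to mirror the status output quoted above; the "unreadable config" line is invented for the example and is not a real tac_plus message.

```python
import struct
from collections import Counter
from typing import Dict, List, Tuple

Entry = Dict[str, bytes]
SYSLOG_ERR = 3  # syslog priority 3 ("err"); journalctl highlights it in red


def _binfield(name: bytes, data: bytes) -> bytes:
    """Binary-safe export field: NAME, newline, 64-bit LE length, data, newline."""
    return name + b"\n" + struct.pack("<Q", len(data)) + data + b"\n"


def _textfields(**fields: str) -> bytes:
    """Plain NAME=value export fields, one per line."""
    return b"".join(f"{k}={v}\n".encode() for k, v in fields.items())


def _entry(ident: str, pid: str, prio: str, msg: str, binary: bool = False) -> bytes:
    head = _textfields(_SYSTEMD_UNIT="tacacs@cc.service", SYSLOG_IDENTIFIER=ident,
                       _PID=pid, PRIORITY=prio)
    body = _binfield(b"MESSAGE", msg.encode()) if binary else _textfields(MESSAGE=msg)
    return head + body + b"\n"  # an empty line terminates the entry


# Constructed sample of `journalctl -o export` output modelled on the status
# output in the first message; it is not a capture from the poster's host.
SAMPLE_EXPORT = (
    _entry("systemd", "1", "6", "Reloaded TACACS+ daemon instance tacacs-cc.")
    + _entry("tac_plus", "18131", "5", "Received signal")
    + _entry("tac_plus", "15392", "3", "Attempting to lock /tmp/tmp.9YI9LTwhGc.log fd 3", binary=True)
    + _entry("tac_plus", "15392", "3", "Successfully locked /tmp/tmp.9YI9LTwhGc.log fd 3 after 1 tries")
    + _entry("tac_plus", "15392", "5", "Reading config")
    # Constructed, not a real tac_plus message: a genuine failure at priority 3.
    + _entry("tac_plus", "15392", "3", "constructed example: config file /etc/tacacs/tacacs-cc.conf unreadable")
)


def parse_export(data: bytes) -> List[Entry]:
    """Parse journal export format into a list of field dictionaries."""
    entries: List[Entry] = []
    current: Entry = {}
    pos = 0
    while pos < len(data):
        nl = data.find(b"\n", pos)
        if nl == -1:
            nl = len(data)
        line = data[pos:nl]
        pos = nl + 1
        if not line:                      # empty line ends the entry
            if current:
                entries.append(current)
                current = {}
            continue
        eq = line.find(b"=")
        if eq != -1:                      # NAME=value
            current[line[:eq].decode()] = line[eq + 1:]
            continue
        # Binary-safe field: the line is only the name; a 64-bit LE size follows.
        (size,) = struct.unpack("<Q", data[pos:pos + 8])
        pos += 8
        current[line.decode()] = data[pos:pos + size]
        pos += size + 1                   # skip the data and its trailing newline
    if current:
        entries.append(current)
    return entries


# The two messages the first poster shows at priority 3 although they are a
# normal part of the log-file locking on reload.
BENIGN_AT_ERR = (b"Attempting to lock ", b"Successfully locked ")


def triage(entries: List[Entry]) -> Tuple[List[str], List[str]]:
    """Split priority<=3 messages into (genuine, benign) lists of message text."""
    genuine: List[str] = []
    benign: List[str] = []
    for e in entries:
        if int(e.get("PRIORITY", b"6")) > SYSLOG_ERR:
            continue
        msg = e.get("MESSAGE", b"")
        bucket = benign if msg.startswith(BENIGN_AT_ERR) else genuine
        bucket.append(msg.decode("utf-8", "replace"))
    return genuine, benign


def priority_histogram(entries: List[Entry]) -> Counter:
    """Count entries per (SYSLOG_IDENTIFIER, PRIORITY): who logs at which level."""
    return Counter(
        (e.get("SYSLOG_IDENTIFIER", b"?").decode(), int(e.get("PRIORITY", b"6")))
        for e in entries
    )


if __name__ == "__main__":
    import sys
    raw = SAMPLE_EXPORT if sys.stdin.isatty() else sys.stdin.buffer.read()
    found = parse_export(raw)
    genuine, benign = triage(found)
    print("per (identifier, priority):", dict(priority_histogram(found)))
    print("benign at err:", *benign, sep="\n  ")
    print("genuine at err:", *genuine, sep="\n  ")
```

Run it on a live unit with `journalctl -o export _SYSTEMD_UNIT=tacacs@cc.service | python3 triage.py`; with no stdin it runs over the constructed sample. The point of splitting on message prefix rather than on priority alone is that an alert keyed only on `PRIORITY<=3` fires on every reload, while the genuine failures stay hidden in the noise; until the daemon logs these two lines at notice or info, the prefix list is what a journal or rsyslog filter would carry.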
From vadud3 at gmail.com Tue Feb 20 19:28:46 2018
From: vadud3 at gmail.com (Asif Iqbal)
Date: Tue, 20 Feb 2018 14:28:46 -0500
Subject: [tac_plus] need help with crafting a cmd with some regex
Message-ID:

All users can execute ip route A.A.A.A B.B.B.B . However, without , tacacs should reject it.

Meaning the ip route command would have to contain a VLAN or Interface specifier, or be rejected.

Here are some examples:

Good static route - accepted:
ip route 192.168.1.128 255.255.255.192 Vlan1686 192.168.1.6 name foo_to_bar
ip route 192.168.2.0 255.255.255.0 TenGigabitEthernet4/16.689 192.168.2.12
ip route vrf S609150:1678 172.26.0.0 255.255.0.0 Vlan1682 10.35.174.33

Bad static route - rejected:
ip route vrf s617:securities-micro:B 192.168.7.60 255.255.255.255 192.168.7.58
ip route 172.29.141.48 255.255.255.240 172.26.250.73 name bar_to_foo

Thanks

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

From heas at shrubbery.net Tue Feb 20 22:12:49 2018
From: heas at shrubbery.net (heasley)
Date: Tue, 20 Feb 2018 22:12:49 +0000
Subject: [tac_plus] need help with crafting a cmd with some regex
In-Reply-To:
References:
Message-ID: <20180220221249.GB40353@shrubbery.net>

Tue, Feb 20, 2018 at 02:28:46PM -0500, Asif Iqbal:
> All users can execute ip route A.A.A.A B.B.B.B IP>. However, without , tacacs should reject it.
>
> Meaning the ip route command would have to contain a VLAN or Interface specifier, or be rejected.
>
> Here are some examples:
>
> Good static route - accepted:
> ip route 192.168.1.128 255.255.255.192 Vlan1686 192.168.1.6 name foo_to_bar
> ip route 192.168.2.0 255.255.255.0 TenGigabitEthernet4/16.689 192.168.2.12
> ip route vrf S609150:1678 172.26.0.0 255.255.0.0 Vlan1682 10.35.174.33
>
> Bad static route - rejected:
> ip route vrf s617:securities-micro:B 192.168.7.60 255.255.255.255 192.168.7.58
> ip route 172.29.141.48 255.255.255.240 172.26.250.73 name bar_to_foo

permit ip route ip ip interface ip name
permit ip route ip ip interface ip$
permit ip route vrf word ip ip interface ip$
deny ip route

> Thanks
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
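To see the ordered permit/deny policy from the reply above working against the five commands in the question, here is an added example, not heasley's actual tac_plus configuration and not code from the project. The placeholder tokens in the reply (ip, interface, word) are lost on the archived page, so the regular expressions standing in for them are assumptions made for this example; the evaluation model (first matching clause wins, no match denies) is likewise assumed here, so check it against tac_plus.conf(5) before copying the shape into a real config. The example matches the whole command line; in tac_plus the regexes inside a cmd block are matched against the command's arguments, so the real clauses drop the leading command word.

```python
import re

# Token patterns standing in for the placeholders in the reply above.
# These are assumptions for this example, not tac_plus's own definitions.
IP = r"(?:\d{1,3}\.){3}\d{1,3}"
IFACE = r"[A-Za-z][A-Za-z-]*\d[\w/.]*"  # Vlan1686, TenGigabitEthernet4/16.689
WORD = r"\S+"                            # a VRF name such as S609150:1678

# Ordered clauses in the spirit of a tac_plus `cmd = ip { ... }` block.
# Assumed evaluation model: first matching clause wins; no match denies.
RULES = [
    ("permit", re.compile(rf"^ip route {IP} {IP} {IFACE} {IP} name {WORD}$")),
    ("permit", re.compile(rf"^ip route {IP} {IP} {IFACE} {IP}$")),
    ("permit", re.compile(rf"^ip route vrf {WORD} {IP} {IP} {IFACE} {IP}$")),
    ("deny", re.compile(r"^ip route")),
]


def authorize(command: str) -> str:
    """Return 'permit' or 'deny' for one command line; first match wins."""
    # Collapse whitespace so spacing differences do not change the verdict.
    normalized = " ".join(command.split())
    for verdict, pattern in RULES:
        if pattern.search(normalized):
            return verdict
    return "deny"  # a listed command with no matching clause is denied


def audit(commands):
    """Map each command to its verdict, for checking a policy change against
    a known-good/known-bad corpus before it is deployed."""
    return {cmd: authorize(cmd) for cmd in commands}


# The five commands from the question above, as the regression corpus.
EXPECTED = {
    "ip route 192.168.1.128 255.255.255.192 Vlan1686 192.168.1.6 name foo_to_bar": "permit",
    "ip route 192.168.2.0 255.255.255.0 TenGigabitEthernet4/16.689 192.168.2.12": "permit",
    "ip route vrf S609150:1678 172.26.0.0 255.255.0.0 Vlan1682 10.35.174.33": "permit",
    "ip route vrf s617:securities-micro:B 192.168.7.60 255.255.255.255 192.168.7.58": "deny",
    "ip route 172.29.141.48 255.255.255.240 172.26.250.73 name bar_to_foo": "deny",
}

if __name__ == "__main__":
    for cmd, verdict in audit(EXPECTED).items():
        flag = "" if verdict == EXPECTED[cmd] else "  <-- MISMATCH"
        print(f"{verdict:6} {cmd}{flag}")
```

Two details carry over to a real policy. Anchoring matters: the reply's first clause is left open after `name` because a route name follows, and the example pins the tail to exactly one word so that nothing can trail the name; without the `$` on the other two clauses, any command that merely starts with a permitted prefix would be accepted. And the closing `deny ip route` is what turns the list into "only these shapes", since it catches every `ip route` form the permit clauses did not, including the two bad examples where the next hop is an address with no interface before it.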