From KWebb at adva.com Thu May 28 14:43:38 2020
From: KWebb at adva.com (Ken Webb)
Date: Thu, 28 May 2020 14:43:38 +0000
Subject: [tac_plus] tac_plus configuration AVP/VSAs
Message-ID:

Hello -

I am trying to use a tac_plus server with a client that uses the open source nss_tacplus library (https://github.com/benschumacher/nss_tacplus). This library attempts to sufficient information for a Linux-based operating system login process via its "nss" subsystem. To do this it tries to leverage the AVPs/VSAs returned from a tacacs+ server during an authorization query.

Unfortunately, I have not had any luck devising a tac_plus configuration that will work. The client connects, and the user name is apparently recognized, but the required AVPs are not being passed back. The log messages I get from the nss_tacplus library look like:

May 29 06:50:08 nscd: src/nss_tacplus.c: `/etc/tacplus.conf' no change at cycle=23750
May 29 06:50:08 nscd: src/nss_tacplus.c: begin lookup: user=`joan', server=`10.1.27.136:49'
May 29 06:50:08 nscd: Args cnt 0
May 29 06:50:08 nscd: src/nss_tacplus.c: found match: user=`joan', server=`10.1.27.136:49', status=1, attributes? no
May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'UID'
May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'GID'
May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'HOME'
May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'SHELL'
May 29 06:50:08 sshd[19451]: Invalid user joan from 10.11.12.44 port 55294

Do you have any experience inter-operating with this (nss_tacplus) library? Does tac_plus respond to authorization queries with AVPs in its response? Our use of the nss_tacplus library has been validated with Cisco ACS 5.5.0.46.

Below is the tac_plus.conf file that I have used:

key = cisco
accounting file = /var/log/tac.log
group = admin {
    default service = permit
#    service = adva-exec {
#        uid=1012
#        gid=1014
#        home=/home
#        shell=/bin/bash
#    service = adva-exec {
#        uid="2000"
#        gid="504"
#        home="/home"
#        shell="/bin/bash"
#    }
#    }
}

user=joan {
    member = admin
    service = adva-exec {
        uid="2000"
        gid="504"
        home="/home"
        shell="/bin/bash"
    }
}

Thank you,
Ken Webb
Sr Software Engineer
ADVA

Please see our privacy statement at https://www.adva.com/en/about-us/legal/privacy-statement for details of how ADVA processes personal information.

From heas at shrubbery.net Thu May 28 17:03:45 2020
From: heas at shrubbery.net (john heasley)
Date: Thu, 28 May 2020 17:03:45 +0000
Subject: [tac_plus] tac_plus configuration AVP/VSAs
In-Reply-To:
References:
Message-ID: <20200528170345.GB61177@shrubbery.net>

Thu, May 28, 2020 at 02:43:38PM +0000, Ken Webb:
> Hello -
>
> I am trying to use a tac_plus server with a client that uses the open source nss_tacplus library (https://github.com/benschumacher/nss_tacplus). This library attempts to sufficient information for a Linux-based operating system login process via its "nss" subsystem. To do this it tries to leverage the AVPs/VSAs returned from a tacacs+ server during an authorization query.
>
> Unfortunately, I have not had any luck devising a tac_plus configuration that will work. The client connects, and the user name is apparently recognized, but the required AVPs are not being passed back. The log messages I get from the nss_tacplus library look like:
>
> May 29 06:50:08 nscd: src/nss_tacplus.c: `/etc/tacplus.conf' no change at cycle=23750
> May 29 06:50:08 nscd: src/nss_tacplus.c: begin lookup: user=`joan', server=`10.1.27.136:49'
> May 29 06:50:08 nscd: Args cnt 0
> May 29 06:50:08 nscd: src/nss_tacplus.c: found match: user=`joan', server=`10.1.27.136:49', status=1, attributes? no
> May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'UID'
> May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'GID'
> May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'HOME'
> May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'SHELL'
> May 29 06:50:08 sshd[19451]: Invalid user joan from 10.11.12.44 port 55294

is it a case discrepancy? the github readme uses lower case, but the logs above use upper.

the readme does not indicate which service is used. I would suggest using the tac_plus daemon's debug logging to see what service it is requesting; adva-exec may be if you configured pam that way. example from the github is linuxlogin - i suspect.

session optional /usr/local/lib/security/pam_tacplus.so debug server=10.0.0.1 secret=password service=linuxlogin protocol=ssh timeout=2

> Do you have any experience inter-operating with this (nss_tacplus) library? Does tac_plus respond to authorization queries with AVPs in its response? Our use of the nss_tacplus library has been validated with Cisco ACS 5.5.0.46.
>
> Below is the tac_plus.conf file that I have used:
>
> key = cisco
> accounting file = /var/log/tac.log
> group = admin {
>     default service = permit
> #    service = adva-exec {
> #        uid=1012
> #        gid=1014
> #        home=/home
> #        shell=/bin/bash
> #    service = adva-exec {
> #        uid="2000"
> #        gid="504"
> #        home="/home"
> #        shell="/bin/bash"
> #    }
> #    }
> }
>
> user=joan {
>     member = admin
>     service = adva-exec {
>         uid="2000"
>         gid="504"
>         home="/home"
>         shell="/bin/bash"
>     }
> }
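A static pre-flight check of a tac_plus.conf against what nss_tacplus expects, added here as an example for this thread (it is not code from tac_plus, nss_tacplus or either poster): it resolves the user's block and its `member` groups, looks for the service name the client actually requests (the `service=linuxlogin` in the pam line above versus `adva-exec` in the posted config), and reports attributes that are missing or differ only in case. `check_user`, `find_block` and `SAMPLE_CONF` are my names; the lowercase required-attribute names follow the README as cited in the reply and are an assumption, and the parser handles only the simple `name = value { ... }` syntax shown in the thread.

```python
import re

# Attribute names nss_tacplus needs; lowercase (as in its README) is an assumption.
REQUIRED = ("uid", "gid", "home", "shell")

# Constructed config, condensed from the one posted in the thread.
SAMPLE_CONF = """key = cisco
group = admin { default service = permit }
user = joan {
    member = admin
    service = adva-exec { uid="2000" gid="504" home="/home" shell="/bin/bash" }
}"""

def find_block(text, kind, name):
    """Return the body of `kind = name { ... }` with balanced braces, else None."""
    m = re.search(r'\b%s\s*=\s*"?%s"?\s*\{' % (re.escape(kind), re.escape(name)), text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return None  # unbalanced braces: treat as not found

def check_user(conf, user, service, required=REQUIRED):
    """Report whether `user` would receive every `required` attribute for `service`."""
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())  # drop '#' comments
    user_body = find_block(text, "user", user)
    if user_body is None:
        return {"user_found": False}
    bodies = [user_body]  # the user's own block first, then its `member = group` blocks
    for group in re.findall(r'\bmember\s*=\s*"?([\w-]+)"?', user_body):
        group_body = find_block(text, "group", group)
        if group_body is not None:
            bodies.append(group_body)
    for body in bodies:
        svc = find_block(body, "service", service)
        if svc is not None:
            break
    else:  # no block for the service name the client sends: client/server mismatch
        present = {s for b in bodies for s in re.findall(r'\bservice\s*=\s*"?([\w-]+)"?\s*\{', b)}
        return {"user_found": True, "service_found": False, "services_present": sorted(present)}
    # attr=value pairs, quoted or not; also map lowercase names to spot case-only mismatches
    got = {k: v.strip('"') for k, v in re.findall(r'(\w+)\s*=\s*("[^"]*"|\S+)', svc)}
    lower = {k.lower(): k for k in got}
    return {"user_found": True, "service_found": True, "attrs": got,
            "missing": [a for a in required if a not in lower],
            "case_mismatch": [lower[a] for a in required if a in lower and lower[a] != a]}
```

Run it once with the service name from the pam configuration and once with the one in tac_plus.conf; a `service_found: False` result with `services_present` listing a different name is the mismatch the reply suggests confirming via tac_plus debug logging.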