[tac_plus] tac_plus configuration AVP/VSAs

john heasley heas at shrubbery.net
Thu May 28 17:03:45 UTC 2020


Thu, May 28, 2020 at 02:43:38PM +0000, Ken Webb:
> Hello  -
> 
> I am trying to use a tac_plus server with a client that uses the open source nss_tacplus library (https://github.com/benschumacher/nss_tacplus).  This library attempts to sufficient information for a Linux-based operating system login process via its "nss" subsystem.  To do this it tries to leverage the AVPs/VSAs returned from a tacacs+ server during an authorization query.
> 
> Unfortunately, I have not had any luck devising a tac_plus configuration that will work.  The client connects, and the user name is apparently recognized, but the required AVPs are not being passed back.   The log messages I get from the nss_tacplus library look like:
> 
> May 29 06:50:08 nscd: src/nss_tacplus.c: `/etc/tacplus.conf' no change at cycle=23750
> May 29 06:50:08 nscd: src/nss_tacplus.c: begin lookup: user=`joan', server=`10.1.27.136:49'
> May 29 06:50:08 nscd: Args cnt 0
> May 29 06:50:08 nscd: src/nss_tacplus.c: found match: user=`joan', server=`10.1.27.136:49', status=1, attributes? no
> May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'UID'
> May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'GID'
> May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'HOME'
> May 29 06:50:08 nscd: src/nss_tacplus.c: missing required attribute 'SHELL'
> May 29 06:50:08 sshd[19451]: Invalid user joan from 10.11.12.44 port 55294

is it a case discrepancy?  the github readme uses lower case, but the logs
above use upper.

the readme does not indicate which service is used.  I would suggest using
the tac_plus daemon's debug logging to see what service it is requesting;
it may be adva-exec if you configured pam that way.  the example from the github
is linuxlogin, i suspect.

session optional /usr/local/lib/security/pam_tacplus.so debug server=10.0.0.1 secret=password service=linuxlogin protocol=ssh timeout=2


> Do you have any experience inter-operating with this (nss_tacplus) library?  Does tac_plus respond to authorization queries with AVPs in its response?   Our use of the nss_tacplus library has been validated with Cisco ACS 5.5.0.46.
> 
> Below is the tac_plus.conf file that I have used :
> 
> key = cisco
> accounting file = /var/log/tac.log
> group = admin {
>         default service = permit
> #        service = adva-exec {
> #                  uid=1012
> #                  gid=1014
> #                  home=/home
> #                  shell=/bin/bash
> #    service = adva-exec {
> #        uid="2000"
> #        gid="504"
> #        home="/home"
> #        shell="/bin/bash"
> #    }
> #       }
> }
> 
> user=joan {
>     member = admin
>     service = adva-exec {
>         uid="2000"
>         gid="504"
>         home="/home"
>         shell="/bin/bash"
>     }
> }
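As an added illustration (not code from this thread, from tac_plus or from nss_tacplus), a small Python checker that parses the `service = NAME { ... }` blocks of a tac_plus.conf and reports, for the service name the PAM line requests, whether no block matches (so no AVPs come back at all) or whether the required attributes are present only under a different case. It assumes the one-AVP-per-line layout used in the config above, and it models the nss_tacplus attribute comparison as case-sensitive, which the reply only raises as a possibility.

```python
import re

# Attributes nss_tacplus reports as required in the log lines above.
REQUIRED_ATTRS = ("UID", "GID", "HOME", "SHELL")

# Constructed sample: the user block from the thread's tac_plus.conf, plus a
# commented-out line to show that '#' comments are ignored.
SAMPLE_CONF = """
user=joan {
    member = admin
    service = adva-exec {
#       uid="1012"
        uid="2000"
        gid="504"
        home="/home"
        shell="/bin/bash"
    }
}
"""

def parse_service_blocks(conf_text):
    """Return {service_name: {attr: value}} for each service block (assumed layout)."""
    services, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"service\s*=\s*(\S+)\s*\{", line)
        if m:
            current = m.group(1)
            services.setdefault(current, {})
        elif line == "}":
            current = None                    # leaves service (or user/group) block
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            services[current][key.strip()] = value.strip().strip('"')
    return services

def check_reply(requested_service, services, required=REQUIRED_ATTRS):
    """Tell the two failure modes apart: no block for the requested service
    (tac_plus returns no AVPs), versus attributes present but named in another
    case. Exact comparison is an assumption, not confirmed by the thread."""
    avps = services.get(requested_service)
    if avps is None:
        return {"service_found": False, "missing": list(required), "case_only": []}
    folded = {k.upper() for k in avps}
    missing = [a for a in required if a not in avps and a.upper() not in folded]
    case_only = [a for a in required if a not in avps and a.upper() in folded]
    return {"service_found": True, "missing": missing, "case_only": case_only}
```

Running `check_reply("linuxlogin", parse_service_blocks(SAMPLE_CONF))` reproduces the "no attributes" situation from the log, while `check_reply("adva-exec", ...)` shows all four attributes present but only under lowercase names.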


