Greetings,<br><br>I'm writing to ask that a blurb be placed in the tac_plus users_guide, faq or man page so that others may not suffer the same excruciating debug session to discover why PAM and tac_plus didn't work together the way I thought they should:<br>
<br><div style="margin-left: 40px;">Be aware that when the tac_plus daemon runs as a non-root user (as is the default in FreeBSD /usr/ports), it will not be able to authenticate using the pam_unix.so module. This is because the system function getpwnam() called by pam_unix.so requires root privileges to retrieve the password to validate from the /etc/master.passwd or /etc/shadow file. The symptom will be that for each authentication that is attempted, the password will appear to be wrong whether it was typed correctly or not.<br>
</div><br>The maddening bit was that by default, PAM debug messages are suppressed in tac_plus via the PAM_SILENT flag passed to pam_authenticate() in the pwlib.c source file. This was compounded by FreeBSD also hard coding that all libpam debug messages be disabled as well. Once those hurdles were cleared, the culpable system function was identified. After inserting some additional debug statements, it was obvious what the problem was. Too obvious as it turned out. I should have known better.<br>
<br>Cheers,<br><br>Aaron M. Scarisbrick<br><br>
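A startup preflight for the failure described in the message above, as an added example that is not part of the original message or of tac_plus: it reports whether the current effective UID can read a password hash for an account, so the condition is logged once instead of surfacing as "wrong password" on every login. The function names, the default account name and the placeholder values ("x", "*", empty) are assumptions of this example.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <shadow.h>
#endif

/* 1 if pw_passwd carries a real hash, 0 if it is only a placeholder.
 * Assumption: "x", "*" and "" are the placeholders handed to callers
 * that may not read /etc/shadow or /etc/master.passwd. */
int hash_visible(const struct passwd *pw)
{
    const char *p = pw ? pw->pw_passwd : NULL;
    if (p == NULL || p[0] == '\0')
        return 0;
    return strcmp(p, "x") != 0 && strcmp(p, "*") != 0;
}

/* 1 = hash readable by this process, 0 = not readable, -1 = unknown user */
int can_read_hash(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    if (hash_visible(pw))
        return 1;                    /* hash came back with the passwd entry */
#ifdef __linux__
    return getspnam(user) != NULL;   /* shadow lookup fails when unprivileged */
#else
    return 0;                        /* e.g. FreeBSD: non-root only sees "*" */
#endif
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";  /* assumed test account */
    int r = can_read_hash(user);
    if (r < 0) {
        fprintf(stderr, "unknown user %s\n", user);
        return 2;
    }
    if (r == 0)
        fprintf(stderr, "euid %ld cannot read the password hash for %s; "
                "pam_unix may fail every login\n", (long)geteuid(), user);
    return r == 1 ? 0 : 1;
}
```

Run it as the same user the daemon runs as; exit status 1 means the hash is not readable under that UID.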