<div dir="ltr">No. I don't use a tac_plus file in pam.d.<div><br></div><div>I think your issue right now is that your config is expecting to see userid@domain rather than just userid.</div><div><br></div><div>My TACACS+ is not dependent on LDAP. I do have access to an environment that is authenticating against LDAP though.</div><div><br></div><div>Login to the local box is done with simple username/pw pair. No need to specify domain.</div><div><br></div><div>This is the contents of their /etc/pam.d/tac_plus</div><div><br></div><div><div><font face="monospace, monospace">[root@#### pam.d]# cat tac_plus</font></div><div><font face="monospace, monospace">#%PAM-1.0</font></div><div><font face="monospace, monospace">auth required pam_nologin.so</font></div><div><font face="monospace, monospace">auth include system-auth</font></div><div><font face="monospace, monospace">account include system-auth</font></div><div><font face="monospace, monospace">password include system-auth</font></div><div><font face="monospace, monospace">session include system-auth</font></div></div><div><br></div><div>And since it simply points to system-auth for everything, here is the contents of system-auth:</div><div><br></div><div><div><font face="monospace, monospace">[root@#### pam.d]# cat system-auth</font></div><div><font face="monospace, monospace">#%PAM-1.0</font></div><div><font face="monospace, monospace"># This file is auto-generated.</font></div><div><font face="monospace, monospace"># User changes will be destroyed the next time authconfig is run.</font></div><div><font face="monospace, monospace">auth required pam_env.so</font></div><div><font face="monospace, monospace">auth sufficient pam_unix.so nullok try_first_pass</font></div><div><font face="monospace, monospace">auth requisite pam_succeed_if.so uid >= 500 quiet</font></div><div><font face="monospace, monospace">auth sufficient pam_ldap.so use_first_pass</font></div><div><font face="monospace, monospace">auth required pam_deny.so</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">account required pam_access.so</font></div><div><font face="monospace, monospace">account required pam_unix.so broken_shadow</font></div><div><font face="monospace, monospace">account sufficient pam_localuser.so</font></div><div><font face="monospace, monospace">account sufficient pam_succeed_if.so uid < 500 quiet</font></div><div><font face="monospace, monospace">account [default=bad success=ok user_unknown=ignore] pam_ldap.so</font></div><div><font face="monospace, monospace">account required pam_permit.so</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">password requisite pam_cracklib.so retry=3</font></div><div><font face="monospace, monospace">password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok</font></div><div><font face="monospace, monospace">password sufficient pam_ldap.so use_authtok</font></div><div><font face="monospace, monospace">password required pam_deny.so</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">session optional pam_keyinit.so revoke</font></div><div><font face="monospace, monospace">session required pam_limits.so</font></div><div><font face="monospace, monospace">session optional pam_oddjob_mkhomedir.so skel=/etc/skel umask=0077</font></div><div><font face="monospace, monospace">session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid</font></div><div><font face="monospace, monospace">session required pam_unix.so</font></div><div><font face="monospace, monospace">session optional pam_ldap.so</font></div></div><div><br></div><div><br></div><div>This particular box is running Centos 6.3.</div><div><br></div><div><br></div><div>Note that since tac_plus simply points to system-auth, it doesn't really have any impact at all. I use password = PAM on my tac_plus setup without any specific tac_plus PAM configuration file.</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div>--</div>John Fraizer<div>LinkedIn profile: <a href="http://www.linkedin.com/in/johnfraizer/" target="_blank">http://www.linkedin.com/in/johnfraizer/</a></div><div><br><div><span style="color:rgb(53,53,53);font-family:Arial,sans-serif;font-size:12px;line-height:12px;background-color:rgb(244,244,244)"><br></span></div></div></div></div></div>
<br><div class="gmail_quote">On Tue, Mar 31, 2015 at 10:02 AM, Matt Almgren <span dir="ltr"><<a href="mailto:matta@surveymonkey.com" target="_blank">matta@surveymonkey.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>
<div>John, I would love for it to be that simple. </div>
<div><br>
</div>
<div>Correct, we can login to the box using AD credentials and it works just fine. </div>
<div><br>
</div>
<div>i.e. "ssh matt@domain@hostname" works just fine ..</div>
<div><br>
</div>
<div>I’m waiting on a domain account in AD to try out straight LDAP authentication. </div>
<div><br>
</div>
<div>Just to be sure, you don’t use a /etc/pam.d/tac_plus file? If you do, what are it’s contents?</div>
<div><br>
</div>
<div>Thanks, Matt</div>
<div><br>
</div>
<div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>John Fraizer <<a href="mailto:john@op-sec.us" target="_blank">john@op-sec.us</a>><span class=""><br>
<span style="font-weight:bold">Date: </span>Tuesday, March 31, 2015 at 9:50 AM<br>
<span style="font-weight:bold">To: </span>Matt Almgren <<a href="mailto:matta@surveymonkey.com" target="_blank">matta@surveymonkey.com</a>><br>
</span><span style="font-weight:bold">Cc: </span>heasley <<a href="mailto:heas@shrubbery.net" target="_blank">heas@shrubbery.net</a>>, "<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a>" <<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a>><span class=""><br>
<span style="font-weight:bold">Subject: </span>Re: [tac_plus] Authentication using Likewise and AD<br>
</span></div><div><div class="h5">
<div><br>
</div>
<div>
<div>
<div dir="ltr">If you can authenticate to the local box using LDAP (as in, you can log in via SSH using a username/pw pair that is authenticated against LDAP), you should be able to just tell tac_plus password = PAM.
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div>
<div dir="ltr">
<div>--</div>
John Fraizer
<div>LinkedIn profile: <a href="http://www.linkedin.com/in/johnfraizer/" target="_blank">
http://www.linkedin.com/in/johnfraizer/</a></div>
<div><br>
<div><span style="color:rgb(53,53,53);font-family:Arial,sans-serif;font-size:12px;line-height:12px;background-color:rgb(244,244,244)"><br>
</span></div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Tue, Mar 31, 2015 at 9:23 AM, Matt Almgren <span dir="ltr">
<<a href="mailto:matta@surveymonkey.com" target="_blank">matta@surveymonkey.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span><br>
>you want to verify that the user exists in the local unix password file<br>
<br>
</span>But I don’t want it to use the local password file. I want it to pass the<br>
login name to the configured LDAP server that Likewise already knows<br>
about. I *think* this is the way it should work.<br>
<div>
<div><br>
<br>
<br>
<br>
<br>
On 3/31/15, 9:19 AM, "heasley" <<a href="mailto:heas@shrubbery.net" target="_blank">heas@shrubbery.net</a>> wrote:<br>
<br>
>Tue, Mar 31, 2015 at 02:32:37PM +0000, Matt Almgren:<br>
>> Hey there Heasley,<br>
>><br>
>> I have been successful with local authentication using /etc/passwd and<br>
>> DES. So I know that TACACS and the switch are talking to each other<br>
>>well.<br>
>><br>
>> As for the contents of my pam config, well I¹ve tried numerous things.<br>
>><br>
>> Here¹s a few examples:<br>
>><br>
>> 1)<br>
>> auth include common-auth<br>
>> account required pam_nologin.so<br>
>> account include common-auth<br>
>> password include common-auth<br>
>> session optional pam_keyinit.so force revoke<br>
>> session include common-auth<br>
>> session required pam_loginuid.so<br>
>><br>
>><br>
>> Which produces this common error in /var/log/auth.log:<br>
>><br>
>> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth):<br>
>>check<br>
>> pass; user unknown<br>
>> Mar 31 07:12:44 sjc-tools01 tac_plus[8384]: pam_unix(tac_plus:auth):<br>
>> authentication failure; logname=DOMAIN\matta uid=0 euid=0 tty= ruser=<br>
>> rhost=<br>
><br>
>this seems to be your issue; it looks like pam_unix is receiving a<br>
>ldap-like<br>
>username, but thats not something it can handle, afaik. if Likewise is<br>
>ldap-like and you want to verify that the user exists in the local unix<br>
>password file, then you would need a pam module that strips the "DOMAIN\\"<br>
>portion of the username before calling the passwd handling library<br>
>functions.<br>
<br>
_______________________________________________<br>
tac_plus mailing list<br>
<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a><br>
<a href="http://www.shrubbery.net/mailman/listinfo/tac_plus" target="_blank">http://www.shrubbery.net/mailman/listinfo/tac_plus</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div></div></span>
</div>
</blockquote></div><br></div>