AD Login Failed. Error: Password incorrect.


Oleg Kochetkov

May 17, 2016, 8:34:06 AM
to Event-Driven Servers
Hello!

mavistest shows that everything is OK, but the switch shows "Error: Password incorrect." Below is the logging output and the configuration file.

/usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TACPLUS onkoche1 mypass

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-27984-1463475785-0
USER                onkoche1
PASSWORD            mypass
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-27984-1463475785-0
USER                onkoche1
RESULT              ACK
PASSWORD            mypass
SERIAL              AVGeMmjd9Ew5TnVlcmQZXA=
DBPASSWORD          mypass
TACMEMBER           "testuser"
TACTYPE             AUTH


Log files show the error below.

May 17 11:17:54 rad-ldap tac_plus[1713]: 172.22.137.142: shell login for 'onkoche1' from 195.122.226.27 on vty0 failed (no such user)


tac_plus.cfg

#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
         access log = /var/log/tac_plus/access/%Y%m%d.log
         accounting log = /var/log/tac_plus/acct/%Y%m%d.log
         authentication log = /var/log/tac_plus/authentication/%Y%m%d.log
         authorization log = /var/log/tac_plus/authorization/%Y%m%d.log


        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "AD01:3268 AD02:3268"
#               setenv LDAP_SCOPE = sub
                setenv LDAP_BASE = "dc=my,dc=company,dc=local"
#               setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
                setenv LDAP_USER = "techaccount@mydomain"
                setenv LDAP_PASSWD = "********"
                setenv AD_GROUP_PREFIX = "0400 DL CMRNN tacacs"
                setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis

        host = world {
                address = ::/0
                prompt = "Welcome\n"
                enable 15 = clear secret
                key = cisco
        }

        group = admin {
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        group = guest {
                default service = permit
                enable = deny
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 1
                }
        }

        group = "testuser" {
            message = "[Admin privileges]"
            default service = permit
            service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
            }
        }


        user = cisco {
                password = clear cisco
                member = admin
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        user = readonly {
                password = clear readonly
                member = guest
        }
}

Thanks

Oleg Kochetkov

May 17, 2016, 8:34:06 AM
to Event-Driven Servers
Hello!

mavistest shows that everything is OK. Below is my logging output and configuration file.

/usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TACPLUS onkoche1 mypass

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-27984-1463475785-0
USER                onkoche1
PASSWORD            mypass
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-27984-1463475785-0
USER                onkoche1
RESULT              ACK
PASSWORD            mypass
SERIAL              AVGeMmjd9Ew5TnVlcmQZXA=
DBPASSWORD          mypass
TACMEMBER           "testuser"
TACTYPE             AUTH


Log files both show the error below.

May 17 11:17:54 rad-ldap tac_plus[1713]: 172.22.137.142: shell login for 'onkoche1' from 195.122.226.27 on vty0 failed (no such user)


tac_plus.cfg

#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
         access log = /var/log/tac_plus/access/%Y%m%d.log
         accounting log = /var/log/tac_plus/acct/%Y%m%d.log
         authentication log = /var/log/tac_plus/authentication/%Y%m%d.log
         authorization log = /var/log/tac_plus/authorization/%Y%m%d.log


        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "10.34.6.1:3268 10.34.6.2:3268"
#               setenv LDAP_SCOPE = sub
                setenv LDAP_BASE = "dc=my,dc=company,dc=local"
#               setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
                setenv LDAP_USER = "techaccount@domain"
                setenv LDAP_PASSWD = "*********"


Thanks.


Daniel Hartmeier

May 17, 2016, 9:08:50 AM
to event-driv...@googlegroups.com
On Tue, May 17, 2016 at 02:16:07AM -0700, Oleg Kochetkov wrote:

> TACMEMBER "testuser"

Does your group name in AD actually contain quotes?

> setenv AD_GROUP_PREFIX = "0400 DL CMRNN tacacs"

So the full group name is actually

0400 DL CMRNN tacacs "testuser"

If so

> group = admin {
> group = "testuser" {

will not match, because the config parser is consuming the quotes here,
instead try

group = "\"testuser\"" {

HTH,
Daniel

Oleg Kochetkov

May 17, 2016, 10:14:19 AM
to Event-Driven Servers, dan...@benzedrine.ch
Thanks for the quick response. The full group name is 0400 DL CMRNN tacacstestuser, but the script returns (TACMEMBER "testuser") with quotes.

On Tuesday, 17 May 2016 at 16:08:50 UTC+3, Daniel Hartmeier wrote:

Daniel Hartmeier

May 19, 2016, 9:27:53 AM
to event-driv...@googlegroups.com
On Tue, May 17, 2016 at 07:14:18AM -0700, Oleg Kochetkov wrote:

> Thanks for the quick response. Full group name is 0400 DL CMRNN
> tacacstestuser, but script return (TACMEMBER "testuser") with
> quotes.

You can try calling the mavis perl script directly with a shell script
like

#!/bin/sh

export LDAP_SERVER_TYPE="microsoft"
export LDAP_HOSTS="AD01:3268 AD02:3268"
export LDAP_BASE="dc=my,dc=company,dc=local"
export LDAP_USER="techaccount@mydomain"
export LDAP_PASSWD="********"
export AD_GROUP_PREFIX="0400 DL CMRNN tacacs"
export REQUIRE_TACACS_GROUP_PREFIX=1

printf '0 TACPLUS\n4 onkoche1\n8 mypass\n49 AUTH\n=\n' | \
/usr/local/lib/mavis/mavis_tacplus_ldap.pl

The output should contain lines

6 ACK
47 testuser

Or do you see quotes there?

Daniel

tseliko...@gmail.com

Jul 7, 2016, 12:39:01 PM
to Event-Driven Servers, dan...@benzedrine.ch
Hi, Daniel!
The script returns the following

0 TACPLUS
4 antselik
6 NAK
8 MYPASSWORD
49 AUTH
=0



On Thursday, 19 May 2016 at 16:27:53 UTC+3, Daniel Hartmeier wrote:

tseliko...@gmail.com

Jul 7, 2016, 12:39:01 PM
to Event-Driven Servers, dan...@benzedrine.ch
Now I see this:

0 TACPLUS
4 antselik
6 ACK
8 mypass
36 mypass
47 " DL CMRNN tacacstestuser"
49 AUTH
=0


On Thursday, 19 May 2016 at 16:27:53 UTC+3, Daniel Hartmeier wrote:

Daniel Hartmeier

Jul 8, 2016, 4:21:01 AM
to tseliko...@gmail.com, Event-Driven Servers
On Thu, Jul 07, 2016 at 06:22:27AM -0700, tseliko...@gmail.com wrote:

> Now I see this:
>
> 0 TACPLUS
> 4 antselik
> 6 ACK
> 8 mypass
> 36 mypass
> 47 " DL CMRNN tacacstestuser"
> 49 AUTH
> =0

Weird. The group name and prefix is all ASCII characters?

What's the output of

ldapsearch -H host -D account -w password -b base -LLL -o ldif-wrap=no "(samaccountname=antselik)" memberOf

and

grep -A 5 tacacsGroupPrefix /usr/local/lib/mavis/mavis_tacplus_ldap.pl

Daniel

tseliko...@gmail.com

Jul 8, 2016, 4:46:28 AM
to Event-Driven Servers, tseliko...@gmail.com, dan...@benzedrine.ch
Hi, Daniel! Thanks for the quick response.
"The group name and prefix is all ASCII characters?" - Yes

The first command has not received anything yet :(

grep -A 5 tacacsGroupPrefix /usr/local/lib/mavis/mavis_tacplus_ldap.pl :

# corresponding "tacacsadmin" ADS group. See $tacacsGroupPrefix
# and $require_tacacsGroupPrefix in the code.

                group = admin {
                        default service = permit
                        service = shell {
                                default command = permit
--
my $tacacsGroupPrefix   = 'tacacs';
my $require_tacacsGroupPrefix = undef;
my $unlimit_ad_group_membership = undef;
my $expand_ad_group_membership = undef;

$LDAP_SERVER_TYPE               = $ENV{'LDAP_SERVER_TYPE'} if exists $ENV{'LDAP_SERVER_TYPE'};
$flag_chpass                    = $ENV{'FLAG_CHPW'} if exists $ENV{'FLAG_CHPW'};
--
$tacacsGroupPrefix      = $ENV{'TACACS_GROUP_PREFIX'} if exists $ENV{'TACACS_GROUP_PREFIX'};
$tacacsGroupPrefix      = $ENV{'TACACS_AD_GROUP_PREFIX'} if exists $ENV{'TACACS_AD_GROUP_PREFIX'};
$tacacsGroupPrefix      = $ENV{'AD_GROUP_PREFIX'} if exists $ENV{'AD_GROUP_PREFIX'};
$require_tacacsGroupPrefix = $ENV{'REQUIRE_TACACS_GROUP_PREFIX'} if exists $ENV{'REQUIRE_TACACS_GROUP_PREFIX'};
$require_tacacsGroupPrefix = $ENV{'REQUIRE_TACACS_AD_GROUP_PREFIX'} if exists $ENV{'REQUIRE_TACACS_AD_GROUP_PREFIX'};
$require_tacacsGroupPrefix = $ENV{'REQUIRE_AD_GROUP_PREFIX'} if exists $ENV{'REQUIRE_AD_GROUP_PREFIX'};
$unlimit_ad_group_membership = $ENV{'UNLIMIT_AD_GROUP_MEMBERSHIP'} if exists $ENV{'UNLIMIT_AD_GROUP_MEMBERSHIP'};
$expand_ad_group_membership = $ENV{'EXPAND_AD_GROUP_MEMBERSHIP'} if exists $ENV{'EXPAND_AD_GROUP_MEMBERSHIP'};

unless (defined $flag_use_memberof) {
        foreach my $v ('TACACS_GROUP_PREFIX', 'REQUIRE_TACACS_GROUP_PREFIX', 'UNLIMIT_AD_GROUP_MEMBERSHIP',
--
                                foreach $m (sort grep { /^CN=$tacacsGroupPrefix[^,]*,/i } @$val) {
                                        $m =~ s/^CN=$tacacsGroupPrefix([^,]*),.*$/$1/i;
                                        if ($m) {
                                                if (exists $V[AV_A_TACMEMBER]) {
                                                        $V[AV_A_TACMEMBER] .= ',"' . $m . '"';
                                                } else {
                                                        $V[AV_A_TACMEMBER] = '"' . $m . '"';
--
                        if (defined ($require_tacacsGroupPrefix) && !defined($V[AV_A_TACMEMBER])){
                                goto fail;
                        }
                }

                if (defined($flag_authorize_only) && $V[AV_A_TACTYPE] ne AV_V_TACTYPE_INFO){




On Friday, 8 July 2016 at 11:21:01 UTC+3, Daniel Hartmeier wrote:

tseliko...@gmail.com

Jul 8, 2016, 5:10:17 AM
to Event-Driven Servers, tseliko...@gmail.com, dan...@benzedrine.ch
Daniel, should the second command look like this?

ldapsearch -H ldap://ip.ip.ip.ip:3268 -D ldap...@mydomain.com -w passwd ldapuserpassword -b basedn 0400 DL CMRNN tacacstestuser  -LLL -o ldif-wrap=no "(samaccountname=antselik)" memberOf  ?

I have a problem:(



On Friday, 8 July 2016 at 11:21:01 UTC+3, Daniel Hartmeier wrote:

Daniel Hartmeier

Jul 8, 2016, 5:10:23 AM
to event-driv...@googlegroups.com, tseliko...@gmail.com
On Fri, Jul 08, 2016 at 01:46:28AM -0700, tseliko...@gmail.com wrote:

> The first command have not yet received :(

Insert the right host, account, password, and base into the command,
those were meant as placeholders. You can take the values from your
tac_plus.cfg setenv LDAP_* section.

Daniel

Daniel Hartmeier

Jul 8, 2016, 5:27:24 AM
to event-driv...@googlegroups.com, tseliko...@gmail.com
On Fri, Jul 08, 2016 at 02:10:17AM -0700, tseliko...@gmail.com wrote:

> Daniel, the second commad should look lake this?
>
> ldapsearch -H ldap://ip.ip.ip.ip:3268 -D ldap...@mydomain.com -w passwd
> ldapuserpassword -b basedn 0400 DL CMRNN tacacstestuser -LLL -o
> ldif-wrap=no "(samaccountname=antselik)" memberOf ?

-D with LDAP_USER
-w with LDAP_PASSWD
-b with LDAP_BASE

See the man page of ldapsearch...

Daniel

tseliko...@gmail.com

Jul 8, 2016, 5:56:17 AM
to Event-Driven Servers, tseliko...@gmail.com, dan...@benzedrine.ch
Daniel, it happened :)

memberOf: CN=0400 DL CMRNN tacacstestuser,OU=Comstar,OU=Groups,OU=AD Infrastructure Support,OU=00,OU=04,OU=Systems,DC=mydomain,DC=mydomain,DC=com


On Friday, 8 July 2016 at 12:10:23 UTC+3, Daniel Hartmeier wrote:

Daniel Hartmeier

Jul 8, 2016, 6:21:23 AM
to tseliko...@gmail.com, Event-Driven Servers
On Thu, Jul 07, 2016 at 06:22:27AM -0700, tseliko...@gmail.com wrote:

> Now I see this:
>
> 0 TACPLUS
> 4 antselik
> 6 ACK
> 8 mypass
> 36 mypass
> 47 " DL CMRNN tacacstestuser"
> 49 AUTH
> =0

Are you sure you're using

AD_GROUP_PREFIX="0400 DL CMRNN tacacs"

and not just

AD_GROUP_PREFIX=0400

or missing the quotes there somewhere?

I see your version of mavis_tacplus_ldap.pl adds the quotes,
so that mystery is solved. This fits the most recent version
on

http://www.pro-bono-publico.de/projects/unpacked/mavis/perl/mavis_tacplus_ldap.pl

Mine is older and doesn't add the quotes.

Your tac_plus binary is built from equally new sources?

Daniel
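To make the prefix handling discussed above visible, here is an added Python reimplementation of the group-extraction step shown in the grep output from mavis_tacplus_ldap.pl (example code written for this thread, not the project's own; the Perl regex is mirrored, with the prefix escaped rather than interpolated as a pattern). The memberOf list is constructed around the DN from the ldapsearch reply, and the second call shows why a prefix of just 0400 produces the " DL CMRNN tacacstestuser" value seen in the raw script output.

```python
import re

# Constructed sample memberOf values: the first DN is the group from the
# ldapsearch reply in this thread, the other two are made up here.
THREAD_GROUP_DN = ("CN=0400 DL CMRNN tacacstestuser,OU=Comstar,OU=Groups,"
                   "OU=AD Infrastructure Support,OU=00,OU=04,OU=Systems,"
                   "DC=mydomain,DC=mydomain,DC=com")
SAMPLE_MEMBER_OF = [
    THREAD_GROUP_DN,
    "CN=0400 DL CMRNN tacacsadmin,OU=Groups,DC=mydomain,DC=com",
    "CN=Domain Users,CN=Users,DC=mydomain,DC=com",
]


def tacmember_from_memberof(member_of, prefix, quote=True):
    """Mirror of the Perl loop (sort grep /^CN=$prefix[^,]*,/i, then
    s/^CN=$prefix([^,]*),.*$/$1/i): keep DNs whose CN starts with the
    prefix, strip it, and join what is left as the TACMEMBER value.
    quote=True is the newer script (names wrapped in double quotes),
    quote=False the older one that does not add them."""
    # Perl interpolates the prefix into the pattern unescaped; escaping it
    # here only matters if the prefix contains regex metacharacters.
    pat = re.compile(r"^CN=" + re.escape(prefix) + r"([^,]*),", re.IGNORECASE)
    names = []
    for dn in sorted(member_of):
        m = pat.match(dn)
        if m and m.group(1):      # Perl: if ($m) after the substitution
            names.append(m.group(1))
    if not names:
        return None               # AV_A_TACMEMBER stays undefined
    fmt = '"%s"' if quote else "%s"
    return ",".join(fmt % n for n in names)


def mavis_auth_result(member_of, prefix, require_prefix, quote=True):
    """Reduced model of the decision after the group scan (the LDAP bind
    that checks the password is left out): with REQUIRE_TACACS_GROUP_PREFIX
    set and no matching group the request fails (6 NAK); otherwise it is
    6 ACK and TACMEMBER (attribute 47) carries the stripped names."""
    tacmember = tacmember_from_memberof(member_of, prefix, quote)
    if require_prefix and tacmember is None:
        return "NAK", None
    return "ACK", tacmember


if __name__ == "__main__":
    # Full prefix: TACMEMBER becomes "admin","testuser".
    print(mavis_auth_result(SAMPLE_MEMBER_OF, "0400 DL CMRNN tacacs", True))
    # Prefix of only 0400 (Daniel's guess): the leftover is the odd value
    # " DL CMRNN tacacstestuser" quoted earlier in this thread.
    print(mavis_auth_result([THREAD_GROUP_DN], "0400", True))
```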

tseliko...@gmail.com

Jul 8, 2016, 6:45:46 AM
to Event-Driven Servers, tseliko...@gmail.com, dan...@benzedrine.ch
Yes, it works when AD_GROUP_PREFIX=0400.
I will try to rebuild tac_plus.
Thank you very much, it helped.


On Friday, 8 July 2016 at 13:21:23 UTC+3, Daniel Hartmeier wrote:

tseliko...@gmail.com

Jul 12, 2016, 4:30:03 AM
to Event-Driven Servers, tseliko...@gmail.com, dan...@benzedrine.ch
Hi, Daniel! Help please.
The tac_plus logs now show:

172.22.137.142  antselik        vty0    x.x.x.x  shell login failed ()

Previously: 

172.22.137.142: shell login for 'antselik' from x.x.x.x on vty0 failed (no such user)

root@rad-ldap:/var/log/tac_plus/access# /usr/local/bin/mavistest /usr/local/etc/tac_plus_ants.cfg tac_plus TACPLUS antselik mypass

Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-25657-1468311821-0
USER                antselik
RESULT              ACK
PASSWORD            mypass
SERIAL              6mwDdkH07YYQTc3dT+3MLg=
DBPASSWORD          my pass
TACMEMBER           "testuser"
TACTYPE             AUTH
PASSWORD_ONESHOT    1

setenv AD_GROUP_PREFIX = "0400 DL CMRNN tacacs"

When logging in to the switch:

Username:antselik
Password:
Error:
       An error occured while parsing your user profile. Please ask your TACACS+
administrator to have a look at the TACACS+ logs and

tac_plus was reinstalled. The installed version is now DEVEL.201607021603.tar.bz2.

Andrew

On Friday, 8 July 2016 at 13:21:23 UTC+3, Daniel Hartmeier wrote:

tseliko...@gmail.com

Jul 13, 2016, 1:15:02 AM
to Event-Driven Servers, tseliko...@gmail.com, dan...@benzedrine.ch
It works ^___________^ Many thanks

On Friday, 8 July 2016 at 13:21:23 UTC+3, Daniel Hartmeier wrote: