tacacs on FreeBSD

Mike Barnard

unread,

Feb 23, 2010, 9:32:14 AM2/23/10

to Event-Driven Servers

Hi,

I am trying to get tacacs working on FreeBSD 7.2, authenticating using
Active Directory. I have done my configuration file and checked it for
errors and all is well. For some reason, I cannot get authenticated
from a test CISCO switch, i get no logs entries so I am blind on
that.

I do get to see that my attempts have failed by running show tacacs on
the CISCO switch. I have tried to telnet port 49 of the tacacs server
from the switch and I can get to it.

any pointers?

PS: Below is my conf file

#!/usr/local/bin/tac_plus
# spawnd Configuration. We want to listen on port 49, with a minimun
of one process and
# a maximum of 10 processes. We also want this to run in the
backgroud.

id = spawnd {
listen = {
port = 49
address=192.168.0.1
}
spawn = {
instances min = 1
instances max = 10
}
background = yes
}

# Tacacs+ Configuration options. NOTE: All that is required for
tac_plus is done in here. We are also
# going to use the MAVIS authentication modules.

id = tac_plus {
# Gobal configuration
access log = /var/log/tacacs/%Y/%m/%d/access.log
accounting log = /var/log/tacacs/%Y/%m/%d/accounting.log
umask = 0640
userid = tacacs
groupid = tacacs
# enable = login
login backend = mavis
pap backend = mavis

mavis module = external {

setenv LDAP_HOSTS = "192.168.0.2:389 192.168.0.3:389"
setenv LDAP_SCOPE = sub
setenv LDAP_BASE = "OU=Office Users,dc=mydomain,dc=com"
setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=
%s))"
setenv LDAP_USER = "DOMAIN\\nms"
setenv LDAP_PASSWD = "password"
setenv TACACS_GROUP_PREFIX = tacacs
# setenv REQUIRE_TACACS_GROUP_PREFIX = 1
setenv USE_TLS = 0
exec = /usr/local/lib/mavis/mavis_tacplus_ads.pl
}

# Host configuration
host = world {
address = ::/0
prompt = "\nWelcome\nHitherto shalt thou come, but no further.
\n\n"
key = 0uLR0
}

host = remoteoffice {
template = world
address = 172.19.67.0/25
}

host = remoteoffice1 {
template = world
address = 172.19.2.32/28
}

host = remoteoffice2 {
template = world
address = 172.19.20.0/24
}

# Users and Groups Configuration
# A user will be in the "admin" group if he's member of the
# corresponding "tacacsadmin" ADS group.

group = admin {
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}

# A user will be in the "helpdesk" group if he's member of the
# corresponding "tacacshelpdesk" ADS group:

group = helpdesk {
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 1
}
enable = deny
#member = admin@helpdesklab
}
}

Marc Huber

unread,

Feb 24, 2010, 6:24:30 AM2/24/10

to event-driv...@googlegroups.com

Hi Mike,

please add "user backend = mavis" to the tac_plus section. This will tell the daemon to actually query the AD server for users not defined in the plain-text file. I guess that part is missing in the sample configuration. My apologies ...

For testing authentication you may use the "mavistest" program:

mavistest /usr/local/etc/tac_plus.cfg tac_plus TACPLUS joe p4ssw0rd

or, with full debugging enabled:

mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TACPLUS joe p4ssw0rd

This may give some hints.

Cheers,

Marc

2010/2/23 Mike Barnard <mike.b...@gmail.com>

--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To post to this group, send email to event-driv...@googlegroups.com.
To unsubscribe from this group, send email to event-driven-ser...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/event-driven-servers?hl=en.

Mike Barnard

unread,

Feb 24, 2010, 8:43:21 AM2/24/10

to event-driv...@googlegroups.com

Hi Marc,

On Wed, Feb 24, 2010 at 2:24 PM, Marc Huber <marc.j...@googlemail.com> wrote:

Hi Mike,

please add "user backend = mavis" to the tac_plus section. This will tell the daemon to actually query the AD server for users not defined in the plain-text file. I guess that part is missing in the sample configuration. My apologies ...

I did add this when I went through the file again yesterday and restarted the application, but I still fail to login. I get nothing in the log files. This is what I get on the login attempt to the switch:

[mike@trinity] telnet 172.19.67.12
Trying 172.19.67.12...
Connected to 172.19.67.12.
Escape character is '^]'.

User Access Verification

Username: Kerberos: No default realm defined for Kerberos!

Username: mike
Password:

% Authentication failed.

For testing authentication you may use the "mavistest" program:

mavistest /usr/local/etc/tac_plus.cfg tac_plus TACPLUS joe p4ssw0rd

This returns nothing.

tacacs# /usr/local/bin/mavistest /usr/local/etc/tac_plus.conf tac_plus TACPLUS mike mypassword
tacacs#

or, with full debugging enabled:

mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TACPLUS joe p4ssw0rd

Now this dumps a whole lot of stuff on screen...:

tacacs# /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.conf tac_plus TACPLUS mike mypassword
30502: line=5 sym=[id] buf='id'
30502: line=5 sym=[=] buf='='
30502: line=5 sym=[<string>] buf='spawnd'
30502: line=5 sym=[{] buf='{'
30502: line=6 sym=[listen] buf='listen'
30502: line=6 sym=[=] buf='='
30502: line=6 sym=[{] buf='{'
30502: line=7 sym=[port] buf='port'
30502: line=7 sym=[=] buf='='
30502: line=7 sym=[<string>] buf='49'
30502: line=8 sym=[address] buf='address'
30502: line=8 sym=[=] buf='='
30502: line=8 sym=[<string>] buf='192.168.0.1'
30502: line=9 sym=[}] buf='}'
30502: line=10 sym=[spawn] buf='spawn'
30502: line=10 sym=[=] buf='='
30502: line=10 sym=[{] buf='{'
30502: line=11 sym=[instances] buf='instances'
30502: line=11 sym=[min] buf='min'
30502: line=11 sym=[=] buf='='
30502: line=11 sym=[<string>] buf='1'
30502: line=12 sym=[instances] buf='instances'
30502: line=12 sym=[max] buf='max'
30502: line=12 sym=[=] buf='='
30502: line=12 sym=[<string>] buf='10'
30502: line=13 sym=[}] buf='}'
30502: line=14 sym=[background] buf='background'
30502: line=14 sym=[=] buf='='
30502: line=14 sym=[yes] buf='yes'
30502: line=15 sym=[}] buf='}'
30502: line=20 sym=[id] buf='id'
30502: line=20 sym=[=] buf='='
30502: line=20 sym=[<string>] buf='tac_plus'
30502: line=20 sym=[{] buf='{'
30502: line=22 sym=[access] buf='access'
30502: line=22 sym=[log] buf='log'
30502: line=22 sym=[=] buf='='
30502: line=22 sym=[<string>] buf='/var/log/tacacs/2010/02/24/access.log'
30502: line=24 sym=[accounting] buf='accounting'
30502: line=24 sym=[log] buf='log'
30502: line=24 sym=[=] buf='='
30502: line=24 sym=[<string>] buf='/var/log/tacacs/2010/02/24/accounting.log'
30502: line=26 sym=[umask] buf='umask'
30502: line=26 sym=[=] buf='='
30502: line=26 sym=[<string>] buf='0640'
30502: line=27 sym=[userid] buf='userid'
30502: line=27 sym=[=] buf='='
30502: line=27 sym=[<string>] buf='tacacs'
30502: line=28 sym=[groupid] buf='groupid'
30502: line=28 sym=[=] buf='='
30502: line=28 sym=[<string>] buf='tacacs'
30502: line=30 sym=[login] buf='login'
30502: line=30 sym=[backend] buf='backend'
30502: line=30 sym=[=] buf='='
30502: line=30 sym=[mavis] buf='mavis'
30502: line=31 sym=[user] buf='user'
30502: line=31 sym=[backend] buf='backend'
30502: line=31 sym=[=] buf='='
30502: line=31 sym=[mavis] buf='mavis'
30502: line=32 sym=[pap] buf='pap'
30502: line=32 sym=[backend] buf='backend'
30502: line=32 sym=[=] buf='='
30502: line=32 sym=[mavis] buf='mavis'
30502: line=34 sym=[mavis] buf='mavis'
30502: line=34 sym=[module] buf='module'
30502: line=34 sym=[=] buf='='
30502: line=34 sym=[<string>] buf='external'
30502: line=34 sym=[{] buf='{'
30502: line=36 sym=[setenv] buf='setenv'
30502: line=36 sym=[<string>] buf='LDAP_HOSTS'
30502: line=36 sym=[=] buf='='
30502: line=36 sym=[<string>] buf='192.168.0.2:389 192.168.0.3:389'
30502: line=37 sym=[setenv] buf='setenv'
30502: line=37 sym=[<string>] buf='LDAP_SCOPE'
30502: line=37 sym=[=] buf='='
30502: line=37 sym=[<string>] buf='sub'
30502: line=39 sym=[setenv] buf='setenv'
30502: line=39 sym=[<string>] buf='LDAP_BASE'
30502: line=39 sym=[=] buf='='
30502: line=39 sym=[<string>] buf='dc=mydomain,dc=com'
30502: line=40 sym=[setenv] buf='setenv'
30502: line=40 sym=[<string>] buf='LDAP_FILTER'
30502: line=40 sym=[=] buf='='
30502: line=40 sym=[<string>] buf='(&(objectclass=user)(sAMAccountName=%s))'
30502: line=41 sym=[setenv] buf='setenv'
30502: line=41 sym=[<string>] buf='LDAP_USER'
30502: line=41 sym=[=] buf='='
30502: line=41 sym=[<string>] buf='ORANGE\nms'
30502: line=42 sym=[setenv] buf='setenv'
30502: line=42 sym=[<string>] buf='LDAP_PASSWD'
30502: line=42 sym=[=] buf='='
30502: line=42 sym=[<string>] buf='password'
30502: line=43 sym=[setenv] buf='setenv'
30502: line=43 sym=[<string>] buf='TACACS_GROUP_PREFIX'
30502: line=43 sym=[=] buf='='
30502: line=43 sym=[<string>] buf='tacacs'
30502: line=45 sym=[setenv] buf='setenv'
30502: line=45 sym=[<string>] buf='USE_TLS'
30502: line=45 sym=[=] buf='='
30502: line=45 sym=[<string>] buf='0'
30502: line=46 sym=[exec] buf='exec'
30502: line=46 sym=[=] buf='='
30502: line=46 sym=[<string>] buf='/usr/local/lib/mavis/mavis_tacplus_ads.pl'
30502: line=47 sym=[}] buf='}'
30502: line=50 sym=[host] buf='host'
30502: line=50 sym=[=] buf='='
30502: line=50 sym=[<string>] buf='world'
30502: line=50 sym=[{] buf='{'
30502: line=51 sym=[address] buf='address'
30502: line=51 sym=[=] buf='='
30502: line=51 sym=[<string>] buf='::/0'
30502: line=52 sym=[prompt] buf='prompt'
30502: line=52 sym=[=] buf='='
30502: line=52 sym=[<string>] buf='
Welcome

Hitherto shalt thou come, but no further.

'
30502: line=53 sym=[key] buf='key'
30502: line=53 sym=[=] buf='='
30502: line=53 sym=[<string>] buf='0uLR0'
30502: line=54 sym=[}] buf='}'
30502: line=56 sym=[host] buf='host'
30502: line=56 sym=[=] buf='='
30502: line=56 sym=[<string>] buf='remoteoffice'
30502: line=56 sym=[{] buf='{'
30502: line=57 sym=[template] buf='template'
30502: line=57 sym=[=] buf='='
30502: line=57 sym=[<string>] buf='world'
30502: line=58 sym=[address] buf='address'
30502: line=58 sym=[=] buf='='
30502: line=58 sym=[<string>] buf='172.19.67.0/25'
30502: line=59 sym=[}] buf='}'
30502: line=61 sym=[host] buf='host'
30502: line=61 sym=[=] buf='='
30502: line=61 sym=[<string>] buf='remoteoffice1'
30502: line=61 sym=[{] buf='{'
30502: line=62 sym=[template] buf='template'
30502: line=62 sym=[=] buf='='
30502: line=62 sym=[<string>] buf='world'
30502: line=63 sym=[address] buf='address'
30502: line=63 sym=[=] buf='='
30502: line=63 sym=[<string>] buf='172.19.2.32/28'
30502: line=64 sym=[}] buf='}'
30502: line=66 sym=[host] buf='host'
30502: line=66 sym=[=] buf='='
30502: line=66 sym=[<string>] buf='remoteoffice2'
30502: line=66 sym=[{] buf='{'
30502: line=67 sym=[template] buf='template'
30502: line=67 sym=[=] buf='='
30502: line=67 sym=[<string>] buf='world'
30502: line=68 sym=[address] buf='address'
30502: line=68 sym=[=] buf='='
30502: line=68 sym=[<string>] buf='172.19.20.0/24'
30502: line=79 sym=[}] buf='}'
30502: line=94 sym=[group] buf='group'
30502: line=94 sym=[=] buf='='
30502: line=94 sym=[<string>] buf='admin'
30502: line=94 sym=[{] buf='{'
30502: line=95 sym=[default] buf='default'
30502: line=95 sym=[service] buf='service'
30502: line=95 sym=[=] buf='='
30502: line=95 sym=[permit] buf='permit'
30502: line=96 sym=[service] buf='service'
30502: line=96 sym=[=] buf='='
30502: line=96 sym=[shell] buf='shell'
30502: line=96 sym=[{] buf='{'
30502: line=97 sym=[default] buf='default'
30502: line=97 sym=[command] buf='command'
30502: line=97 sym=[=] buf='='
30502: line=97 sym=[permit] buf='permit'
30502: line=98 sym=[default] buf='default'
30502: line=98 sym=[attribute] buf='attribute'
30502: line=98 sym=[=] buf='='
30502: line=98 sym=[permit] buf='permit'
30502: line=99 sym=[set] buf='set'
30502: line=99 sym=[<string>] buf='priv-lvl'
30502: line=99 sym=[=] buf='='
30502: line=99 sym=[<string>] buf='15'
30502: line=100 sym=[}] buf='}'
30502: line=101 sym=[}] buf='}'
30502: line=106 sym=[group] buf='group'
30502: line=106 sym=[=] buf='='
30502: line=106 sym=[<string>] buf='helpdesk'
30502: line=106 sym=[{] buf='{'
30502: line=107 sym=[default] buf='default'
30502: line=107 sym=[service] buf='service'
30502: line=107 sym=[=] buf='='
30502: line=107 sym=[permit] buf='permit'
30502: line=108 sym=[service] buf='service'
30502: line=108 sym=[=] buf='='
30502: line=108 sym=[shell] buf='shell'
30502: line=108 sym=[{] buf='{'
30502: line=109 sym=[default] buf='default'
30502: line=109 sym=[command] buf='command'
30502: line=109 sym=[=] buf='='
30502: line=109 sym=[permit] buf='permit'
30502: line=110 sym=[default] buf='default'
30502: line=110 sym=[attribute] buf='attribute'
30502: line=110 sym=[=] buf='='
30502: line=110 sym=[permit] buf='permit'
30502: line=111 sym=[set] buf='set'
30502: line=111 sym=[<string>] buf='priv-lvl'
30502: line=111 sym=[=] buf='='
30502: line=111 sym=[<string>] buf='1'
30502: line=112 sym=[}] buf='}'
30502: line=113 sym=[enable] buf='enable'
30502: line=113 sym=[=] buf='='
30502: line=113 sym=[deny] buf='deny'
30502: line=115 sym=[}] buf='}'
30502: line=117 sym=[}] buf='}'
30502: line=118 sym=[<end-of-file>] buf=''

Sorry, but I could not make out what this was all about :-). It looks like it parsed my configuration file line by line...

Regards,

Mike

--
Mike

Of course, you might discount this possibility, but remember that one in
a million chances happen 99% of the time.
------------------------------------------------------------

Marc Huber

unread,

Feb 24, 2010, 9:17:52 AM2/24/10

to event-driv...@googlegroups.com

Hi Mike,

first, can you please check whether the authentication script works stand-alone?

printf "0 TACPLUS\n4 mike\n8 yourpassword\n49 AUTH\n=\n" | env
LDAP_HOSTS="192.168.0.2:389 192.168.0.3:389" LDAP_SCOPE=sub
LDAP_BASE="OU=Office Users,dc=mydomain,dc=com" LDAP_FILTER =
'(&(objectclass=user)(sAMAccountName=%s))' LDAP_USER="DOMAIN\\nms"
LDAP_PASSWD="password" TACACS_GROUP_PREFIX=tacacs
/usr/local/lib/mavis/mavis_tacplus_ads.pl

If this doesn't work as expected: Please re-compile with debugging support:

make clean; configure --debug tac_plus; make install

Then call mavistest (with -d -1) again. Output should be more useful now ;-)

Cheers,

Marc

Mike Barnard

unread,

Feb 24, 2010, 9:32:35 AM2/24/10

to event-driv...@googlegroups.com

On Wed, Feb 24, 2010 at 5:17 PM, Marc Huber <marc.j...@googlemail.com> wrote:

Hi Mike,

first, can you please check whether the authentication script works stand-alone?

printf "0 TACPLUS\n4 mike\n8 yourpassword\n49 AUTH\n=\n" | env
LDAP_HOSTS="192.168.0.2:389 192.168.0.3:389" LDAP_SCOPE=sub
LDAP_BASE="OU=Office Users,dc=mydomain,dc=com" LDAP_FILTER =
'(&(objectclass=user)(sAMAccountName=%s))' LDAP_USER="DOMAIN\\nms"
LDAP_PASSWD="password" TACACS_GROUP_PREFIX=tacacs

/usr/local/lib/mavis/mavis_tacplus_ads.pl

This works well. I had actually tested this with success...

tacacs# printf "0 TACPLUS\n4 mike\n8 mypassword\n49 AUTH\n=\n" | perl mavis_tacplus_ads.pl
0 TACPLUS
4 mike
6 ACK
8 mypassword
36 mypassword
47 admin
49 AUTH
=0

What I did was to edit the mavis_tacplus_ads.pl file to include all my details other than pass them on command line... and I get authenticated with no problem.

If this doesn't work as expected: Please re-compile with debugging support:

make clean; configure --debug tac_plus; make install

Then call mavistest (with -d -1) again. Output should be more useful now ;-)

I still did recompile and I get the same output as above with an addition of these two lines at the end:

...
...
34012: + mavis_init
34012: - mavis_init: FATAL: no modules configured

That is weird, seeing that mavis is configured... unless I did something wrong :-/

Marc Huber

unread,

Feb 24, 2010, 9:45:32 AM2/24/10

to event-driv...@googlegroups.com

Hi Mike,

2010/2/24 Mike Barnard <mike.b...@gmail.com>:

> 34012: + mavis_init
> 34012: - mavis_init: FATAL: no modules configured

the module search path (usually /usr/local/lib/mavis/, IIRC) might not
match the actual module directory. Does setting

mavis path = ...

to the module directory (within the tac_plus section) help?

Cheers,

Marc

Marc Huber

unread,

Feb 24, 2010, 3:05:53 PM2/24/10

to Event-Driven Servers

Hi Mike,

ok, one problem with mavistest is that it doesn't really understand
the complete tac_plus (or ftpd or whatever) configuration and
basically only searches for the "mavis" keyword. This simplicistic
approach fails miserably in a couple of corner-cases.

Simply re-ordering the configuration file will make mavistest work --
just put all the "login/pap/user backend = mavis" declarations *after*
the "mavis module = external { ... }" block, then run mavistest again.
The output might give some pointers.

Thanks,

Marc

On 24 Feb., 15:45, Marc Huber <marc.j.hu...@googlemail.com> wrote:
> Hi Mike,
>

> 2010/2/24 Mike Barnard <mike.barna...@gmail.com>:

Mike Barnard

unread,

Feb 25, 2010, 12:43:54 AM2/25/10

to event-driv...@googlegroups.com

Hi Marc

On Wed, Feb 24, 2010 at 11:05 PM, Marc Huber <marc.j...@googlemail.com> wrote:

Hi Mike,

ok, one problem with mavistest is that it doesn't really understand
the complete tac_plus (or ftpd or whatever) configuration and
basically only searches for the "mavis" keyword. This simplicistic
approach fails miserably in a couple of corner-cases.

Simply re-ordering the configuration file will make mavistest work --
just put all the "login/pap/user backend = mavis" declarations *after*
the "mavis module = external { ... }" block, then run mavistest again.
The output might give some pointers.

Eureka, that seems to have worked well. I've moved the log/pap/user declarations right after the mavis module declaration and now I have some output... This is what I get now... although I still do not successfully login and still no log entries :-/

tacacs# /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.conf tac_plus TACPLUS mike mypassword

63724: line=5 sym=[id] buf='id'
63724: line=5 sym=[=] buf='='
63724: line=5 sym=[<string>] buf='spawnd'
63724: line=5 sym=[{] buf='{'
63724: line=6 sym=[listen] buf='listen'
63724: line=6 sym=[=] buf='='
63724: line=6 sym=[{] buf='{'
63724: line=7 sym=[port] buf='port'
63724: line=7 sym=[=] buf='='
63724: line=7 sym=[<string>] buf='49'
63724: line=8 sym=[address] buf='address'
63724: line=8 sym=[=] buf='='
63724: line=8 sym=[<string>] buf='192.168.0.1'
63724: line=9 sym=[}] buf='}'
63724: line=10 sym=[spawn] buf='spawn'
63724: line=10 sym=[=] buf='='
63724: line=10 sym=[{] buf='{'
63724: line=11 sym=[instances] buf='instances'
63724: line=11 sym=[min] buf='min'
63724: line=11 sym=[=] buf='='
63724: line=11 sym=[<string>] buf='1'
63724: line=12 sym=[instances] buf='instances'
63724: line=12 sym=[max] buf='max'
63724: line=12 sym=[=] buf='='
63724: line=12 sym=[<string>] buf='10'
63724: line=13 sym=[}] buf='}'
63724: line=14 sym=[background] buf='background'
63724: line=14 sym=[=] buf='='
63724: line=14 sym=[yes] buf='yes'
63724: line=15 sym=[}] buf='}'
63724: line=20 sym=[id] buf='id'
63724: line=20 sym=[=] buf='='
63724: line=20 sym=[<string>] buf='tac_plus'
63724: line=20 sym=[{] buf='{'
63724: line=22 sym=[access] buf='access'
63724: line=22 sym=[log] buf='log'
63724: line=22 sym=[=] buf='='
63724: line=22 sym=[<string>] buf='/var/log/tacacs/%Y/%m/%d/access.log'
63724: line=23 sym=[accounting] buf='accounting'
63724: line=23 sym=[log] buf='log'
63724: line=23 sym=[=] buf='='
63724: line=23 sym=[<string>] buf='/var/log/tacacs/%Y/%m/%d/accounting.log'
63724: line=24 sym=[umask] buf='umask'
63724: line=24 sym=[=] buf='='
63724: line=24 sym=[<string>] buf='0640'
63724: line=25 sym=[userid] buf='userid'
63724: line=25 sym=[=] buf='='
63724: line=25 sym=[<string>] buf='tacacs'
63724: line=26 sym=[groupid] buf='groupid'
63724: line=26 sym=[=] buf='='
63724: line=26 sym=[<string>] buf='tacacs'
63724: line=29 sym=[mavis] buf='mavis'
63724: line=29 sym=[module] buf='module'
63724: line=29 sym=[=] buf='='
63724: line=29 sym=[<string>] buf='external'
63724: + mavis_method_add(/usr/local/lib/mavis/libmavis_external.so)
63724: - mavis_method_add (OK)
63724: line=29 sym=[{] buf='{'
63724: line=31 sym=[setenv] buf='setenv'
63724: + mavis_parse
63724: + external:Mavis_parse
63724: line=31 sym=[<string>] buf='LDAP_HOSTS'
63724: line=31 sym=[=] buf='='
63724: line=31 sym=[<string>] buf='192.168.0.2:389 192.168.0.3:389'
63724: line=32 sym=[setenv] buf='setenv'
63724: line=32 sym=[<string>] buf='LDAP_SCOPE'
63724: line=32 sym=[=] buf='='
63724: line=32 sym=[<string>] buf='sub'
63724: line=34 sym=[setenv] buf='setenv'
63724: line=34 sym=[<string>] buf='LDAP_BASE'
63724: line=34 sym=[=] buf='='
63724: line=34 sym=[<string>] buf='dc=mydomain,dc=com'
63724: line=35 sym=[setenv] buf='setenv'
63724: line=35 sym=[<string>] buf='LDAP_FILTER'
63724: line=35 sym=[=] buf='='
63724: line=35 sym=[<string>] buf='(&(objectclass=user)(sAMAccountName=%s))'
63724: line=36 sym=[setenv] buf='setenv'
63724: line=36 sym=[<string>] buf='LDAP_USER'
63724: line=36 sym=[=] buf='='
63724: line=36 sym=[<string>] buf='ORANGE\nms'
63724: line=37 sym=[setenv] buf='setenv'
63724: line=37 sym=[<string>] buf='LDAP_PASSWD'
63724: line=37 sym=[=] buf='='
63724: line=37 sym=[<string>] buf='password'
63724: line=38 sym=[setenv] buf='setenv'
63724: line=38 sym=[<string>] buf='TACACS_GROUP_PREFIX'
63724: line=38 sym=[=] buf='='
63724: line=38 sym=[<string>] buf='tacacs'
63724: line=40 sym=[setenv] buf='setenv'
63724: line=40 sym=[<string>] buf='USE_TLS'
63724: line=40 sym=[=] buf='='
63724: line=40 sym=[<string>] buf='0'
63724: line=41 sym=[exec] buf='exec'
63724: line=41 sym=[=] buf='='
63724: line=41 sym=[<string>] buf='/usr/local/lib/mavis/mavis_tacplus_ads.pl'
63724: line=42 sym=[}] buf='}'
63724: - Mavis_parse = 0
63724: - mavis_parse
63724: line=44 sym=[login] buf='login'
63724: line=44 sym=[backend] buf='backend'
63724: line=44 sym=[=] buf='='
63724: line=44 sym=[mavis] buf='mavis'
63724: line=45 sym=[user] buf='user'
63724: line=45 sym=[backend] buf='backend'
63724: line=45 sym=[=] buf='='
63724: line=45 sym=[mavis] buf='mavis'
63724: line=46 sym=[pap] buf='pap'
63724: line=46 sym=[backend] buf='backend'
63724: line=46 sym=[=] buf='='
63724: line=46 sym=[mavis] buf='mavis'
63724: line=50 sym=[host] buf='host'
63724: line=50 sym=[=] buf='='
63724: line=50 sym=[<string>] buf='world'
63724: line=50 sym=[{] buf='{'
63724: line=51 sym=[address] buf='address'
63724: line=51 sym=[=] buf='='
63724: line=51 sym=[<string>] buf='::/0'
63724: line=52 sym=[prompt] buf='prompt'
63724: line=52 sym=[=] buf='='
63724: line=52 sym=[<string>] buf='

63724: + mavis_init
63724: + external:Mavis_init
63724:   + mavis_init_in
63724:    io_init
63724:    forking child number 0
63724:     io_register 6
63724:     io_register 7
63724:     io_register 9
63724:    io_set_i(9)
63724:   - mavis_init_in
63724: - Mavis_init = 0
63724: - mavis_init = 0
63724: + av_clear
63724: - av_clear
63724: av_set(TIMESTAMP) = mavistest-63724-1267075891-0
63724: av_set(TYPE) = TACPLUS
63724: av_set(USER) = mike
63724: av_set(TACTYPE) = AUTH
63724: av_set(PASSWORD) = mypassword

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-63724-1267075891-0
USER                mike
PASSWORD            mypassword
TACTYPE             AUTH

63724: + mavis_send
63724:   av_set(SERIAL) = J2kZ6mVwuVY/k5fIDOchwA=
63724: + external:Mavis_send
63724:    av_get(TYPE) = TACPLUS
63724:    av_get(SERIAL) = J2kZ6mVwuVY/k5fIDOchwA=
63724:   starting query on child 0 (J2kZ6mVwuVY/k5fIDOchwA=)
63724:    av_get(TYPE) = TACPLUS
63724:    av_get(DIGEST_MD5_USER) = (NULL)
63724:    av_get(UDATA) = (NULL)
63724:    av_get(TIMESTAMP) = mavistest-63724-1267075891-0
63724:    av_get(USER) = mike
63724:    av_get(DIGEST) = (NULL)
63724:    av_get(RESULT) = (NULL)
63724:    av_get(PATH) = (NULL)
63724:    av_get(PASSWORD) = mypassword
63724:    av_get(UID) = (NULL)
63724:    av_get(GID) = (NULL)
63724:    av_get(LIMIT) = (NULL)
63724:    av_get(TRANSPORT) = (NULL)
63724:    av_get(TRAFFICSHAPING) = (NULL)
63724:    av_get(IPADDR) = (NULL)
63724:    av_get(QUOTA_LIMIT) = (NULL)
63724:    av_get(QUOTA_PATH) = (NULL)
63724:    av_get(COMMENT) = (NULL)
63724:    av_get(CNONCE) = (NULL)
63724:    av_get(HOME) = (NULL)
63724:    av_get(ROOT) = (NULL)
63724:    av_get(SERIAL) = J2kZ6mVwuVY/k5fIDOchwA=
63724:    av_get(FTP_ANONYMOUS) = (NULL)
63724:    av_get(EMAIL) = (NULL)
63724:    av_get(GIDS) = (NULL)
63724:    av_get(SERVERIP) = (NULL)
63724:    av_get(TARIFF) = (NULL)
63724:    av_get(REALM) = (NULL)
63724:    av_get(DIGEST_URI) = (NULL)
63724:    av_get(ANON_INCOMING) = (NULL)
63724:    av_get(VHOST) = (NULL)
63724:    av_get(UMASK) = (NULL)
63724:    av_get(USER_RESPONSE) = (NULL)
63724:    av_get(AUTH_METHOD) = (NULL)
63724:    av_get(CLASS) = (NULL)
63724:    av_get(DIGEST_MD5_RESPONSE) = (NULL)
63724:    av_get(DBPASSWORD) = (NULL)
63724:    av_get(SCRAM_CLIENT_CHALLENGE) = (NULL)
63724:    av_get(SCRAM_SERVER_CHALLENGE) = (NULL)
63724:    av_get(SCRAM_SERVER_PROOF) = (NULL)
63724:    av_get(SCRAM_CLIENT_PROOF) = (NULL)
63724:    av_get(MAILCHECK_POST) = (NULL)
63724:    av_get(MAILCHECK_PRE) = (NULL)
63724:    av_get(TUNNEL) = (NULL)
63724:    av_get(CERTSUBJ) = (NULL)
63724:    av_get(DBCERTSUBJ) = (NULL)
63724:    av_get(TACCLIENT) = (NULL)
63724:    av_get(TACMEMBER) = (NULL)
63724:    av_get(TACPROFILE) = (NULL)
63724:    av_get(TACTYPE) = AUTH
63724:    av_get(PASSWDNEW) = (NULL)
63724:    av_get(CHALLENGE) = (NULL)
63724:    av_get(PASSWORD_ONESHOT) = (NULL)
63724:    av_get(PASSWORD_MUSTCHANGE) = (NULL)
63724:    av_get(SHELL) = (NULL)
63724:   + write_to_child
63724:    io_set_i(7)
63724:   - write_to_child
63724:   io_poll (0x800f0f160)
63724:   nchanges is 2
63724:   fd 7 ctx 0x800f32000
63724:   fd 7 cb = 0x801004230
63724:   + read_from_child
63724:    ../libmavis_external.c:464
63724:     av_get(SERIAL) = J2kZ6mVwuVY/k5fIDOchwA=
63724:    io_clr_i(7)
63724:    + av_clear
63724:    - av_clear
63724:     av_set(TYPE) = TACPLUS
63724:     av_set(TIMESTAMP) = mavistest-63724-1267075891-0
63724:     av_set(USER) = mike
63724:     av_set(RESULT) = ACK
63724:     av_set(PASSWORD) = mypassword
63724:     av_set(SERIAL) = J2kZ6mVwuVY/k5fIDOchwA=
63724:     av_set(DBPASSWORD) = mypassword
63724:     av_set(TACMEMBER) = admin
63724:     av_set(TACTYPE) = AUTH
63724:     av_get(SERIAL) = J2kZ6mVwuVY/k5fIDOchwA=
63724:   - read_from_child
63724: - Mavis_send = 0
63724: - mavis_send (0)

Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-63724-1267075891-0
USER                mike
RESULT              ACK
PASSWORD            mypassword
SERIAL              J2kZ6mVwuVY/k5fIDOchwA=
DBPASSWORD          mypassword
TACMEMBER           admin
TACTYPE             AUTH

63724: + mavis_drop
63724: + external:Mavis_drop
63724:   io_clr_i(7)
63724:   io_clr_o(7)
63724:   io_clr_i(6)
63724:   io_clr_o(6)
63724:   io_clr_i(9)
63724:   io_clr_o(9)
63724: - external:Mavis_drop
63724: - mavis_drop

Marc Huber

unread,

Feb 25, 2010, 6:07:12 AM2/25/10

to event-driv...@googlegroups.com

Hi Mike,

great, that means that backend communication is fine :-)

It's probably time to get deeper into debugging: Please add

debug = PACKET AUTHEN AUTHOR MAVIS

or, for complete debugging output,

debug = -1

to the tac_plus section, plus

debug redirect = /tmp/tac_plus-debug.log

Then restart the daemon. The log file should hopefully contain some
helpful information.

Cheers,

Marc

Mike Barnard

unread,

Feb 25, 2010, 7:48:04 AM2/25/10

to event-driv...@googlegroups.com

Hi Marc...

It's probably time to get deeper into debugging: Please add

debug = PACKET AUTHEN AUTHOR MAVIS

or, for complete debugging output,

debug = -1

to the tac_plus section, plus

debug redirect = /tmp/tac_plus-debug.log

I opted to do the debug = -1 for a complete debugging output. When i run the mavistest, I get some dump to the screen and something logged:

tacacs# /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.conf tac_plus TACPLUS mike mypassword

81276: line=5 sym=[id] buf='id'
81276: line=5 sym=[=] buf='='
81276: line=5 sym=[<string>] buf='spawnd'
81276: line=5 sym=[{] buf='{'
81276: line=6 sym=[listen] buf='listen'
81276: line=6 sym=[=] buf='='
81276: line=6 sym=[{] buf='{'
81276: line=7 sym=[port] buf='port'
81276: line=7 sym=[=] buf='='
81276: line=7 sym=[<string>] buf='49'
81276: line=8 sym=[address] buf='address'
81276: line=8 sym=[=] buf='='
81276: line=8 sym=[<string>] buf='192.168.0.1'
81276: line=9 sym=[}] buf='}'
81276: line=10 sym=[spawn] buf='spawn'
81276: line=10 sym=[=] buf='='
81276: line=10 sym=[{] buf='{'
81276: line=11 sym=[instances] buf='instances'
81276: line=11 sym=[min] buf='min'
81276: line=11 sym=[=] buf='='
81276: line=11 sym=[<string>] buf='1'
81276: line=12 sym=[instances] buf='instances'
81276: line=12 sym=[max] buf='max'
81276: line=12 sym=[=] buf='='
81276: line=12 sym=[<string>] buf='10'
81276: line=13 sym=[}] buf='}'
81276: line=14 sym=[background] buf='background'
81276: line=14 sym=[=] buf='='
81276: line=14 sym=[yes] buf='yes'
81276: line=15 sym=[}] buf='}'
81276: line=20 sym=[id] buf='id'
81276: line=20 sym=[=] buf='='
81276: line=20 sym=[<string>] buf='tac_plus'
81276: line=20 sym=[{] buf='{'
81276: line=22 sym=[debug] buf='debug'
81276: line=22 sym=[=] buf='='
81276: line=22 sym=[<string>] buf='-1'
81276: line=23 sym=[access] buf='access'
81276: line=23 sym=[log] buf='log'
81276: line=23 sym=[=] buf='='
81276: line=23 sym=[<string>] buf='/var/log/tacacs/%Y/%m/%d/access.log'
81276: line=24 sym=[accounting] buf='accounting'
81276: line=24 sym=[log] buf='log'
81276: line=24 sym=[=] buf='='
81276: line=24 sym=[<string>] buf='/var/log/tacacs/%Y/%m/%d/accounting.log'
81276: line=25 sym=[umask] buf='umask'
81276: line=25 sym=[=] buf='='
81276: line=25 sym=[<string>] buf='0640'
81276: line=26 sym=[userid] buf='userid'
81276: line=26 sym=[=] buf='='
81276: line=26 sym=[<string>] buf='tacacs'
81276: line=27 sym=[groupid] buf='groupid'
81276: line=27 sym=[=] buf='='
81276: line=27 sym=[<string>] buf='tacacs'
81276: line=28 sym=[connection] buf='connection'
81276: line=28 sym=[timeout] buf='timeout'
81276: line=28 sym=[=] buf='='
81276: line=28 sym=[<string>] buf='600'
81276: line=31 sym=[mavis] buf='mavis'
81276: line=31 sym=[module] buf='module'
81276: line=31 sym=[=] buf='='
81276: line=31 sym=[<string>] buf='external'
81276: + mavis_method_add(/usr/local/lib/mavis/libmavis_external.so)
81276: - mavis_method_add (OK)
81276: line=31 sym=[{] buf='{'
81276: line=33 sym=[setenv] buf='setenv'
81276: + mavis_parse
81276: + external:Mavis_parse
81276: line=33 sym=[<string>] buf='LDAP_HOSTS'
81276: line=33 sym=[=] buf='='
81276: line=33 sym=[<string>] buf='192.168.0.2:389 192.168.0.3:389'
81276: line=34 sym=[setenv] buf='setenv'
81276: line=34 sym=[<string>] buf='LDAP_SCOPE'
81276: line=34 sym=[=] buf='='
81276: line=34 sym=[<string>] buf='sub'
81276: line=36 sym=[setenv] buf='setenv'
81276: line=36 sym=[<string>] buf='LDAP_BASE'
81276: line=36 sym=[=] buf='='
81276: line=36 sym=[<string>] buf='dc=mydomain,dc=com'
81276: line=37 sym=[setenv] buf='setenv'
81276: line=37 sym=[<string>] buf='LDAP_FILTER'
81276: line=37 sym=[=] buf='='
81276: line=37 sym=[<string>] buf='(&(objectclass=user)(sAMAccountName=%s))'
81276: line=38 sym=[setenv] buf='setenv'
81276: line=38 sym=[<string>] buf='LDAP_USER'
81276: line=38 sym=[=] buf='='
81276: line=38 sym=[<string>] buf='ORANGE\nms'
81276: line=39 sym=[setenv] buf='setenv'
81276: line=39 sym=[<string>] buf='LDAP_PASSWD'
81276: line=39 sym=[=] buf='='
81276: line=39 sym=[<string>] buf='password'
81276: line=40 sym=[setenv] buf='setenv'
81276: line=40 sym=[<string>] buf='TACACS_GROUP_PREFIX'
81276: line=40 sym=[=] buf='='
81276: line=40 sym=[<string>] buf='tacacs'
81276: line=42 sym=[setenv] buf='setenv'
81276: line=42 sym=[<string>] buf='USE_TLS'
81276: line=42 sym=[=] buf='='
81276: line=42 sym=[<string>] buf='0'
81276: line=43 sym=[exec] buf='exec'
81276: line=43 sym=[=] buf='='
81276: line=43 sym=[<string>] buf='/usr/local/lib/mavis/mavis_tacplus_ads.pl'
81276: line=44 sym=[}] buf='}'
81276: - Mavis_parse = 0
81276: - mavis_parse
81276: line=46 sym=[login] buf='login'
81276: line=46 sym=[backend] buf='backend'
81276: line=46 sym=[=] buf='='
81276: line=46 sym=[mavis] buf='mavis'
81276: line=47 sym=[user] buf='user'
81276: line=47 sym=[backend] buf='backend'
81276: line=47 sym=[=] buf='='
81276: line=47 sym=[mavis] buf='mavis'
81276: line=48 sym=[pap] buf='pap'
81276: line=48 sym=[backend] buf='backend'
81276: line=48 sym=[=] buf='='
81276: line=48 sym=[mavis] buf='mavis'
81276: line=49 sym=[debug] buf='debug'
81276: line=49 sym=[redirect] buf='redirect'
81276: line=49 sym=[=] buf='='
81276: line=49 sym=[<string>] buf='/var/log/tacacs/debug.log'

tacacs# more /var/log/tacacs/debug.log
81175: + mavis_init
81175: + external:Mavis_init
81175:   + mavis_init_in
81175:    io_init
81175:    forking child number 0
81175:     io_register 6
81175:     io_register 7
81175:     io_register 9
81175:    io_set_i(9)
81175:   - mavis_init_in
81175: - Mavis_init = 0
81175: - mavis_init = 0
81175: + av_clear
81175: - av_clear
81175: av_set(TIMESTAMP) = mavistest-81175-1267101310-0
81175: av_set(TYPE) = TACPLUS
81175: av_set(USER) = mike
81175: av_set(TACTYPE) = AUTH
81175: av_se 81147: io_sched_exec (0x801252160)
81147: executing ...
81147: io_sched_renew_proc 0x801266220
81147: to be fired at 4b866ee1:000e7065
81147: ... done.
81147: rescheduled at 4b866ee1:000e7065
81147: poll_timeout = 60001ms
81147: io_poll (0x801252160)
81147: nchanges is 0
= Oh7mS7xYoVLK6ifAwcb7PQ=
81175: + external:Mavis_send
81175:    av_get(TYPE) = TACPLUS
81175:    av_get(SERIAL) = Oh7mS7xYoVLK6ifAwcb7PQ=
81175:   starting query on child 0 (Oh7mS7xYoVLK6ifAwcb7PQ=)
81175:    av_get(TYPE) = TACPLUS
81175:    av_get(DIGEST_MD5_USER) = (NULL)
81175:    av_get(UDATA) = (NULL)
81175:    av_get(TIMESTAMP) = mavistest-81175-1267101310-0
81175:    av_get(USER) = mike
81175:    av_get(DIGEST) = (NULL)
81175:    av_get(RESULT) = (NULL)
81175:    av_get(PATH) = (NULL)
81175:    av_get(PASSWORD) = mypassword
81175:    av_get(UID) = (NULL)
81175:    av_get(GID) = (NULL)
81175:    av_get(LIMIT) = (NULL)
81175:    av_get(TRANSPORT) = (NULL)
81175:    av_get(TRAFFICSHAPING) = (NULL)
81175:    av_get(IPADDR) = (NULL)
81175:    av_get(QUOTA_LIMIT) = (NULL)
81175:    av_get(QUOTA_PATH) = (NULL)
81175:    av_get(COMMENT) = (NULL)
81175:    av_get(CNONCE) = (NULL)
81175:    av_get(HOME) = (NULL)
81175:    av_get(ROOT) = (NULL)
81175:    av_get(SERIAL) = Oh7mS7xYoVLK6ifAwcb7PQ=
81175:    av_get(FTP_ANONYMOUS) = (NULL)
81175:    av_get(EMAIL) = (NULL)
81175:    av_get(GIDS) = (NULL)
81175:    av_get(SERVERIP) = (NULL)
81175:    av_get(TARIFF) = (NULL)
81175:    av_get(REALM) = (NULL)
81175:    av_get(DIGEST_URI) = (NULL)
81175:    av_get(ANON_INCOMING) = (NULL)
81175:    av_get(VHOST) = (NULL)
81175:    av_get(UMASK) = (NULL)
81175:    av_get(USER_RESPONSE) = (NULL)
81175:    av_get(AUTH_METHOD) = (NULL)
81175:    av_get(CLASS) = (NULL)
81175:    av_get(DIGEST_MD5_RESPONSE) = (NULL)
81175:    av_get(DBPASSWORD) = (NULL)
81175:    av_get(SCRAM_CLIENT_CHALLENGE) = (NULL)
81175:    av_get(SCRAM_SERVER_CHALLENGE) = (NULL)
81175:    av_get(SCRAM_SERVER_PROOF) = (NULL)
81175:    av_get(SCRAM_CLIENT_PROOF) = (NULL)
81175:    av_get(MAILCHECK_POST) = (NULL)
81175:    av_get(MAILCHECK_PRE) = (NULL)
81175:    av_get(TUNNEL) = (NULL)
81175:    av_get(CERTSUBJ) = (NULL)
81175:    av_get(DBCERTSUBJ) = (NULL)
81175:    av_get(TACCLIENT) = (NULL)
81175:    av_get(TACMEMBER) = (NULL)
81175:    av_get(TACPROFILE) = (NULL)
81175:    av_get(TACTYPE) = AUTH
81175:    av_get(PASSWDNEW) = (NULL)
81175:    av_get(CHALLENGE) = (NULL)
81175:    av_get(PASSWORD_ONESHOT) = (NULL)
81175:    av_get(PASSWORD_MUSTCHANGE) = (NULL)
81175:    av_get(SHELL) = (NULL)
81175:   + write_to_child
81175:    io_set_i(7)
81175:   - write_to_child
81175:   io_poll (0x800f10160)
81175:   nchanges is 2
81175:   fd 7 ctx 0x800f33000
81175:   fd 7 cb = 0x801004230
81175:   + read_from_child
81175:    ../libmavis_external.c:464
81175:     av_get(SERIAL) = Oh7mS7xYoVLK6ifAwcb7PQ=
81175:    io_clr_i(7)
81175:    + av_clear
81175:    - av_clear
81175:     av_set(TYPE) = TACPLUS
81175:     av_set(TIMESTAMP) = mavistest-81175-1267101310-0
81175:     av_set(USER) = mike
81175:     av_set(RESULT) = ACK
81175:     av_set(PASSWORD) = mypassword
81175:     av_set(SERIAL) = Oh7mS7xYoVLK6ifAwcb7PQ=
81175:     av_set(DBPASSWORD) = mypassword
81175:     av_set(TACMEMBER) = admin
81175:     av_set(TACTYPE) = AUTH
81175:     av_get(SERIAL) = Oh7mS7xYoVLK6ifAwcb7PQ=
81175:   - read_from_child
81175: - Mavis_send = 0
81175: - mavis_send (0)

Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-81175-1267101310-0

USER                mike
RESULT              ACK
PASSWORD            mypassword

SERIAL Oh7mS7xYoVLK6ifAwcb7PQ=

DBPASSWORD          mypassword
TACMEMBER           admin
TACTYPE             AUTH

81175: + mavis_drop
81175: + external:Mavis_drop
81175:   io_clr_i(7)
81175:   io_clr_o(7)
81175:   io_clr_i(6)
81175:   io_clr_o(6)
81175:   io_clr_i(9)
81175:   io_clr_o(9)
81175: - external:Mavis_drop
81175: - mavis_drop

When I attempt and authentication from my test switch, I get nothing in the debug log file.

Marc Huber

unread,

Feb 25, 2010, 10:34:05 AM2/25/10

to event-driv...@googlegroups.com

Hi Mike,

I just tested the daemon in a FreeBSD 7.0 virtual machine, and it
appears to work just fine.

Can you please have a look at the system logs? Anything interesting in
/var/log/uucp? Yes, I know, this isn't the most obvious place to look.

One more thing you can try: Add "debug = -1" to the spawnd section,
and change the "background" directive to "no". Then start the daemon
manually. You will get both spawnd and tac_plus life debugging output
on your terminal. Now, from another terminal, open a telnet session to
port 49.

Cheers,

Marc

Mike Barnard

unread,

Feb 26, 2010, 5:26:04 AM2/26/10

to event-driv...@googlegroups.com

On Thu, Feb 25, 2010 at 6:34 PM, Marc Huber <marc.j...@googlemail.com> wrote:

Hi Mike,

I just tested the daemon in a FreeBSD 7.0 virtual machine, and it
appears to work just fine.

Can you please have a look at the system logs? Anything interesting in
/var/log/uucp? Yes, I know, this isn't the most obvious place to look.

I dont have the uucp logfiles...

One more thing you can try: Add "debug = -1" to the spawnd section,
and change the "background" directive to "no". Then start the daemon
manually. You will get both spawnd and tac_plus life debugging output
on your terminal. Now, from another terminal, open a telnet session to
port 49.

I cannot add debug to the spawnd section, it dumped an error:

/usr/local/etc/tac_plus.conf:9: Expected 'address', 'path', 'port', 'realm', 'tls', 'userid', 'groupid', 'backlog', 'type' or 'protocol', but got 'debug'

Now, this is the strangest part... will all the debugging turned off and background set to no, I am able to login using tacacs on my test switch. I see nothing being dumped on screen, but I do have an entry in my access.log file showing that I have successfully logged in.

I turned on debugging again and left background set to 'no' and I was still able to login. I then turned all debugging off and set background to 'yes' and I was unable to login.

It seems that when I run the tacacs process in background, something goes dead. And it appears that any one not in the tacacsadmin group can also login :-/

Marc Huber

unread,

Feb 26, 2010, 10:46:27 AM2/26/10

to Event-Driven Servers

Hi Mike,

On 26 Feb., 11:26, Mike Barnard <mike.barna...@gmail.com> wrote:
> I dont have the uucp logfiles...

you can change log facility and level inside the "id = ... { }"
sections, e.g.:

syslog facility = DAEMON
syslog level = DEBUG

Set these to whatever your syslog daemon actually accepts.

> I cannot add debug to the spawnd section, it dumped an error:
>
> /usr/local/etc/tac_plus.conf:9: Expected 'address', 'path', 'port', 'realm',
> 'tls', 'userid', 'groupid', 'backlog', 'type' or 'protocol', but got 'debug'

You've probably put the "debug" statement inside the "listen { ... }
section. The following would work:

id = spawnd {
debug = -1
listen { ... }
spawn { ... }
}

> Now, this is the strangest part... will all the debugging turned off and
> background set to no, I am able to login using tacacs on my test switch. I
> see nothing being dumped on screen, but I do have an entry in my access.log
> file showing that I have successfully logged in.
>
> I turned on debugging again and left background set to 'no' and I was still
> able to login. I then turned all debugging off and set background to 'yes'
> and I was unable to login.
>
> It seems that when I run the tacacs process in background, something goes
> dead.

Ok, thanks, got it. The kqueue() file descriptor doesn't survive
fork(). I knew that, but didn't notice. Fixed in the most recent
snapshot at

http://www.pro-bono-publico.de/projects/src/DEVEL.201002261642.tar.bz2

> And it appears that any one not in the tacacsadmin group can also
> login :-/

Yes, unless configured with

setenv REQUIRE_TACACS_GROUP_PREFIX = 1

the backend doesn't do any group checking.

Cheers,

Marc

Reply all

Reply to author

Forward