tac_plus-ng ldap authentication problem


Realgreef

Sep 23, 2022, 4:40:41 AM
to Event-Driven Servers
Hi,

I'm trying the new tac_plus-ng, but am not able to get LDAP authentication to work.

I think I'm missing something with the group configuration, but cannot figure it out.

mavistest seems to work fine, listing all AD groups matching the prefix that the AD user is a member of.

The local user in the config works fine, so I guess the profile and ruleset is ok.

See config below and please tell me what I need to correct :)

The AD-group is named GTC_ad-admins
I've tried a lot of different configurations with the group definitions, but nothing seems to work. In the old tac_plus I was able to use "member = admins" in the group definition, but that is deprecated. I also tried "group" and "parent" in a lot of combinations, but no success.


#!/usr/local/sbin/tac_plus-ng

id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = no
}

id = tac_plus-ng {

    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "ldap://dc01 ldap://dc02"
        setenv LDAP_SCOPE = sub
        setenv LDAP_BASE = "dc=dc,dc=local"
        setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
        setenv LDAP_USER = tcuser
        setenv LDAP_PASSWD = xxxxxx
        setenv AD_GROUP_PREFIX = GTC_
        setenv USE_TLS = 0
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }

    login backend = mavis
#    user backend = mavis
    pap backend = mavis

    host CISCO1 {
        address = 172.16.1.10
        key = xxxx
    }


    profile readwrite {
        script {
            if (service == shell) {
                if (cmd == "") {
                    set priv-lvl = 15
                    permit
                }
                permit
            }
        }
    }

    group admins { }

    group ad-admins { }

    user test1 {
        password login = clear secret
        member = admins
    }

    ruleset {
        rule CISCORULE {
            enabled = yes
            script {
                if (nas == CISCO1) {
                    if (member == admins) {
                        profile = readwrite
                        permit
                    }
                    if (member == ad-admins) {
                        profile = readwrite
                        permit
                    }
                }
            }
        }
    }
}

Marc Huber

Sep 23, 2022, 10:49:48 AM
to event-driv...@googlegroups.com
Hi,

On 23.09.2022 08:54, Realgreef wrote:
> mavistest seems to work fine, and listing all AD-groups, matching the
> prefix, the AD-user is member of.
this one
> # user backend = mavis

disables user lookup ...

Cheers,

Marc


Realgreef

Sep 24, 2022, 6:23:02 AM
to Event-Driven Servers
Thanks for the quick reply!

My problem persists even when enabling 'user backend = mavis'.

Have I specified the groups correctly? I mean, is it enough to just specify my AD group as 'group ad-admins { }'? In tac_plus the AD group needs to be a member of a TACACS group, I think...

Marc Huber

Sep 24, 2022, 7:51:51 AM
to event-driv...@googlegroups.com
Hi,

yes, your group specs look fine to me -- with AD_GROUP_PREFIX = GTC_ the
TACACS+ group membership for "CN=GTC_ad-admins" will be "ad-admins".

tac_plus-ng also has support for direct memberOf evaluation. In that
case, the prefix won't be stripped:

if (memberof =~ /^CN=GTC_admins,/) { profile = readwrite permit }

Could you provide debug output?

Running the daemon with the "-fd -1 -1" options will cause it to stay in
foreground and write debug data to stderr.

Thanks,

Marc
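As an added example (not code from this thread, nor from tac_plus-ng or mavis_tacplus_ldap.pl), the Python below models the two matching styles Marc describes: TACACS+ group names derived from AD_GROUP_PREFIX with the prefix stripped, and direct memberof regex evaluation where the prefix stays. The memberOf DN list is constructed, the regex uses the GTC_ad-admins group from the posted config, and the matching logic approximates the described behaviour rather than the script's actual implementation.

```python
import re

# Constructed sample: memberOf values as an AD user object would carry them.
MEMBER_OF = [
    "CN=GTC_ad-admins,OU=Groups,DC=dc,DC=local",
    "CN=Domain Users,CN=Users,DC=dc,DC=local",
    "CN=GTC_readonly,OU=Groups,DC=dc,DC=local",
    "CN=NotGTC_group,OU=Groups,DC=dc,DC=local",
]

AD_GROUP_PREFIX = "GTC_"   # same value as in the posted config


def rdn_cn(dn):
    """Return the value of the leading CN= RDN of a DN, or None if absent."""
    m = re.match(r"^CN=([^,]+),", dn, re.IGNORECASE)
    return m.group(1) if m else None


def tacacs_groups(member_of, prefix):
    """Groups exported under AD_GROUP_PREFIX: only CNs that start with the
    prefix count, and the prefix is stripped ("GTC_ad-admins" -> "ad-admins")."""
    groups = []
    for dn in member_of:
        cn = rdn_cn(dn)
        if cn is not None and cn.startswith(prefix):
            groups.append(cn[len(prefix):])
    return groups


def rule_member(member_of, prefix, wanted):
    """The `member == <group>` test from the thread's ruleset."""
    return wanted in tacacs_groups(member_of, prefix)


def rule_memberof(member_of, pattern):
    """Direct `memberof =~ /regex/` evaluation: nothing is stripped, so the
    pattern must name the full CN, e.g. r'^CN=GTC_ad-admins,'."""
    rx = re.compile(pattern)
    return any(rx.search(dn) for dn in member_of)


def evaluate(member_of, prefix=AD_GROUP_PREFIX):
    """Replay the rule variants from the thread and report which of them
    would reach `profile = readwrite` for this user."""
    return {
        "tacacs_groups": tacacs_groups(member_of, prefix),
        "member == ad-admins": rule_member(member_of, prefix, "ad-admins"),
        # Using the unstripped name with `member` never matches.
        "member == GTC_ad-admins": rule_member(member_of, prefix, "GTC_ad-admins"),
        "memberof =~ /^CN=GTC_ad-admins,/": rule_memberof(member_of, r"^CN=GTC_ad-admins,"),
        # Using the stripped name with `memberof` never matches.
        "memberof =~ /^CN=ad-admins,/": rule_memberof(member_of, r"^CN=ad-admins,"),
    }


if __name__ == "__main__":
    for rule, verdict in evaluate(MEMBER_OF).items():
        print(f"{rule}: {verdict}")
```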

Realgreef

Sep 25, 2022, 4:10:23 AM
to Event-Driven Servers
Hi, thanks again.
I tried to use 'memberof', but that doesn't work either :(
I don't know, but it doesn't look like it even tries an AD lookup?


Here is an authentication attempt:


219620: 09:53:30.975 0/00000000: - proxied connection request from <unknown> for 172.16.1.10 (realm: default)
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 New session
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 ---<start packet>---
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 key used: fa7jVrcZcVOzzY1d4Gzy
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 version: 192, type: 1, seq no: 1, flags: unencrypted
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 session id: 4e974a9b, data length: 31
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 packet body (len: 31): \001\001\001\001\b\004\v\000tacadmintty110.10.5.100
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 0000 01 01 01 01 08 04 0b 00  74 61 63 61 64 6d 69 6e  ........ tacadmin
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 0010 74 74 79 31 31 30 2e 31  30 2e 35 2e 31 30 30     tty110.1 0.5.100
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 AUTHEN/START, priv_lvl=1
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 action=login (1)
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 authen_type=ascii (1)
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 service=login (1)
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 user_len=8 port_len=4 rem_addr_len=11
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 data_len=0
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 user (len: 8): tacadmin
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 0000 74 61 63 61 64 6d 69 6e                           tacadmin
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 port (len: 4): tty1
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 0000 74 74 79 31                                       tty1
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 rem_addr (len: 11): 10.10.5.100
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 0000 31 30 2e 31 30 2e 35 2e  31 30 30                 10.10.5. 100
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 ---<end packet>---
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 authen: hdr->seq_no: 1
219620: file=/home/admin1/event-driven-servers/tac_plus-ng/authen.c line=1365 sym=[<string>] buf='User Access Verification

${message}${umessage}' => buf='User Access Verification

${message}${umessage}'
219620: file=/home/admin1/event-driven-servers/tac_plus-ng/authen.c line=1365 sym=[<string>] buf='User Access Verification

${message}${umessage}'
219620: file=/home/admin1/event-driven-servers/tac_plus-ng/authen.c line=1365 sym=[<end-of-file>] buf=''
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 looking for user tacadmin realm default
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 user lookup failed
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 shell login for 'tacadmin' from 10.10.5.100 on tty1 denied by ACL
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 Writing AUTHEN/FAIL size=18
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 ---<start packet>---
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 key used: fa7jVrcZcVOzzY1d4Gzy
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 version: 192, type: 1, seq no: 2, flags: unencrypted
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 session id: 4e974a9b, data length: 6
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 packet body (len: 6): \002\000\000\000\000\000
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 0000 02 00 00 00 00 00                                 ......
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 AUTHEN, status=2 (AUTHEN/FAIL) flags=0x0
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 msg_len=0, data_len=0
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 msg (len: 0):
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 data (len: 0):
219620: 09:53:30.975 0/9b4a974e: 172.16.1.10 ---<end packet>---

219620: 09:53:42.558 1/00000000: - proxied connection request from <unknown> for 172.16.1.10 (realm: default)
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 New session
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 ---<start packet>---
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 key used: fa7jVrcZcVOzzY1d4Gzy
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 version: 192, type: 1, seq no: 1, flags: unencrypted
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 session id: 927b1b5f, data length: 31
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 packet body (len: 31): \001\001\001\001\b\004\v\000tacadmintty110.10.5.100
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 0000 01 01 01 01 08 04 0b 00  74 61 63 61 64 6d 69 6e  ........ tacadmin
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 0010 74 74 79 31 31 30 2e 31  30 2e 35 2e 31 30 30     tty110.1 0.5.100
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 AUTHEN/START, priv_lvl=1
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 action=login (1)
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 authen_type=ascii (1)
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 service=login (1)
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 user_len=8 port_len=4 rem_addr_len=11
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 data_len=0
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 user (len: 8): tacadmin
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 0000 74 61 63 61 64 6d 69 6e                           tacadmin
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 port (len: 4): tty1
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 0000 74 74 79 31                                       tty1
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 rem_addr (len: 11): 10.10.5.100
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 0000 31 30 2e 31 30 2e 35 2e  31 30 30                 10.10.5. 100
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 ---<end packet>---
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 authen: hdr->seq_no: 1
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 looking for user tacadmin realm default
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 user lookup failed
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 shell login for 'tacadmin' from 10.10.5.100 on tty1 denied by ACL
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 Writing AUTHEN/FAIL size=18
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 ---<start packet>---
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 key used: fa7jVrcZcVOzzY1d4Gzy
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 version: 192, type: 1, seq no: 2, flags: unencrypted
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 session id: 927b1b5f, data length: 6
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 packet body (len: 6): \002\000\000\000\000\000
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 0000 02 00 00 00 00 00                                 ......
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 AUTHEN, status=2 (AUTHEN/FAIL) flags=0x0
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 msg_len=0, data_len=0
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 msg (len: 0):
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 data (len: 0):
219620: 09:53:42.558 1/5f1b7b92: 172.16.1.10 ---<end packet>---
219620: 09:53:42.560 0/00000000: - Received signal 15, shutting down.
219620: 09:53:42.560 0/00000000: - exit status=0
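As an added example (not from the thread or from tac_plus-ng), the Python below decodes the two TACACS+ packet bodies shown in the debug output above, the AUTHEN/START from the NAS and the AUTHEN/FAIL reply, using the body layout from RFC 8907. The bytes are copied from the first session's hex dump; this only works on the wire because the log shows the session flagged "unencrypted", and the 12-byte TACACS+ header (version, type, seq no, flags) is not part of these bodies and is not parsed here.

```python
import struct

# Copied from the log above: the 31-byte AUTHEN/START body of session
# 4e974a9b and the 6-byte AUTHEN/REPLY body the server answered with.
START_BODY = bytes.fromhex(
    "0101010108040b00"          # action, priv_lvl, authen_type, service, 4 lengths
    "74616361646d696e"          # user     "tacadmin"
    "74747931"                  # port     "tty1"
    "31302e31302e352e313030"    # rem_addr "10.10.5.100"
)
REPLY_BODY = bytes.fromhex("020000000000")

# Field value names from RFC 8907 (only those needed to read this log).
ACTIONS = {1: "login", 2: "chpass", 4: "sendauth"}
AUTHEN_TYPES = {1: "ascii", 2: "pap", 3: "chap", 5: "mschap", 6: "mschapv2"}
SERVICES = {0: "none", 1: "login", 2: "enable", 3: "ppp", 5: "pt",
            6: "rcmd", 7: "x25", 8: "nasi", 9: "fwproxy"}
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def parse_authen_start(body):
    """Decode an AUTHEN/START body: eight one-byte fields, then user, port,
    rem_addr and data, each sized by its own length byte."""
    if len(body) < 8:
        raise ValueError("AUTHEN/START body shorter than its 8 fixed bytes")
    (action, priv_lvl, authen_type, service,
     user_len, port_len, rem_addr_len, data_len) = struct.unpack("!8B", body[:8])
    expected = 8 + user_len + port_len + rem_addr_len + data_len
    if len(body) != expected:
        # Missing or trailing bytes mean a truncated or malformed packet.
        raise ValueError(f"body is {len(body)} bytes but lengths add up to {expected}")
    off = 8
    user = body[off:off + user_len]
    off += user_len
    port = body[off:off + port_len]
    off += port_len
    rem_addr = body[off:off + rem_addr_len]
    # 'data' can carry a PAP/CHAP secret; report only its size, never its content.
    return {
        "action": ACTIONS.get(action, action),
        "priv_lvl": priv_lvl,
        "authen_type": AUTHEN_TYPES.get(authen_type, authen_type),
        "service": SERVICES.get(service, service),
        "user": user.decode("ascii", "replace"),
        "port": port.decode("ascii", "replace"),
        "rem_addr": rem_addr.decode("ascii", "replace"),
        "data_len": data_len,
    }


def parse_authen_reply(body):
    """Decode an AUTHEN/REPLY body: status, flags, then two big-endian 16-bit
    lengths for server_msg and data."""
    if len(body) < 6:
        raise ValueError("AUTHEN/REPLY body shorter than its 6 fixed bytes")
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if len(body) != 6 + msg_len + data_len:
        raise ValueError("AUTHEN/REPLY length fields do not match body size")
    server_msg = body[6:6 + msg_len]
    return {
        "status": REPLY_STATUS.get(status, status),
        "flags": flags,
        "server_msg": server_msg.decode("ascii", "replace"),
        "data_len": data_len,
    }


if __name__ == "__main__":
    print(parse_authen_start(START_BODY))  # user=tacadmin, port=tty1, rem_addr=10.10.5.100
    print(parse_authen_reply(REPLY_BODY))  # status=FAIL, flags=0, empty server_msg
```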

Marc Huber

Sep 25, 2022, 4:49:02 AM
to event-driv...@googlegroups.com
Hi,

could you do a git pull and install and run the tactrace.pl script?
Installation/usage instructions:

https://www.pro-bono-publico.de/projects/tac_plus-ng.html#AEN2705

Alternatively, please

make clean
./configure --debug tac_plus-ng
make && sudo make install

This will result in extended debug output for the MAVIS back-end.

I've just tried a slightly modified variant of your configuration (I've
no LDAP server available right now, I typically use pammavis for
testing) and saw no apparent issues.

Thanks,

Marc

Realgreef

Sep 25, 2022, 4:55:28 PM
to Event-Driven Servers
Hi!

I recompiled with --debug.

The output from tac_plus-ng is pasted below. Does it help? If not, please tell me what else I can do to debug :)

223384: 22:44:28.671 0/00000000: - Version a1b922b69908e66e3e48027c40a0b4597b064315 initialized
223384: io_sched_add 0x56027d4e85b0 60.0
223384: + mavis_init
223384:  + external:Mavis_init
223384:   + external:mavis_init_in
223384:    forking child number 0
223384:     io_register 7
223384:     io_register 8
223384:     io_register 10
223384:    forking child number 1
223384:     io_register 9
223384:     io_register 11
223384:     io_register 13
223384:    forking child number 2
223384:     io_register 12
223384:     io_register 14
223384:     io_register 16
223384:    forking child number 3
223384:     io_register 15
223384:     io_register 17
223384:     io_register 19
223384:   - external:mavis_init_in
223384:  - external:Mavis_init = 0
223384: - mavis_init = 0
223384: io_main (0x56027d4c7b30)
223384: io_sched_exec (0x56027d4c7b30)
223384: poll_timeout = 60000ms
223384: io_poll (0x56027d4c7b30)


223384: fd 5 ctx 0x56027d4c71f0
223384: fd 5 cb = 0x7f84a3b50e55
223384: + spawnd_accepted
223384: 22:44:53.318 0/00000000: - proxied connection request from <unknown> for 172.16.1.10 (realm: default)
223384:   io_register 6
223384:  io_sched_add 0x56027d4e8cd0 60.0
223384: - spawnd_accepted
223384: io_sched_exec (0x56027d4c7b30)
223384: poll_timeout = 35362ms
223384: io_poll (0x56027d4c7b30)
223384: fd 6 ctx 0x56027d4e8cd0
223384: fd 6 cb = 0x56027c90ef67
223384: 22:44:53.319 0/221a6976: 172.16.1.10 New session
223384: 22:44:53.319 0/221a6976: 172.16.1.10 ---<start packet>---
223384: 22:44:53.319 0/221a6976: 172.16.1.10 key used: fa7jVrcZcVOzzY1d4Gzy
223384: 22:44:53.319 0/221a6976: 172.16.1.10 version: 192, type: 1, seq no: 1, flags: unencrypted
223384: 22:44:53.319 0/221a6976: 172.16.1.10 session id: 76691a22, data length: 31
223384: 22:44:53.319 0/221a6976: 172.16.1.10 packet body (len: 31): \001\001\001\001\b\004\v\000tacadmintty210.10.5.100
223384: 22:44:53.319 0/221a6976: 172.16.1.10 0000 01 01 01 01 08 04 0b 00  74 61 63 61 64 6d 69 6e  ........ tacadmin
223384: 22:44:53.319 0/221a6976: 172.16.1.10 0010 74 74 79 32 31 30 2e 31  30 2e 35 2e 31 30 30     tty210.1 0.5.100
223384: 22:44:53.319 0/221a6976: 172.16.1.10 AUTHEN/START, priv_lvl=1
223384: 22:44:53.319 0/221a6976: 172.16.1.10 action=login (1)
223384: 22:44:53.319 0/221a6976: 172.16.1.10 authen_type=ascii (1)
223384: 22:44:53.319 0/221a6976: 172.16.1.10 service=login (1)
223384: 22:44:53.319 0/221a6976: 172.16.1.10 user_len=8 port_len=4 rem_addr_len=11
223384: 22:44:53.319 0/221a6976: 172.16.1.10 data_len=0
223384: 22:44:53.319 0/221a6976: 172.16.1.10 user (len: 8): tacadmin
223384: 22:44:53.319 0/221a6976: 172.16.1.10 0000 74 61 63 61 64 6d 69 6e                           tacadmin
223384: 22:44:53.319 0/221a6976: 172.16.1.10 port (len: 4): tty2
223384: 22:44:53.319 0/221a6976: 172.16.1.10 0000 74 74 79 32                                       tty2
223384: 22:44:53.319 0/221a6976: 172.16.1.10 rem_addr (len: 11): 10.10.5.100
223384: 22:44:53.319 0/221a6976: 172.16.1.10 0000 31 30 2e 31 30 2e 35 2e  31 30 30                 10.10.5. 100
223384: 22:44:53.319 0/221a6976: 172.16.1.10 ---<end packet>---
223384: 22:44:53.319 0/221a6976: 172.16.1.10 authen: hdr->seq_no: 1
223384: file=/home/admin1/event-driven-servers/tac_plus-ng/authen.c line=1365 sym=[<string>] buf='User Access Verification


${message}${umessage}' => buf='User Access Verification

${message}${umessage}'
223384: file=/home/admin1/event-driven-servers/tac_plus-ng/authen.c line=1365 sym=[<string>] buf='User Access Verification

${message}${umessage}'
223384: file=/home/admin1/event-driven-servers/tac_plus-ng/authen.c line=1365 sym=[<end-of-file>] buf=''
223384: 22:44:53.319 0/221a6976: 172.16.1.10 looking for user tacadmin realm default
223384: 22:44:53.319 0/221a6976: 172.16.1.10 user lookup failed
223384: 22:44:53.319 0/221a6976: 172.16.1.10 shell login for 'tacadmin' from 10.10.5.100 on tty2 denied by ACL
223384:  io_register 18
223384: + buffer_write
223384:  buffer_get = 0x56027d4ea9a0
223384: - buffer_write
223384: 22:44:53.319 0/221a6976: 172.16.1.10 Writing AUTHEN/FAIL size=18
223384: 22:44:53.319 0/221a6976: 172.16.1.10 ---<start packet>---
223384: 22:44:53.319 0/221a6976: 172.16.1.10 key used: fa7jVrcZcVOzzY1d4Gzy
223384: 22:44:53.319 0/221a6976: 172.16.1.10 version: 192, type: 1, seq no: 2, flags: unencrypted
223384: 22:44:53.319 0/221a6976: 172.16.1.10 session id: 76691a22, data length: 6
223384: 22:44:53.319 0/221a6976: 172.16.1.10 packet body (len: 6): \002\000\000\000\000\000
223384: 22:44:53.319 0/221a6976: 172.16.1.10 0000 02 00 00 00 00 00                                 ......
223384: 22:44:53.319 0/221a6976: 172.16.1.10 AUTHEN, status=2 (AUTHEN/FAIL) flags=0x0
223384: 22:44:53.319 0/221a6976: 172.16.1.10 msg_len=0, data_len=0
223384: 22:44:53.319 0/221a6976: 172.16.1.10 msg (len: 0):
223384: 22:44:53.319 0/221a6976: 172.16.1.10 data (len: 0):
223384: 22:44:53.319 0/221a6976: 172.16.1.10 ---<end packet>---
223384: io_sched_exec (0x56027d4c7b30)
223384: poll_timeout = 35361ms
223384: io_poll (0x56027d4c7b30)
223384: fd 6 ctx 0x56027d4e8cd0
223384: fd 6 cb = 0x56027c90e4a0
223384: fd 18 ctx 0x56027d4e9960
223384: fd 18 cb = 0x56027c910c86
223384: buffer_release (0x56027d4ea9a0, 89)
223384: buffer_free (0x56027d4ea9a0)
223384: buffer_release = (nil)
223384: io_sched_exec (0x56027d4c7b30)
223384: poll_timeout = 35361ms
223384: io_poll (0x56027d4c7b30)
223384: fd 6 ctx 0x56027d4e8cd0
223384: fd 6 cb = 0x56027c90ef67
223384: + io_sched_pop
223384: - io_sched_pop
223384:  io_unregister 6
223384: io_sched_exec (0x56027d4c7b30)
223384: poll_timeout = 35360ms
223384: io_poll (0x56027d4c7b30)
223384: fd 5 ctx 0x56027d4c71f0
223384: fd 5 cb = 0x7f84a3b50e55
223384: + spawnd_accepted
223384: 22:44:55.397 1/00000000: - proxied connection request from <unknown> for 172.16.1.10 (realm: default)
223384:   io_register 6
223384:  io_sched_add 0x56027d4e9330 60.0
223384: - spawnd_accepted
223384: io_sched_exec (0x56027d4c7b30)
223384: poll_timeout = 33283ms
223384: io_poll (0x56027d4c7b30)
223384: fd 6 ctx 0x56027d4e9330
223384: fd 6 cb = 0x56027c90ef67
223384: 22:44:55.397 1/93c29946: 172.16.1.10 New session
223384: 22:44:55.397 1/93c29946: 172.16.1.10 ---<start packet>---
223384: 22:44:55.397 1/93c29946: 172.16.1.10 key used: fa7jVrcZcVOzzY1d4Gzy
223384: 22:44:55.397 1/93c29946: 172.16.1.10 version: 192, type: 1, seq no: 1, flags: unencrypted
223384: 22:44:55.397 1/93c29946: 172.16.1.10 session id: 4699c293, data length: 31
223384: 22:44:55.397 1/93c29946: 172.16.1.10 packet body (len: 31): \001\001\001\001\b\004\v\000tacadmintty210.10.5.100
223384: 22:44:55.397 1/93c29946: 172.16.1.10 0000 01 01 01 01 08 04 0b 00  74 61 63 61 64 6d 69 6e  ........ tacadmin
223384: 22:44:55.397 1/93c29946: 172.16.1.10 0010 74 74 79 32 31 30 2e 31  30 2e 35 2e 31 30 30     tty210.1 0.5.100
223384: 22:44:55.397 1/93c29946: 172.16.1.10 AUTHEN/START, priv_lvl=1
223384: 22:44:55.397 1/93c29946: 172.16.1.10 action=login (1)
223384: 22:44:55.397 1/93c29946: 172.16.1.10 authen_type=ascii (1)
223384: 22:44:55.397 1/93c29946: 172.16.1.10 service=login (1)
223384: 22:44:55.397 1/93c29946: 172.16.1.10 user_len=8 port_len=4 rem_addr_len=11
223384: 22:44:55.397 1/93c29946: 172.16.1.10 data_len=0
223384: 22:44:55.397 1/93c29946: 172.16.1.10 user (len: 8): tacadmin
223384: 22:44:55.397 1/93c29946: 172.16.1.10 0000 74 61 63 61 64 6d 69 6e                           tacadmin
223384: 22:44:55.397 1/93c29946: 172.16.1.10 port (len: 4): tty2
223384: 22:44:55.397 1/93c29946: 172.16.1.10 0000 74 74 79 32                                       tty2
223384: 22:44:55.397 1/93c29946: 172.16.1.10 rem_addr (len: 11): 10.10.5.100
223384: 22:44:55.397 1/93c29946: 172.16.1.10 0000 31 30 2e 31 30 2e 35 2e  31 30 30                 10.10.5. 100
223384: 22:44:55.397 1/93c29946: 172.16.1.10 ---<end packet>---
223384: 22:44:55.397 1/93c29946: 172.16.1.10 authen: hdr->seq_no: 1
223384: 22:44:55.397 1/93c29946: 172.16.1.10 looking for user tacadmin realm default
223384: 22:44:55.397 1/93c29946: 172.16.1.10 user lookup failed
223384: 22:44:55.397 1/93c29946: 172.16.1.10 shell login for 'tacadmin' from 10.10.5.100 on tty2 denied by ACL
223384: + buffer_write
223384:  buffer_get = 0x56027d4ea9a0
223384: - buffer_write
223384: 22:44:55.397 1/93c29946: 172.16.1.10 Writing AUTHEN/FAIL size=18
223384: 22:44:55.397 1/93c29946: 172.16.1.10 ---<start packet>---
223384: 22:44:55.397 1/93c29946: 172.16.1.10 key used: fa7jVrcZcVOzzY1d4Gzy
223384: 22:44:55.397 1/93c29946: 172.16.1.10 version: 192, type: 1, seq no: 2, flags: unencrypted
223384: 22:44:55.397 1/93c29946: 172.16.1.10 session id: 4699c293, data length: 6
223384: 22:44:55.397 1/93c29946: 172.16.1.10 packet body (len: 6): \002\000\000\000\000\000
223384: 22:44:55.397 1/93c29946: 172.16.1.10 0000 02 00 00 00 00 00                                 ......
223384: 22:44:55.397 1/93c29946: 172.16.1.10 AUTHEN, status=2 (AUTHEN/FAIL) flags=0x0
223384: 22:44:55.397 1/93c29946: 172.16.1.10 msg_len=0, data_len=0
223384: 22:44:55.397 1/93c29946: 172.16.1.10 msg (len: 0):
223384: 22:44:55.397 1/93c29946: 172.16.1.10 data (len: 0):
223384: 22:44:55.397 1/93c29946: 172.16.1.10 ---<end packet>---
223384: io_sched_exec (0x56027d4c7b30)
223384: poll_timeout = 33283ms
223384: io_poll (0x56027d4c7b30)
223384: fd 6 ctx 0x56027d4e9330
223384: fd 6 cb = 0x56027c90e4a0
223384: fd 18 ctx 0x56027d4e9960
223384: fd 18 cb = 0x56027c910c86
223384: buffer_release (0x56027d4ea9a0, 89)
223384: buffer_free (0x56027d4ea9a0)
223384: buffer_release = (nil)
223384: io_sched_exec (0x56027d4c7b30)
223384: poll_timeout = 33283ms
223384: io_poll (0x56027d4c7b30)
223384: fd 6 ctx 0x56027d4e9330
223384: fd 6 cb = 0x56027c90ef67
223384: + io_sched_pop
223384: - io_sched_pop
223384:  io_unregister 6
223384: io_sched_exec (0x56027d4c7b30)
223384: poll_timeout = 33282ms
223384: io_poll (0x56027d4c7b30)
223384: 22:44:55.399 0/00000000: - Received signal 15, shutting down.
223384: 22:44:55.399 0/00000000: - exit status=0

Marc Huber

Sep 25, 2022, 7:21:07 PM
to event-driv...@googlegroups.com

Hi,

my bad ... the latest commit should fix the problem you're seeing, please git pull and try again.

Thanks,

Marc

diff --git a/tac_plus-ng/authen.c b/tac_plus-ng/authen.c
index f6d77ea..dbe4c77 100644
--- a/tac_plus-ng/authen.c
+++ b/tac_plus-ng/authen.c
@@ -297,7 +297,7 @@ static enum token lookup_and_set_user(tac_session * session)
        session->passwdp = eval_passwd_acl(session);
     }
     report(session, LOG_DEBUG, DEBUG_AUTHEN_FLAG, "user lookup %s", session->user ? "succeded" : "failed");
-    return session->user ? S_permit : S_deny;
+    return session->user ? S_permit : S_unknown;
 }

 static int query_mavis_auth_login(tac_session * session, void (*f)(tac_session *), enum pw_ix pw_ix)
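Review bot: Changing the miss result of lookup_and_set_user from S_deny to S_unknown alters what every caller sees when session->user is NULL, so each call site that only tested for S_permit versus S_deny needs to be checked that it now routes S_unknown to the MAVIS backend lookup instead of treating it as a third, unhandled value; a one-line comment above the return stating that "unknown" means "defer to the backend" would make the intent explicit. The debug string on the preceding line also spells "succeded"; "succeeded" is correct, and reporting the returned token alongside it would have made the denial in the thread's log self-explanatory.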
@@ -414,7 +414,7 @@ static int check_access(tac_session * session, struct pwdat *pwdat, char *passwd
                break;
            }
            session->mavisauth_res = TAC_PLUS_AUTHEN_STATUS_FAIL;
-       } else if (pwdat)
+       } else if (pwdat && passwd)
            res = compare_pwdat(pwdat, passwd, hint);

        if (S_permit != eval_ruleset(session, session->ctx->realm)) {
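Review bot: The new "pwdat && passwd" guard stops compare_pwdat from being called with a NULL password, but when passwd is NULL and pwdat is set, res is simply left at whatever value it held before this branch; please confirm that res is initialised to a denying or unknown token earlier in check_access, since a leftover permissive value would turn a skipped comparison into an accept. A report() at DEBUG_AUTHEN_FLAG level on the skipped path would also help, because the thread's log shows nothing between "user lookup failed" and "denied by ACL".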

Realgreef

Sep 26, 2022, 3:24:57 PM
to Event-Driven Servers
Hi,

thanks Marc! Now it's working =)

Really appreciate your help and quick replies!

Marc Huber

Sep 27, 2022, 9:43:48 AM
to event-driv...@googlegroups.com
Hi,

I think it's my turn to say thank you for your help! And thanks for
trying out tac_plus-ng, too ;-)

Best regards,

Marc

