tac_plus client auth failed with error code 2


Manoj K
Dec 29, 2016, 9:49:32 AM
to Event-Driven Servers
Hi all,

Client authentication is failing with the error "Invalid user tacacs from 192.168.10.26", and the log on the TACACS+ server is "tac_plus[30234]: 192.168.10.25 pap login for 'tacacs' from 192.168.10.26 on ssh failed".

When I checked the communication between AD and the TACACS+ server using tcpdump, I got this log: "X80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580"

The TACACS+ service is running without any issue and the port is listening; it is not showing any error in the logs.

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-26042-148301839-0
USER                tacacs
PASSWORD            admin123
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-26042-148301839-0
USER                tacacs
RESULT              ACK
PASSWORD            admin123
SERIAL              7exJimUgCmab6BseA8CiQ=
DBPASSWORD          admin123
TACTYPE             AUTH


Please help me understand what the issue could be, whether it is in the TACACS+ server or in the Windows AD node. Also, do we need to do any extra configuration in AD in order to start communication between both servers (I mean any kind of certificate)?

Regards,
Manoj K

Manoj K
Jan 4, 2017, 4:01:19 AM
to Event-Driven Servers
Dear Colleagues, please help. 

Daniel Hartmeier
Jan 4, 2017, 4:32:32 AM
to event-driv...@googlegroups.com
On Wed, Jan 04, 2017 at 01:01:19AM -0800, Manoj K wrote:

> Dear Colleagues, please help.

You didn't post your tac_plus.cfg, what you describe could be explained
by a simple missing

pap backend = mavis

HTH,
Daniel

Manoj K
Jan 4, 2017, 5:53:20 AM
to Event-Driven Servers, dan...@benzedrine.ch
I am trying to build an "AD + TACACS+ Linux" setup; all Linux nodes will use the TACACS+ server for user authentication. But user authentication is failing when I try to log in from a Linux client.


This is the tac_plus.cfg file:

-------------------------------------------------------------------------------------------------------------------

#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
         access log = /var/log/tac_plus/access/%Y%m%d.log
         accounting log = /var/log/tac_plus/acct/%Y%m%d.log

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "10.112.5.165:3268"
                #setenv LDAP_SCOPE = sub
                setenv LDAP_BASE = "cn=Users,dc=Salat,dc=local"
                setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
                setenv LDAP_USER = "tac...@salat.local"
                setenv LDAP_PASSWD = admin@123
                setenv AD_GROUP_PREFIX = tacacs
                #setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                setenv FLAG_USE_MEMBEROF = 1
                #setenv FLAG_CHPW = 1
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
                
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis

        host = 0.0.0.0/0 {
                #key = cisco
                #enable 15 = clear admin@123
                key = cisco
        }

        group = admin {
                default service = permit
                service = shell {
                default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        group = guest {
                default service = permit
                enable = deny
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 1
                }
        }

        user = cisco {
                password = clear cisco
                member = admin
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        user = readonly {
                password = clear readonly
                member = guest
        }
}

---------------------------------------------------------------------------------------------------------------------------------------

# /usr/local/bin/mavistest -d -1 /usr/local/etc/tac_plus.cfg tac_plus TACPLUS  tacacs admin@123

==>

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-12781-1483526976-0
USER                tacacs
PASSWORD            admin@123
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-12781-1483526976-0
USER                tacacs
RESULT              ACK
PASSWORD            admin@123
SERIAL              ZhFF6zhw6gGp81I3bjIMIg=
DBPASSWORD          admin@123
TACTYPE             AUTH

------------------------------------------------------------------------------------------------
# cat /etc/pam.d/tacacs
#%PAM-1.0
auth       sufficient   /usr/local/pam_tacplus/lib/security/pam_tacplus.so debug server=192.168.10.27 secret=cisco
account    sufficient   /usr/local/pam_tacplus/lib/security/pam_tacplus.so debug server=192.168.10.27 secret=cisco service=ppp protocol=ssh
session    sufficient   /usr/local/pam_tacplus/lib/security/pam_tacplus.so debug server=192.168.10.27 secret=cisco service=ppp protocol=ssh



----------------------------------------------------------------------------------------------------------------------------------------------------------

Daniel Hartmeier
Jan 4, 2017, 6:23:43 AM
to Manoj K, Event-Driven Servers
The 52e error you see in LDAP traffic indicates the LDAP server is
receiving an invalid password for a user.

You can enable debug logging by adding

debug = PACKET AUTHEN AUTHOR MAVIS PROC

to the id = tac_plus {} section in tac_plus.cfg and then
check the log for lines containing user_msg.

Are the user and the password really the same as in your successful
mavistest run (admin@123 vs. admin123)?

Daniel

Manoj K
Jan 4, 2017, 7:21:50 AM
to Event-Driven Servers, manojk...@gmail.com, dan...@benzedrine.ch
Yes, the password is correct. Here I am using the Microsoft AD service (MS2012) for authentication, and I am able to log in to the MS server directly using this username/password. So is there any extra configuration I need to do in AD or on the MS server?

-----------------------------------------------------------------------
The tcpdump output between the TACACS+ server <=> AD server is given below:


lXL%
lXe)
tac...@salat.local
        admin@123
lXc1
cn=Users,dc=Salat,dc=local
objectclass
user
sAMAccountName
tacacs0
lX%4
$CN=tacacs,CN=Users,DC=salat,DC=local0
$CN=tacacs,CN=Users,DC=salat,DC=local
X80090308: LdapErr: DSID-0C0903D9, comment: AcceptSecurityContext error, data 52e, v2580


------------------------------------------------------------------------------------------------------------------------------------

Daniel Hartmeier
Jan 4, 2017, 7:40:05 AM
to Manoj K, Event-Driven Servers
On Wed, Jan 04, 2017 at 04:21:50AM -0800, Manoj K wrote:

> tcpdump o/p is given below between TACACS+ server <=> AD server

This doesn't show what the TACACS client sent as password, only the
password configured as LDAP_PASSWD.

Note that there are two LDAP binds (logins), first using the credentials
in LDAP_USER/LDAP_PASSWD to do a search for the user, then a second
using the found CN and with the password supplied by the client.

I suggest you enable debugging in the TACACS server config and check the
password sent by the client.

Daniel

Manoj K
Jan 4, 2017, 8:09:49 AM
to Event-Driven Servers, manojk...@gmail.com, dan...@benzedrine.ch
I have enabled the same in the tac_plus.cfg file, but didn't find anything either in the logs or in tcpdump; it shows only ssh auth failed in the system logs.


----------------------------------------------------------------------------------------------------------------------------
id = tac_plus {
         access log = /var/log/tac_plus/access/%Y%m%d.log
         accounting log = /var/log/tac_plus/acct/%Y%m%d.log
         debug = PACKET AUTHEN AUTHOR MAVIS PROC

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"

-----------------------------------------------------------------------------------------------------------------
System messages:


Jan  4 08:01:31 tacasc tac_plus[12964]: 192.168.10.25 pap login for 'tacacs' from 10.233.32.198 on ssh failed
Jan  4 08:02:51 tacasc tac_plus[12964]: 192.168.10.25 pap login for 'tacacs' from 10.233.32.198 on ssh failed

-------------------------------------------------------------------------------------------------------------------------------------------------

Daniel Hartmeier
Jan 4, 2017, 8:33:22 AM
to Manoj K, Event-Driven Servers
On Wed, Jan 04, 2017 at 05:09:48AM -0800, Manoj K wrote:

> i have enabled the same in tac_plus.cfg file, but didn't find anything
> either in logs or in tcpdump, showing only ssh auth failed in system logs.

Try stopping the TACACS daemon and starting it manually with

tac_plus -f -d 532518 /path/to/tac_plus.cfg

and you should see the debug output directly.

Daniel

Manoj K
Jan 4, 2017, 10:03:33 AM
to Event-Driven Servers, manojk...@gmail.com, dan...@benzedrine.ch
Below is the output I am getting while running in debug mode; it says "user lookup failed" in realm default.


----------------------------------------------------------------------------------------------------------------------------
[root@tacasc ~]# tac_plus -f -d 532518 /usr/local/etc/tac_plus.cfg
13160: 19:00:00.000 0/00000000: - Version 201611061407 initialized
13160: 10:00:34.561 0/00000000: - cidr match level 0 = (unnamed)
13160: 10:00:34.561 0/00000000: - connection request from 192.168.10.26 (key: cisco)
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 New session
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 ---<start packet>---
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 key used: cisco
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 version: 193, type: 1, seq no: 1, flags: unencrypted
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 session id: 7ef01279 data length: 44
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 AUTHEN/START, priv_lvl=0
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 action=login (1)
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 authen_type=pap (2)
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 service=ppp (3)
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 user_len=7 port_len=3 rem_addr_len=13
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 data_len=13
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 user (len: 7): tactest
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 0000 74 61 63 74 65 73 74                              tactest
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 port (len: 3): ssh
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 0000 73 73 68                                          ssh
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 rem_addr (len: 13): 192.168.10.27
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 0000 31 39 32 2e 31 36 38 2e  31 30 2e 32 37           192.168. 10.27
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 data (len: 13): \b\n\r\177INCORRECT
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 0000 08 0a 0d 7f 49 4e 43 4f  52 52 45 43 54           ....INCO RRECT
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 ---<end packet>---
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 authen: hdr->seq_no: 1
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 looking for user tactest realm default
13160: 10:00:34.561 0/7912f07e: 192.168.10.26 user lookup failed
13160: 10:00:34.581 0/7912f07e: 192.168.10.26 looking for user tactest realm default
13160: 10:00:34.581 0/7912f07e: 192.168.10.26 user lookup failed
13160: 10:00:34.581 0/7912f07e: 192.168.10.26 pap login for 'tactest' from 192.168.10.27 on ssh failed
13160: 10:00:34.581 0/7912f07e: 192.168.10.26 Writing AUTHEN/FAIL size=18
13160: 10:00:34.581 0/7912f07e: 192.168.10.26 ---<start packet>---
13160: 10:00:34.581 0/7912f07e: 192.168.10.26 key used: cisco
13160: 10:00:34.581 0/7912f07e: 192.168.10.26 version: 193, type: 1, seq no: 2, flags: unencrypted
13160: 10:00:34.581 0/7912f07e: 192.168.10.26 session id: 7ef01279 data length: 6
13160: 10:00:34.581 0/7912f07e: 192.168.10.26 AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
13160: 10:00:34.581 0/7912f07e: 192.168.10.26 msg_len=0, data_len=0
13160: 10:00:34.581 0/7912f07e: 192.168.10.26 msg (len: 0):
13160: 10:00:34.581 0/7912f07e: 192.168.10.26 data (len: 0):
13160: 10:00:34.581 0/7912f07e: 192.168.10.26 ---<end packet>---

------------------------------------------------------------------------------------------------------------------------------------------------------ 

Daniel Hartmeier
Jan 4, 2017, 10:29:22 AM
to Manoj K, Event-Driven Servers
On Wed, Jan 04, 2017 at 07:03:33AM -0800, Manoj K wrote:

> Below o/p am getting while in running in debug mode, it saying like "user
> lookup failed" in realm default

> 13160: 10:00:34.561 0/7912f07e: 192.168.10.26 user (len: 7): tactest

So now you're trying to login as user tactest?

Your working mavistest example shows login as user tacacs.

tactest != tacacs

Daniel

Manoj K
Jan 4, 2017, 11:17:02 AM
to Event-Driven Servers, manojk...@gmail.com, dan...@benzedrine.ch
Yes, I tried with both users, but I get the same error in both cases.

---------------------------------------------------------------------------------------------------

13095: 09:47:45.603 0/e32df97b: 192.168.10.27 ---<start packet>---
13095: 09:47:45.603 0/e32df97b: 192.168.10.27 key used: cisco
13095: 09:47:45.603 0/e32df97b: 192.168.10.27 version: 192, type: 3, seq no: 2, flags: unencrypted
13095: 09:47:45.603 0/e32df97b: 192.168.10.27 session id: 7bf92de3 data length: 5
13095: 09:47:45.603 0/e32df97b: 192.168.10.27 ACCT/REPLY status=1, msg_len=0, data_len=0
13095: 09:47:45.603 0/e32df97b: 192.168.10.27 msg (len: 0):
13095: 09:47:45.603 0/e32df97b: 192.168.10.27 data (len: 0):
13095: 09:47:45.603 0/e32df97b: 192.168.10.27 ---<end packet>---
13095: 09:48:14.831 1/00000000: - cidr match level 0 = (unnamed)
13095: 09:48:14.831 1/00000000: - connection request from 192.168.10.25 (key: cisco)
13095: 09:48:14.832 1/0430474e: 192.168.10.25 New session
13095: 09:48:14.832 1/0430474e: 192.168.10.25 ---<start packet>---
13095: 09:48:14.832 1/0430474e: 192.168.10.25 key used: cisco
13095: 09:48:14.832 1/0430474e: 192.168.10.25 version: 193, type: 1, seq no: 1, flags: unencrypted
13095: 09:48:14.832 1/0430474e: 192.168.10.25 session id: 4e473004 data length: 43
13095: 09:48:14.832 1/0430474e: 192.168.10.25 AUTHEN/START, priv_lvl=0
13095: 09:48:14.832 1/0430474e: 192.168.10.25 action=login (1)
13095: 09:48:14.832 1/0430474e: 192.168.10.25 authen_type=pap (2)
13095: 09:48:14.832 1/0430474e: 192.168.10.25 service=ppp (3)
13095: 09:48:14.832 1/0430474e: 192.168.10.25 user_len=6 port_len=3 rem_addr_len=13
13095: 09:48:14.832 1/0430474e: 192.168.10.25 data_len=13
13095: 09:48:14.832 1/0430474e: 192.168.10.25 user (len: 6): tacacs
13095: 09:48:14.832 1/0430474e: 192.168.10.25 0000 74 61 63 61 63 73                                 tacacs
13095: 09:48:14.832 1/0430474e: 192.168.10.25 port (len: 3): ssh
13095: 09:48:14.832 1/0430474e: 192.168.10.25 0000 73 73 68                                          ssh
13095: 09:48:14.832 1/0430474e: 192.168.10.25 rem_addr (len: 13): 10.236.26.215
13095: 09:48:14.832 1/0430474e: 192.168.10.25 0000 31 30 2e 32 33 36 2e 32  36 2e 32 31 35           10.236.2 6.215
13095: 09:48:14.832 1/0430474e: 192.168.10.25 data (len: 13): \b\n\r\177INCORRECT
13095: 09:48:14.832 1/0430474e: 192.168.10.25 0000 08 0a 0d 7f 49 4e 43 4f  52 52 45 43 54           ....INCO RRECT
13095: 09:48:14.832 1/0430474e: 192.168.10.25 ---<end packet>---
13095: 09:48:14.832 1/0430474e: 192.168.10.25 authen: hdr->seq_no: 1
13095: 09:48:14.832 1/0430474e: 192.168.10.25 looking for user tacacs realm default
13095: 09:48:14.832 1/0430474e: 192.168.10.25 user lookup failed
13095: 09:48:14.880 1/0430474e: 192.168.10.25 looking for user tacacs realm default
13095: 09:48:14.880 1/0430474e: 192.168.10.25 user lookup failed
13095: 09:48:14.880 1/0430474e: 192.168.10.25 pap login for 'tacacs' from 10.236.26.215 on ssh failed
13095: 09:48:14.880 1/0430474e: 192.168.10.25 Writing AUTHEN/FAIL size=18
13095: 09:48:14.880 1/0430474e: 192.168.10.25 ---<start packet>---
13095: 09:48:14.880 1/0430474e: 192.168.10.25 key used: cisco
13095: 09:48:14.880 1/0430474e: 192.168.10.25 version: 193, type: 1, seq no: 2, flags: unencrypted
13095: 09:48:14.880 1/0430474e: 192.168.10.25 session id: 4e473004 data length: 6
13095: 09:48:14.880 1/0430474e: 192.168.10.25 AUTHEN status=2 (AUTHEN/FAIL) flags=0x0
13095: 09:48:14.880 1/0430474e: 192.168.10.25 msg_len=0, data_len=0
13095: 09:48:14.880 1/0430474e: 192.168.10.25 msg (len: 0):
13095: 09:48:14.880 1/0430474e: 192.168.10.25 data (len: 0):
13095: 09:48:14.880 1/0430474e: 192.168.10.25 ---<end packet>---

-------------------------------------------------------------------------------------------------------------------------------------------

Daniel Hartmeier
Jan 4, 2017, 11:49:46 AM
to Manoj K, Event-Driven Servers
On Wed, Jan 04, 2017 at 08:17:02AM -0800, Manoj K wrote:

> 13095: 09:48:14.832 1/0430474e: 192.168.10.25 user (len: 6): tacacs

> 13095: 09:48:14.832 1/0430474e: 192.168.10.25 data (len: 13):
> \b\n\r\177INCORRECT
> 13095: 09:48:14.832 1/0430474e: 192.168.10.25 0000 08 0a 0d 7f 49 4e 43 4f
> 52 52 45 43 54 ....INCO RRECT

This is the problem.

For some reason, your client is sending this strange password,
consisting of backspace, newline, carriage return, delete, INCORRECT.

How are you logging into the client? On a local console, manually typing
the password on a physical keyboard? And you're typing in admin@123?

Or through the network, like with ssh?

It looks like more of an issue with pam_tacplus on the client than with
the tac_plus configuration...

> 13095: 09:48:14.832 1/0430474e: 192.168.10.25 user lookup failed

This is not an error, it simply means the user wasn't found directly in
the config (like local user cisco would be). The authentication can
still succeed, if the group membership from AD results in a lookup
succeeding subsequently. But since LDAP authentication of the user is
failing (due to the bad password), there are no group memberships
returned.

Daniel

Daniel Hartmeier
Jan 4, 2017, 11:57:32 AM
to Manoj K, Event-Driven Servers
On Wed, Jan 04, 2017 at 05:49:43PM +0100, Daniel Hartmeier wrote:

> It looks like more of an issue with pam_tacplus on the client than with
> the tac_plus configuration...

Oh joy, sshd will pass password "INCORRECT" through PAM when getpwnam()
fails, i.e. when the user doesn't exist locally on the client, and NSS
isn't properly set up.

Read https://github.com/jeroennijhof/pam_tacplus/issues/28

I'm afraid I can't help much further, good luck!

Daniel
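The sshd placeholder behaviour Daniel describes shows up directly in the `tac_plus -f -d` output quoted earlier in the thread. The following Python script is an added example, not part of this thread nor of tac_plus or pam_tacplus: it parses the AUTHEN/START `user` and `data` fields from debug lines in the format quoted above (the sample lines are constructed in that shape) and flags sessions where the "password" is sshd's fixed substitute, so the fault can be placed on the client's NSS setup rather than on the server or AD.

```python
import re

# sshd substitutes this fixed string for the password when getpwnam() fails on
# the client (login name unknown to NSS), as the thread explains.
SSHD_FAKE_PASSWORD = "\b\n\r\x7fINCORRECT"

# tac_plus -d prints non-printable bytes as C-style escapes; \NNN is octal.
_ESCAPES = {"b": "\b", "n": "\n", "r": "\r", "t": "\t", "\\": "\\"}

def unescape_tacplus(text):
    """Turn an escaped field value from a tac_plus debug line back into the raw string."""
    return re.sub(r"\\([0-7]{1,3}|.)",
                  lambda m: chr(int(m[1], 8)) if m[1][0] in "01234567" else _ESCAPES.get(m[1], m[1]),
                  text)

# Matches e.g. "13095: 09:48:14.832 1/0430474e: 192.168.10.25 data (len: 13): \b\n\r\177INCORRECT"
LINE_RE = re.compile(
    r"^\d+: \S+ (?P<session>\S+): (?P<peer>\S+) (?P<field>user|data) "
    r"\(len: (?P<len>\d+)\):\s?(?P<value>.*)$"
)

def parse_sessions(log_text):
    """Collect the first user and data field of each session, i.e. from the AUTHEN/START packet."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = sessions.setdefault(m["session"], {"peer": m["peer"]})
        if m["field"] not in rec:  # the AUTHEN/FAIL reply reuses the session id; keep the first value
            rec[m["field"]] = unescape_tacplus(m["value"])
            rec[m["field"] + "_len_ok"] = len(rec[m["field"]]) == int(m["len"])
    return sessions

def diagnose(rec):
    """Classify one session: sshd placeholder password vs. a password the user actually typed."""
    data = rec.get("data")
    if data is None:
        return "no AUTHEN/START data field seen"
    if data == SSHD_FAKE_PASSWORD:
        return ("client sent sshd's placeholder password: user %r is not resolvable on the "
                "client (getpwnam failed); fix NSS/local account there, not tac_plus" % rec.get("user"))
    return "client forwarded a real password; check the LDAP bind (AD data 52e means bad credentials)"

def diagnose_log(log_text):
    return {sid: diagnose(rec) for sid, rec in parse_sessions(log_text).items()}

# Constructed sample lines in the shape of the tac_plus -d output quoted in the thread.
SAMPLE_LOG = r"""13095: 09:48:14.832 1/0430474e: 192.168.10.25 user (len: 6): tacacs
13095: 09:48:14.832 1/0430474e: 192.168.10.25 data (len: 13): \b\n\r\177INCORRECT
13095: 09:48:14.832 1/0430474e: 192.168.10.25 user lookup failed
13095: 09:48:14.880 1/0430474e: 192.168.10.25 data (len: 0):
13095: 09:50:02.115 1/0430474f: 192.168.10.25 user (len: 6): tacacs
13095: 09:50:02.115 1/0430474f: 192.168.10.25 data (len: 9): admin@123
"""
```

Running `diagnose_log(SAMPLE_LOG)` reports the first session as the sshd placeholder case and the second as a genuinely forwarded password, which is the distinction between a client-side NSS problem and an AD credential problem.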

Manoj K
Jan 4, 2017, 12:02:55 PM
to Event-Driven Servers, manojk...@gmail.com, dan...@benzedrine.ch
Yes, manually typing the password on a physical keyboard, typing in admin@123, but through the network, via ssh.

I did the client-level config by following the "https://github.com/jeroennijhof/pam_tacplus" link.

This is my pam_tacplus config:

[root@ltt-rh7 pam.d]# cat tacacs
#%PAM-1.0
auth       required   /usr/local/pam_tacplus/lib/security/pam_tacplus.so debug server=192.168.10.27 secret=cisco login=pap
account    required   /usr/local/pam_tacplus/lib/security/pam_tacplus.so debug secret=cisco service=ppp protocol=ssh
session    required   /usr/local/pam_tacplus/lib/security/pam_tacplus.so debug server=192.168.10.27 secret=cisco service=ppp protocol=ssh