tac_plus and PAM issue

Support for security such as Firewalls and securing linux
Post Reply
williamk7
Posts: 2
Joined: 2018/02/23 06:24:33

tac_plus and PAM issue

Post by williamk7 » 2018/02/23 06:48:26

Hello,

Am trying to get tac_plus from the NUX repo working with Active Directory. Authentication works fine with local accounts on CentOS server, but when I try to authenticate on a switch with an Active Directory account it will fail on the first two attempts but then succeed on the third attempt. The only way I can get Active Directory authentication to work is to set selinix to permissive in /etc/selinux/config. Tac_plus is using PAM to authenticate the user. The PAM stack for tac_plus (/etc/pam.d/tac_plus) looks like this:
auth required pam_nologin.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth

Understanding PAM and how it works with sssd and active directory is a bit of a mystery to me. I can ssh into the CentOS server using Active Directory accounts with no issues. It authenticates the first time every time. So it seems my options are to keep selinux set at permissive system wide or figure out how to get PAM working correctly with tac_plus. Any thoughts?

In logs below you can see the first two fails and then the success:

Feb 22 22:41:38 PF-TACAC-BU fprintd[20215]: Launching FprintObject
Feb 22 22:41:38 PF-TACAC-BU fprintd[20215]: D-Bus service launched with name: net.reactivated.Fprint
Feb 22 22:41:38 PF-TACAC-BU fprintd[20215]: entering main loop
Feb 22 22:41:50 PF-TACAC-BU tac_plus[20217]: connect from 192.168.90.36 [192.168.90.36]
Feb 22 22:42:03 PF-TACAC-BU tac_plus[20214]: 192.168.90.36 tty1: fd 2 eof (connection closed)
Feb 22 22:42:03 PF-TACAC-BU tac_plus[20214]: Read -1 bytes from 192.168.90.36 tty1, expecting 12
Feb 22 22:42:03 PF-TACAC-BU tac_plus[20214]: Error 192.168.90.36 tty1: Null reply packet, expecting CONTINUE
Feb 22 22:42:04 PF-TACAC-BU tac_plus[20218]: connect from 192.168.90.36 [192.168.90.36]
Feb 22 22:42:05 PF-TACAC-BU tac_plus[20214]: login failure: switch 192.168.90.36 (192.168.90.36) tty1
Feb 22 22:42:05 PF-TACAC-BU tac_plus[20214]: 192.168.90.36: exception on fd 2
Feb 22 22:42:09 PF-TACAC-BU fprintd[20215]: No devices in use, exit
Feb 22 22:42:09 PF-TACAC-BU tac_plus[20217]: 192.168.90.36 tty1: fd 2 eof (connection closed)
Feb 22 22:42:09 PF-TACAC-BU tac_plus[20217]: Read -1 bytes from 192.168.90.36 tty1, expecting 12
Feb 22 22:42:09 PF-TACAC-BU tac_plus[20217]: Error 192.168.90.36 tty1: Null reply packet, expecting CONTINUE
Feb 22 22:42:11 PF-TACAC-BU tac_plus[20217]: login failure: switch 192.168.90.36 (192.168.90.36) tty1
Feb 22 22:42:11 PF-TACAC-BU tac_plus[20217]: 192.168.90.36: exception on fd 2
Feb 22 22:42:15 PF-TACAC-BU tac_plus[20218]: pam_sss(tac_plus:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=switch

Post Reply