RE: tac_plus AD integration with PAM

I am running CentOS

R/

Danny Rivera
SSI Project Manager
ITC Network Engineer
w.571.258.6667
c.757.581.6597

________________________________________
From: pam-list-bounces@xxxxxxxxxx <pam-list-bounces@xxxxxxxxxx> on behalf of Yu Wang <yuwang@xxxxxxxxxx>
Sent: Thursday, March 20, 2014 1:13 PM
To: Pluggable Authentication Modules
Subject: RE: tac_plus AD integration with PAM

What is your OS and its major release version? If it's Redhat 6, it'll be
/etc/pam_ldap.conf. If your OS is not Redhat 6, then you may need to
create a hard link for /etc/ldap.conf that links to
/etc/openldap/ldap.conf. You can do ldapsearch from the command line to test
your query. strace would show which ldap.conf it reads. Once you can
get a valid query result from the CLI, you can move on to test tacacs. Also make
sure AD is listening on the port that is defined in ldap.conf and your
server is allowed to access the port (a simple telnet test from your
server will do).

I am not sure how you would use pam_krb5 to do authorization (retrieving
account information). For authentication, pam_krb5.so uses the password handed
down by the pam stack. How does pam_krb5.so talk to AD without a password in the pam
account part? Its option is to use a valid kerberos ticket or a keytab. Is
there a valid ticket for pam_krb5.so to use (the account that tacacs+ runs
on)? Do you have a keytab created in AD for this server?
Also, what result will pam_krb5.so get from AD? A unix style uid or a
principal name (with @domain attached)? I only used pam_krb5.so for
authentication, so someone else can answer these questions.


Yu

On Thu, 20 Mar 2014, Donato Rivera wrote:

> Yu,
>
> Thank you for the contribution and help.
>
> I have tried changing these settings with no change.  I am not sure if my ldap.conf is correct or if I need to link it to another file.  Currently it sits in this dir: /etc/openldap/ldap.conf.
>
> I used the krb5.conf file going off the instructions found on the shrubbery.net forums, which recommended using krb5 and not ldap for Active Directory integration with tac_plus.
>
> Going from a paid application to this solution has had challenges but this is really the last hurdle to cross so I am open to trying any configuration at this point.
>
> I will keep trying variations of your suggestion and let you know the outcome.
>
> Once again thank you for the post and if you have any other suggestions please pass them along.
>
> Danny
>
> ________________________________________
> From: pam-list-bounces@xxxxxxxxxx <pam-list-bounces@xxxxxxxxxx> on behalf of Yu Wang <yuwang@xxxxxxxxxx>
> Sent: Thursday, March 20, 2014 10:56 AM
> To: Pluggable Authentication Modules
> Subject: Re: tac_plus AD integration with PAM
>
> Try using pam_ldap for the account (authorize) part. You will need to create
> pam_ldap.conf or ldap.conf, depending on your server OS, to query a user's
> attribute (uid).
>
> Your pam.d/tac_plus account part would look like:
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so   <------
> account     required      pam_permit.so
>
>
>
> On Thu, 20 Mar 2014, Donato Rivera wrote:
>
>> Greetings,
>>
>>
>> I am attempting to integrate my tac_plus solution with AD using PAM. I have tried numerous iterations I found online with no luck. I am listing my config below, the krb5.conf seems to pass which I will also list. Any assistance is greatly appreciated.
>>
>>
>> AD Credentials Test using kerberos:
>>
>>
>> [root@pam.d]# kinit Dan
>> Password for Dan@domain:
>>
>> [root@pam.d]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Dan@domain
>>
>> Valid starting     Expires            Service principal
>> 03/20/14 10:00:50  03/20/14 20:00:56  krbtgt/domain
>>        renew until 03/27/14 10:00:50
>>
>>
>> Configuration:
>>
>>
>> /etc/tac_plus.conf
>>
>> key = "TestKey"
>> accounting file = /var/log/tac.acct.log
>> # authentication users not appearing elsewhere via
>> # the file /etc/passwd
>> #default authentication = file /etc/passwd
>>
>>
>> # A group that can change some limited configuration on switchports
>> # related to host-side network configuration
>>
>> group = Admin {
>>         # login = file /etc/passwd
>>         # or authenticated via PAM:
>>         # login = PAM
>>         service = exec {
>>                 priv-lvl = 15
>>         }
>> }
>>
>> user = dan {
>>        login = PAM
>>        member = Admin
>> }
>>
>>
>> /etc/pam.d/tac_plus
>>
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>> auth        sufficient    pam_krb5.so use_first_pass
>> auth        required      pam_deny.so
>>
>> account     required      pam_unix.so broken_shadow
>> account     sufficient    pam_localuser.so
>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
>> account     required      pam_permit.so
>>
>> password    requisite     pam_cracklib.so try_first_pass retry=3
>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password    sufficient    pam_krb5.so use_authtok
>> password    required      pam_deny.so
>>
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session     required      pam_unix.so
>> session     optional      pam_krb5.so
>>
>>
>> /etc/krb5.conf
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = domain_name
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24h
>> renew_lifetime = 7d
>> forwardable = true
>>
>> [realms]
>> domain_name = {
>>  kdc = x.x.x.x
>>  admin_server = x.x.x.x
>> }
>>
>> [domain_realm]
>> domain_name = domain_name
>>
>>
>> Thanks,
>>
>> Danny
>>
>
> --
> --Yu Wang
>
> ****************************************************
>       Computer & Network System Administrator
> ****************************************************
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list
>

--
--Yu Wang

****************************************************
       Computer & Network System Administrator
****************************************************

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
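To see how the control flags in the account stack Yu suggested combine, and which module's result ends up deciding the outcome for a local user versus a directory-only one, here is an added Python example. It is not code from this thread, from tac_plus or from Linux-PAM: it parses pam.d lines (keyword and bracket controls), walks them following the control-flag semantics documented in pam.conf(5), and takes each module's return code from the caller, so the scenarios it runs are assumed inputs rather than anything observed on Danny's server.

```python
"""Linux-PAM control-flag walkthrough for an account stack.

Added example for this thread, not code from the pam-list post or from
tac_plus/Linux-PAM.  It parses pam.d-style lines (keyword and bracket
controls), then walks the stack the way Linux-PAM's dispatcher does so
you can see which module decides the outcome.  Per-module return codes
are supplied by the caller as strings; nothing here contacts AD, LDAP or
Kerberos.  EXAMPLE_ACCOUNT_STACK is the account stack suggested in the
thread, wrapped into one string here.
"""
import re

# Keyword controls expanded to their bracket equivalents, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# type, control (keyword or [...]), module, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

EXAMPLE_ACCOUNT_STACK = """
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
"""


def parse_stack(text, service_type):
    """Return [(module, {retcode: action}, args)] for lines of one type."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable pam line: %r" % raw)
        mtype, control, module, args = m.groups()
        if mtype != service_type:
            continue
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        entries.append((module, actions, args))
    return entries


def run_stack(entries, results):
    """Walk the stack and return (final_code, trace).

    results maps module name -> return code ("success", "user_unknown",
    "acct_expired", ...); modules not listed are assumed to return
    "success".  The impression/status bookkeeping follows Linux-PAM's
    dispatcher: 'ok'/'done' only overwrite an undecided or successful
    state, 'bad'/'die' lock in the first failure, and an undecided
    stack is denied.
    """
    impression, status, skip, trace = None, None, 0, []
    for module, actions, _args in entries:
        if skip:
            skip -= 1
            trace.append((module, "skipped", None))
            continue
        ret = results.get(module, "success")
        action = actions.get(ret, actions.get("default", "bad"))
        trace.append((module, ret, action))
        if action in ("ok", "done") or action.isdigit():
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break                      # sufficient/done: decision made
            if action.isdigit():
                skip = int(action)         # jump over the next N modules
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break                      # requisite/die: stop immediately
        elif action == "reset":
            impression, status = None, None
        # "ignore": the module contributes nothing to the result
    if impression is None or (status == "success" and impression != "positive"):
        return "perm_denied", trace
    return status, trace


def decide(stack_text, results, service_type="account"):
    """Convenience wrapper: parse and run in one call."""
    return run_stack(parse_stack(stack_text, service_type), results)


if __name__ == "__main__":
    # Constructed scenario: a directory-only user whom NSS cannot resolve, so
    # pam_unix reports user_unknown even though pam_ldap would say success.
    final, trace = decide(EXAMPLE_ACCOUNT_STACK, {
        "pam_unix.so": "user_unknown", "pam_localuser.so": "user_unknown",
        "pam_succeed_if.so": "user_unknown", "pam_ldap.so": "success"})
    for step in trace:
        print("%-20s returned %-13s -> %s" % step)
    print("stack result:", final)
```

Running it with pam_unix.so returning user_unknown shows the `required` entry locking in a negative result that the later pam_ldap.so success cannot override; with pam_unix.so succeeding, pam_ldap.so's own result (success or, say, acct_expired) decides, and a local user is admitted by pam_localuser.so before pam_ldap.so is ever consulted. That is the distinction to keep in mind when reading the account-stack advice above: the first `required` module has to be able to resolve the user before the LDAP check matters.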
