TACACS Auth Supported in Cumulus?

  • 17 November 2015
  • 35 replies
  • 8401 views


Dave, here are the outputs.

/etc/pam.d/*
cumulus@san-af145-cls-6712-04:~$ grep tacplus /etc/pam.d/*
/etc/pam.d/common-account:account [authinfo_unavail=ignore success=done default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login protocol=ssh service=shell
/etc/pam.d/common-auth:auth [authinfo_unavail=ignore success=done default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login protocol=ssh service=shell
/etc/pam.d/common-session:session [authinfo_unavail=ignore success=done default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login protocol=ssh service=shell
/etc/pam.d/common-session-noninteractive:session [authinfo_unavail=ignore success=done default=ignore] pam_tacplus.so include=/etc/tacplus_servers login=login protocol=ssh service=shell

and here is:

dpkg -l \*tac\* | grep cl3
ii audisp-tacplus 1.0.0-cl3eau1 amd64 audisp module for TACACS+ accounting
ii libnss-tacplus 1.0.1-cl3eau1 amd64 NSS module for TACACS+ authentication without local passwd entry
ii libpam-tacplus 1.4.0-cl3eau1 amd64 PAM module for using TACACS+ as an authentication service
ii libsimple-tacacct1 1.0.0-cl3eau1 amd64 simple library for TACACS+ accounting
ii libtac2 1.4.0-cl3eau1 amd64 TACACS+ protocol library
ii libtac2-bin 1.4.0-cl3eau1 amd64 TACACS+ client program
ii libtacplus-map1 1.0.0-cl3eau1 amd64 Library for mapping TACACS+ users without local /etc/passwd entries
ii tacplus-client 1.0.0-cl3eau1 all This meta-package provides packages to implement TACACS+ clients

I installed it by just doing an 'apt-get install tacplus-client' after enabling the early release features. After installing it and adding the server and TACACS key to /etc/tacplus-servers and /etc/tacplus-nss.conf files I restarted the auditd service (sudo systemctl restart auditd) and tried to authenticate.

Thanks.

--Ehsan
Userlevel 3
That all looks right, but for some reason, PAM isn't using tacplus. Debugging PAM itself is painful.

Logged in as root (*not* entering your password unless you consider it a throwaway; just '^C' if you get a password prompt), can you run 'strace -vtf -s128 -o /tmp/z /bin/login yourtacacslogin', and then email /tmp/z to me at olson@cumulusnetworks.com?

Also the output from 'grep -C4 tacplus /etc/pam.d/*'. It's possible that there is something wrong with placement of the tacplus lines.

I won't be able to look at it until tomorrow, most likely, I have a council meeting to attend this evening.
Thanks Dave. I have sent the files to your email from my corporate email account.

--Ehsan
Userlevel 3
For posterity, we partly resolved this in email, and I implemented a number of fixes to the early access packages that were available with CL 3.1. Those fixes, and some additional features (primarily per-command authorization) are available in CL 3.2.
Userlevel 1
While it seems as though TACACS+ is configured correctly, we are having a problem authenticating initially to our Cumulus switches. If we create a user local to the switch and/or authenticate to one of our enterprise devices (Cisco), only then can we authenticate to the Cumulus box successfully.
Example:
  • login directly to Cumulus switch via TACACS with username johndoe - Fail
  • create a local username (johndoe) on Cumulus switch and login via TACACS - Successful
  • successfully authenticate to an enterprise Cisco switch via TACACS with username johndoe, then log into the Cumulus switch (via TACACS) without a local username - Successful
"Include=/etc/tacplus_servers login=login protocol=ssh service=shell" is configured on the common-account, common-auth
Userlevel 3
It sounds like you may be using the upstream libpam-tacplus, B. If you are on CL 3.2 or later, please install the client-tacplus metapackage, to get all the tacacs functionality. The login= service= protocol= lines in the PAM files are no longer needed. I should remove those in the CL version of the package.

After you install and get things configured, try the 'sudo getent passwd sometacacsuser' test. If you can't get that to work, login won't work either. So if it doesn't work, enable debug as documented in the user guide and see if you can figure out what is wrong. If not, post some followup info and I'll see if I can help.

If you are on 3.0 or 3.1, upgrade to 3.2; it has lots of fixes. If you are on 2.5.x, getting tacacs to work is still possible, but much harder.
Userlevel 1
Thanks Dave.

Tacplus-client was already installed and was at the newest version, at the time we conducted the tests.

I was able to get a successful response with the getent command, however the problem still exists.

johndoe@cumulus-switch:~$ dpkg -l \*tac\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-============================-===================-===================-==============================================================
ii audisp-tacplus 1.0.0-cl3u3 armel audisp module for TACACS+ accounting
ii dtach 0.8-2.1 armel emulates the detach/attach feature of screen
ii libnss-tacplus 1.0.1-cl3u3 armel NSS module for TACACS+ authentication without local passwd ent
ii libpam-tacplus 1.4.0-cl3u2 armel PAM module for using TACACS+ as an authentication service
ii libsimple-tacacct1 1.0.0-cl3u2 armel simple library for TACACS+ accounting
ii libtac2 1.4.0-cl3u2 armel TACACS+ protocol library
ii libtac2-bin 1.4.0-cl3u2 armel TACACS+ client program
ii libtacplus-map1 1.0.0-cl3u2 armel Library for mapping TACACS+ users without local /etc/passwd en
ii tacplus-auth 1.0.0-cl3u2 armel Front end command for TACACS+ per-command authorization
ii tacplus-client 1.0.1-cl3u2 all This meta-package provides packages to implement TACACS+ clien

johndoe@cumulus-switch~# apt-get install tacplus-client
Reading package lists... Done
Building dependency tree
Reading state information... Done
tacplus-client is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

johndoe@cumulus-switch:~# sudo getent passwd someuser test
someuser:x:1016:1001:TACACS+ mapped user at privilege level 15,,,:/home/tacacs15:/bin/bash
Userlevel 3
Good. Communication with the server is working, and all the basic code paths are working. Add debug=1 to /etc/tacplus_servers, start a 'tail -f /var/log/syslog' from another ssh session on the switch, and then try to login. If there isn't anything that immediately points to the problem in that tail -f output, paste it here up through the failed login attempt, and I hope I'll be able to spot the problem, or at least suggest something else to try.
Userlevel 1
Hey Dave,
The "debug=1" was already added to the file at the time of testing.
The logs below show:
  • a few (2) failed authentications to the Cumulus switch;
  • then a successful authentication (not shown here) to a Cisco device on our network;
  • then a return to the Cumulus switch, where I was able to authenticate successfully, but only after logging into the Cisco device.
Failed Attempt
2017-04-25T13:42:29.608984+00:00 Switch-C sshd[20466]: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:42:29.609580+00:00 Switch-C sshd[20466]: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:42:35.409986+00:00 Switch-C dhcrelay: send_packet: No such device
2017-04-25T13:42:35.410779+00:00 Switch-C dhcrelay: send_packet: No such device
2017-04-25T13:42:35.891034+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server x.x.x.x replies user someuser invalid (16)
2017-04-25T13:42:36.177994+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server y.y.y.y replies user someuser invalid (16)
2017-04-25T13:42:36.178591+00:00 Switch-C sshd[20466]: Invalid user someuser from x.x.x.x
2017-04-25T13:42:36.179101+00:00 Switch-C sshd[20466]: input_userauth_request: invalid user someuser [preauth]
2017-04-25T13:42:44.268827+00:00 Switch-C systemd[1]: Starting Monitor system resources (cpu, memory, disk)...
2017-04-25T13:42:44.270045+00:00 Switch-C systemd[1]: Started Monitor system resources (cpu, memory, disk).
2017-04-25T13:42:44.276386+00:00 Switch-C bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:42:44.277021+00:00 Switch-C bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:42:44.277516+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:42:46.280057+00:00 Switch-C dhcrelay: send_packet: No such device
2017-04-25T13:42:46.281061+00:00 Switch-C dhcrelay: send_packet: No such device
2017-04-25T13:42:49.989835+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server x.x.x.x replies user someuser invalid (16)
2017-04-25T13:42:50.276721+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server y.y.y.y replies user someuser invalid (16)
2017-04-25T13:42:50.569399+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server x.x.x.x replies user someuser invalid (16)
2017-04-25T13:42:50.854689+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server y.y.y.y replies user someuser invalid (16)
2017-04-25T13:42:50.855264+00:00 Switch-C sshd[20466]: pam_unix(sshd:auth): check pass; user unknown
2017-04-25T13:42:50.855710+00:00 Switch-C sshd[20466]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=laptop.somedomain.com
2017-04-25T13:42:52.659333+00:00 Switch-C sshd[20466]: Failed password for invalid user someuser from x.x.x.x port 52574 ssh2
2017-04-25T13:42:55.127329+00:00 Switch-C dhcrelay: send_packet: No such device
2017-04-25T13:42:55.128283+00:00 Switch-C dhcrelay: send_packet: No such device
2017-04-25T13:43:04.308297+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server x.x.x.x replies user someuser invalid (16)
2017-04-25T13:43:04.595290+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server y.y.y.y replies user someuser invalid (16)
2017-04-25T13:43:04.887678+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server x.x.x.x replies user someuser invalid (16)
2017-04-25T13:43:05.172679+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server y.y.y.y replies user someuser invalid (16)
2017-04-25T13:43:05.173244+00:00 Switch-C sshd[20466]: pam_unix(sshd:auth): check pass; user unknown
2017-04-25T13:43:07.004074+00:00 Switch-C dhcrelay: send_packet: No such device
2017-04-25T13:43:07.005018+00:00 Switch-C dhcrelay: send_packet: No such device
2017-04-25T13:43:07.373523+00:00 Switch-C sshd[20466]: Failed password for invalid user someuser from x.x.x.x port 52574 ssh2
2017-04-25T13:43:19.796282+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server x.x.x.x replies user someuser invalid (16)
2017-04-25T13:43:20.081101+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server y.y.y.y replies user someuser invalid (16)
2017-04-25T13:43:20.371897+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server x.x.x.x replies user someuser invalid (16)
2017-04-25T13:43:20.658925+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server y.y.y.y replies user someuser invalid (16)
2017-04-25T13:43:20.661064+00:00 Switch-C sshd[20466]: pam_unix(sshd:auth): check pass; user unknown
2017-04-25T13:43:22.582994+00:00 Switch-C sshd[20466]: Failed password for invalid user someuser from x.x.x.x port 52574 ssh2
2017-04-25T13:43:32.645592+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server x.x.x.x replies user someuser invalid (16)
2017-04-25T13:43:32.930446+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server y.y.y.y replies user someuser invalid (16)
2017-04-25T13:43:33.220150+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server x.x.x.x replies user someuser invalid (16)
2017-04-25T13:43:33.506533+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server y.y.y.y replies user someuser invalid (16)
2017-04-25T13:43:33.507123+00:00 Switch-C sshd[20466]: pam_unix(sshd:auth): check pass; user unknown
2017-04-25T13:43:35.213887+00:00 Switch-C sshd[20466]: Failed password for invalid user someuser from x.x.x.x port 52574 ssh2
2017-04-25T13:43:47.563351+00:00 Switch-C systemd[1]: Starting Monitor system resources (cpu, memory, disk)...
2017-04-25T13:43:47.565148+00:00 Switch-C systemd[1]: Started Monitor system resources (cpu, memory, disk).

Successful attempt after authenticating to a Cisco device on our network
2017-04-25T13:43:47.571962+00:00 Switch-C bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:43:47.572613+00:00 Switch-C bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:43:47.573144+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:44:26.254511+00:00 Switch-C sshd[20482]: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:26.255634+00:00 Switch-C sshd[20482]: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:40.314167+00:00 Switch-C sshd[20482]: nss_tacplus: TACACS+ server x.x.x.x successful for user someuser. local lookup no match
2017-04-25T13:44:50.265259+00:00 Switch-C sshd[20482]: nss_tacplus: TACACS+ server x.x.x.x successful for user someuser. local lookup no match
2017-04-25T13:44:50.265823+00:00 Switch-C PAM-tacplus[20482]: 2 servers defined
2017-04-25T13:44:50.266309+00:00 Switch-C PAM-tacplus[20482]: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:50.266752+00:00 Switch-C PAM-tacplus[20482]: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:50.267418+00:00 Switch-C PAM-tacplus[20482]: tac_service='shell'
2017-04-25T13:44:50.267878+00:00 Switch-C PAM-tacplus[20482]: tac_protocol='ssh'
2017-04-25T13:44:50.268379+00:00 Switch-C PAM-tacplus[20482]: tac_prompt=''
2017-04-25T13:44:50.268829+00:00 Switch-C PAM-tacplus[20482]: tac_login='login'
2017-04-25T13:44:50.272558+00:00 Switch-C sshd[20482]: pam_sm_authenticate: called (pam_tacplus v1.3.8)
2017-04-25T13:44:50.274554+00:00 Switch-C sshd[20482]: pam_sm_authenticate: user [someuser] obtained
2017-04-25T13:44:50.277883+00:00 Switch-C sshd[20482]: tacacs_get_password: called
2017-04-25T13:44:50.279651+00:00 Switch-C sshd[20482]: tacacs_get_password: obtained password
2017-04-25T13:44:50.281576+00:00 Switch-C sshd[20482]: pam_sm_authenticate: password obtained
2017-04-25T13:44:50.283662+00:00 Switch-C sshd[20482]: pam_sm_authenticate: tty [ssh] obtained
2017-04-25T13:44:50.285626+00:00 Switch-C sshd[20482]: pam_sm_authenticate: rhost [laptop.somedomain.com] obtained
2017-04-25T13:44:50.288801+00:00 Switch-C sshd[20482]: find_tac_server: trying srv 0
2017-04-25T13:44:50.559494+00:00 Switch-C sshd[20482]: tacacs status: TAC_PLUS_AUTHEN_STATUS_GETPASS
2017-04-25T13:44:50.560501+00:00 Switch-C sshd[20482]: tac_auth_converse: tac_cont_send called
2017-04-25T13:44:50.843753+00:00 Switch-C sshd[20482]: tacacs status: TAC_PLUS_AUTHEN_STATUS_PASS
2017-04-25T13:44:50.844937+00:00 Switch-C sshd[20482]: find_tac_server: active srv 0
2017-04-25T13:44:50.845462+00:00 Switch-C sshd[20482]: pam_sm_authenticate: exit with pam status: 0
2017-04-25T13:44:51.237225+00:00 Switch-C sshd[20482]: nss_tacplus: TACACS+ server x.x.x.x successful for user someuser. local lookup no match
2017-04-25T13:44:51.238132+00:00 Switch-C PAM-tacplus[20482]: 2 servers defined
2017-04-25T13:44:51.240068+00:00 Switch-C PAM-tacplus[20482]: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:51.242319+00:00 Switch-C PAM-tacplus[20482]: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:51.244377+00:00 Switch-C PAM-tacplus[20482]: tac_service='shell'
2017-04-25T13:44:51.246450+00:00 Switch-C PAM-tacplus[20482]: tac_protocol='ssh'
2017-04-25T13:44:51.248484+00:00 Switch-C PAM-tacplus[20482]: tac_prompt=''
2017-04-25T13:44:51.250101+00:00 Switch-C PAM-tacplus[20482]: tac_login='login'
2017-04-25T13:44:51.250922+00:00 Switch-C sshd[20482]: pam_sm_acct_mgmt: called (pam_tacplus v1.3.8)
2017-04-25T13:44:51.251877+00:00 Switch-C sshd[20482]: do_tac_connect: reconnecting to server
2017-04-25T13:44:51.332248+00:00 Switch-C sshd[20482]: talk_tac_server: sent authorization request
2017-04-25T13:44:51.527671+00:00 Switch-C sshd[20482]: pam_sm_acct_mgmt: user [someuser] successfully authorized
2017-04-25T13:44:51.528308+00:00 Switch-C sshd[20482]: pam_sm_acct_mgmt: returned attribute 'PRIV_LVL(=15)' from server
2017-04-25T13:44:51.631938+00:00 Switch-C sshd[20482]: Accepted password for someuser from x.x.x.x port 52579 ssh2
2017-04-25T13:44:51.638280+00:00 Switch-C PAM-tacplus[20482]: 2 servers defined
2017-04-25T13:44:51.639983+00:00 Switch-C PAM-tacplus[20482]: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:51.641376+00:00 Switch-C PAM-tacplus[20482]: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:51.643145+00:00 Switch-C PAM-tacplus[20482]: tac_service='shell'
2017-04-25T13:44:51.645259+00:00 Switch-C PAM-tacplus[20482]: tac_protocol='ssh'
2017-04-25T13:44:51.646982+00:00 Switch-C PAM-tacplus[20482]: tac_prompt=''
2017-04-25T13:44:51.648311+00:00 Switch-C PAM-tacplus[20482]: tac_login='login'
2017-04-25T13:44:51.650102+00:00 Switch-C sshd[20482]: pam_sm_setcred: called (pam_tacplus v1.3.8)
2017-04-25T13:44:52.029504+00:00 Switch-C sshd[20482]: nss_tacplus: TACACS+ server x.x.x.x successful for user someuser. local lookup no match
2017-04-25T13:44:52.319194+00:00 Switch-C sshd[20482]: nss_tacplus: TACACS+ server x.x.x.x successful for user someuser. local lookup no match
2017-04-25T13:44:52.609680+00:00 Switch-C sshd[20482]: nss_tacplus: TACACS+ server x.x.x.x successful for user someuser. local lookup no match
2017-04-25T13:44:52.610282+00:00 Switch-C PAM-tacplus[20482]: 2 servers defined
2017-04-25T13:44:52.610742+00:00 Switch-C PAM-tacplus[20482]: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:52.611206+00:00 Switch-C PAM-tacplus[20482]: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:52.611663+00:00 Switch-C PAM-tacplus[20482]: tac_service='shell'
2017-04-25T13:44:52.612124+00:00 Switch-C PAM-tacplus[20482]: tac_protocol='ssh'
2017-04-25T13:44:52.612594+00:00 Switch-C PAM-tacplus[20482]: tac_prompt=''
2017-04-25T13:44:52.613213+00:00 Switch-C PAM-tacplus[20482]: tac_login='login'
2017-04-25T13:44:52.613703+00:00 Switch-C sshd[20482]: _pam_account: [start] called (pam_tacplus v1.3.8)
2017-04-25T13:44:52.614271+00:00 Switch-C sshd[20482]: _pam_account: username [someuser] obtained
2017-04-25T13:44:52.614782+00:00 Switch-C sshd[20482]: _pam_account: tty [ssh] obtained
2017-04-25T13:44:52.615295+00:00 Switch-C sshd[20482]: _pam_account: rhost [laptop.somedomain.com] obtained
2017-04-25T13:44:52.704351+00:00 Switch-C sshd[20482]: _pam_account: connected with fd=5 (srv 0)
2017-04-25T13:44:52.896569+00:00 Switch-C sshd[20482]: _pam_account: [start] for [someuser] sent
2017-04-25T13:44:52.903900+00:00 Switch-C audisp-tacplus: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:52.905374+00:00 Switch-C audisp-tacplus: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:52.918334+00:00 Switch-C bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:52.920166+00:00 Switch-C bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:52.921700+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:44:52.929973+00:00 Switch-C bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:52.930629+00:00 Switch-C bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:52.931212+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:44:52.977818+00:00 Switch-C bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:52.978520+00:00 Switch-C bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:52.979102+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:44:53.017546+00:00 Switch-C bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:53.018275+00:00 Switch-C bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:53.018803+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:44:53.027017+00:00 Switch-C bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:53.027742+00:00 Switch-C bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:53.028287+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:44:53.065703+00:00 Switch-C sshd[20482]: pam_unix(sshd:session): session opened for user someuser by (uid=0)
2017-04-25T13:44:53.356146+00:00 Switch-C sshd[20482]: nss_tacplus: TACACS+ server x.x.x.x successful for user someuser. local lookup no match
2017-04-25T13:44:53.647160+00:00 Switch-C sshd[20482]: nss_tacplus: TACACS+ server x.x.x.x successful for user someuser. local lookup no match
2017-04-25T13:44:53.938060+00:00 Switch-C sshd[20482]: nss_tacplus: TACACS+ server x.x.x.x successful for user someuser. local lookup no match
2017-04-25T13:44:54.044465+00:00 Switch-C PAM-tacplus[20514]: 2 servers defined
2017-04-25T13:44:54.046612+00:00 Switch-C PAM-tacplus[20514]: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:54.049138+00:00 Switch-C PAM-tacplus[20514]: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:54.051517+00:00 Switch-C PAM-tacplus[20514]: tac_service='shell'
2017-04-25T13:44:54.054048+00:00 Switch-C PAM-tacplus[20514]: tac_protocol='ssh'
2017-04-25T13:44:54.056466+00:00 Switch-C PAM-tacplus[20514]: tac_prompt=''
2017-04-25T13:44:54.058906+00:00 Switch-C PAM-tacplus[20514]: tac_login='login'
2017-04-25T13:44:54.061246+00:00 Switch-C sshd[20514]: pam_sm_setcred: called (pam_tacplus v1.3.8)
2017-04-25T13:44:54.625120+00:00 Switch-C sshd[20482]: nss_tacplus: TACACS+ server x.x.x.x successful for user someuser. local lookup no match
2017-04-25T13:44:54.822499+00:00 Switch-C -bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:54.823659+00:00 Switch-C -bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:58.094384+00:00 Switch-C systemd[1]: Starting Monitor system resources (cpu, memory, disk)...
2017-04-25T13:44:58.094987+00:00 Switch-C systemd[1]: Started Monitor system resources (cpu, memory, disk).
2017-04-25T13:44:58.101226+00:00 Switch-C bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:44:58.102253+00:00 Switch-C bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:44:58.102861+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.003428+00:00 Switch-C bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:45:02.004190+00:00 Switch-C bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:45:02.004721+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.011739+00:00 Switch-C bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:45:02.012581+00:00 Switch-C bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:45:02.013244+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.057066+00:00 Switch-C bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:45:02.057777+00:00 Switch-C bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:45:02.058335+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.095761+00:00 Switch-C bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:45:02.096394+00:00 Switch-C bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:45:02.096861+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.103618+00:00 Switch-C bash: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:45:02.104240+00:00 Switch-C bash: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:45:02.104715+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.138851+00:00 Switch-C CRON[20558]: pam_unix(cron:session): session opened for user root by (uid=0)
2017-04-25T13:45:02.144824+00:00 Switch-C logrotate: nss_tacplus: server[0] { addr=x.x.x.x, key='xxxxxxx' }
2017-04-25T13:45:02.145465+00:00 Switch-C logrotate: nss_tacplus: server[1] { addr=y.y.y.y, key='xxxxxxx' }
2017-04-25T13:45:02.146013+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.146506+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.147010+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.147496+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.148001+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.148487+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.149253+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.149924+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.150573+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.151233+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.151900+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.153546+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.155454+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.155990+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.156461+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.156937+00:00 Switch-C logrotate: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:45:02.161593+00:00 Switch-C CRON[20558]: (root) END ( /usr/sbin/logrotate /etc/logrotate.conf)
2017-04-25T13:45:02.167982+00:00 Switch-C CRON[20558]: pam_unix(cron:session): session closed for user root
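As an added example (my own triage script, not code from the thread or from Cumulus), the following groups the syslog lines above by sshd pid and tells apart the case where the TACACS+ server answered "invalid" to the NSS lookup (so sshd rejects the name before pam_tacplus ever runs and only pam_unix shows up) from a genuine PAM authentication failure. The sample lines are copied from the post, with addresses and key redacted as posted; the session field names and the diagnosis codes are my own.

```python
import re
from collections import defaultdict

# Sample lines copied from the thread's syslog excerpt (addresses and key redacted as posted):
# pid 20466 is the failed attempt, pid 20482 the successful one; the bash line is noise.
SAMPLE_LOG = """\
2017-04-25T13:42:35.891034+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server x.x.x.x replies user someuser invalid (16)
2017-04-25T13:42:36.177994+00:00 Switch-C sshd[20466]: nss_tacplus: TACACS+ server y.y.y.y replies user someuser invalid (16)
2017-04-25T13:42:36.178591+00:00 Switch-C sshd[20466]: Invalid user someuser from x.x.x.x
2017-04-25T13:42:50.855264+00:00 Switch-C sshd[20466]: pam_unix(sshd:auth): check pass; user unknown
2017-04-25T13:42:52.659333+00:00 Switch-C sshd[20466]: Failed password for invalid user someuser from x.x.x.x port 52574 ssh2
2017-04-25T13:43:47.573144+00:00 Switch-C bash: nss_tacplus: uid 0 < min_uid 1001, don't lookup
2017-04-25T13:44:40.314167+00:00 Switch-C sshd[20482]: nss_tacplus: TACACS+ server x.x.x.x successful for user someuser. local lookup no match
2017-04-25T13:44:50.843753+00:00 Switch-C sshd[20482]: tacacs status: TAC_PLUS_AUTHEN_STATUS_PASS
2017-04-25T13:44:50.845462+00:00 Switch-C sshd[20482]: pam_sm_authenticate: exit with pam status: 0
2017-04-25T13:44:51.528308+00:00 Switch-C sshd[20482]: pam_sm_acct_mgmt: returned attribute 'PRIV_LVL(=15)' from server
2017-04-25T13:44:51.631938+00:00 Switch-C sshd[20482]: Accepted password for someuser from x.x.x.x port 52579 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
NSS_INVALID_RE = re.compile(r"nss_tacplus: TACACS\+ server (\S+) replies user (\S+) invalid \((\d+)\)")
NSS_OK_RE = re.compile(r"nss_tacplus: TACACS\+ server (\S+) successful for user (\S+?)(?=[.\s]|$)")
AUTHEN_RE = re.compile(r"tacacs status: (TAC_PLUS_AUTHEN_STATUS_\w+)")
PRIV_RE = re.compile(r"PRIV_LVL\(=(\d+)\)")
ACCEPTED_RE = re.compile(r"^Accepted \w+ for (\S+) from (\S+)")
FAILED_RE = re.compile(r"^Failed \w+ for (?:invalid user )?(\S+) from (\S+)")

EXPLANATION = {  # diagnosis codes are my own labels, not pam_tacplus/nss_tacplus terms
    "ok": "NSS lookup and TACACS+ PAM authentication both succeeded",
    "nss_user_unknown": ("every TACACS+ server answered 'invalid' to the NSS lookup, so sshd rejected "
                         "the name before pam_tacplus ran (only pam_unix is logged); "
                         "the account needs fixing on the TACACS+ server, not on the switch"),
    "authen_failed": "the user resolved via NSS but the TACACS+ password exchange did not return PASS",
    "inconclusive": "no decisive TACACS+ event for this session; keep debug=1 on and retry",
}

def parse_sessions(log_text):
    """Group sshd lines by pid and record the TACACS+-relevant events for each login."""
    sessions = defaultdict(lambda: {"user": None, "rhost": None, "nss_invalid": set(),
                                    "nss_ok": set(), "authen_status": None, "priv_lvl": None,
                                    "pam_unix_unknown": False, "result": None})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        # Only sshd[pid] lines belong to a login; bash/logrotate uid-0 lookups are noise here.
        if not m or m["proc"] != "sshd" or not m["pid"]:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        if x := NSS_INVALID_RE.search(msg):
            s["nss_invalid"].add(x[1]); s["user"] = x[2]
        elif x := NSS_OK_RE.search(msg):
            s["nss_ok"].add(x[1]); s["user"] = x[2]
        elif x := AUTHEN_RE.search(msg):
            s["authen_status"] = x[1]
        elif x := PRIV_RE.search(msg):
            s["priv_lvl"] = int(x[1])
        elif "pam_unix(sshd:auth): check pass; user unknown" in msg:
            s["pam_unix_unknown"] = True
        elif x := ACCEPTED_RE.match(msg):
            s["result"], s["user"], s["rhost"] = "accepted", x[1], x[2]
        elif x := FAILED_RE.match(msg):
            s["result"], s["user"], s["rhost"] = "failed", x[1], x[2]
    return dict(sessions)

def diagnose(s):
    """Classify one sshd session; EXPLANATION maps each code to what to check next."""
    if s["result"] == "accepted":
        return "ok"
    if s["nss_invalid"] and not s["nss_ok"]:
        return "nss_user_unknown"
    if s["nss_ok"] and s["authen_status"] != "TAC_PLUS_AUTHEN_STATUS_PASS":
        return "authen_failed"
    return "inconclusive"

def summarize(log_text):
    """Return one (pid, user, code) tuple per sshd session, in pid order."""
    sessions = parse_sessions(log_text)
    return [(pid, s["user"], diagnose(s)) for pid, s in sorted(sessions.items())]

if __name__ == "__main__":
    for pid, user, code in summarize(SAMPLE_LOG):
        print(f"sshd[{pid}] user={user}: {code} - {EXPLANATION[code]}")
```

Note that with debug=1 the `server[n] { addr=..., key=... }` lines carry the configured TACACS+ key, so redact them before pasting a log anywhere and remove debug=1 from /etc/tacplus_servers once the problem is found.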
Userlevel 3
This from the cumulus:
   Invalid user someuser from x.x.x.x
means that the tacacs server did not consider "someuser" to be valid. Why it would work after you logged in from some other device, I don't know. Perhaps the server is set up for some kind of first use authentication from a known device on a new account?

Do you have log access to the tacacs server, and/or access to see its configuration? It would be interesting to see what the server logs show for the failed access from cumulus, the successful access from another device, and then the successful access from cumulus.

What is the tacacs server, by the way? I don't think I asked earlier, and I don't see it in your posting (I may have missed it).

I don't think this can be anything we do differently from our tacacs client, but the server logs might indicate something.