Unable to use netd with tacacs auth

I enabled TACACS per https://docs.cumulusnetworks.com/display/DOCS/TACACS+Plus , and am able to log into the device with my TACACS auth info. However, I've been unable to get netd to actually allow me to execute anything. Per the docs, I updated /etc/netd.conf to have:

users_with_edit = root, cumulus, tacacs0
groups_with_edit = netedit, tacacs
users_with_show = root, cumulus, tacacs0
groups_with_show = netshow, tacacs

(my user gets mapped to tacacs0)

Then I restarted netd. I still get "user does not have permission to make networking changes" when I try to execute a command like "net add routing route".

The default netd logs are fairly useless, and I didn't see any obvious knobs to turn on verbose logging.... however, netd is just python, so I was able to add my own tracing:
2017-06-26T20:32:34.802095+00:00 cumulus netd: INFO: pid 15869 uid 1001 gid 1001
2017-06-26T20:32:34.802436+00:00 cumulus netd: INFO: RXed: user myuser, command '/usr/bin/net add routing route'
2017-06-26T20:32:34.806276+00:00 cumulus netd: DEBUG: mapped uid 1001 to user myuser
2017-06-26T20:32:34.806545+00:00 cumulus netd: DEBUG: users with edit: {'cumulus': True, 'tacacs0': True, 'root': True}
2017-06-26T20:32:34.806791+00:00 cumulus netd: DEBUG: groups with edit: tacacs
2017-06-26T20:32:34.807020+00:00 cumulus netd: DEBUG: users in group tacacs: []
2017-06-26T20:32:34.807232+00:00 cumulus netd: DEBUG: groups with edit: netedit
2017-06-26T20:32:34.807486+00:00 cumulus netd: DEBUG: users in group netedit: []

uid 1001 is the tacacs0 user, so that part makes sense. The issue seems to come from the pwd.getpwuid call. This seems to use /var/run/tacacs_client_map to map uid 1001 to my actual tacacs username (myuser). Then, netd tries to look up the actual username in the config... only to fail.

Has anyone configured netd successfully here? Having to list every possible user in netd.conf defeats the purpose of having tacacs configured in the first place.

This is a Cumulus VX instance, and I am running nclu 1.0-cl3u8

4 replies

Userlevel 3
There was a bug in nclu looking up of groups when there were multiple groups, in some cases. I think that was fixed in 3.3. After that, I think it was fixed. You have the 3.3 version.

You should be adding your tacacs login name, not tacacs0, for users. I've tested this and it works well for me. If you are allowing group tacacs for everything, you shouldn't need to add to the users list.

As I recall, if you edit netd to set the default log level to DEBUG, you'll get more useful info on what netd thinks is happening with permissions.

I just re-tested, and there is still a problem with groups, and with name lookup with that version of nclu.

olsont@superm-redxp-02:mgmt-vrf:~$ grep tacacs /etc/netd.conf  groups_with_show = netshow,tacacs  olsont@superm-redxp-02:mgmt-vrf:~$ id  uid=1016(olsont) gid=1001(tacacs) groups=1001(tacacs)  olsont@superm-redxp-02:mgmt-vrf:~$ groups  tacacs  olsont@superm-redxp-02:mgmt-vrf:~$ net show version  user tacacs15 does not have permission to run show commands  ### restart netd here in another window; I think the last restart was before I enabled tacacs clients  olsont@superm-redxp-02:mgmt-vrf:~$ net show version  user olsont does not have permission to run show commands  ### restart again after adding olsont   olsont@superm-redxp-02:mgmt-vrf:~$ grep olsont /etc/netd.conf  users_with_show = root, cumulus, olsont  olsont@superm-redxp-02:mgmt-vrf:~$ net show version  NCLU_VERSION=1.0  DISTRIB_ID="Cumulus Linux"  DISTRIB_RELEASE=3.3.2~1497558383.6a15ffe  DISTRIB_DESCRIPTION="Cumulus Linux 3.3.2~1497558383.6a15ffe"       so it's clear something is still wrong with the group lookup in nclu.  I'll file a bug.

Ah, if I'm supposed to be adding my tacacs login name to the config, then the documentation is definitely wrong:

> For the above command to enable TACACS+ privilege level 0 users to run the net show commands, edit the file /etc/netd.conf and add tacacs0 to the users_with_show line.

Enabling DEBUG logging didn't really seem to give me any additional output, but it was easy enough to just log the extra information.

Userlevel 3
Thanks for pointing that out. That was the case originally, but I never got the docs updated. I'll get them fixed.
Userlevel 3
Sorry for the mixup here. I updated the docs. https://docs.cumulusnetworks.com/display/DOCS/TACACS+Plus#TACACSPlus-CommandOptions