Hi,
On Wed, Dec 21, 2022 at 10:55 AM Sumit Bose <sbose(a)redhat.com> wrote:
Am Tue, Dec 20, 2022 at 07:14:42PM -0600 schrieb Sundar Vadivelu:
> Hi all,
> I am working on a system which does TACACS+ authentication of users with
> pam_tacplus and nss_tacplus libraries
> nss_tacplus: https://github.com/benschumacher/nss_tacplus
> pam_tacplus: https://github.com/kravietz/pam_tacplus
>
> This solution relied on NSCD to be running, since the nss_tacplus only
> implemented getpwnam_r. For getpwuid_r etc. it relied on the cached entries
> in nscd. It was working fine until Fedora removed NSCD from glibc in FC36
> (https://fedoraproject.org/wiki/Changes/RemoveNSCD).
>
> The above write-up indicates that SSSD could be used to cover all caching
> requirements that were previously provided by NSCD. However, I am unable to
> configure SSSD for my use case.
>
> When I tried to link the id_provider as proxy and the proxy_lib_name as
> tacplus, sssd fails to come up. It fails with this error:
>
>
> (2022-12-19 23:32:35): [be[shadowutils]] [sss_load_nss_symbols] (0x0010):
> Library 'libnss_tacplus.so.2' did not provide mandatory symbol
> 'getpwuid_r', error: /lib64/libnss_tacplus.so.2: undefined symbol:
> _nss_tacplus_getpwuid_r.
Hi,
it would, of course, be possible to make getpwuid_r not mandatory in
proxy_load_nss_symbols(). But I wonder if you know the reason why this
is not implemented in libnss_tacplus.so.2?
nss module uses `tac_author_send()` from protocol lib provided by pam module:
https://github.com/kravietz/pam_tacplus/blob/4f91b0de2be88d02984bef8fb0f6...
From a quick glance it looks like TACACS+ protocol just doesn't
support "anything-by-UID".
It looks like it's all about "by-name" only:
- https://datatracker.ietf.org/doc/html/rfc8907#name-the-authorization-requ...
- https://datatracker.ietf.org/doc/html/rfc8907#name-the-authentication-sta...
I'm asking because to work
properly this requires that the user must be looked up by name first. If
e.g. you call 'ls -al /home' you would only see the UIDs of those users
resolved which were looked up by name before, and for all other home
directories only the UID is displayed, which at least seems unexpected if
not a bad user experience.
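Before pointing `id_provider = proxy` at an NSS module, it is worth checking which `_nss_<name>_*` entry points the library actually exports, since SSSD's proxy provider dlsym()s them and aborts on a missing mandatory one (the `sss_load_nss_symbols` error quoted above). The following is an added example, not code from the thread or from SSSD; it assumes binutils `nm` is installed and leaves the symbol list to the caller, because the thread only establishes that `getpwuid_r` is mandatory.

```shell
#!/bin/sh
# Added example: report which requested NSS entry points a module does not define.
# Assumptions: `nm` (binutils) is available; the caller supplies the list of
# symbols to check (e.g. getpwnam_r getpwuid_r); versioned symbols (sym@@VER)
# are not handled.

# nss_missing_from_listing NAME SYMBOL...
# Reads `nm -D --defined-only` output on stdin and prints, one per line, each
# SYMBOL for which no "_nss_NAME_SYMBOL" definition appears in the listing.
nss_missing_from_listing() {
    name="$1"; shift
    listing=$(cat)
    for sym in "$@"; do
        # nm prints "<addr> <type> <symbol>"; compare the last column only.
        if ! printf '%s\n' "$listing" |
             awk -v want="_nss_${name}_${sym}" \
                 '$NF == want { found = 1 } END { if (found) exit 0; exit 1 }'; then
            printf '%s\n' "$sym"
        fi
    done
}

# nss_check_module LIBPATH NAME SYMBOL...
# Convenience wrapper that runs nm on the module itself, e.g.:
#   nss_check_module /lib64/libnss_tacplus.so.2 tacplus getpwnam_r getpwuid_r
# Prints the missing symbols (empty output means all were found).
nss_check_module() {
    lib="$1"; name="$2"; shift 2
    nm -D --defined-only "$lib" | nss_missing_from_listing "$name" "$@"
}
```

Any symbol it prints is one SSSD would have to be told is optional (as Sumit suggests for `getpwuid_r`) or one the module would have to implement.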