Hi all, I am working on a system which does TACACS+ authentication of users with the pam_tacplus and nss_tacplus libraries:
nss_tacplus: https://github.com/benschumacher/nss_tacplus
pam_tacplus: https://github.com/kravietz/pam_tacplus
This solution relied on NSCD to be running, since the nss_tacplus only implemented getpwnam_r. For getpwuid_r etc. it relied on the cached entries in nscd. It was working fine until Fedora removed NSCD from glibc in FC36 (https://fedoraproject.org/wiki/Changes/RemoveNSCD).
The above write-up indicates that SSSD could be used to cover all caching requirements that were previously provided by NSCD. However, I am unable to configure SSSD for my use case.
When I tried to link the id_provider as proxy and the proxy_lib_name as tacplus, sssd fails to come up. It fails with this error:
(2022-12-19 23:32:35): [be[shadowutils]] [sss_load_nss_symbols] (0x0010): Library 'libnss_tacplus.so.2' did not provide mandatory symbol 'getpwuid_r', error: /lib64/libnss_tacplus.so.2: undefined symbol: _nss_tacplus_getpwuid_r.
Is there any way to use sssd with the above mentioned nss_tacplus library? By this I mean can sssd be configured to do getpwnam only using the nss_tacplus, at which time it could cache the passwd details of the user, and use the cache for the other APIs like getpwuid etc?
_________________________________________________
Am Tue, Dec 20, 2022 at 07:14:42PM -0600 schrieb Sundar Vadivelu:
> Hi all, I am working on a system which does TACACS+ authentication of users with the pam_tacplus and nss_tacplus libraries:
> nss_tacplus: https://github.com/benschumacher/nss_tacplus
> pam_tacplus: https://github.com/kravietz/pam_tacplus
> This solution relied on NSCD to be running, since the nss_tacplus only implemented getpwnam_r. For getpwuid_r etc. it relied on the cached entries in nscd. It was working fine until Fedora removed NSCD from glibc in FC36 (https://fedoraproject.org/wiki/Changes/RemoveNSCD).
> The above write-up indicates that SSSD could be used to cover all caching requirements that were previously provided by NSCD. However, I am unable to configure SSSD for my use case.
> When I tried to link the id_provider as proxy and the proxy_lib_name as tacplus, sssd fails to come up. It fails with this error:
> (2022-12-19 23:32:35): [be[shadowutils]] [sss_load_nss_symbols] (0x0010): Library 'libnss_tacplus.so.2' did not provide mandatory symbol 'getpwuid_r', error: /lib64/libnss_tacplus.so.2: undefined symbol: _nss_tacplus_getpwuid_r.
Hi,
it would, of course, be possible to make getpwuid_r not mandatory in proxy_load_nss_symbols(). But I wonder if you know the reason why this is not implemented in libnss_tacplus.so.2? I'm asking because, to work properly, this requires that the user must be looked up by name first. If e.g. you call 'ls -al /home' you would only see the names of those users which were looked up by name before, and for all other home directories only the UID is displayed, which at least seems unexpected if not a bad user experience.
bye, Sumit
> Is there any way to use sssd with the above mentioned nss_tacplus library? By this I mean can sssd be configured to do getpwnam only using the nss_tacplus, at which time it could cache the passwd details of the user, and use the cache for the other APIs like getpwuid etc?
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
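Sumit's point is that SSSD's proxy provider resolves each NSS entry point as a `_nss_<proxy_lib_name>_<function>` symbol from the module, and refuses to start when a mandatory one is absent. The following is an added example, not code from the thread or from either project, that probes a module the same way (via dlopen/dlsym through ctypes) so the gap can be seen before sssd is configured; it assumes the module path from the error message (/lib64/libnss_tacplus.so.2), and its function list is an illustrative sample of passwd/group entry points, not SSSD's exact mandatory set.

```python
import ctypes
import sys

# Sample of passwd/group entry points a proxy-style consumer such as SSSD may
# ask an NSS module for. This list is an assumption for the demo, not SSSD's
# exact mandatory set; the thread only states that getpwuid_r is mandatory and
# that getpwnam_r is the one entry point nss_tacplus implements.
NSS_FUNCS = ["getpwnam_r", "getpwuid_r", "setpwent", "getpwent_r", "endpwent",
             "getgrnam_r", "getgrgid_r"]


def nss_symbol_names(module, funcs=NSS_FUNCS):
    """Map NSS function names to the exported symbol names glibc/SSSD look for.

    For proxy_lib_name = tacplus, 'getpwuid_r' becomes '_nss_tacplus_getpwuid_r'.
    """
    return ["_nss_%s_%s" % (module, f) for f in funcs]


def probe_symbols(lib_path, symbols):
    """dlopen() lib_path (None = the running process, i.e. libc itself) and
    report which of the given symbol names dlsym() can resolve.

    Returns {symbol: bool}. Raises OSError if the library cannot be loaded.
    """
    lib = ctypes.CDLL(lib_path)
    found = {}
    for name in symbols:
        try:
            getattr(lib, name)   # ctypes resolves the name via dlsym()
            found[name] = True
        except AttributeError:   # undefined symbol, same failure sssd logged
            found[name] = False
    return found


def check_nss_module(module, lib_path):
    """Return the list of NSS entry points the module does NOT export."""
    status = probe_symbols(lib_path, nss_symbol_names(module))
    return [name for name, present in status.items() if not present]


if __name__ == "__main__":
    # Defaults taken from the sssd error in the thread; override on the command line.
    module = sys.argv[1] if len(sys.argv) > 1 else "tacplus"
    path = sys.argv[2] if len(sys.argv) > 2 else "/lib64/libnss_%s.so.2" % module
    missing = check_nss_module(module, path)
    for name in nss_symbol_names(module):
        print("%-32s %s" % (name, "MISSING" if name in missing else "ok"))
```

Run as `python3 probe_nss.py tacplus /lib64/libnss_tacplus.so.2`; a module that only implements getpwnam_r will show every other entry point as MISSING, which is exactly the by-name-only behaviour discussed above.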
Hi,
On Wed, Dec 21, 2022 at 10:55 AM Sumit Bose sbose@redhat.com wrote:
> Am Tue, Dec 20, 2022 at 07:14:42PM -0600 schrieb Sundar Vadivelu:
> > Hi all, I am working on a system which does TACACS+ authentication of users with the pam_tacplus and nss_tacplus libraries:
> > nss_tacplus: https://github.com/benschumacher/nss_tacplus
> > pam_tacplus: https://github.com/kravietz/pam_tacplus
> > This solution relied on NSCD to be running, since the nss_tacplus only implemented getpwnam_r. For getpwuid_r etc. it relied on the cached entries in nscd. It was working fine until Fedora removed NSCD from glibc in FC36 (https://fedoraproject.org/wiki/Changes/RemoveNSCD).
> > The above write-up indicates that SSSD could be used to cover all caching requirements that were previously provided by NSCD. However, I am unable to configure SSSD for my use case.
> > When I tried to link the id_provider as proxy and the proxy_lib_name as tacplus, sssd fails to come up. It fails with this error:
> > (2022-12-19 23:32:35): [be[shadowutils]] [sss_load_nss_symbols] (0x0010): Library 'libnss_tacplus.so.2' did not provide mandatory symbol 'getpwuid_r', error: /lib64/libnss_tacplus.so.2: undefined symbol: _nss_tacplus_getpwuid_r.
> Hi,
> it would, of course, be possible to make getpwuid_r not mandatory in proxy_load_nss_symbols(). But I wonder if you know the reason why this is not implemented in libnss_tacplus.so.2?
The NSS module uses `tac_author_send()` from the protocol lib provided by the PAM module: https://github.com/kravietz/pam_tacplus/blob/4f91b0de2be88d02984bef8fb0f64c2...
From a quick glance it looks like the TACACS+ protocol just doesn't support "anything-by-UID".
It looks like it's all about "by-name" only:
- https://datatracker.ietf.org/doc/html/rfc8907#name-the-authorization-request...
- https://datatracker.ietf.org/doc/html/rfc8907#name-the-authentication-start-...
> I'm asking because, to work properly, this requires that the user must be looked up by name first. If e.g. you call 'ls -al /home' you would only see the names of those users which were looked up by name before, and for all other home directories only the UID is displayed, which at least seems unexpected if not a bad user experience.