Hi,

On Wed, Dec 21, 2022 at 10:55 AM Sumit Bose <[email protected]> wrote:
>
> On Tue, Dec 20, 2022 at 07:14:42PM -0600, Sundar Vadivelu wrote:
> > Hi all,
> > I am working on a system which does TACACS+ authentication of users with
> > pam_tacplus and nss_tacplus libraries
> > nss_tacplus: https://github.com/benschumacher/nss_tacplus
> > pam_tacplus: https://github.com/kravietz/pam_tacplus
> >
> > This solution relied on NSCD to be running, since the nss_tacplus only
> > implemented getpwnam_r. For getpwuid_r etc. it relied on the cached entries
> > in nscd. It was working fine until Fedora removed NSCD from glibc in FC36
> > (https://fedoraproject.org/wiki/Changes/RemoveNSCD)
> >
> > The above write-up indicates that SSSD could be used to cover all caching
> > requirements that were previously provided by NSCD. However, I am unable to
> > configure SSSD for my use case.
> >
> > When I tried to link the id_provider as proxy and the proxy_lib_name as
> > tacplus, sssd fails to come up. It fails with this error:
> >
> > (2022-12-19 23:32:35): [be[shadowutils]] [sss_load_nss_symbols] (0x0010):
> > Library 'libnss_tacplus.so.2' did not provide mandatory symbol
> > 'getpwuid_r', error: /lib64/libnss_tacplus.so.2: undefined symbol:
> > _nss_tacplus_getpwuid_r.
>
> Hi,
>
> it would, of course, be possible to make getpwuid_r not mandatory in
> proxy_load_nss_symbols(). But I wonder if you know the reason why this
> is not implemented in libnss_tacplus.so.2?
The nss module uses `tac_author_send()` from the protocol lib provided by the pam module:
https://github.com/kravietz/pam_tacplus/blob/4f91b0de2be88d02984bef8fb0f64c213c650ed9/libtac/lib/author_s.c#L66

From a quick glance it looks like the TACACS+ protocol just doesn't support
"anything-by-UID". It looks like it's all about "by-name" only:
- https://datatracker.ietf.org/doc/html/rfc8907#name-the-authorization-request-p
- https://datatracker.ietf.org/doc/html/rfc8907#name-the-authentication-start-pa

> I'm asking because to work
> properly this requires that the user must be looked up by name first. If
> e.g. you call 'ls -al /home' you would only see the UIDs of those users
> resolved which were looked up by name before, and for all other home
> directories only the UID is displayed, which at least seems unexpected if
> not a bad user experience.

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
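As an added illustration of the failure discussed in this thread (this is not code from the thread, from SSSD, or from pam_tacplus/nss_tacplus): a small preflight program that does what SSSD's sss_load_nss_symbols() does when the proxy provider loads a module, i.e. dlopen() the shared object and resolve every `_nss_<name>_<function>` entry point, then report which mandatory ones are missing. This lets an admin check a module such as libnss_tacplus.so.2 before pointing proxy_lib_name at it. The symbol table is an assumption: the thread only confirms that SSSD treats getpwuid_r as mandatory and that nss_tacplus implements getpwnam_r. The table-backed resolver and the "tacplus-like" export list are constructed so the check can be exercised offline.

```c
/* Added example, not SSSD's code. Mimics sss_load_nss_symbols(): resolve
 * _nss_<module>_<function> for each expected NSS entry point and report the
 * mandatory ones that are absent. Build: cc -o nsscheck nsscheck.c
 * (older glibc additionally needs -ldl). */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resolver callback: address of `sym` inside `handle`, or NULL if absent.
 * Abstracted so the logic can also run against a constructed symbol list. */
typedef void *(*sym_resolver)(void *handle, const char *sym);

struct nss_sym {
    const char *name;   /* e.g. "getpwuid_r" */
    int mandatory;      /* 1 = proxy backend refuses to start without it (assumed) */
};

/* Assumed table of passwd/group entry points an SSSD proxy backend needs. */
static const struct nss_sym nss_syms[] = {
    { "getpwnam_r", 1 }, { "getpwuid_r", 1 },
    { "setpwent",   1 }, { "getpwent_r", 1 }, { "endpwent", 1 },
    { "getgrnam_r", 1 }, { "getgrgid_r", 1 },
    { "setgrent",   1 }, { "getgrent_r", 1 }, { "endgrent", 1 },
    { "initgroups_dyn", 0 },
};
#define NSS_SYM_COUNT (sizeof nss_syms / sizeof nss_syms[0])

/* Checks module `modname` through `resolve`. Stores the names of absent
 * mandatory functions in `missing` (up to `max`) and returns their count. */
int check_nss_module(void *handle, sym_resolver resolve, const char *modname,
                     const char **missing, size_t max)
{
    int absent = 0;
    char sym[128];
    for (size_t i = 0; i < NSS_SYM_COUNT; i++) {
        /* glibc NSS naming convention: _nss_<module>_<function> */
        snprintf(sym, sizeof sym, "_nss_%s_%s", modname, nss_syms[i].name);
        if (resolve(handle, sym) != NULL || !nss_syms[i].mandatory)
            continue;
        if ((size_t)absent < max)
            missing[absent] = nss_syms[i].name;
        absent++;
    }
    return absent;
}

/* Real resolver backed by dlsym(). */
void *dlsym_resolver(void *handle, const char *sym)
{
    return dlsym(handle, sym);
}

/* Constructed resolver: `handle` is a NULL-terminated array of exported
 * symbol names, standing in for a loaded shared object. */
void *table_resolver(void *handle, const char *sym)
{
    static int found;                 /* any non-NULL address will do */
    for (const char **p = handle; *p != NULL; p++)
        if (strcmp(*p, sym) == 0)
            return &found;
    return NULL;
}

/* Constructed stand-in for a module that, like nss_tacplus, only implements
 * the by-name lookup. */
static const char *tacplus_like_exports[] = { "_nss_tacplus_getpwnam_r", NULL };

/* Number of mandatory symbols such a module lacks (9 with the table above). */
int demo_missing_count(void)
{
    const char *missing[NSS_SYM_COUNT];
    return check_nss_module(tacplus_like_exports, table_resolver, "tacplus",
                            missing, NSS_SYM_COUNT);
}

/* First missing mandatory symbol, matching the error SSSD logged. */
const char *demo_first_missing(void)
{
    static const char *missing[NSS_SYM_COUNT];
    int n = check_nss_module(tacplus_like_exports, table_resolver, "tacplus",
                             missing, NSS_SYM_COUNT);
    return n > 0 ? missing[0] : NULL;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s /path/to/libnss_<name>.so.2 <name>\n", argv[0]);
        return 2;
    }
    void *h = dlopen(argv[1], RTLD_NOW);
    if (h == NULL) {
        fprintf(stderr, "dlopen: %s\n", dlerror());
        return 2;
    }
    const char *missing[NSS_SYM_COUNT];
    int n = check_nss_module(h, dlsym_resolver, argv[2], missing, NSS_SYM_COUNT);
    for (int i = 0; i < n; i++)
        printf("missing mandatory symbol: _nss_%s_%s\n", argv[2], missing[i]);
    dlclose(h);
    return n == 0 ? 0 : 1;
}
```

Run as `./nsscheck /lib64/libnss_tacplus.so.2 tacplus`; a non-zero exit with `_nss_tacplus_getpwuid_r` listed is the same condition the sss_load_nss_symbols log line reports, just caught before sssd is reconfigured. Since TACACS+ has no by-UID query, the gap cannot be closed inside the module itself; it would need either a cache in front of it (what nscd provided) or a relaxed mandatory list on the SSSD side, as Sumit suggests.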
