This repository has been archived by the owner on Feb 28, 2024. It is now read-only.

Solaris 11.3 installation assist #40

Open
rickosteen opened this issue Nov 18, 2015 · 7 comments

@rickosteen

Hello, I was able to get Oracle to help me get the source code compiled, but need some insight regarding the PAM properties in general. The files that were created do not end up with the same filename extensions as what is in the example.
Here's what I have:
-rw-r--r-- 1 root root 1730 Nov 12 03:19 support.h
-rw-r--r-- 1 root root 3797 Nov 12 03:20 config.h.in~
-rw-r--r-- 1 root root 4170 Nov 12 03:29 config.h
-rw-r--r-- 1 root root 2913 Nov 12 12:17 configure.ac
-rw-r--r-- 1 root root 36257 Nov 12 12:18 aclocal.m4
-rwxr-xr-x 1 root root 427892 Nov 12 12:18 configure
-rw-r--r-- 1 root root 3797 Nov 12 12:18 config.h.in
drwxr-xr-x 2 root root 9 Nov 12 12:18 autom4te.cache
drwxr-xr-x 2 root root 15 Nov 12 12:18 config
-rw-r--r-- 1 root root 57727 Nov 12 12:18 Makefile.in
-rwxr-xr-x 1 root root 62229 Nov 12 12:19 config.status
-rw-r--r-- 1 root root 53949 Nov 12 12:19 Makefile
-rw-r--r-- 1 root root 275 Nov 12 12:19 libtac.pc
-rw-r--r-- 1 root root 1683 Nov 12 12:19 pam_tacplus.spec
-rw-r--r-- 1 root root 23 Nov 12 12:19 stamp-h1
-rwxr-xr-x 1 root root 292507 Nov 12 12:19 libtool
-rw-r--r-- 1 root root 43509 Nov 12 12:19 config.log
-rw-r--r-- 1 root root 907 Nov 12 12:19 libtac.la
-rw-r--r-- 1 root root 33664 Nov 12 12:19 pam_tacplus_la-pam_tacplus.o
-rw-r--r-- 1 root root 330 Nov 12 12:19 pam_tacplus_la-pam_tacplus.lo
-rw-r--r-- 1 root root 19580 Nov 12 12:19 pam_tacplus_la-support.o
-rw-r--r-- 1 root root 318 Nov 12 12:19 pam_tacplus_la-support.lo
drwxr-xr-x 2 root root 4 Nov 12 12:19 .deps
-rw-r--r-- 1 root root 1394 Nov 12 12:19 pam_tacplus.la
drwxr-xr-x 2 root root 13 Nov 12 12:19 .libs

thanks,
RickO

@jeroennijhof
Collaborator

You will find the library in the directory .libs

@rickosteen
Author

Thanks! It looks like I'm missing three files according to the example. Below is the list of files in the .libs dir.

root@HPlaptop:~/Downloads/pam_tacplus-master/.libs# ls -lart
total 500
-rwxr-xr-x 1 root root 86364 Nov 12 12:19 libtac.so.2.0.0
lrwxrwxrwx 1 root root 15 Nov 12 12:19 libtac.so.2 -> libtac.so.2.0.0
lrwxrwxrwx 1 root root 15 Nov 12 12:19 libtac.so -> libtac.so.2.0.0
-rw-r--r-- 1 root root 908 Nov 12 12:19 libtac.lai
lrwxrwxrwx 1 root root 12 Nov 12 12:19 libtac.la -> ../libtac.la
-rw-r--r-- 1 root root 33692 Nov 12 12:19 pam_tacplus_la-pam_tacplus.o
-rw-r--r-- 1 root root 19652 Nov 12 12:19 pam_tacplus_la-support.o
-rwxr-xr-x 1 root root 49296 Nov 12 12:19 pam_tacplus.so
-rw-r--r-- 1 root root 53932 Nov 12 12:19 pam_tacplus.a
-rw-r--r-- 1 root root 976 Nov 12 12:19 pam_tacplus.lai
lrwxrwxrwx 1 root root 17 Nov 12 12:19 pam_tacplus.la -> ../pam_tacplus.la
drwxr-xr-x 2 root root 13 Nov 12 12:19 .
drwxr-xr-x 8 root root 45 Nov 17 12:00 ..

@rickosteen
Author

I was assisted by someone at Oracle to just do the "make install" as the next step. Below are the last few lines of the output:
rm -f /usr/local/lib/security/pam_tacplus.la
rm -f /usr/local/lib/security/pam_tacplus.a
/usr/bin/ginstall -c -d /usr/local/share/doc/pam_tacplus
/usr/bin/ginstall -c -m 644 sample.pam /usr/local/share/doc/pam_tacplus
root@HPlaptop:~/Downloads/pam_tacplus-master#

thanks....now to configure the PAM module.

@rickosteen
Author

Need some help here please:
I tried keeping it simple to just authenticate a user to login. Am I missing something specific? The ACS/TACACS server showed no attempts. Thanks

root@HPlaptop:/etc/pam.d# cat login

# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

# PAM configuration

# login service (explicit because of pam_dial_auth)

auth required pam_tacplus.so debug server=1.1.1.1 secret=password timeout=20
auth definitive pam_user_policy.so.1
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_auth.so.1
auth required pam_unix_cred.so.1
auth required pam_dial_auth.so.1
root@HPlaptop:/etc/pam.d#

@rickosteen
Author

I was able to get "login" to start attempting to authenticate but would not. The ACS/TACACS server was reporting that the RSA server showed the password to be good, but afterwards the log would show "permission denied".
If there's a way to set level 15 access, would that only be on the tacacs server side?
Attached is log with names and ip addresses changed to protect the innocent...:)
thanks for any assistance,
RickO
pam_debuglog2.txt

@rickosteen
Author

I think it's working but not sure because of the two different messages. Thoughts?? Bueller, anyone??
root@HPlaptop:~# login rosteen
Password:
No utmpx entry. You must exec "login" from the lowest level "shell".

and

Nov 24 05:48:56 HPlaptop PAM-tacplus[3267]: [ID 702911 auth.debug] tac_login='pap'
Nov 24 05:48:56 HPlaptop login[3267]: [ID 862818 auth.debug] _pam_account: [start] called (pam_tacplus v1.3.8)
Nov 24 05:48:56 HPlaptop login[3267]: [ID 981185 auth.debug] _pam_account: tac_srv_no=1
Nov 24 05:48:56 HPlaptop login[3267]: [ID 637559 auth.debug] _pam_account: username [rosteen] obtained
Nov 24 05:48:56 HPlaptop login[3267]: [ID 606173 auth.debug] _pam_account: tty [pts/3] obtained
Nov 24 05:48:56 HPlaptop login[3267]: [ID 938223 auth.debug] _pam_account: rhost [unknown] obtained
Nov 24 05:48:56 HPlaptop PAM-tacplus[3267]: [ID 702911 auth.error] ACC: TACACS+ protocol type not configured (IGNORED)
Nov 24 05:48:56 HPlaptop login[3267]: [ID 716788 auth.debug] _pam_account: connected with fd=3 (srv 0)
Nov 24 05:48:56 HPlaptop login[3267]: [ID 794262 auth.debug] _pam_account: [start] for [rosteen] sent
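
An added example, not part of the original thread or of the pam_tacplus project: a small Python checker that reads a PAM stack like the `login` file posted above and reports three things visible in this thread's configuration and log: the shared secret stored inline (so the file's permissions matter), a pam_tacplus `account` line without the module's `service=` and `protocol=` options (the condition the `protocol type not configured` log line reports), and `auth required` on both pam_tacplus and pam_unix_auth, which means both the TACACS+ and the local password check must succeed. The finding names and the sample `account` line are assumptions made for illustration.

```python
# Added example: audit a PAM stack for pam_tacplus pitfalls.
# Finding names are hypothetical labels, not pam_tacplus output.

# Constructed sample: the auth lines come from the login file posted above;
# the account line is an assumption, added because the log shows _pam_account.
SAMPLE = """\
auth required pam_tacplus.so debug server=1.1.1.1 secret=password timeout=20
auth definitive pam_user_policy.so.1
auth requisite pam_authtok_get.so.1
auth required pam_unix_auth.so.1
account required pam_tacplus.so debug server=1.1.1.1 secret=password
"""

def parse(text):
    """Yield (type, control, module, options) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # not a complete PAM rule
        ptype, control, module, args = fields[0], fields[1], fields[2], fields[3:]
        opts = dict(a.split("=", 1) if "=" in a else (a, "") for a in args)
        yield ptype, control, module, opts

def audit(text):
    """Return a list of (module type, finding) tuples for pam_tacplus lines."""
    rules = list(parse(text))
    # True when the local password check is also mandatory in the auth stack.
    unix_required = any(t == "auth" and c == "required" and
                        m.startswith("pam_unix_auth") for t, c, m, _ in rules)
    findings = []
    for ptype, control, module, opts in rules:
        if not module.startswith("pam_tacplus"):
            continue
        if "secret" in opts:
            # Secret lives in the PAM file: keep that file unreadable to non-root.
            findings.append((ptype, "secret-inline"))
        if ptype == "account" and not {"service", "protocol"} <= opts.keys():
            findings.append((ptype, "missing-service-protocol"))
        if ptype == "auth" and control == "required" and unix_required:
            findings.append((ptype, "both-tacacs-and-local-required"))
    return findings

if __name__ == "__main__":
    for ptype, finding in audit(SAMPLE):
        print(f"{ptype}: {finding}")
```
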

@rickosteen
Author

Attaching the tacacs pam files inside a tar archive for anyone wanting to try out tacacs+ on a Solaris 11.3 server.
I will post the /etc/pam.d files soon.

tacplus-solaris11-3.zip
