<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
<div style="font-size:10pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p><span style="font-size: 11pt;">Greetings,</span></p>
<p><br type="_moz" style="font-size: 11pt;">
</p>
<p><span style="font-size: 11pt;">I am attempting to integrate my tac_plus solution with AD using PAM. I have tried numerous iterations I found online, with no luck. My config is listed below. The krb5.conf, which I will also list, seems to pass. Any assistance is greatly appreciated.</span></p>
<p><br type="_moz" style="font-size: 11pt;">
</p>
<p><span style="font-size: 11pt;"><strong>AD Credentials Test using kerberos:</strong><br type="_moz">
</span></p>
<p><br type="_moz" style="font-size: 11pt;">
</p>
<p><span style="font-size: 11pt;">[root@pam.d]# kinit Dan<br>
Password for Dan@domain:</span></p>
<p><span style="font-size: 11pt;"><br>
[root@pam.d]# klist<br>
Ticket cache: FILE:/tmp/krb5cc_0<br>
Default principal: Dan@domain<br>
<br>
Valid starting     Expires            Service principal<br>
03/20/14 10:00:50  03/20/14 20:00:56  krbtgt/domain<br>
        renew until 03/27/14 10:00:50<br>
<br>
</span></p>
<p><span style="font-size: 11pt;"><strong>Configuration</strong>:<br type="_moz">
</span></p>
<p><br style="font-size: 11pt;">
</p>
<p></p>
<div>
<div name="divtagdefaultwrapper" style="font-family: calibri,arial,helvetica,sans-serif; margin: 0px;">
<font style="font-size: 11pt;">/etc/tac_plus.conf<br>
<br>
# NOTE(review): "key" is the TACACS+ shared secret used with the network devices;<br>
# the value shown reads like a test placeholder. Use a long random key in<br>
# production and redact it before posting a config.<br>
key = "TestKey"<br>
accounting file = /var/log/tac.acct.log<br>
# authentication users not appearing elsewhere via<br>
# the file /etc/passwd<br>
#default authentication = file /etc/passwd<br>
<br>
<br>
# A group that can change some limited configuration on switchports<br>
# related to host-side network configuration<br>
# NOTE(review): the description above does not match the body. priv-lvl = 15 on<br>
# the exec service gives every member of Admin privilege level 15 (full<br>
# privilege on Cisco IOS-style devices) - confirm that is intended.<br>
<br>
group = Admin {<br>
        # login = file /etc/passwd<br>
        # or authenticated via PAM:<br>
        # login = PAM<br>
         service = exec {<br>
         priv-lvl = 15<br>
                }<br>
                 }<br>
                 <br>
# NOTE(review): this entry is lower-case "dan" while the kinit test used "Dan";<br>
# confirm the name the device sends matches this entry and the AD principal.<br>
user = dan {<br>
        # login = PAM hands the password check to the PAM stack; presumably the<br>
        # service file is the /etc/pam.d/tac_plus listed below - TODO confirm.<br>
        login = PAM<br>
        member = Admin<br>
}<br>
<br>
<br>
/etc/pam.d/tac_plus<br>
<br>
# NOTE(review): this looks like a general system-auth style stack; it assumes the<br>
# user can be resolved through NSS (passwd lookup). Check with "getent passwd dan".<br>
auth        required      pam_env.so<br>
# nullok lets a local account with an empty password pass pam_unix; drop it<br>
# unless that is intended.<br>
auth        sufficient    pam_unix.so nullok try_first_pass<br>
# requisite: a failure here ends the auth stack immediately, before pam_krb5.<br>
# NOTE(review): pam_succeed_if needs the account's uid, so an AD-only user with<br>
# no passwd entry would likely be rejected at this line - TODO confirm in the logs.<br>
auth        requisite     pam_succeed_if.so uid >= 500 quiet<br>
# use_first_pass: reuse the password already collected instead of prompting again.<br>
auth        sufficient    pam_krb5.so use_first_pass<br>
# Final catch-all: deny when no earlier sufficient module succeeded.<br>
auth        required      pam_deny.so<br>
<br>
# broken_shadow: pam_unix ignores errors when reading shadow information.<br>
account     required      pam_unix.so broken_shadow<br>
account     sufficient    pam_localuser.so<br>
account     sufficient    pam_succeed_if.so uid < 500 quiet<br>
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so<br>
account     required      pam_permit.so<br>
<br>
password    requisite     pam_cracklib.so try_first_pass retry=3<br>
# md5 selects MD5-crypt for local password hashes, which is weak; sha512 is the<br>
# usual choice on current systems.<br>
# NOTE(review): the lone use_authtok below looks like an e-mail line wrap of the<br>
# pam_unix entry; in the real file it has to be on the same line.<br>
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass<br>
use_authtok<br>
password    sufficient    pam_krb5.so use_authtok<br>
password    required      pam_deny.so<br>
<br>
session     optional      pam_keyinit.so revoke<br>
session     required      pam_limits.so<br>
# NOTE(review): the pam_succeed_if entry below also appears wrapped by the mail<br>
# client; "crond quiet use_uid" belongs on the same line as "service in".<br>
session     [success=1 default=ignore] pam_succeed_if.so service in<br>
crond quiet use_uid<br>
session     required      pam_unix.so<br>
session     optional      pam_krb5.so<br>
<br>
<br>
/etc/krb5.conf<br>
<br>
# NOTE(review): these three log settings normally sit under a [logging] section<br>
# header; none is shown here - confirm it was only lost in the paste.<br>
default = FILE:/var/log/krb5libs.log<br>
 kdc = FILE:/var/log/krb5kdc.log<br>
 admin_server = FILE:/var/log/kadmind.log<br>
<br>
[libdefaults]<br>
# default_realm is shown as a placeholder. Realm names are case-sensitive and an<br>
# AD realm is conventionally the upper-case DNS domain name.<br>
 default_realm = domain_name<br>
# DNS discovery is off, so the KDC must come from the [realms] entry below.<br>
 dns_lookup_realm = false<br>
 dns_lookup_kdc = false<br>
 ticket_lifetime = 24h<br>
 renew_lifetime = 7d<br>
 forwardable = true<br>
<br>
[realms]<br>
# The section name must match default_realm exactly; addresses are redacted.<br>
 domain_name = {<br>
  kdc = x.x.x.x<br>
  admin_server = x.x.x.x<br>
 }<br>
<br>
[domain_realm]<br>
# Maps a DNS host or domain name (left) to a Kerberos realm (right).<br>
 domain_name = domain_name<br>
<br>
<br>
Thanks,<br>
<br>
Danny<br>
</font></div>
</div>
</div>
</body>
</html>