
Commit a11b33b

Write error message to syslog when add user failed or connect to TACACS server failed. (#16240) (#17081)
Write an error message to syslog when adding a user fails or connecting to the TACACS server fails. Why I did it: with these messages, we can downgrade a TACACS server that has issues to a lower priority. Work item tracking: Microsoft ADO: 24667696. How I did it: write an error message to syslog when adding a user fails or connecting to the TACACS server fails. How to verify it: pass all UT; manually verify that the error message is generated.
1 parent 0e5bac9 commit a11b33b

2 files changed

+20
-15
lines changed


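--- a/src/tacacs/nss/patch/0001-Modify-user-map-profile.patch
+++ b/src/tacacs/nss/patch/0001-Modify-user-map-profile.patch
@@ -18,9 +18,9 @@ Subject: [PATCH] Modify user map profile
 debian/changelog | 11 +
 debian/control | 11 +-
 debian/libnss-tacplus.symbols | 1 -
-nss_tacplus.c | 1018 +++++++++++++++------------------
+nss_tacplus.c | 1015 +++++++++++++++------------------
 tacplus_nss.conf | 91 ++-
-8 files changed, 527 insertions(+), 613 deletions(-)
+8 files changed, 525 insertions(+), 612 deletions(-)
 
 diff --git a/Makefile.am b/Makefile.am
 index 293951e..b33c455 100644
@@ -1083,7 +1083,7 @@ index 79e62b9..ecfa0b0 100644
 tac_add_attrib(attr, "service", tac_service);
 if(tac_protocol[0])
 tac_add_attrib(attr, "protocol", tac_protocol);
-@@ -598,34 +659,9 @@ lookup_tacacs_user(struct pwbuf *pb)
+@@ -598,52 +659,25 @@ lookup_tacacs_user(struct pwbuf *pb)
 {
 struct areply arep;
 int ret = 1, done = 0;
@@ -1119,11 +1119,17 @@ index 79e62b9..ecfa0b0 100644
 for(srvr=0; srvr < tac_srv_no && !done; srvr++) {
 arep.msg = NULL;
 arep.attr = NULL;
-@@ -636,14 +672,13 @@ lookup_tacacs_user(struct pwbuf *pb)
-syslog(LOG_WARNING, "%s: failed to connect TACACS+ server %s,"
-" ret=%d: %m", nssname, tac_srv[srvr].addr ?
-tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
+arep.status = TAC_PLUS_AUTHOR_STATUS_ERROR; /* if author_send fails */
+tac_fd = connect_tacacs(&attr, srvr);
+if (tac_fd < 0) {
+- if(debug)
+- syslog(LOG_WARNING, "%s: failed to connect TACACS+ server %s,"
+- " ret=%d: %m", nssname, tac_srv[srvr].addr ?
+- tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
 - tac_free_attrib(&attr);
++ syslog(LOG_ERR, "%s: failed to connect TACACS+ server %s,"
++ " ret=%d: %m", nssname, tac_srv[srvr].addr ?
++ tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
 continue;
 }
 - ret = tac_author_send(tac_fd, pb->name, "", tac_rhost, attr);
@@ -1137,7 +1143,7 @@ index 79e62b9..ecfa0b0 100644
 tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", ret,
 pb->name);
 }
-@@ -668,14 +703,11 @@ lookup_tacacs_user(struct pwbuf *pb)
+@@ -668,14 +702,11 @@ lookup_tacacs_user(struct pwbuf *pb)
 if(arep.status == AUTHOR_STATUS_PASS_ADD ||
 arep.status == AUTHOR_STATUS_PASS_REPL) {
 ret = got_tacacs_user(arep.attr, pb);
@@ -1154,7 +1160,7 @@ index 79e62b9..ecfa0b0 100644
 done = 1; /* break out of loop after arep cleanup */
 }
 else {
-@@ -685,6 +717,10 @@ lookup_tacacs_user(struct pwbuf *pb)
+@@ -685,6 +716,10 @@ lookup_tacacs_user(struct pwbuf *pb)
 " invalid (%d)", nssname,
 tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name,
 arep.status);
@@ -1165,7 +1171,7 @@ index 79e62b9..ecfa0b0 100644
 }
 if(arep.msg)
 free(arep.msg);
-@@ -692,30 +728,12 @@ lookup_tacacs_user(struct pwbuf *pb)
+@@ -692,30 +727,12 @@ lookup_tacacs_user(struct pwbuf *pb)
 tac_free_attrib(&arep.attr);
 }
 
@@ -1198,7 +1204,7 @@ index 79e62b9..ecfa0b0 100644
 *
 * We try the lookup to the tacacs server first. If we can't make a
 * connection to the server for some reason, we also try looking up
-@@ -730,20 +748,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
+@@ -730,20 +747,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
 int result;
 struct pwbuf pbuf;
 
@@ -1233,7 +1239,7 @@ index 79e62b9..ecfa0b0 100644
 /* marshal the args for the lower level functions */
 pbuf.name = (char *)name;
 pbuf.pw = pw;
-@@ -751,126 +774,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
+@@ -751,126 +773,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
 pbuf.buflen = buflen;
 pbuf.errnop = errnop;
 
@@ -1468,4 +1474,3 @@ index bb4eb1e..7cb756f 100644
 +# many_to_one=y
 --
 2.7.4
-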
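Review bot: Dropping the `if(debug)` guard around the connect-failure `syslog()` in the hunk at patch line 1119 makes every failed `connect_tacacs()` log at LOG_ERR unconditionally, and because this code lives in an NSS module the message is emitted by every process that resolves a user name, once per unreachable server per lookup. When a server is down that can flood syslog, and a downstream rate limiter may then discard the very messages the description wants operators to act on, so consider logging once per server state change or rate-limiting, and state the intent next to the call with `/* always logged at LOG_ERR so operators can deprioritize an unreachable server; NSS lookups are frequent, so this can be noisy */`. The enclosing `lookup_tacacs_user()` loop starts and ends outside the hunk, so whether a per-server "already reported" flag could be kept there is not visible here. The "add user failed" message named in the description does not appear in the visible hunks of either file.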
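--- a/src/tacacs/nss/patch/0010-Send-remote-address-in-TACACS-authorization-message.patch
+++ b/src/tacacs/nss/patch/0010-Send-remote-address-in-TACACS-authorization-message.patch
@@ -113,8 +113,8 @@ index 2de00a6..048745a 100644
 
 for(srvr=0; srvr < tac_srv_no && !done; srvr++) {
 arep.msg = NULL;
-@@ -748,7 +823,7 @@ lookup_tacacs_user(struct pwbuf *pb)
-tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
+@@ -747,7 +822,7 @@ lookup_tacacs_user(struct pwbuf *pb)
+tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
 continue;
 }
 - ret = tac_author_send(tac_fd, pb->name, "", "", attr);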
