Unable to use netd with tacacs auth

  • Problem
  • Updated 9 months ago
I enabled TACACS per https://docs.cumulusnetworks.com/display/DOCS/TACACS+Plus , and am able to log into the device with my TACACS auth info.  However, I've been unable to get netd to actually allow me to execute anything.   Per the docs, I updated /etc/netd.conf to have:

    users_with_edit = root, cumulus, tacacs0 
    groups_with_edit = netedit, tacacs
    users_with_show = root, cumulus, tacacs0
    groups_with_show = netshow, tacacs

(my user gets mapped to tacacs0)

Then I restarted netd.   I still get "user <myuser> does not have permission to make networking changes" when I try to execute a command like "net add routing route".

The default netd logs are fairly useless, and I didn't see any obvious knobs to turn on verbose logging. However, netd is just Python, so I was able to add my own tracing:

2017-06-26T20:32:34.802095+00:00 cumulus netd:    INFO:  pid 15869 uid 1001 gid 1001
2017-06-26T20:32:34.802436+00:00 cumulus netd:    INFO:  RXed: user myuser, command '/usr/bin/net add routing route'
2017-06-26T20:32:34.806276+00:00 cumulus netd:   DEBUG:  mapped uid 1001 to user myuser
2017-06-26T20:32:34.806545+00:00 cumulus netd:   DEBUG:  users with edit: {'cumulus': True, 'tacacs0': True, 'root': True}
2017-06-26T20:32:34.806791+00:00 cumulus netd:   DEBUG:  groups with edit: tacacs
2017-06-26T20:32:34.807020+00:00 cumulus netd:   DEBUG:  users in group tacacs: []
2017-06-26T20:32:34.807232+00:00 cumulus netd:   DEBUG:  groups with edit: netedit
2017-06-26T20:32:34.807486+00:00 cumulus netd:   DEBUG:  users in group netedit: []

uid 1001 is the tacacs0 user, so that part makes sense.  The issue seems to come from the pwd.getpwuid call.  This seems to use /var/run/tacacs_client_map to map uid 1001 to my actual tacacs username (myuser).  Then, netd tries to look up the actual username in the config... only to fail.

Has anyone configured netd successfully here?  Having to list every possible user in netd.conf defeats the purpose of having tacacs configured in the first place.

This is a Cumulus VX instance, and I am running nclu 1.0-cl3u8
Brian Rak

Posted 9 months ago
Dave Olson, MTS
There was a bug in nclu looking up of groups when there were multiple groups, in some cases.  I think that was fixed in 3.3.  After that, I think it was fixed.  You have the 3.3 version.

You should be adding your tacacs login name, not tacacs0, for users.  I've tested this and it works well for me.  If you are allowing group tacacs for everything, you shouldn't need to add to the users list.

As I recall, if you edit netd to set the default log level to DEBUG, you'll get more useful info on what netd thinks is happening with permissions.

I just re-tested, and there is still a problem with groups, and with name lookup with that version of nclu.

olsont@superm-redxp-02:mgmt-vrf:~$ grep tacacs /etc/netd.conf
groups_with_show = netshow,tacacs
olsont@superm-redxp-02:mgmt-vrf:~$ id
uid=1016(olsont) gid=1001(tacacs) groups=1001(tacacs)
olsont@superm-redxp-02:mgmt-vrf:~$ groups
olsont@superm-redxp-02:mgmt-vrf:~$ net show version
user tacacs15 does not have permission to run show commands
### restart netd here in another window; I think the last restart was before I enabled tacacs clients
olsont@superm-redxp-02:mgmt-vrf:~$ net show version
user olsont does not have permission to run show commands
### restart again after adding olsont 
olsont@superm-redxp-02:mgmt-vrf:~$ grep olsont /etc/netd.conf
users_with_show = root, cumulus, olsont
olsont@superm-redxp-02:mgmt-vrf:~$ net show version
DISTRIB_ID="Cumulus Linux"
DISTRIB_DESCRIPTION="Cumulus Linux 3.3.2~1497558383.6a15ffe"

so it's clear something is still wrong with the group lookup in nclu.  I'll file a bug.
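Both transcripts above show the same shape: the user's `id` output puts the TACACS+ login in group `tacacs` as its primary group, yet netd's debug trace reports `users in group tacacs: []` and `groups` prints nothing. That pattern is what you get when a group check consults only the explicit member list from `/etc/group` (what `grp.getgrnam(g).gr_mem` returns) and never compares the account's primary gid. The block below is an added example, not netd's or nclu's code, and whether netd actually does this is an assumption drawn from the trace, not a confirmed root cause. It uses a constructed in-memory stand-in for the passwd and group databases so it runs anywhere, parses the same `key = a, b` lines as `/etc/netd.conf`, and shows the check failing with member-list-only lookup and passing once the primary gid is also considered, or once the login name is listed explicitly, as in Dave's workaround.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample account database standing in for pwd/grp lookups
# (assumption: modelled on the thread, not read from a real system).
# uid 1016 maps to 'olsont' with primary gid 1001, gid 1001 is 'tacacs',
# and /etc/group lists no explicit members for 'tacacs', which is why
# `groups` printed nothing for that login.
PASSWD: Dict[int, Tuple[str, int]] = {        # uid -> (login name, primary gid)
    0: ("root", 0),
    1000: ("cumulus", 1000),
    1016: ("olsont", 1001),
}
GROUPS: Dict[str, Tuple[int, List[str]]] = {  # group -> (gid, explicit members)
    "tacacs": (1001, []),
    "netshow": (1002, ["cumulus"]),
    "netedit": (1003, ["cumulus"]),
}


def parse_netd_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'key = a, b' lines (the /etc/netd.conf style) into name lists.

    Names may be separated by commas and/or whitespace, so both
    'root, cumulus, olsont' and 'netshow,tacacs' parse the same way.
    """
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = [v for v in re.split(r"[,\s]+", value.strip()) if v]
    return conf


def group_members(group: str, explicit_only: bool) -> List[str]:
    """Return the users considered to be in `group`.

    explicit_only=True mimics grp.getgrnam(group).gr_mem, which lists only
    the supplementary members written in /etc/group. With explicit_only=False
    the accounts whose primary gid equals the group's gid are included too,
    which is what `id` reports for the TACACS+ logins in the thread.
    """
    gid, members = GROUPS.get(group, (None, []))
    users = list(members)
    if not explicit_only and gid is not None:
        users += [name for name, pgid in PASSWD.values()
                  if pgid == gid and name not in users]
    return users


def may_run(uid: int, kind: str, conf: Dict[str, List[str]],
            explicit_only: bool) -> bool:
    """Decide whether `uid` may run `kind` ('show' or 'edit') commands.

    As in the netd debug trace, the uid is first mapped to a login name, then
    that name is checked against users_with_<kind> and groups_with_<kind>.
    """
    if uid not in PASSWD:
        return False
    name, _ = PASSWD[uid]
    if name in conf.get(f"users_with_{kind}", []):
        return True
    return any(name in group_members(g, explicit_only)
               for g in conf.get(f"groups_with_{kind}", []))


if __name__ == "__main__":
    # Dave's first config: group 'tacacs' allowed, login not listed by name.
    conf = parse_netd_conf("users_with_show = root, cumulus\n"
                           "groups_with_show = netshow,tacacs\n")
    for explicit in (True, False):
        verdict = may_run(1016, "show", conf, explicit_only=explicit)
        print(f"explicit_only={explicit}: olsont may show -> {verdict}")
    # His workaround: list the login name explicitly.
    conf2 = parse_netd_conf("users_with_show = root, cumulus, olsont\n"
                            "groups_with_show = netshow,tacacs\n")
    print("olsont listed by name:", may_run(1016, "show", conf2, True))
```

Run it and the member-list-only check denies `olsont` even though `groups_with_show` contains `tacacs`, while the primary-gid-aware check allows it; listing the login name in `users_with_show` allows it either way, which matches the behaviour in the transcript. If you want to confirm the hypothesis on a real box, compare `grp.getgrnam('tacacs').gr_mem` against `pwd.getpwuid(os.getuid()).pw_gid` for your TACACS+ login.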
Brian Rak
Ah, if I'm supposed to be adding my tacacs login name to the config, then the documentation is definitely wrong:

>  For the above command to enable TACACS+ privilege level 0 users to run the net show commands, edit the file /etc/netd.conf and add tacacs0 to the users_with_show line.

Enabling DEBUG logging didn't really seem to give me any additional output, but it was easy enough to just log the extra information.
Dave Olson, MTS
Thanks for pointing that out.  That was the case originally, but I never got the docs updated.  I'll get them fixed.
Pete B, Official Rep