Open nazariig opened 1 year ago
@adyeung as discussed can you reassign to broadcom.
@jeff-yin can someone from DELL help take a look pls?
@adyeung has this been root-caused to be a TACACS authentication issue? It appears this has more to do with authorization and AFAIK, Dell didn't implement TACACS per-command authorization.
I think this needs to be assigned to @liuh-80 from MSFT
Or, could just be that these errors are due to failed attempts to connect to a server in a configured list of servers. Looks like tacacs_authorization will try a list of servers via multiple calls to tac_connect_single. If an unreachable server is tried before a reachable one, the error will be printed.
In that case, might this just be a testbed issue where one of the servers is not reachable, and therefore the error message is legit? @nazariig can you confirm?
BTW, I do not see the configured TACACS+ server in the techdump, so I can't tell if a list of servers was configured. The only TACACS+ server that was configured does not match the server from the error log in this GitHub ticket.
"TACPLUS_SERVER|10.7.34.20": {
    "expireat": 1692672170.9226546,
    "ttl": -0.001,
    "type": "hash",
    "value": {
        "priority": "1",
        "tcp_port": "49"
    }
},
Aug 22 05:36:09.344545 r-leopard-58 ERR useradd[551849]: tac_connect_single: connection failed with 10.213.103.5:49: Transport endpoint is not connected
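Added example, not part of the original thread and not SONiC or pam_tacplus code: the manual comparison made in the comment above (failing endpoint from the log versus TACPLUS_SERVER keys in the dump) written as a small triage script. The function names, the verdict strings, and the defaults of port 49 and priority 1 for missing fields are assumptions of this example; the sample inputs reuse the values quoted in the thread.

```python
import json
import re

# Sample inputs built from the values quoted in the thread above.
TECHDUMP_JSON = """{
  "TACPLUS_SERVER|10.7.34.20": {
    "expireat": 1692672170.9226546, "ttl": -0.001, "type": "hash",
    "value": {"priority": "1", "tcp_port": "49"}
  }
}"""
SYSLOG = (
    "Aug 22 05:36:09.344545 r-leopard-58 ERR useradd[551849]: "
    "tac_connect_single: connection failed with 10.213.103.5:49: "
    "Transport endpoint is not connected\n"
)

# Matches the tac_connect_single failure message format shown in the ticket.
FAIL_RE = re.compile(
    r"(?P<proc>\S+)\[\d+\]: tac_connect_single: connection failed with "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+): (?P<reason>.+)$"
)

def configured_servers(dump_text):
    """Return {(ip, port): priority} for every TACPLUS_SERVER|<ip> key."""
    servers = {}
    for key, entry in json.loads(dump_text).items():
        table, _, ip = key.partition("|")
        if table != "TACPLUS_SERVER":
            continue
        value = entry.get("value", {})
        # Assumption: fall back to port 49 / priority 1 when a field is absent.
        port = int(value.get("tcp_port", 49))
        servers[(ip, port)] = int(value.get("priority", 1))
    return servers

def triage(log_text, servers):
    """Tag each connection failure by whether its endpoint is in the dump."""
    findings = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        endpoint = (m["ip"], int(m["port"]))
        verdict = "configured" if endpoint in servers else "not-in-dump"
        findings.append((m["proc"], endpoint, m["reason"], verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SYSLOG, configured_servers(TECHDUMP_JSON)):
        print(finding)
```

A "not-in-dump" verdict means the log and the dump describe different server configurations, so the dump cannot confirm or rule out the server-list explanation; a "configured" verdict is consistent with an unreachable entry being tried before a reachable one.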
@nazariig, this seems to be a network issue, please check if the address 10.213.103.5 is reachable from your testbed first.
And if that IP address is reachable, please check that the tacplus server is configured and started correctly on that device, and also that port 49 is not blocked by a firewall.
Also, it seems you are running the TACACS test on your own testbed, so please check the sonic-mgmt config files to make sure the testbed configuration is correct.
This issue was discussed at a triage meeting some time back, but a note was not added to this ticket, so adding it here: Nazarii answered that he checked and it is not a network issue; the configuration files also look OK.
Description
TACACS failed to connect to the server during command authorization:
SONiC TACACS plugin
sonic-buildimage/src/tacacs/bash_tacplus/bash_tacplus.c
code:
TACACS API
https://github.com/kravietz/pam_tacplus
code:
Steps to reproduce the issue:
Describe the results you received:
Describe the results you expected:
No errors expected
Output of show version:
Output of show techsupport:
Additional information you deem important (e.g. issue happens only occasionally):