From b444817e17b325edea19c01a1927d7563e93022b Mon Sep 17 00:00:00 2001
From: Hua Liu <58683130+liuh-80@users.noreply.github.com>
Date: Tue, 30 May 2023 14:54:11 -0700
Subject: [PATCH] [TACACS] Stop authorization after user being rejected by server. (#14249)
Stop authorization after user being rejected by server.
#### Why I did it
Fix nss_tacplus bug: after user being rejected by one TACACS+ server, nss_tacplus will try with next TACACS+ server.
##### Work item tracking
- Microsoft ADO :15276692
#### How I did it
Check authorization result, stop authorization after user being rejected by server.
#### How to verify it
Pass all E2E test. Create new UT: https://github.com/sonic-net/sonic-mgmt/pull/8345
#### Description for the changelog
Stop authorization after user being rejected by server.
#### Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
---
 .../patch/0001-Modify-user-map-profile.patch | 24 ++++++++++++++-----
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/tacacs/nss/patch/0001-Modify-user-map-profile.patch b/src/tacacs/nss/patch/0001-Modify-user-map-profile.patch
index 971f1f682f71..8bab6cb99717 100644
--- a/src/tacacs/nss/patch/0001-Modify-user-map-profile.patch
+++ b/src/tacacs/nss/patch/0001-Modify-user-map-profile.patch
@@ -10,6 +10,7 @@ Subject: [PATCH] Modify user map profile
 * Added "many_to_one" mode, create one local user for many TACACS+ users which has the same privilege.
 * Modified configuration parse and file to adapt to the new user map profile.
+* Stop authorization after user being rejected by server.
 ---
 Makefile.am | 4 +-
 Makefile.in | 2 +-
@@ -17,9 +18,9 @@ Subject: [PATCH] Modify user map profile
 debian/changelog | 11 +
 debian/control | 11 +-
 debian/libnss-tacplus.symbols | 1 -
- nss_tacplus.c | 1004 +++++++++++++++++++----------
- tacplus_nss.conf | 91 ++--
- 8 files changed, 518 insertions(+), 608 deletions(-)
+ nss_tacplus.c | 1018 +++++++++++++++------------------
+ tacplus_nss.conf | 91 ++-
+ 8 files changed, 527 insertions(+), 613 deletions(-)
 diff --git a/Makefile.am b/Makefile.am
 index 293951e..b33c455 100644
@@ -1153,7 +1154,18 @@ index 79e62b9..ecfa0b0 100644
 done = 1; /* break out of loop after arep cleanup */
 }
 else {
-@@ -692,30 +724,12 @@ lookup_tacacs_user(struct pwbuf *pb)
+@@ -685,6 +717,10 @@ lookup_tacacs_user(struct pwbuf *pb)
+ " invalid (%d)", nssname,
+ tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name,
+ arep.status);
++
++ if (arep.status == TAC_PLUS_AUTHOR_STATUS_FAIL) {
++ done = 1; /* break out of loop after server reject user */
++ }
+ }
+ if(arep.msg)
+ free(arep.msg);
+@@ -692,30 +728,12 @@ lookup_tacacs_user(struct pwbuf *pb)
 tac_free_attrib(&arep.attr);
 }
@@ -1186,7 +1198,7 @@ index 79e62b9..ecfa0b0 100644
 *
 * We try the lookup to the tacacs server first. If we can't make a
 * connection to the server for some reason, we also try looking up
-@@ -730,20 +744,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
+@@ -730,20 +748,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
 int result;
 struct pwbuf pbuf;
@@ -1221,7 +1233,7 @@ index 79e62b9..ecfa0b0 100644
 /* marshal the args for the lower level functions */
 pbuf.name = (char *)name;
 pbuf.pw = pw;
-@@ -751,126 +770,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
+@@ -751,126 +774,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
 pbuf.buflen = buflen;
 pbuf.errnop = errnop;
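Review bot: The new `done = 1` on `TAC_PLUS_AUTHOR_STATUS_FAIL` (hunk `@@ -1153,7 +1154,18 @@`) stops the server loop but records nothing about why it stopped, so whatever lookup_tacacs_user does after the loop — outside this hunk — has no visible way to tell an explicit policy reject from the pre-existing "no server answered" outcome, and the `_nss_tacplus_getpwnam_r` comment in the following hunk describes a further fallback lookup when no connection can be made. If that fallback is still reachable after a reject, the reject is enforced only against the remaining TACACS+ servers rather than end-to-end; that is inferred, so it is worth confirming, or setting a distinct result before `done = 1` so the caller refuses instead of falling back. The message emitted just above still logs a recognised reject as `invalid (%d)`, which makes a policy decision look like a protocol fault in syslog and hampers detection of repeated rejects. `TAC_PLUS_AUTHOR_STATUS_ERROR` is deliberately left to fall through to the next server, and a comment on the new branch would make that intent explicit, e.g. `/* FAIL is an authoritative reject from a reachable server: stop here. ERROR (server-side problem) still falls through to the next server. */`. The enclosing function, lookup_tacacs_user, starts and ends outside this hunk.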