Write error message to syslog when add user failed or connect to TACACS server failed. (#16240) (#17081)

Write error message to syslog when add user failed or connect to TACACS server failed.

Why I did it
With these messages, we can downgrade TACACS server with issue to lower priority.

Work item tracking
Microsoft ADO: 24667696
How I did it
Write error message to syslog when add user failed or connect to TACACS server failed.

How to verify it
Pass all UT.
Manually verify error message generated.
This commit is contained in:
Hua Liu 2023-11-06 23:07:10 +08:00 committed by GitHub
parent 0e5bac9821
commit a11b33b6ca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 15 deletions

View File

@ -18,9 +18,9 @@ Subject: [PATCH] Modify user map profile
debian/changelog | 11 +
debian/control | 11 +-
debian/libnss-tacplus.symbols | 1 -
nss_tacplus.c | 1018 +++++++++++++++------------------
nss_tacplus.c | 1015 +++++++++++++++------------------
tacplus_nss.conf | 91 ++-
8 files changed, 527 insertions(+), 613 deletions(-)
8 files changed, 525 insertions(+), 612 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 293951e..b33c455 100644
@ -1083,7 +1083,7 @@ index 79e62b9..ecfa0b0 100644
tac_add_attrib(attr, "service", tac_service);
if(tac_protocol[0])
tac_add_attrib(attr, "protocol", tac_protocol);
@@ -598,34 +659,9 @@ lookup_tacacs_user(struct pwbuf *pb)
@@ -598,52 +659,25 @@ lookup_tacacs_user(struct pwbuf *pb)
{
struct areply arep;
int ret = 1, done = 0;
@ -1119,11 +1119,17 @@ index 79e62b9..ecfa0b0 100644
for(srvr=0; srvr < tac_srv_no && !done; srvr++) {
arep.msg = NULL;
arep.attr = NULL;
@@ -636,14 +672,13 @@ lookup_tacacs_user(struct pwbuf *pb)
syslog(LOG_WARNING, "%s: failed to connect TACACS+ server %s,"
" ret=%d: %m", nssname, tac_srv[srvr].addr ?
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
arep.status = TAC_PLUS_AUTHOR_STATUS_ERROR; /* if author_send fails */
tac_fd = connect_tacacs(&attr, srvr);
if (tac_fd < 0) {
- if(debug)
- syslog(LOG_WARNING, "%s: failed to connect TACACS+ server %s,"
- " ret=%d: %m", nssname, tac_srv[srvr].addr ?
- tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
- tac_free_attrib(&attr);
+ syslog(LOG_ERR, "%s: failed to connect TACACS+ server %s,"
+ " ret=%d: %m", nssname, tac_srv[srvr].addr ?
+ tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
continue;
}
- ret = tac_author_send(tac_fd, pb->name, "", tac_rhost, attr);
@ -1137,7 +1143,7 @@ index 79e62b9..ecfa0b0 100644
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", ret,
pb->name);
}
@@ -668,14 +703,11 @@ lookup_tacacs_user(struct pwbuf *pb)
@@ -668,14 +702,11 @@ lookup_tacacs_user(struct pwbuf *pb)
if(arep.status == AUTHOR_STATUS_PASS_ADD ||
arep.status == AUTHOR_STATUS_PASS_REPL) {
ret = got_tacacs_user(arep.attr, pb);
@ -1154,7 +1160,7 @@ index 79e62b9..ecfa0b0 100644
done = 1; /* break out of loop after arep cleanup */
}
else {
@@ -685,6 +717,10 @@ lookup_tacacs_user(struct pwbuf *pb)
@@ -685,6 +716,10 @@ lookup_tacacs_user(struct pwbuf *pb)
" invalid (%d)", nssname,
tac_ntop(tac_srv[srvr].addr->ai_addr), pb->name,
arep.status);
@ -1165,7 +1171,7 @@ index 79e62b9..ecfa0b0 100644
}
if(arep.msg)
free(arep.msg);
@@ -692,30 +728,12 @@ lookup_tacacs_user(struct pwbuf *pb)
@@ -692,30 +727,12 @@ lookup_tacacs_user(struct pwbuf *pb)
tac_free_attrib(&arep.attr);
}
@ -1198,7 +1204,7 @@ index 79e62b9..ecfa0b0 100644
*
* We try the lookup to the tacacs server first. If we can't make a
* connection to the server for some reason, we also try looking up
@@ -730,20 +748,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
@@ -730,20 +747,25 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
int result;
struct pwbuf pbuf;
@ -1233,7 +1239,7 @@ index 79e62b9..ecfa0b0 100644
/* marshal the args for the lower level functions */
pbuf.name = (char *)name;
pbuf.pw = pw;
@@ -751,126 +774,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
@@ -751,126 +773,13 @@ enum nss_status _nss_tacplus_getpwnam_r(const char *name, struct passwd *pw,
pbuf.buflen = buflen;
pbuf.errnop = errnop;
@ -1468,4 +1474,3 @@ index bb4eb1e..7cb756f 100644
+# many_to_one=y
--
2.7.4

View File

@ -113,8 +113,8 @@ index 2de00a6..048745a 100644
for(srvr=0; srvr < tac_srv_no && !done; srvr++) {
arep.msg = NULL;
@@ -748,7 +823,7 @@ lookup_tacacs_user(struct pwbuf *pb)
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
@@ -747,7 +822,7 @@ lookup_tacacs_user(struct pwbuf *pb)
tac_ntop(tac_srv[srvr].addr->ai_addr) : "unknown", tac_fd);
continue;
}
- ret = tac_author_send(tac_fd, pb->name, "", "", attr);