Error when logging into CLI of Provder-1 server

[ivyma]

When logging into the P1 server via CLI with any account other than "admin" I get the following error:

"error: couldn't get the user ID"

This repeats several times and then returns to the prompt. Has anyone seen this and what is the fix?

[cciesec2006]

When logging into the P1 server via CLI with any account other than "admin" I get the following error:

"error: couldn't get the user ID"

This repeats several times and then returns to the prompt. Has anyone seen this and what is the fix?

Are you authenticating via SecurID, local account, RADIUS or TACACS?

[Bob_Zimmerman]

Are you authenticating via SecurID, local account, RADIUS or TACACS?

Related, has this ever worked, or is this the first time you're trying to log in to this box with a non-"admin" user?

What OS and version is this?

How did you add the non-"admin" user?

Are you connecting over SSH or locally on the console (either serial or keyboard/video)?

[ivyma]

Radius auth and running R80.10

[jflemingeds]

Radius auth and running R80.10

I think the user none-local or something like that is the user you become when you login with radius. Can you show your /etc/passwd file? Also what shows up in /var/log/messages when you attempt a login?

[ivyma]

To answer your other question I am attempting to login via SSH. The /etc/passwd file is shown below:

admin:x:0:0:Admin:/home/admin:/bin/bash
monitor:x:102:100:Monitor:/home/monitor:/etc/cli.sh
root:x:0:0:root:/root:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
postfix:x:1001:1001:Postfix:/home/postfix:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
pcap:x:77:77::/var/arpwatch:/sbin/nologin
halt:x:7:0:halt:/sbin:/sbin/halt
cp_postgres:x:1008:0:Postgres:/home/cp_postgres:/bin/sh
cpep_user:x:1500:1500::/home/cpep_user:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
_nonlocl:x:96:100:Non-local user:/home/_nonlocl:/etc/cli.sh

[jflemingeds]

To answer your other question I am attempting to login via SSH. The /etc/passwd file is shown below:

admin:x:0:0:Admin:/home/admin:/bin/bash
monitor:x:102:100:Monitor:/home/monitor:/etc/cli.sh
root:x:0:0:root:/root:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
postfix:x:1001:1001:Postfix:/home/postfix:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
pcap:x:77:77::/var/arpwatch:/sbin/nologin
halt:x:7:0:halt:/sbin:/sbin/halt
cp_postgres:x:1008:0:Postgres:/home/cp_postgres:/bin/sh
cpep_user:x:1500:1500::/home/cpep_user:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
_nonlocl:x:96:100:Non-local user:/home/_nonlocl:/etc/cli.sh

That’s it _nonlocl. What does messages say when you login?

[Bob_Zimmerman]

To eliminate the _nonlocl stuff from being a potential problem, I would recommend trying this:

Code:

add user zimmie uid 103 homedir /home/zimmie
set user zimmie gid 0 shell /bin/bash
add rba user zimmie roles adminRole
save config

Replace my username with your own, of course, and you can pick any UID you feel like as long as it isn't already used. This will create a local user with no password (which prevents local authentication from working). Authentication attempts are then passed to the RADIUS or TACACS server. The user needs to exist on the RADIUS/TACACS server (or on an upstream authentication server) for this to work.

In addition to the /var/log/messages file, I would also look at the /var/log/secure and /var/log/auth files. Those both contain data specifically on authentication attempts, and messages in them tend to be more verbose than the equivalent lines in /var/log/messages. The idea is they are only readable by people who already have root privileges, so it's safer to include details which could compromise security, such as specific reasons for authentication failures.

[cciesec2006]

That’s it _nonlocl. What does messages say when you login?

I integrate Cisco ACS radius with R80.10 and it works for me:

add user cciesec uid 0 homedir /home/cciesec

add rba role netread domain-type System all-features

add rba user cciesec roles netread

cciesec is the account defined on the ACS server. It allows me to ssh and log into the R80.10 box.

[Bob_Zimmerman]

I integrate Cisco ACS radius with R80.10 and it works for me:

add user cciesec uid 0 homedir /home/cciesec

add rba role netread domain-type System all-features

add rba user cciesec roles netread

cciesec is the account defined on the ACS server. It allows me to ssh and log into the R80.10 box.

If you do it with a non-zero UID, you can use SSH key authentication, then use sudo (configured in whatever way you want) to elevate to root.