You need something like this:

But for TACACS. The problem is, TACACS is an authentication protocol, not
a directory lookup protocol.

Basically, the user information needs to be able to be looked up at any time,
separate from user authentication.

Think, when I do "ls -l" what translates the UID on the files into an
account name?

This is why, even for Microsoft ADS, they have Kerberos for authentication
and LDAP for user accounts and pretty much everything else.

Even for Kerberos, you can authenticate, but all other account information
needs to be available to the machine. So, for Kerberos installs, you don't
need the /etc/shadow file, but you still need the /etc/passwd file. Unless
you locate the information somewhere else, where it is readily available,
i.e. NIS or LDAP.

On 8/4/06, Gary Schlachter wrote:
> Asif,
> Thank you for your offer. However, I fear you just answered my
> question. Your comment:
> "Also make sure you do have a local user account and it is not
> locked.
> You must need a local account even though the authentication is
> done
> thru tacacs server. "
> is exactly what I was trying to avoid. I was wanting to NOT
> have a local account on the server. I am trying to have sshd use the
> local account as defined on the TACACS server. I was hoping there was a
> way to configure OpenSSH to not look for a local account. I am able to
> authenticate perfectly if the local account is created on the server.
> Gary

And, did Guloka think the Ulus were too ugly to save?
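To make the authentication-versus-lookup distinction above concrete, here is an added example that is not from this thread. It mimics the two stages an sshd-style login goes through: a yes/no credential check against an external server (the TACACS+ side is a constructed stand-in with constructed sample credentials), then a real NSS lookup through the pwd module, which is where a user with no /etc/passwd, NIS or LDAP entry fails even after authenticating. It assumes a Unix host where uid 0 resolves to "root".

```python
import pwd
from typing import Optional

# Constructed stand-in for an external authenticator such as a TACACS+ server.
# It can only answer "are these credentials valid?" and nothing else, which is
# exactly what an authentication protocol gives you. Sample data, not real users.
EXTERNAL_CREDENTIALS = {"tacacs-only-gary": "correct-horse-battery"}


def external_authenticate(user: str, password: str) -> bool:
    """Yes/no answer only; no uid, gid, home directory or shell comes back."""
    return EXTERNAL_CREDENTIALS.get(user) == password


def resolve_account(user: str) -> Optional[pwd.struct_passwd]:
    """Directory lookup via NSS (/etc/passwd, NIS, LDAP ...), independent of
    whether the user ever authenticated."""
    try:
        return pwd.getpwnam(user)
    except KeyError:
        return None


def uid_to_name(uid: int) -> str:
    """What 'ls -l' does: map a numeric UID on a file to an account name.
    With no directory entry it can only show the raw number."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def login(user: str, password: str) -> str:
    """Two stages, as in sshd: credentials first, then the account record
    needed to actually start a session."""
    if not external_authenticate(user, password):
        return "denied: bad credentials"
    account = resolve_account(user)
    if account is None:
        # Authentication succeeded, but there is no uid/gid/home/shell to
        # build a session from. This is the failure mode in the thread.
        return "denied: authenticated but no account in NSS"
    return f"ok: uid={account.pw_uid} home={account.pw_dir} shell={account.pw_shell}"
```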