Commit 1ded09d

Merge branch '516-final-stages' into stage
2 parents e5ed634 + 9b8341b commit 1ded09d

1 file changed

+7
-1
lines changed
content/cumulus-linux-516/System-Configuration/Authentication-Authorization-and-Accounting/TACACS.md

Lines changed: 7 additions & 1 deletion
@@ -140,7 +140,9 @@ You can configure the following optional TACACS+ settings:
140140
<!-- vale on -->
141141
- The users you do not want to send to the TACACS+ server for authentication; for example, local user accounts that exist on the switch, such as the cumulus user.
142142
- A separate home directory for each TACACS+ user when the TACACS+ user first logs in. By default, the switch uses the home directory in the mapping accounts in `/etc/passwd`. If the home directory does not exist, the `mkhomedir_helper` program creates it. This option does not apply to accounts with restricted shells (users mapped to a TACACS privilege level that has enforced per-command authorization).
143-
143+
{{%notice note%}}
144+
When you enable a separate home directory and the TACACS user exists and has connected before, the user home directory already exists under `tacacs_template_user`. Therefore, when adding a local user, the user does not have permissions or ownership of the home directory.
145+
{{%/notice%}}
144146
<!-- - The output debugging information level through syslog(3) to use for troubleshooting. You can specify a value between 0 and 2. The default is 0. A value of 1 enables debug logging. A value of 2 increases the verbosity of some debug logs.
145147
146148
{{%notice note%}}
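Review bot: The second sentence of the new note (new line 144) does not say which user is affected or why. "when adding a local user, the user does not have permissions or ownership of the home directory" leaves the reader to infer that the local user shares a name with a TACACS+ user who has already logged in, and "already exists under `tacacs_template_user`" does not say whether that is an owner or a path. Suggest spelling out both, and using "TACACS+ user" as the bullet on line 142 does instead of "TACACS user". Separately, the blank line at old 143 is replaced by `{{%notice note%}}`, so the shortcode now sits directly against the list item above and the `<!--` comment on 146 below; keep a blank line on each side, or indent the notice if it is meant to belong to the bullet, so it renders as its own block.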
@@ -725,3 +727,7 @@ If you configure multiple TACACS+ servers, both *authentication* and *authorizat
725727
{{%notice note%}}
726728
The TACACS+ client implementation that forwards or retries a request with an alternate TACACS+ server after receiving a failure (FAIL) response is not compliant with the behavior defined in {{<exlink url="https://datatracker.ietf.org/doc/html/rfc8907" text="RFC 8907">}}.
727729
{{%/notice%}}
730+
731+
### Local Fallback and User Home Directory
732+
733+
To avoid home directory permission issues, NVIDIA recommends you do not configure local fallback authentication and enable a home directory for a user.
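Review bot: The sentence on new line 733 can be read as "do not configure local fallback authentication, and do enable a home directory", which is the opposite of the intent. Suggest "NVIDIA recommends that you do not configure both local fallback authentication and a separate home directory for the same user", matching the "separate home directory" wording of the option on line 142. The section also gives no reason for the recommendation; a cross-reference to the note added at line 144 would tell the reader which permission issue is meant and how the two settings interact.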
