create a service-account named root not possible? #2728
Comments
Sudoers can be linked to kanidm users or groups, I'd recommend creating a user specific to your use case and one or more sudoers groups and adding the user to that. You don't need to add the user locally, because that's what Kanidm and the PAM/NSS integrations are for 😄
so no need to add the user locally, great :-) But how is the connection of the user/group to sudoers done? Does it mean the group created in kanidm must be added locally to sudoers file? Or is sudoers a capability returned by kanidm?
You add it to the local sudoers config, we haven't written a sudo plugin yet (see #240). For example if you have a file at
Which gives the
got the kanidm-unixd on my server running. My user in kanidm
but using
what am I possibly missing?
Best to check the server logs as well at that point
@yaleman ah forgot the server logs
so the account is not a member of the group, which I just tried to fix, but that gave me another issue: I can login with the client to the server, but when issuing a command it claims no valid auth token found
While login the server logs tells me
but when trying to query the ssh keys the server logs say
no idea what happens here, as the query for ssh key worked yesterday without issues
This error means you haven't run "kanidm person|service-account posix set", so they have no posix attributes, so they won't work on your system. That's what the error is telling you: there are no posix account attributes.
thanks that worked to successfully run
Your arguments are the wrong way around. -D/--name is "who is performing the action" and the positional arg is "who to perform the action on". So right now you are "me" performing a list-publickey on "idm_admin".
Oops, thanks for the hint :-) That way it works and I get the keys. But still my testserver does not let me in using that key. Added
to the testserver ssh config and restarted the service. But upon login attempt I get
and auth.log tells me
thought that the user doesn't need to exist locally and all is handled via PAM/nsswitch?
If you do "getent passwd me" does it show your account?
nope just empty reply on testserver (Debian 12)
Then your nsswitch is not configured correctly, so you should investigate that.
my nsswitch.conf looks like that
Your module is typoed as "kanDIm" not "kanIDm". :)
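The misspelled NSS module above is exactly the kind of mistake that produces an empty `getent passwd` reply with no error anywhere. The following checker is an added example, not code from the kanidm project or from anyone in this thread: it parses nsswitch.conf text, reports whether the `kanidm` module is listed on the `passwd` and `group` lines, and flags near-miss spellings such as `kandim`. The sample file content is constructed for the demonstration; on a real host you would read `/etc/nsswitch.conf` instead.

```python
# Added example: validate that the kanidm NSS module is present (and correctly
# spelled) on the passwd and group lines of nsswitch.conf.
import difflib

EXPECTED_MODULE = "kanidm"
DATABASES = ("passwd", "group")

# Constructed sample nsswitch.conf reproducing the typo discussed in the thread.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:         files systemd kandim
group:          files systemd kandim
shadow:         files
hosts:          files dns
"""


def parse_nsswitch(text):
    """Return {database: [module, ...]} from nsswitch.conf text.

    Comments and blank lines are skipped; action specifiers such as
    "[NOTFOUND=return]" are dropped because they are not module names.
    """
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        modules = [tok for tok in rest.split() if not tok.startswith("[")]
        dbs[name.strip()] = modules
    return dbs


def check_nsswitch(text, module=EXPECTED_MODULE, databases=DATABASES):
    """Check each database line for the module.

    Returns a list of (database, status, detail) tuples where status is
    "ok", "typo" (a close misspelling is present), "missing" (the line exists
    but does not list the module) or "absent" (no such database line).
    """
    dbs = parse_nsswitch(text)
    results = []
    for db in databases:
        if db not in dbs:
            results.append((db, "absent", "no %s line in nsswitch.conf" % db))
            continue
        mods = dbs[db]
        if module in mods:
            results.append((db, "ok", " ".join(mods)))
            continue
        # difflib catches transpositions like kandim/kanidm with a high ratio
        close = difflib.get_close_matches(module, mods, n=1, cutoff=0.8)
        if close:
            results.append((db, "typo", "found %r, expected %r" % (close[0], module)))
        else:
            results.append((db, "missing", "%r not listed: %s" % (module, " ".join(mods))))
    return results


if __name__ == "__main__":
    # Replace SAMPLE_NSSWITCH with open("/etc/nsswitch.conf").read() on a host.
    for db, status, detail in check_nsswitch(SAMPLE_NSSWITCH):
        print("%-7s %-8s %s" % (db, status, detail))
```

Running it on the sample prints `typo` for both `passwd` and `group`; after correcting the spelling both lines report `ok`, at which point `getent passwd <user>` is the next thing to re-check.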
@Firstyear
or should I better open a new issue here? |
What distro is this? This looks like a pam configuration error, because that's in unix_chkpwd, not a kanidm module which means your pam config is wrong.
@Firstyear
@yaleman Do you know what pam files we need to check on debian here? |
I'm trying to use kanidm to manage the SSH pubkeys. Login on my test-server is with root (I know, not best practice ;-)
So I thought I create a service account "root" and then add the ssh public keys to it. But it seems that account ID root cannot be created, I always get a "SchemaViolation(InvalidAttributeSyntax("name")" error.
Then I saw the POSIX options and thought I could create a user with another account id than root (me in my case) and set
--gidnumber 0
but that seems also not possible. Gives me a "GidOverlapsSystemMin(1000)" error. I can understand that for security reasons root or gid 0 is not allowed. But what is the best way then? Create a "normal" account-id and have to add this account-id to every server as a local user and add it to sudoers as well?