create a service-account named root not possible? #2728

Closed
jahlives opened this issue Apr 27, 2024 · 19 comments

Comments

@jahlives

I'm trying to use kanidm to manage the SSH pubkeys. Login on my test server is with root (I know, not best practice ;-)
So I thought I'd create a service account "root" and then add the SSH public keys to it. But it seems that the account ID root cannot be created; I always get a "SchemaViolation(InvalidAttributeSyntax("name")" error.

kanidm service-account create --name idm_admin  root "admin" idm_admin
2024-04-27T18:10:38.116111Z ERROR kanidm_cli: HTTP Error: 400 Bad Request SchemaViolation(InvalidAttributeSyntax("name")) "767bb8c7-d706-46f7-8c5f-f905020b8dcf"

Then I saw the POSIX options and thought I could create a user with another account ID than root (me in my case) and set --gidnumber 0, but that also seems not to be possible. It gives me a "GidOverlapsSystemMin(1000)" error.

kanidm service-account posix set --name idm_admin me --gidnumber 0
2024-04-27T18:11:26.413790Z ERROR kanidm_cli: Internal Server Error in response:" GidOverlapsSystemMin(1000)" "f651d742-cca2-4cff-b6c0-b6465914a37e"

I can understand that for security reasons root or gid 0 is not allowed. But what is the best way then? Create a "normal" account-id and have to add this account-id to every server as local user and add it to sudoers as well?

@yaleman
Member

yaleman commented Apr 28, 2024

root is one of two disallowed usernames. You can't create a user with gid 0 because that'd overlap with root and not work anyway.

But what is the best way then? Create a "normal" account-id and have to add this account-id to every server as local user and add it to sudoers as well?

Sudoers can be linked to kanidm users or groups, I'd recommend creating a user specific to your use case and one or more sudoers groups and adding the user to that. You don't need to add the user locally, because that's what Kanidm and the PAM/NSS integrations are for 😄

@jahlives
Author

I'd recommend creating a user specific to your use case and one or more sudoers groups and adding the user to that

So no need to add the user locally, great :-) But how is the connection of the user/group to sudoers done? Does it mean the group created in kanidm must be added locally to the sudoers file? Or is sudoers a capability returned by kanidm?

@yaleman
Member

yaleman commented Apr 28, 2024

You add it to the local sudoers config, we haven't written a sudo plugin yet (see #240)

For example if you have a file at /etc/sudoers.d/kanidm:

%fancy_sudo_users@kanidm.example.com ALL=(ALL:ALL) ALL

Which gives the fancy_sudo_users group from the Kanidm domain kanidm.example.com sudo access.

@jahlives
Author

Got kanidm-unixd running on my server. My user in kanidm, me, has SSH public keys:

kanidm service-account ssh list-publickeys me
test-key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDVCEjdE8zMZD7KYq88uQm7oi[...]

but using kanidm_ssh_authorizedkeys to test whether there are keys returns an empty response set:

kanidm_ssh_authorizedkeys -d me
2024-04-30T05:21:41.679899Z DEBUG kanidm_ssh_authorizedkeys: Starting authorized keys tool ...
2024-04-30T05:21:41.680451Z DEBUG kanidm_unix_common::unix_config: Attempting to load configuration from "/etc/kanidm/unixd"
2024-04-30T05:21:41.680713Z DEBUG kanidm_unix_common::unix_config: Successfully opened configuration file "/etc/kanidm/unixd"
2024-04-30T05:21:41.681101Z DEBUG kanidm_ssh_authorizedkeys: Using kanidm_unixd socket path: "/var/run/kanidm-unixd/sock"
2024-04-30T05:21:41.681905Z DEBUG kanidm_unix_common::client: Attempting to send request -> SshKey(me)
2024-04-30T05:21:41.683103Z DEBUG kanidm_unix_common::client: Response -> SshKeys([])

What am I possibly missing?

@yaleman
Member

yaleman commented Apr 30, 2024

Best to check the server logs as well at that point.

@jahlives
Author

jahlives commented May 1, 2024

@yaleman ah, forgot the server logs:

[error]: Failed to start unix user token -> InvalidAccountState("Missing class: posixaccount") | event_tag_id: 1

So the account is not a member of the group, which I just tried to fix, but that gave me another issue: I can log in with the client to the server, but when issuing a command it claims no valid auth token is found:

kanidm login -D idm_admin
Enter password: 
Login Success for idm_admin@idm.rm-rf.ch
kanidm service-account ssh list-publickeys --name me idm_admin
2024-05-01T05:13:32.943979Z ERROR kanidm_cli::common: No valid authentication tokens found for me.
Would you like to login again? yes
2024-05-01T05:13:36.889048Z ERROR kanidm_cli::session: Error during authentication init phase: AuthenticationFailed

While logging in, the server logs tell me:

handle_request [ 363µs | 0.00% / 100.00% ]
2024-05-01T05:12:39.694014832Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO     ┕━ request [ 363µs | 29.50% / 100.00% ] method: POST | uri: /v1/auth | version: HTTP/1.1
2024-05-01T05:12:39.694023706Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        ┝━ auth [ 198µs | 54.50% ]
2024-05-01T05:12:39.694028863Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        │  ┝━ i [info]: Begin auth event | event_tag_id: 10 | sessionid: None | req: AuthRequest { step: Init2 { username: "idm_admin", issue: Token, privileged: false } }
2024-05-01T05:12:39.694034555Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        │  ┝━ i [info]: Initiating Authentication Session | event_tag_id: 10 | username: idm_admin | issue: Token | privileged: false | uuid: 00000000-0000-0000-0000-000000000018
2024-05-01T05:12:39.694040755Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        │  ┝━ i [info]: Account does not have any passkeys | event_tag_id: 10
2024-05-01T05:12:39.694045606Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        │  ┕━ i [info]: Sending auth result | event_tag_id: 10 | res: Ok(AuthResult { sessionid: 00000000-6631-cf47-2956-d7b0b2217e62, state: AuthState::Choose([Password]) })
2024-05-01T05:12:39.694065672Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        ┝━ auth_session_state_management [ 58.1µs | 16.00% ] inter: Ok(AuthResult { sessionid: 00000000-6631-cf47-2956-d7b0b2217e62, state: AuthState::Choose([Password]) })
2024-05-01T05:12:39.694072896Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        ┕━ i [info]:  | latency: 369.919µs | status_code: 200 | kopid: "89553cff-34bd-4e4f-b197-22b0776bf344" | msg: "response sent"
2024-05-01T05:12:39.695046092Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO     handle_request [ 213µs | 0.00% / 100.00% ]
2024-05-01T05:12:39.695071570Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO     ┕━ request [ 213µs | 59.83% / 100.00% ] method: POST | uri: /v1/auth | version: HTTP/1.1
2024-05-01T05:12:39.695079308Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO        ┝━ auth [ 55.7µs | 26.20% ]
2024-05-01T05:12:39.695087778Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO        │  ┝━ i [info]: Begin auth event | event_tag_id: 10 | sessionid: Some(00000000-6631-cf47-2956-d7b0b2217e62) | req: AuthRequest { step: Begin(Password) }
2024-05-01T05:12:39.695093313Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO        │  ┕━ i [info]: Sending auth result | event_tag_id: 10 | res: Ok(AuthResult { sessionid: 00000000-6631-cf47-2956-d7b0b2217e62, state: AuthState::Continue([Password]) })
2024-05-01T05:12:39.695098513Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO        ┝━ auth_session_state_management [ 29.7µs | 13.97% ] inter: Ok(AuthResult { sessionid: 00000000-6631-cf47-2956-d7b0b2217e62, state: AuthState::Continue([Password]) })
2024-05-01T05:12:39.695103577Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO        ┕━ i [info]:  | latency: 220.586µs | status_code: 200 | kopid: "2c1ac90b-f63c-4f6a-8913-90e0dad15d37" | msg: "response sent"
2024-05-01T05:12:55.417893510Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO     handle_request [ 19.0ms | 0.00% / 100.00% ]
2024-05-01T05:12:55.417934718Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO     ┕━ request [ 19.0ms | 1.64% / 100.00% ] method: POST | uri: /v1/auth | version: HTTP/1.1
2024-05-01T05:12:55.417942744Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        ┝━ auth [ 18.7ms | 98.32% ]
2024-05-01T05:12:55.417947696Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        │  ┝━ i [info]: Begin auth event | event_tag_id: 10 | sessionid: Some(00000000-6631-cf47-2956-d7b0b2217e62) | req: AuthRequest { step: Cred(Password(_)) }
2024-05-01T05:12:55.417953047Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        │  ┝━ i [info]: Handler::Password -> Result::Success | event_tag_id: 10
2024-05-01T05:12:55.417958214Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        │  ┝━ i [info]: Issuing Token session (ReadWrite) 6967b242-eed2-47ca-8fbf-e74de5fe3b6c for idm_admin@idm.rm-rf.ch 00000000-0000-0000-0000-000000000018 | event_tag_id: 10
2024-05-01T05:12:55.417965203Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        │  ┕━ i [info]: Sending auth result | event_tag_id: 10 | res: Ok(AuthResult { sessionid: 00000000-6631-cf47-2956-d7b0b2217e62, state: AuthState::Success(Token) })
2024-05-01T05:12:55.417970575Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        ┝━ auth_session_state_management [ 7.66µs | 0.04% ] inter: Ok(AuthResult { sessionid: 00000000-6631-cf47-2956-d7b0b2217e62, state: AuthState::Success(Token) })
2024-05-01T05:12:55.417993379Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        ┕━ i [info]:  | latency: 19.080643ms | status_code: 200 | kopid: "0fbe2fe3-035b-41f4-bc81-9933701b3ed4" | msg: "response sent"

but when trying to query the SSH keys, the server logs say:

2024-05-01T05:13:36.850806619Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO     handle_request [ 607µs | 0.00% / 100.00% ]
2024-05-01T05:13:36.850883105Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO     ┕━ request [ 607µs | 32.17% / 100.00% ] method: POST | uri: /v1/auth | version: HTTP/1.1
2024-05-01T05:13:36.850898849Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        ┝━ auth [ 400µs | 65.88% ]
2024-05-01T05:13:36.850914798Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        │  ┝━ i [info]: Begin auth event | event_tag_id: 10 | sessionid: None | req: AuthRequest { step: Init2 { username: "me", issue: Token, privileged: false } }
2024-05-01T05:13:36.850933618Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        │  ┝━ i [info]: Initiating Authentication Session | event_tag_id: 10 | username: me | issue: Token | privileged: false | uuid: 8fbbf82d-2a26-4a1d-a26d-d4cf91be79a8
2024-05-01T05:13:36.850953628Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        │  ┝━ i [info]: Account does not have any passkeys | event_tag_id: 10
2024-05-01T05:13:36.850965191Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        │  ┝━ i [info]: account has no available credentials | event_tag_id: 10
2024-05-01T05:13:36.851003704Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        │  ┝━ i [info]: Authentication Session Unable to begin | event_tag_id: 10
2024-05-01T05:13:36.851015446Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        │  ┕━ i [info]: Sending auth result | event_tag_id: 10 | res: Ok(AuthResult { sessionid: 00000000-6631-cf80-32aa-12f3321dadfc, state: AuthState::Denied("invalid credential state") })
2024-05-01T05:13:36.851031768Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        ┝━ auth_session_state_management [ 11.8µs | 1.95% ] inter: Ok(AuthResult { sessionid: 00000000-6631-cf80-32aa-12f3321dadfc, state: AuthState::Denied("invalid credential state") })
2024-05-01T05:13:36.851051126Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        ┕━ i [info]:  | latency: 626.802µs | status_code: 200 | kopid: "d85b0345-87fd-485c-b3b2-fec00f1be2ac" | msg: "response sent"

No idea what happens here, as the query for SSH keys worked yesterday without issues.

@Firstyear
Member

[error]: Failed to start unix user token -> InvalidAccountState("Missing class: posixaccount") | event_tag_id: 1

This error means you haven't run "kanidm person|service-account posix set", so they have no posix attributes, so they won't work on your system. That's what the error is telling you: there are no posix account attributes.

@jahlives
Author

jahlives commented May 1, 2024

This error means you haven't run "kanidm person|service-account posix set"

Thanks, with that I could successfully run kanidm_ssh_authorizedkeys me on the client. But I still wonder why it claims the tokens of idm_admin are invalid directly after a successful login.

@Firstyear
Member

kanidm service-account ssh list-publickeys --name me idm_admin

Your arguments are the wrong way around. -D/--name is "who is performing the action" and the positional arg is "who to perform the action on".

So right now you are "me" performing a list-publickey on "idm_admin".

@jahlives
Author

jahlives commented May 1, 2024

Your arguments are the wrong way around. -D/--name is "who is performing the action"

Oops, thanks for the hint :-) That way it works and I get the keys. But my test server still does not let me in using that key. Added

UsePAM yes
AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u
AuthorizedKeysCommandUser nobody
PasswordAuthentication no

to the test server's SSH config and restarted the service. But upon a login attempt I get

ssh me@10.55.0.7 -i ~/.ssh/id_rsa
me@10.55.0.7: Permission denied (publickey).

and auth.log tells me:

Invalid user me from 10.66.100.17 port 46606

I thought that the user doesn't need to exist locally and all is handled via PAM/nsswitch?

@Firstyear
Member

If you do "getent passwd me" does it show your account?

@jahlives
Author

jahlives commented May 1, 2024

If you do "getent passwd me" does it show your account?

Nope, just an empty reply on the test server (Debian 12).

@Firstyear
Member

Then your nsswitch is not configured correctly, so you should investigate that.

@jahlives
Author

jahlives commented May 1, 2024

My nsswitch.conf looks like this:

passwd:         files systemd compat kandim
group:          files systemd compat kandim
shadow:         files systemd
gshadow:        files systemd

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

@Firstyear
Member

Your module is typo'd as "kanDIm", not "kanIDm". :)
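
A small lint for exactly this class of mistake, added here as an example; it is not part of this thread or of the kanidm project. It reads an nsswitch.conf, checks every source named on a database line against a list of NSS module names (that list is an assumption of the example, extend it for whatever your distro ships), and reports anything unrecognised, so a misspelling like "kandim" is caught before you start chasing sshd or PAM errors. The sample configuration embedded below is constructed to mirror the one posted above.

```shell
#!/bin/sh
# Added example, not kanidm project code: lint nsswitch.conf for misspelled
# NSS module names. The set of accepted names below is an assumption of this
# example; add the modules your distribution actually installs.
KNOWN_NSS_MODULES="files systemd compat db dns nis kanidm sss ldap winbind myhostname mymachines resolve"

# check_nsswitch_modules FILE
# Prints each line that names an unknown module; returns 1 if any were
# found, 0 if every source on every database line is recognised.
check_nsswitch_modules() {
    _file="$1"
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _body="${_line%%#*}"            # drop trailing comments
        case "$_body" in
            *:*) ;;                     # "database: sources ..." line
            *) continue ;;              # blank or comment-only line
        esac
        _mods="${_body#*:}"
        for _mod in $_mods; do
            # Action specifiers such as [NOTFOUND=return] are not modules.
            case "$_mod" in \[*\]) continue ;; esac
            case " $KNOWN_NSS_MODULES " in
                *" $_mod "*) ;;
                *)
                    printf 'unknown NSS module "%s" in line: %s\n' "$_mod" "$_line"
                    _bad=1
                    ;;
            esac
        done
    done < "$_file"
    return $_bad
}

# check_nsswitch_has_module FILE MODULE
# Returns 0 only if both the passwd and the group database list MODULE,
# which is what kanidm-unixd needs for getent passwd/group to resolve users.
check_nsswitch_has_module() {
    _file="$1"
    _want="$2"
    _ok=0
    for _db in passwd group; do
        grep -Eq "^[[:space:]]*${_db}:([[:space:]]+[^[:space:]]+)*[[:space:]]+${_want}([[:space:]]|\$)" "$_file" || _ok=1
    done
    return $_ok
}

# Constructed sample input reproducing the typo from the thread.
TYPO_CONF="$(mktemp)"
FIXED_CONF="$(mktemp)"
trap 'rm -f "$TYPO_CONF" "$FIXED_CONF"' EXIT
cat > "$TYPO_CONF" <<'EOF'
# constructed nsswitch.conf sample
passwd:         files systemd compat kandim
group:          files systemd compat kandim
shadow:         files systemd
hosts:          files dns
netgroup:       nis
EOF
sed 's/kandim/kanidm/' "$TYPO_CONF" > "$FIXED_CONF"

# Stand-alone demonstration: lint the constructed sample with the typo.
if check_nsswitch_modules "$TYPO_CONF"; then
    echo "nsswitch.conf: all modules recognised"
else
    echo "nsswitch.conf: fix the module names above, then re-run 'getent passwd <user>'"
fi
```

Run it against /etc/nsswitch.conf on the host instead of the constructed sample to lint the real file; if it passes but getent passwd still returns nothing, the problem is past NSS resolution (the unixd socket, the account's posix attributes, or the PAM stack), not the spelling.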

@jahlives
Author

@Firstyear
Thanks for the hint with the typo. I had not seen it even though I checked the lines several times :-)
Now I'm one step further: getent passwd me returns a value. But I still cannot log in, and auth.log now says:

2024-05-23T07:42:07.253658+00:00 mx02 unix_chkpwd[2920]: could not obtain user info (me)
2024-05-23T07:42:07.256399+00:00 mx02 sshd[2916]: fatal: Access denied for user me by PAM account configuration [preauth]

or should I better open a new issue here?

@Firstyear
Member

What distro is this? This looks like a PAM configuration error, because that's in unix_chkpwd, not a kanidm module, which means your PAM config is wrong.

@jahlives
Author

@Firstyear
It's a Debian 12 and I used the deb packages here from git. According to the docs here, PAM should be configured by the package. Therefore I did not touch the PAM config, only the nsswitch config where I placed my typo :-)

@Firstyear
Member

@yaleman Do you know what PAM files we need to check on Debian here?
