Comments (6)
Random notes I've found on how these should be done "right" for problem 1:
- Creating users should be done in postinst, something along the lines of `adduser --quiet --system --no-create-home --shell /usr/sbin/nologin kanidm`
- Running a service as a user should be as easy as specifying `User=kanidm`
- The magically disappearing /var/run dir is probably WAI, and should be managed via an entry in `/usr/lib/tmpfiles.d/kanidm-unixd.conf` consisting of `d /var/run/kanidm 0770 kanidm kanidm -`, or more secure perms if that'll still work (thinking back to the kanidmd hardening guide)
- Creating the other missing dirs is probably as simple as doing a postinst of `mkdir /var/{cache,lib}/kanidm-unixd` ... buuuut, that then requires handling uninstall correctly as well, which needs more investigation.
from kanidm.
And finally I think I found the reason why this is so odd. The systemd service uses DynamicUser, which is new to me! And systemd should be autocreating the cache, runtime and state directories. So that's that mystery solved as well. Modern stuff I didn't know about.
Sadly this makes troubleshooting super hard since you can't just launch the daemon past systemd when systemd is doing something stupid, such as not starting successfully and not logging anything. So I'll pivot back to investigating that part. Eventually it might be a good idea to amend the troubleshooting section in the book to note that you can't just run it yourself; systemd is expected to be the launcher.
from kanidm.
Ok, the error comes from `dm_unixd`, hence why it's not attributed to `kanidm-unixd.service` in journald. More good material for the troubleshooting section!
Dec 27 19:27:58 $hostname (dm_unixd)[3258325]: kanidm-unixd.service: Failed to determine supplementary groups: No such process
Dec 27 19:27:58 $hostname (dm_unixd)[3258325]: kanidm-unixd.service: Failed at step GROUP spawning /usr/sbin/kanidm_unixd: No such process
Dec 27 19:27:58 $hostname sudo[3258280]: pam_unix(sudo:session): session closed for user root
Dec 27 19:27:58 $hostname systemd[1]: kanidm-unixd.service: Failed with result 'exit-code'.
Since the only supplementary group mentioned is `tss`, which is not a group my system has, I'm assuming this is all to do with a missing dependency that the deb fails to call out.
from kanidm.
The missing package seems to have been `tpm-udev`, which includes a postinst `adduser` & `addgroup` for `tss`. Pretty sure the server I'm testing on has a TPM, but I guess none of that is autodetected for a server install.
So two things to do here:
- Add that package, or a more appropriate one as a dependency, taking into account Ubuntu vs. Debian and all that fun.
- Add more troubleshooting info, so that I wouldn't have gone down the rabbit hole that I did.
I can probably do a PR for both, need to just dig a bit deeper into whether `tpm-udev` is the right one to do this.
from kanidm.
Sooooo yes. Systemd handles all the user/folder creation stuff. The TPM libs are new so that's probably what's missing...
from kanidm.
The `dm_unixd` thing is systemd being weird - if you do `journalctl -u kanidm-unixd` instead of grepping the bare `journalctl` output you'll get the results you need.
from kanidm.
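A pre-flight check for the failure mode discussed in this thread, added here as an example and not code from the kanidm project: it reads the `SupplementaryGroups=` entries out of a unit file and reports any group the system does not have, which is what systemd's "Failed at step GROUP" spawn error is complaining about. The sample unit is constructed; only the `tss` group name and the `/usr/sbin/kanidm_unixd` path come from the thread.

```shell
#!/bin/sh
# Added example (not kanidm project code): check that every group named in a
# unit's SupplementaryGroups= lines exists before systemd tries to spawn it.

# Print one group name per line from all SupplementaryGroups= lines in $1.
# The directive may appear more than once and each value is space-separated.
unit_supplementary_groups() {
    sed -n 's/^[[:space:]]*SupplementaryGroups=//p' "$1" | while read -r line; do
        for g in $line; do
            printf '%s\n' "$g"
        done
    done
}

# Report each missing group; return 1 if any is missing, 0 if all exist.
# getent is the usual NSS lookup; fall back to /etc/group if it is absent.
check_unit_groups() {
    unit="$1"
    missing=0
    for g in $(unit_supplementary_groups "$unit"); do
        if ! getent group "$g" >/dev/null 2>&1 && ! grep -q "^$g:" /etc/group 2>/dev/null; then
            echo "missing group: $g (systemd would fail at step GROUP spawning this unit)"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample unit mirroring the situation in the thread: DynamicUser
# plus a supplementary group (tss) that a package dependency is expected to create.
SAMPLE_UNIT="$(mktemp)"
cat >"$SAMPLE_UNIT" <<'EOF'
[Service]
DynamicUser=yes
SupplementaryGroups=tss
ExecStart=/usr/sbin/kanidm_unixd
EOF

if check_unit_groups "$SAMPLE_UNIT"; then
    echo "all supplementary groups present; the GROUP step should succeed"
fi
rm -f "$SAMPLE_UNIT"
```

Run it against the installed unit (for example `/lib/systemd/system/kanidm-unixd.service`) from a postinst or by hand to separate "missing group" from the other start-up failures the thread describes.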