kanidm-unixd PPA package fails to start on debian12, missing tss group? about kanidm HOT 6 OPEN

Random notes I've found how these should be done "right" for problem 1:

• Creating users should be done in postinst, something along adduser --quiet --system --no-create-home --shell /usr/sbin/nologin kanidm
• Running a service as a user should be as easy as specifying User=kanidm
• The magically dissapearing /var/run dir is probably WAI, and should be managed via an entry in /usr/lib/tmpfiles.d/kanidm-unixd.conf consisting of d /var/run/kanidm 0770 kanidm kanidm -, or more secure perms if that'll still work (thinking back to the kanidmd hardening guide)
• Creating the other missing dirs is probably as simple as doing a postinst of mkdir /var/{cache,lib}/kanidm-unixd ... buuuut, that then requires handling uninstall correctly as well, which needs more investigation.

from kanidm.

And finally I think I find the reason why this is so odd. The systemd service uses [DynamicUser] which is new to me! And systemd should be autocreating the cache, runtime and state directories. So that's that mystery solved as well. Modern stuff I didn't now about.

Sadly this makes troubleshooting super hard since you can't just launch the daemon past systemd when systemd is doing something stupid, such as not starting successfully and not logging anything. So I'll pivot back to investigating that part. Eventually it might be a good idea to amend the troubleshooting section in the book to note that you can't just run it yourself, systemd is expected to be the launcher.

from kanidm.

Ok, the error comes from dm_unixd, hence why it's not attributed to kanidm-unixd.service in journald. More good material for the troubleshooting section!

Dec 27 19:27:58 $hostname (dm_unixd)[3258325]: kanidm-unixd.service: Failed to determine supplementary groups: No such process
Dec 27 19:27:58 $hostname (dm_unixd)[3258325]: kanidm-unixd.service: Failed at step GROUP spawning /usr/sbin/kanidm_unixd: No such process
Dec 27 19:27:58 $hostname sudo[3258280]: pam_unix(sudo:session): session closed for user root
Dec 27 19:27:58 $hostname systemd[1]: kanidm-unixd.service: Failed with result 'exit-code'.

Since the only supplementary group mentioned is tss which is not a group my system has, I'm assuming this is all to do with a missing dependency that the deb fails to call out.

from kanidm.

The missing package seems to have been tpm-udev which includes a postinst adduser & addgroup for tss. Pretty sure the server I'm testing on has a TPM, but I guess none of that is autodetected for a server install.

So two things to do here:

1. Add that package, or a more appropriate one as a dependency, taking into account Ubuntu vs. Debian and all that fun.
2. Add more troubleshooting info, so that I wouldn't have gone down the rabbithole that I did.

I can probably do a PR for both, need to just dig a bit deeper if tpm-udev is the right one to do this

from kanidm.

Sooooo yes. Systemd handles all the user/folder creation stuff. The TPM libs are new so that's probably what's missing...

from kanidm.

The dm_unixd thing is systemd being weird - if you do journalctl -u kanidm-unixd instead of grepping the bare journalctl output you'll get the results you need.

from kanidm.