
Comments (19)

yaleman avatar yaleman commented on June 2, 2024

root is one of two disallowed usernames. You can't create a user with gid 0 because that'd overlap with root and not work anyway.

But what is the best way then? Create a "normal" account-id and have to add this account-id to every server as local user and add it to sudoers as well?

Sudoers can be linked to kanidm users or groups, I'd recommend creating a user specific to your use case and one or more sudoers groups and adding the user to that. You don't need to add the user locally, because that's what Kanidm and the PAM/NSS integrations are for 😄

from kanidm.

jahlives avatar jahlives commented on June 2, 2024

I'd recommend creating a user specific to your use case and one or more sudoers groups and adding the user to that

so no need to add the user locally, great :-) But how is the connection of the user/group to sudoers done? Does it mean the group created in kanidm must be added locally to sudoers file? Or is sudoers a capability returned by kanidm?


yaleman avatar yaleman commented on June 2, 2024

You add it to the local sudoers config, we haven't written a sudo plugin yet (see #240)

For example if you have a file at /etc/sudoers.d/kanidm:

%fancy_sudo_users@kanidm.example.com ALL=(ALL:ALL) ALL

Which gives the fancy_sudo_users group from the Kanidm domain kanidm.example.com sudo access.


jahlives avatar jahlives commented on June 2, 2024

Got kanidm-unixd on my server running. My user "me" in kanidm has ssh public keys

kanidm service-account ssh list-publickeys me
test-key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDVCEjdE8zMZD7KYq88uQm7oi[...]

but using kanidm_ssh_authorizedkeys to test if there are keys returns an empty response set

kanidm_ssh_authorizedkeys -d me
2024-04-30T05:21:41.679899Z DEBUG kanidm_ssh_authorizedkeys: Starting authorized keys tool ...
2024-04-30T05:21:41.680451Z DEBUG kanidm_unix_common::unix_config: Attempting to load configuration from "/etc/kanidm/unixd"
2024-04-30T05:21:41.680713Z DEBUG kanidm_unix_common::unix_config: Successfully opened configuration file "/etc/kanidm/unixd"
2024-04-30T05:21:41.681101Z DEBUG kanidm_ssh_authorizedkeys: Using kanidm_unixd socket path: "/var/run/kanidm-unixd/sock"
2024-04-30T05:21:41.681905Z DEBUG kanidm_unix_common::client: Attempting to send request -> SshKey(me)
2024-04-30T05:21:41.683103Z DEBUG kanidm_unix_common::client: Response -> SshKeys([])

what am I possibly missing?


yaleman avatar yaleman commented on June 2, 2024

Best to check the server logs as well at that point


jahlives avatar jahlives commented on June 2, 2024

@yaleman ah forgot the server logs

[error]: Failed to start unix user token -> InvalidAccountState("Missing class: posixaccount") | event_tag_id: 1

so the account is not a member of the group, which I just tried to fix, but that gave me another issue: I can log in with the client to the server, but when issuing a command it claims no valid auth token was found

kanidm login -D idm_admin
Enter password: 
Login Success for [email protected]
kanidm service-account ssh list-publickeys --name me idm_admin
2024-05-01T05:13:32.943979Z ERROR kanidm_cli::common: No valid authentication tokens found for me.
Would you like to login again? yes
2024-05-01T05:13:36.889048Z ERROR kanidm_cli::session: Error during authentication init phase: AuthenticationFailed

While logging in, the server logs tell me

handle_request [ 363µs | 0.00% / 100.00% ]
2024-05-01T05:12:39.694014832Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO     ┕━ request [ 363µs | 29.50% / 100.00% ] method: POST | uri: /v1/auth | version: HTTP/1.1
2024-05-01T05:12:39.694023706Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        ┝━ auth [ 198µs | 54.50% ]
2024-05-01T05:12:39.694028863Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        │  ┝━ ｉ [info]: Begin auth event | event_tag_id: 10 | sessionid: None | req: AuthRequest { step: Init2 { username: "idm_admin", issue: Token, privileged: false } }
2024-05-01T05:12:39.694034555Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        │  ┝━ ｉ [info]: Initiating Authentication Session | event_tag_id: 10 | username: idm_admin | issue: Token | privileged: false | uuid: 00000000-0000-0000-0000-000000000018
2024-05-01T05:12:39.694040755Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        │  ┝━ ｉ [info]: Account does not have any passkeys | event_tag_id: 10
2024-05-01T05:12:39.694045606Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        │  ┕━ ｉ [info]: Sending auth result | event_tag_id: 10 | res: Ok(AuthResult { sessionid: 00000000-6631-cf47-2956-d7b0b2217e62, state: AuthState::Choose([Password]) })
2024-05-01T05:12:39.694065672Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        ┝━ auth_session_state_management [ 58.1µs | 16.00% ] inter: Ok(AuthResult { sessionid: 00000000-6631-cf47-2956-d7b0b2217e62, state: AuthState::Choose([Password]) })
2024-05-01T05:12:39.694072896Z 89553cff-34bd-4e4f-b197-22b0776bf344 INFO        ┕━ ｉ [info]:  | latency: 369.919µs | status_code: 200 | kopid: "89553cff-34bd-4e4f-b197-22b0776bf344" | msg: "response sent"
2024-05-01T05:12:39.695046092Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO     handle_request [ 213µs | 0.00% / 100.00% ]
2024-05-01T05:12:39.695071570Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO     ┕━ request [ 213µs | 59.83% / 100.00% ] method: POST | uri: /v1/auth | version: HTTP/1.1
2024-05-01T05:12:39.695079308Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO        ┝━ auth [ 55.7µs | 26.20% ]
2024-05-01T05:12:39.695087778Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO        │  ┝━ ｉ [info]: Begin auth event | event_tag_id: 10 | sessionid: Some(00000000-6631-cf47-2956-d7b0b2217e62) | req: AuthRequest { step: Begin(Password) }
2024-05-01T05:12:39.695093313Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO        │  ┕━ ｉ [info]: Sending auth result | event_tag_id: 10 | res: Ok(AuthResult { sessionid: 00000000-6631-cf47-2956-d7b0b2217e62, state: AuthState::Continue([Password]) })
2024-05-01T05:12:39.695098513Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO        ┝━ auth_session_state_management [ 29.7µs | 13.97% ] inter: Ok(AuthResult { sessionid: 00000000-6631-cf47-2956-d7b0b2217e62, state: AuthState::Continue([Password]) })
2024-05-01T05:12:39.695103577Z 2c1ac90b-f63c-4f6a-8913-90e0dad15d37 INFO        ┕━ ｉ [info]:  | latency: 220.586µs | status_code: 200 | kopid: "2c1ac90b-f63c-4f6a-8913-90e0dad15d37" | msg: "response sent"
2024-05-01T05:12:55.417893510Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO     handle_request [ 19.0ms | 0.00% / 100.00% ]
2024-05-01T05:12:55.417934718Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO     ┕━ request [ 19.0ms | 1.64% / 100.00% ] method: POST | uri: /v1/auth | version: HTTP/1.1
2024-05-01T05:12:55.417942744Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        ┝━ auth [ 18.7ms | 98.32% ]
2024-05-01T05:12:55.417947696Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        │  ┝━ ｉ [info]: Begin auth event | event_tag_id: 10 | sessionid: Some(00000000-6631-cf47-2956-d7b0b2217e62) | req: AuthRequest { step: Cred(Password(_)) }
2024-05-01T05:12:55.417953047Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        │  ┝━ ｉ [info]: Handler::Password -> Result::Success | event_tag_id: 10
2024-05-01T05:12:55.417958214Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        │  ┝━ ｉ [info]: Issuing Token session (ReadWrite) 6967b242-eed2-47ca-8fbf-e74de5fe3b6c for [email protected] 00000000-0000-0000-0000-000000000018 | event_tag_id: 10
2024-05-01T05:12:55.417965203Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        │  ┕━ ｉ [info]: Sending auth result | event_tag_id: 10 | res: Ok(AuthResult { sessionid: 00000000-6631-cf47-2956-d7b0b2217e62, state: AuthState::Success(Token) })
2024-05-01T05:12:55.417970575Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        ┝━ auth_session_state_management [ 7.66µs | 0.04% ] inter: Ok(AuthResult { sessionid: 00000000-6631-cf47-2956-d7b0b2217e62, state: AuthState::Success(Token) })
2024-05-01T05:12:55.417993379Z 0fbe2fe3-035b-41f4-bc81-9933701b3ed4 INFO        ┕━ ｉ [info]:  | latency: 19.080643ms | status_code: 200 | kopid: "0fbe2fe3-035b-41f4-bc81-9933701b3ed4" | msg: "response sent"

but when trying to query the ssh keys server logs sez

2024-05-01T05:13:36.850806619Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO     handle_request [ 607µs | 0.00% / 100.00% ]
2024-05-01T05:13:36.850883105Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO     ┕━ request [ 607µs | 32.17% / 100.00% ] method: POST | uri: /v1/auth | version: HTTP/1.1
2024-05-01T05:13:36.850898849Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        ┝━ auth [ 400µs | 65.88% ]
2024-05-01T05:13:36.850914798Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        │  ┝━ ｉ [info]: Begin auth event | event_tag_id: 10 | sessionid: None | req: AuthRequest { step: Init2 { username: "me", issue: Token, privileged: false } }
2024-05-01T05:13:36.850933618Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        │  ┝━ ｉ [info]: Initiating Authentication Session | event_tag_id: 10 | username: me | issue: Token | privileged: false | uuid: 8fbbf82d-2a26-4a1d-a26d-d4cf91be79a8
2024-05-01T05:13:36.850953628Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        │  ┝━ ｉ [info]: Account does not have any passkeys | event_tag_id: 10
2024-05-01T05:13:36.850965191Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        │  ┝━ ｉ [info]: account has no available credentials | event_tag_id: 10
2024-05-01T05:13:36.851003704Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        │  ┝━ ｉ [info]: Authentication Session Unable to begin | event_tag_id: 10
2024-05-01T05:13:36.851015446Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        │  ┕━ ｉ [info]: Sending auth result | event_tag_id: 10 | res: Ok(AuthResult { sessionid: 00000000-6631-cf80-32aa-12f3321dadfc, state: AuthState::Denied("invalid credential state") })
2024-05-01T05:13:36.851031768Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        ┝━ auth_session_state_management [ 11.8µs | 1.95% ] inter: Ok(AuthResult { sessionid: 00000000-6631-cf80-32aa-12f3321dadfc, state: AuthState::Denied("invalid credential state") })
2024-05-01T05:13:36.851051126Z d85b0345-87fd-485c-b3b2-fec00f1be2ac INFO        ┕━ ｉ [info]:  | latency: 626.802µs | status_code: 200 | kopid: "d85b0345-87fd-485c-b3b2-fec00f1be2ac" | msg: "response sent"

no idea what happens here, as the query for ssh keys worked yesterday without issues


Firstyear avatar Firstyear commented on June 2, 2024

[error]: Failed to start unix user token -> InvalidAccountState("Missing class: posixaccount") | event_tag_id: 1

This error means you haven't run "kanidm person|service-account posix set", so they have no posix attributes, so they won't work on your system. That's what the error is telling you: there are no posix account attributes.


jahlives avatar jahlives commented on June 2, 2024

This error means you haven't run "kanidm person|service-account posix set"

thanks, that worked to successfully run kanidm_ssh_authorizedkeys me on the client. But still I wonder why it claims the tokens of idm_admin are invalid directly after a successful login


Firstyear avatar Firstyear commented on June 2, 2024

kanidm service-account ssh list-publickeys --name me idm_admin

Your arguments are the wrong way around. -D/--name is "who is performing the action" and the positional arg is "who to perform the action on".

So right now you are "me" performing a list-publickey on "idm_admin".


jahlives avatar jahlives commented on June 2, 2024

Your arguments are the wrong way around. -D/--name is "who is performing the action"

oops, thanks for the hint :-) That way it works and I get the keys. But still my test server does not let me in using that key. Added

UsePAM yes
AuthorizedKeysCommand /usr/sbin/kanidm_ssh_authorizedkeys %u
AuthorizedKeysCommandUser nobody
PasswordAuthentication no

to the test server ssh config and restarted the service. But upon a login attempt I get

ssh [email protected] -i ~/.ssh/id_rsa
[email protected]: Permission denied (publickey).

and auth.log tells me

Invalid user me from 10.66.100.17 port 46606

I thought that the user doesn't need to exist locally and all is handled via PAM/nsswitch?

Firstyear avatar Firstyear commented on June 2, 2024

If you do "getent passwd me" does it show your account?


jahlives avatar jahlives commented on June 2, 2024

If you do "getent passwd me" does it show your account?

nope, just an empty reply on the test server (Debian 12)

Firstyear avatar Firstyear commented on June 2, 2024

Then your nsswitch is not configured correctly, so you should investigate that.


jahlives avatar jahlives commented on June 2, 2024

my nsswitch.conf looks like this

passwd:         files systemd compat kandim
group:          files systemd compat kandim
shadow:         files systemd
gshadow:        files systemd

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


Firstyear avatar Firstyear commented on June 2, 2024

Your module is typoed as "kanDIm" not "kanIDm". :)
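An added offline checker for the two host-side config files this thread ends up debugging (it is not part of the issue thread or of the kanidm project): it verifies that the nsswitch.conf passwd and group databases name the "kanidm" module and flags look-alike misspellings such as the "kandim" above, and it emits the sudoers line for a Kanidm group of the form shown earlier. File paths are passed as arguments so it runs against a constructed sample instead of the real /etc files.

```shell
#!/bin/sh
# check_nsswitch FILE: return 0 only if both "passwd:" and "group:" list the
# kanidm NSS module; report any module starting with "kan" that is not exactly
# "kanidm" as a probable typo (the failure mode in the thread).
check_nsswitch() {
    file="$1"
    status=0
    for db in passwd group; do
        line=$(grep -E "^${db}:" "$file" || true)
        case " $line " in
            *" kanidm "*) ;;
            *)
                echo "nsswitch: '$db' does not list module 'kanidm'" >&2
                status=1
                ;;
        esac
        for mod in ${line#*:}; do   # word-split the module list on purpose
            case "$mod" in
                kanidm) ;;
                kan*) echo "nsswitch: '$db' has suspicious module '$mod' (typo for kanidm?)" >&2 ;;
            esac
        done
    done
    return $status
}

# sudoers_line GROUP DOMAIN: the /etc/sudoers.d entry granting a Kanidm
# group full sudo, in the form used earlier in the thread.
sudoers_line() {
    printf '%%%s@%s ALL=(ALL:ALL) ALL\n' "$1" "$2"
}

# Constructed sample reproducing the misspelled config from the thread.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
passwd:         files systemd compat kandim
group:          files systemd compat kandim
shadow:         files systemd
EOF
check_nsswitch "$tmp" || echo "fix the module name, then confirm with: getent passwd me"
rm -f "$tmp"
sudoers_line fancy_sudo_users kanidm.example.com
```

Once getent passwd resolves the user, the sshd AuthorizedKeysCommand in the thread can find the account and kanidm_ssh_authorizedkeys returns its keys.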
