Firstyear
@Firstyear
Loooooolllll
Yeah
@trissylegs When you say you can't authenticate, what are the actual logs or symptoms from a login attempt? Can users resolve with getent passwd <name>?
Triss Healy
@trissylegs
# getent passwd nirya
nirya:x:1001:1001:Triss Healy:/home/nirya:/usr/bin/zsh
Firstyear
@Firstyear
Okay that's a solid start
Triss Healy
@trissylegs
(Yes I'm using name instead of spn because there's too many names to fix up)
Firstyear
@Firstyear
No that's fine
That's why it's there
I use name as well at home too
the spn thing is meant for future proofing when (if?) I add trusts
Triss Healy
@trissylegs
It's also good for RDM and other weird things.
Firstyear
@Firstyear
Okay, can you show me your /etc/kanidm/unixd config?
Triss Healy
@trissylegs
% cat /etc/kanidm/unixd
# this should be at /etc/kanidm/unixd, and configures kanidm-unixd
# some documentation is here: https://github.com/kanidm/kanidm/blob/master/kanidm_book/src/pam_and_nsswitch.md
pam_allowed_login_groups = ["humans"]
# default_shell = "/bin/bash"
home_prefix = "/home/"
home_attr = "uuid"
home_alias = "name"
uid_attr_map = "name"
gid_attr_map = "name"
Oh this is the message I get:
$ su -l nirya
Password: 
su: Authentication service cannot retrieve authentication info
Firstyear
@Firstyear
can you show me getent group humans?
Triss Healy
@trissylegs
$ getent group humans
humans:x:2001:test_user,nirya
Firstyear
@Firstyear
Which distro?
Triss Healy
@trissylegs
Arch Linux. Editing PAM has mostly been guessing because it's different to both SUSE and Red Hat
Firstyear
@Firstyear
Right
Okay, so the next steps would be

systemctl edit kanidm-unix.service

[Service]
Environment="RUST_LOG=kanidm=debug"

in pam, on lines with pam_kanidm.so, add the option debug

Then restart kanidm-unixd, and try su again.
You'll have more info in journalctl, and it prints more to the TTY from the pam module.
But after that I'll need to see your /etc/pam.d/su and probably other files.
There is a troubleshooting section here which is honestly what I'm reading XD
Triss Healy
@trissylegs
Yea. I've been through most of that
I think it'll be something in /etc/pam.d
Firstyear
@Firstyear
Yeah, most likely
Pam is really tricky and delicate at the best of times :(
Triss Healy
@trissylegs
Firstyear
@Firstyear
That all looks happy
content of /etc/pam.d/su ?
It may have include statements, so if those are present, can you provide those files too?
Triss Healy
@trissylegs
From what I gathered, Arch Linux PAM nearly all includes system-login
Firstyear
@Firstyear
Yeah, but better to check what /etc/pam.d/su actually says :P
Triss Healy
@trissylegs
% cat su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so
account         required        pam_unix.so
session         required        pam_unix.so
password        include         system-auth
pam.d/su-l is identical
Firstyear
@Firstyear
Yeah, that would be the issue: it's not including system-auth for auth/account/session, it's only using pam_unix
So it only allows local accounts.
Triss Healy
@trissylegs
Ahh
Firstyear
@Firstyear
Have a look at /etc/pam.d/sudo
Its content would likely be more aligned to what you want here.
Triss Healy
@trissylegs
% cat sudo
#%PAM-1.0
auth            include         system-auth
account         include         system-auth
session         include         system-auth
Firstyear
@Firstyear
Yeah, exactly.
It's including system-auth
Triss Healy
@trissylegs
I'll get system-auth in a gist, it's longer
Firstyear
@Firstyear
I think for su and su-l though here, you'll have to be careful because I think that anyone who matches those assertions can SU.
Honestly, I don't use su much, I use sudo,