docs: update kanidm troubleshooting with nscd restart

Add troubleshooting tips discovered during testing:
- kanidm-unix status command for checking connectivity
- nscd restart required after config changes
- Direct PAM auth test with kanidm-unix auth-test

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/user-management.md

@@ -153,12 +153,41 @@ kanidm group posix set ssh-users --gidnumber 68000
    systemctl status kanidm-unixd
    ```
 
-2. Check client can reach server:
+2. Check unixd can reach server:
+   ```bash
+   kanidm-unix status
+   # Should show: system: online, Kanidm: online
+   ```
+
+3. Check client can reach server:
    ```bash
    curl -s https://auth.home.2rjus.net/status
    ```
 
-3. Check user has POSIX enabled on server:
+4. Check user has POSIX enabled on server:
    ```bash
    kanidm person get <username>
    ```
+
+5. Restart nscd to clear stale cache:
+   ```bash
+   systemctl restart nscd
+   ```
+
+### Changes not taking effect after deployment
+
+NixOS uses nsncd (a Rust reimplementation of nscd) for NSS caching. After deploying
+kanidm-unixd config changes, you may need to restart both services:
+
+```bash
+systemctl restart kanidm-unixd
+systemctl restart nscd
+```
+
+### Test PAM authentication directly
+
+Use the kanidm-unix CLI to test PAM auth without SSH:
+
+```bash
+kanidm-unix auth-test --name <username>
+```