From ad144bb574a36d0a3164c5a6263a14143d5b008e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sun, 8 Feb 2026 14:22:31 +0100
Subject: [PATCH] kanidm-client: use short names instead of SPN format

Configure uid_attr_map and gid_attr_map to "name" to return short usernames (torjus) instead of SPN format (torjus@home.2rjus.net). This fixes "PAM user mismatch" errors with SSH authentication.

Co-Authored-By: Claude Opus 4.5
---
 system/kanidm-client.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/system/kanidm-client.nix b/system/kanidm-client.nix
index bae7956..7cc99a9 100644
--- a/system/kanidm-client.nix
+++ b/system/kanidm-client.nix
@@ -30,6 +30,10 @@ in
 unixSettings = {
 pam_allowed_login_groups = cfg.allowedLoginGroups;
+ # Use short names (torjus) instead of SPN format (torjus@home.2rjus.net)
+ # This prevents "PAM user mismatch" errors with SSH
+ uid_attr_map = "name";
+ gid_attr_map = "name";
 };
 };
 };
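Review bot: The added `uid_attr_map = "name";` and `gid_attr_map = "name";` lines drop the domain qualifier from every Kanidm user and group, so a directory account can now share a name with a local one, and the comment above them records only the SSH symptom. Anything that authorises by name (sudo rules, sshd allow lists, the groups passed in `cfg.allowedLoginGroups`) would then see the directory and local identity as the same string; whether such rules exist is not visible in this hunk. I would add the assumption to the comment, for example `# Assumes a single Kanidm domain and no Kanidm user/group named like a local user or group`, and check that name-based rules elsewhere in the configuration were not written against the SPN form. The enclosing module starts and ends outside the hunk.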