kanidm-pam-client #34

Merged
torjus merged 4 commits from kanidm-pam-client into master 2026-02-08 14:14:53 +00:00

Summary

Enable Kanidm PAM/NSS integration for central authentication on NixOS hosts.

Changes

New module: system/kanidm-client.nix

  • homelab.kanidm.enable = true enables PAM/NSS client
  • Configures short usernames (torjus instead of torjus@home.2rjus.net)
  • Creates home directory symlinks (/home/torjus → UUID-based dir)
  • Default: connects to auth.home.2rjus.net, allows ssh-users group

Server config: services/kanidm/default.nix

  • Base groups (admins, users, ssh-users) remain declarative
  • Users now managed imperatively via kanidm CLI

Documentation: docs/user-management.md

  • Full CLI workflows for creating users and groups
  • POSIX attribute setup (passwords, UID/GID)
  • Troubleshooting guide (nscd restarts, cache invalidation)

Other

  • Added kanidm_1_8 CLI to devshell

Enabled Hosts

  • testvm01, testvm02, testvm03 (test tier)

Tested

  • User/group resolution via getent
  • SSH login with Kanidm unix passwords
  • Imperative user/group creation workflow
  • Home directory symlinks
torjus added 14 commits 2026-02-08 14:07:18 +00:00
system: add kanidm PAM/NSS client module
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
1d7eec7ad3
Add homelab.kanidm.enable option for central authentication via Kanidm.
The module configures:
- PAM/NSS integration with kanidm-unixd
- Client connection to auth.home.2rjus.net
- Login authorization for ssh-users group

Enable on testvm01-03 for testing.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add kanidm_1_8 CLI for administering the Kanidm server.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
system: fix kanidm PAM user mismatch
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m1s
bab59665fd
Configure uid_attr_map and gid_attr_map to use short names instead of
SPN format. This fixes SSH failing with "PAM user mismatch" because
getent returned "torjus@home.2rjus.net" instead of "torjus".

Also add user-management documentation.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
system: fix kanidm unixd config structure for v1.8
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m1s
64dc10c6cd
Kanidm 1.8 requires:
- version = "2" at top level
- pam_allowed_login_groups inside [kanidm] section

The NixOS module also requires pam_allowed_login_groups at top level,
so we provide it at both places.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
system: revert kanidm config to minimal for debugging
Some checks failed
Run nix flake check / flake-check (push) Failing after 15m9s
74cdfae596
kanidm-client: use short names instead of SPN format
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m0s
ad144bb574
Configure uid_attr_map and gid_attr_map to "name" to return short
usernames (torjus) instead of SPN format (torjus@home.2rjus.net).
This fixes "PAM user mismatch" errors with SSH authentication.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: update kanidm troubleshooting with nscd restart
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
d6606d3f53
Add troubleshooting tips discovered during testing:
- kanidm-unix status command for checking connectivity
- nscd restart required after config changes
- Direct PAM auth test with kanidm-unix auth-test

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
kanidm-client: use short name for home directory
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m3s
44e146eedd
Set home_attr = "name" to use /home/torjus instead of
/home/torjus@home.2rjus.net for user home directories.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
kanidm-client: use home_alias for symlink to short name
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
97c0b3f7a2
Use home_alias instead of home_attr - this creates a symlink from
/home/torjus to the actual home directory, providing a convenient
short path without breaking the underlying storage.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: add home directory and enabled hosts info
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m0s
dd9571d83a
- Document UUID-based home directories with symlinks
- List currently enabled hosts (testvm01-03)
- Add cache-invalidate command to troubleshooting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: switch to imperative user/group management
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m0s
71a41d83ef
Replace declarative NixOS provisioning examples with full CLI workflows.
POSIX users and groups are now managed entirely via kanidm CLI, which
allows setting all attributes (including UNIX passwords) in one step.

Declarative provisioning may still be used for OIDC clients later.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
kanidm: remove declarative user provisioning
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m1s
264d26c2b3
Keep base groups (admins, users, ssh-users) provisioned declaratively
but manage regular users via the kanidm CLI. This allows setting POSIX
attributes and passwords in a single workflow.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: add verified user creation example
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m0s
264862879d
Add complete example workflow and note password minimum (10 chars).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
docs: add verified group creation example
Some checks failed
Run nix flake check / flake-check (push) Has been cancelled
Run nix flake check / flake-check (pull_request) Successful in 2m1s
6a36ab4776
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
torjus added 1 commit 2026-02-08 14:09:07 +00:00
docs: update auth-system-replacement plan with PAM/NSS progress
Some checks failed
Run nix flake check / flake-check (push) Successful in 2m1s
Run nix flake check / flake-check (pull_request) Failing after 15m31s
45a5a10881
- Mark PAM/NSS client module as complete
- Mark documentation as complete
- Update provisioning approach (declarative groups, imperative users)
- Add details on client module and verified functionality
- Update next steps

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
torjus force-pushed kanidm-pam-client from 45a5a10881 to b66e38ba72 2026-02-08 14:13:12 +00:00
torjus force-pushed kanidm-pam-client from b66e38ba72 to 9ed09c9a9c 2026-02-08 14:14:38 +00:00
torjus merged commit 19cb61ebbc into master 2026-02-08 14:14:53 +00:00
torjus deleted branch kanidm-pam-client 2026-02-08 14:14:53 +00:00
Reference: torjus/nixos-servers#34