NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Kanidm client doesn't create home directories when `home_prefix` is set #348806

Open muradbu opened 4 days ago

muradbu commented 4 days ago

Describe the bug

When home_prefix is set to anything other than /home/, users' home dirs don't get created. This causes users created with Kanidm to chdir to / when they log in via ssh.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Install Kanidm server on another machine
  2. Install Kanidm UNIX client and set home_prefix to any other location than /home/
{
  services.kanidm = {
    enablePam = true;
    clientSettings = {
      uri = "https://idm.example.com";
    };
    unixSettings = {
      default_shell = "${pkgs.bashInteractive}/bin/bash";
      home_alias = "name";
      home_attr = "uuid";
      home_prefix = "/mnt/disk1/"; # this points to an xfs formatted partition on another block device mounted on /mnt/disk1
      pam_allowed_login_groups = [ "pamgroup" ];
    };
  };

  security.wrappers.kanidm_ssh_authorizedkeys = {
    owner = "root";
    group = "root";
    source = "${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys";
  };

  services.openssh = {
    enable = true;
    authorizedKeysCommand = "/run/wrappers/bin/kanidm_ssh_authorizedkeys %u";
    authorizedKeysCommandUser = "nobody";
    settings = {
      GSSAPIAuthentication = false;
      KerberosAuthentication = false;
      PasswordAuthentication = false;
      PermitEmptyPasswords = false;
      PermitRootLogin = "no";
      PubkeyAuthentication = true;
      UsePAM = true;
      X11Forwarding = false;
    };
  };
}
  3. Create a POSIX user and group, and add an ssh key

    kanidm login -D idm_admin
    kanidm person create <name> <display name>
    kanidm person posix set <name>
    kanidm person ssh add-publickey <name> "mykey" "<PUBKEY>"
    kanidm group create pamgroup
    kanidm group posix set pamgroup
    kanidm group add-member pamgroup <name>
  4. Try to ssh with ssh <name>@idm.example.com and observe the message

Expected behavior

When home_prefix is set to anything other than /home/, kanidm-unixd-tasks should create the user's home dir in the location specified in home_prefix. Additionally, when home_mount_prefix = "<path>" is set, it should create a symlink which points to home_prefix.

Screenshots

(Two screenshots attached: CleanShot 2024-10-15 at 16 37 56 and CleanShot 2024-10-15 at 16 46 29)

Additional context

When home_prefix is unset it defaults to creating home dirs in /home which works just fine.

I've also reproduced the issue with a minimal config in a freshly installed arm64 NixOS VM with two virtual disks attached, one ext4 and the other xfs.

I've opened an issue upstream: https://github.com/kanidm/kanidm/issues/3105

Kanidm logs after ssh login:

$ sudo journalctl -xeu kanidm-unixd
Oct 15 16:58:11 nixos kanidm_unixd[9460]: 00000000-0000-0000-0000-000000000000 INFO     i [info]: Server started ...
Oct 15 16:58:21 nixos kanidm_unixd[9460]: 00000000-0000-0000-0000-000000000000 INFO     i [info]: User has not specified a shell, using default
Oct 15 16:58:21 nixos kanidm_unixd[9460]: 00000000-0000-0000-0000-000000000000 ERROR    🚨 [error]: Error -> Some(Ok(Error("Os { code: 2, kind: NotFound, message: \"No such file or directory\" }")))
Oct 15 16:58:21 nixos kanidm_unixd[9460]: 00000000-0000-0000-0000-000000000000 ERROR    🚨 [error]: Task client error occurred; error = Custom { kind: Other, error: "oh no!" }
Oct 15 16:58:21 nixos kanidm_unixd[9460]: 00000000-0000-0000-0000-000000000000 ERROR    🚨 [error]: Error -> Some(Ok(Error("Os { code: 2, kind: NotFound, message: \"No such file or directory\" }")))
Oct 15 16:58:21 nixos kanidm_unixd[9460]: 00000000-0000-0000-0000-000000000000 ERROR    🚨 [error]: Task client error occurred; error = Custom { kind: Other, error: "oh no!" }

$ sudo journalctl -xeu kanidm-unixd-tasks
Oct 15 17:00:17 nixos kanidm_unixd_tasks[9605]: 00000000-0000-0000-0000-000000000000 INFO     i [info]: Server started ...
Oct 15 17:00:17 nixos kanidm_unixd_tasks[9605]: 00000000-0000-0000-0000-000000000000 INFO     i [info]: Attempting to connect to kanidm_unixd ...
Oct 15 17:00:17 nixos kanidm_unixd_tasks[9605]: 00000000-0000-0000-0000-000000000000 INFO     i [info]: Found kanidm_unixd, waiting for tasks ...
Oct 15 17:00:24 nixos kanidm_unixd_tasks[9605]: 00000000-0000-0000-0000-000000000000 ERROR    🚨 [error]: Error -> None
Oct 15 17:00:24 nixos kanidm_unixd_tasks[9605]: 00000000-0000-0000-0000-000000000000 INFO     i [info]: Attempting to connect to kanidm_unixd ...
Oct 15 17:00:24 nixos kanidm_unixd_tasks[9605]: 00000000-0000-0000-0000-000000000000 INFO     i [info]: Found kanidm_unixd, waiting for tasks ...

Notify maintainers

@erictapen @Flakebi @adamcstephens

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.6.48, NixOS, 24.05 (Uakari), 24.05.4469.6e99f2a27d60`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.18.5`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

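An added diagnostic (not part of this issue, nixpkgs, or kanidm itself) that an operator can run after a login to check whether the home layout implied by the unixSettings above actually exists. It assumes kanidm-unixd-tasks creates <home_prefix>/<home_attr value> as the real directory and <home_prefix>/<home_alias value> as a symlink that points into home_mount_prefix when that is set (and into home_prefix otherwise); the ENOENT finding is the state that matches the `Os { code: 2, kind: NotFound }` lines in the unixd log.

```python
import os
from pathlib import Path


def expected_paths(settings, user):
    """Resolve the paths unixd-tasks should create for one user.

    settings: the unixSettings keys from the issue (home_prefix, home_attr,
    home_alias, optional home_mount_prefix); user: {"name": ..., "uuid": ...}.
    The layout rules are an assumption of this diagnostic, not kanidm's code.
    """
    prefix = Path(settings["home_prefix"])
    attr_key = settings.get("home_attr", "uuid")
    attr_val = user[attr_key]
    alias_val = user[settings.get("home_alias", attr_key)]
    mount_prefix = Path(settings.get("home_mount_prefix") or settings["home_prefix"])
    return {
        "home_dir": prefix / attr_val,            # real directory, named by home_attr
        "alias_link": prefix / alias_val,         # symlink named by home_alias
        "link_target": mount_prefix / attr_val,   # where that symlink should point
    }


def check_home_layout(settings, user):
    """Return a list of findings; an empty list means the layout looks right."""
    p = expected_paths(settings, user)
    prefix = Path(settings["home_prefix"])
    if not prefix.is_dir():
        # The prefix itself is absent (e.g. /mnt/disk1 not mounted when the
        # task ran): mkdir below it fails with ENOENT, as in the log above.
        return [f"home_prefix {prefix} does not exist (ENOENT)"]
    findings = []
    if not os.access(prefix, os.W_OK):
        findings.append(f"home_prefix {prefix} is not writable by this process")
    home = p["home_dir"]
    if not home.is_dir():
        findings.append(f"home directory {home} was not created")
    elif "uid" in user and home.stat().st_uid != user["uid"]:
        findings.append(f"{home} is owned by uid {home.stat().st_uid}, not {user['uid']}")
    link = p["alias_link"]
    if link != home:  # only relevant when home_alias names a different attribute
        if not link.is_symlink():
            findings.append(f"alias symlink {link} missing")
        elif os.readlink(link) != str(p["link_target"]):
            findings.append(f"{link} -> {os.readlink(link)}, expected {p['link_target']}")
    return findings
```

Run it as the unixd-tasks user (root) so the writability check reflects what the task process sees, and feed it the name and uuid of the account that failed to log in.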

adamcstephens commented 3 days ago

I don't use unixd so won't be much help here. I'd be happy to review any potential fixes though.

muradbu commented 7 hours ago

Apparently this should be fixed with https://github.com/kanidm/kanidm/pull/3113