From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: Proxmox VE user list <pve-user@lists.proxmox.com>,
Mariusz Suchodolski <mariusz.suchodolski@suzuki.com.pl>
Subject: Re: [PVE-User] Host console access with realm different from PAM
Date: Mon, 27 Mar 2023 13:35:05 +0200
Message-ID: <df84fabc-45d3-f894-d75b-cb74bfd04afc@proxmox.com>
In-Reply-To: <00b801d95d72$79ee3710$6dcaa530$@suzuki.com.pl>

Hi,

On 23/03/2023 at 11:30, Mariusz Suchodolski wrote:
> Is custom realm <-> pam mapping in plans?

Not sure what you mean here exactly..

>
> We've set up Azure AD authentication but attempting to connect to one of the
> virtualization hosts yields the following message when attempting to access
> console:
>
> Connection failed (Error 403: Permission check failed (realm aad ! = pam) )

Yeah, this is a bit of an odd virtual limitation, and I'd be open to drop
those is-realm-pam checks completely; having Sys.Console and password of a
system user (root, or some ldap exposed system user) for login into the shell
is really enough.

As we try to avoid doing ACL changes with potential implications on a rolling
package update, I'd prefer doing this on the next major release, e.g. PVE 8.0
this year; as there we can add a more prominent entry in the changelogs "notable
changes" section.

I checked quickly, but it doesn't seem we have a request for this logged in our
bugzilla (#2170 is sounding close but effectively wants something different), so
you could open an enhancement request to keep track of this at:
https://bugzilla.proxmox.com/

- Thomas