[PVE-User] Host console access with realm different from PAM

[PVE-User] Host console access with realm different from PAM

[Mariusz Suchodolski]

Hello,

 

Is custom realm <-> pam mapping in plans?

 

We've setup Azure AD authentication but attempting to connect to one of the
virtualization hosts yields the following message when attempting to access
console:

Connection failed (Error 403: Permission check failed (realm aad ! = pam) )

 

MS.

 

Re: [PVE-User] Host console access with realm different from PAM

[Thomas Lamprecht]

Hi,

Am 23/03/2023 um 11:30 schrieb Mariusz Suchodolski:
> Is custom realm <-> pam mapping in plans?

Not sure what you mean here exactly..

> 
> We've setup Azure AD authentication but attempting to connect to one of the
> virtualization hosts yields the following message when attempting to access
> console:
> 
> Connection failed (Error 403: Permission check failed (realm aad ! = pam) )

Yeah, this is a bit of an odd virtual limitations, and I'd be open to drop
those is-realm-pam checks completely; having Sys.Console and password of a
system user (root, or some ldap exposed system user) for login into the shell
is really enough.

As we try to avoid doing ACL changes with potential implications on a rolling
package update, I'd prefer doing this on the next major release, e.g. PVE 8.0
this year; as there we can add a more prominent entry in the changelogs "noteable
changes" section.

I checked quickly, but it doesn't seem we have a request for this logged in our
bugzilla (#2170 is sounding close but effectively wants something different), so
you could open a enhancement request to keep track of this at:

https://bugzilla.proxmox.com/

- Thomas