"Connection failed (Error 403: Permission check failed (realm != pam))" when I try to open node shell with ActiveDirectory user

Enrique Garcia Polo

Jun 29, 2018
I have ActiveDirectory users created with the role Administrator, but when I try to open a node shell with these users I get the error "Connection failed (Error 403: Permission check failed (realm != pam))".
 
Hi,

The node shell can only be accessed by root@pam, for security.
 
root@pam has a special, unique role in this case.

If you need to give access to the node shell, you can do that with SSH.
 
What do you mean by "you can do it with ssh"?
I have the same issue. I have a new realm (from SSO/authentik) that should have the ability to log in to the host's shell or even do host updates over the web UI. This is not possible even with the highest permissions I set for the user in this realm.
 
Gotta say that, while this option might have some security implications, it would be very useful and handy.

I, as an example, am using Proxmox for a small project and usually access my CTs over this shell.
However, now I would like to authenticate via authentik (realm) instead of root@pam, since this would be more comfortable (it still involves the second factor, but no login credentials if I am already logged into the authentik server).
 
+1
I would really like having a shell, even if I need to enable it first. My server isn't public (no ports exposed), so I don't need to care as much about security.
 
You could join your PVE server itself to the Active Directory domain at the OS level instead of the PVE GUI. There are at least two ways to go about that (samba and sssd) and a number of tutorials out there about how to join Debian to AD. I think if you were to do that, the pam realm would work for all users.

But do you really want people to be able to log into the host? Seems like a bad idea.
 
Comment out every line that's
Perl:
raise_perm_exc("realm $realm != pam") if $realm ne 'pam';
in /usr/share/perl5/PVE/API2/Nodes.pm (Reboot Required)

and you will get a login prompt instead of an error. (You will only be able to log in as a local user.)

EDIT:

Same thing as before but automated (creates a backup too), tested on pve 8.0
Bash:
#!/bin/bash

# Define backup directory
backup_dir="$HOME/pve-backup"

# Create backup directory if it doesn't exist
mkdir -p "$backup_dir"

# Get current date and time
datetime=$(date +"%Y%m%d%H%M%S")

# Backup file
cp /usr/share/perl5/PVE/API2/Nodes.pm "$backup_dir/nodes.pm.$datetime-bak"

# Comment out lines containing "!= pam"
sed -i '/!= pam/s/^/# /' /usr/share/perl5/PVE/API2/Nodes.pm

echo "Backup created and lines commented out."

# Restart services
systemctl restart pvedaemon.service pveproxy.service

echo "Services restarted."
 
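The sed one-liner above silently weakens an authorization check inside a file that the distribution package owns, so whoever administers or audits the host later wants a quick way to tell which state the file is in. The following audit script is an added example from the defender's side and is not code posted in this thread; it assumes the path /usr/share/perl5/PVE/API2/Nodes.pm from the thread (any other path can be passed as the first argument) and demonstrates the check on a constructed sample file rather than on a real installation.

```shell
#!/bin/sh
# Added example, not code from the thread: audit whether the "realm != pam"
# checks in a Nodes.pm-style file are still enforced, or have been commented
# out the way the sed one-liner in the thread does it.
#
# Assumption: the file to check is /usr/share/perl5/PVE/API2/Nodes.pm (the
# path given in the thread); any other path can be passed as argument 1.

DEFAULT_NODES_PM="/usr/share/perl5/PVE/API2/Nodes.pm"

# Lines that still enforce the check: raise_perm_exc(...) mentioning "!= pam"
# with nothing but whitespace before it. grep -c prints the count and exits 1
# when the count is zero, so "|| true" keeps the function's status at 0.
active_realm_checks() {
    grep -c -E '^[[:space:]]*raise_perm_exc.*!= pam' "$1" || true
}

# Lines where the same check was disabled by prefixing a comment marker.
disabled_realm_checks() {
    grep -c -E '^[[:space:]]*#.*raise_perm_exc.*!= pam' "$1" || true
}

# Returns 0 when every realm check is active, 1 when at least one has been
# commented out (or none is present at all), 2 when the file is unreadable.
audit_nodes_pm() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "SKIP: cannot read $f"
        return 2
    fi
    active=$(active_realm_checks "$f")
    disabled=$(disabled_realm_checks "$f")
    if [ "$disabled" -gt 0 ] || [ "$active" -eq 0 ]; then
        echo "WARNING: realm != pam check disabled in $f (active=$active, commented=$disabled)"
        return 1
    fi
    echo "OK: $active active realm check(s) in $f"
    return 0
}

# Demonstration on a constructed sample (not the real Nodes.pm): the line from
# the thread in its original form, then after the thread's sed commented it out.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
sub termproxy {
    raise_perm_exc("realm $realm != pam") if $realm ne 'pam';
}
EOF
    audit_nodes_pm "$sample" || true       # prints OK: 1 active realm check(s)
    sed -i '/!= pam/s/^/# /' "$sample"     # the modification from the thread
    audit_nodes_pm "$sample" || true       # prints WARNING: ... disabled
    rm -f "$sample"
    # On a real host, audit the installed file as well. Independently of this
    # script, "dpkg -V pve-manager" lists packaged files whose checksum no
    # longer matches what the package shipped (assumes Nodes.pm belongs to
    # the pve-manager package).
    audit_nodes_pm "${1:-$DEFAULT_NODES_PM}" || true
}

demo "$@"
```

Because the file belongs to a package, a later package upgrade reinstalls the original and re-enables the check without any notice; running the audit after upgrades (or from a cron job) shows which state the host is actually in, whichever of the two states you intend.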
> You could join your PVE server itself to the Active Directory domain at the OS level instead of the PVE GUI. There are at least two ways to go about that (samba and sssd) and a number of tutorials out there about how to join Debian to AD. I think if you were to do that, the pam realm would work for all users.
>
> But do you really want people to be able to log into the host? Seems like a bad idea.

I'm the only one with access to my server; I just have SSO, so I don't need to log in everywhere. I'm using OpenID and I don't have any Windows servers/machines. I could do it via LDAP, but just disabling the check is way simpler.
 
Took me quite some time to find the right thread; also using SSO here.

This patch should not only be applied to PVE but to PBS too. AND: PBS is also missing the option to set a realm as default.

The script by @Games_Crack does not work for PBS, since those files do not exist.
 
> Took me quite some time to find the right thread; also using SSO here.
>
> This patch should not only be applied to PVE but to PBS too. AND: PBS is also missing the option to set a realm as default.
>
> The script by @Games_Crack does not work for PBS, since those files do not exist.

I wish I could patch it, but sadly, PBS is a bunch of binaries.
 
