[PVE+PBS] Both on same Host -> pam

[Ramalama]

Hey @proxmox Team

I find it simply amazing that you can run PVE+PBS on the same host together!
This allows me basically to use the Hosts Storage Pool, that was earlier meant as Backup-Server only for ESXI, to be a Backup-Server for our mixed environment with Proxmox/ESXI Server.
Simply by installing PVE on the Bare-Metal and Virtualize Windows as VM, instead of Windows on Bare-Metal for the Backup Software for ESXI and having PBS for the Proxmox Servers...

However, it's running it's fast, it's almost perfect and i have "almost" no Complains, first time that i need to use PBS btw.

The only small thing that nerves me is:
- I use PAM+TOTP on the PVE-Cluster (the host im talking about is in this Cluster)
- But you cannot configure PAM+TOTP for PBS, if PBS is installed on the PVE-Host
- You cannot disable PAM on PBS either.
+ You can enable PBS+TOTP, but whats the benefit if you cannot disable PAM?

So in the end you cannot enforce TOTP on PBS, if it's installed side by side on the PVE-Host.

It would be cool if the Integration would be better, means PAM on PBS/PVE would be the same. So that PAM+TOTP is exactly the same for both PVE & PBS if its installed on the same Host.
While PVE Realm and PBS Realm are still separate, like now.

It's actually not a big of an issue, but it nerves, because everything else is perfect

Cheers

 

[dcsapak]

- But you cannot configure PAM+TOTP for PBS, if PBS is installed on the PVE-Host

why do you think so? do you get an error when configuring totp for a pam user in this case? this should work independently....

- You cannot disable PAM on PBS either.

you can disable all pam users (even root@pam, though not sure if you'd want that)
they are only disabled then for pbs, not on the whole system

+ You can enable PBS+TOTP, but whats the benefit if you cannot disable PAM?

see above

It would be cool if the Integration would be better, means PAM on PBS/PVE would be the same. So that PAM+TOTP is exactly the same for both PVE & PBS if its installed on the same Host.

while it's technically working, and we wont try to break such systems, on a very deep level pve and pbs are not meant to be installed on the same machine, so
they won't interact in this way (e.g. config files in different places, pve using a clusterfilesystem while pbs using simply local files, etc)

 

[Ramalama]

why do you think so? do you get an error when configuring totp for a pam user in this case? this should work independently....


you can disable all pam users (even root@pam, though not sure if you'd want that)
they are only disabled then for pbs, not on the whole system


see above



while it's technically working, and we wont try to break such systems, on a very deep level pve and pbs are not meant to be installed on the same machine, so
they won't interact in this way (e.g. config files in different places, pve using a clusterfilesystem while pbs using simply local files, etc)

Thanks for the fast reply!

Oh man, this whole thread is now stupid, because it's working now with PAM+TOTP on PBS.

I swear i configured TOTP for pam yesterday on PBS but PBS never asked me for TOTP on Login...
So i thought it's maybe an issue because i have TOTP+PAM already on PVE on the same host....

But i added for confirmation before i reply to you, TOTP for Pam now again on PBS and it's asking for TOTP on Login now...

So i don't know, maybe i was stupid yesterday and added TOTP for PBS, and thought i did it for Pam, or it was a bug.

Sorry for the wrong alarm:-(

Cheers