Proxmox User Root?

Video Statistics and Information

Captions
[Music] Greetings. Another lovely morning, a little dark here still. In this video we're going to be talking about, uh, Proxmox and setting up a user, well, a new user. Anyways, here in the Philippines February is almost gone and we're working our way towards March, so we're going to start getting into the hot weather here. Hoping it stays cool up here in Tatai; it's been a little warmer the last couple of days, but nothing like down in the valley. So there's the clock: 5:00, 5 in the morning. Okay, let's get going with this, uh, video. [Music]

Now, so in this go-around we're going to be using Proxmox. It's a virtual machine server, and we're going to be looking at creating users. We took a look at the interface, we took a look at the install, I made some commentary on whether you actually need this or not in past videos, but if you're interested you can go watch them. But like I say, this time around we're going to be talking about how to create a user. This series of videos is not really a tutorial, it's more an overview, so I'm going to be basically discussing my concept of users and Proxmox, and we're going to walk through a few experiments I've been playing around with just to see what happens when you do various combinations of user things and Proxmox. And the hope is this will give everyone some more familiarity with the interface and with the steps needed to create that user in Proxmox, and that's just the, uh, next step in the process. After that we'll have to look at storage, then we'll look at actually creating virtual machines or containers. So off we go.

So let's get right to the subject at hand. Proxmox user authentication is basically what I'm calling it. So users and Proxmox are kind of an interesting bag. Uh, well, you'll see as we get into it, it's not really quite as simple as using, say, Cockpit to be your virtual machine manager.

First thing to understand about users is there's many different types. First type we want to talk about is what we're going to call the PVE user, or Proxmox Virtual Environment user. These are internal to the Proxmox cluster, which we talked about, and we went over the display and we talked about the levels inside of Proxmox. Like, this is internal to the cluster; it's, uh, not a node user, and it's based within the cluster. Uh, this is, well, we'll see when we get around to creating it; I don't want to get too far ahead of myself.

Our next user type is going to be the PAM, or pluggable authentication model, module. This is your basic Linux user. The basic install, Proxmox, sits on top of a Debian Linux installation, and PAM is the user authentication module used in Linux, specifically in Debian. To use this, it requires users exist on all nodes within a cluster, and authentication is based on an existing computer user with password as set up on that computer, a.k.a. the node in the cluster, and it has to be set up on all nodes.

LDAP, or Lightweight Directory Access Protocol, is another method of authenticating users. To use this with Proxmox you have to set it up; it assumes access to a DSA, or directory system agent, server, which would be where you'd authenticate your [Music] users, and again, basically it'll have to be the same across all nodes in the cluster.

AD is Active Directory. This is the Microsoft, uh, domain controller user authentication. It assumes you're part of a Windows domain, and if that's the case then you could use this one to authenticate users. I don't know if I was clear, but authenticating users is when they log in and they give you a password or other methods of authentication, which we'll talk about.

OpenID assumes authentication via an external OAuth 2. I am not really familiar with this particular method at all; I've never used it, so it's there, I just don't know a lot about it.

So we've got all these methods. These are known as realms in Proxmox-ese, or Proxmox talk. And if you take a look at this small diagram here, Proxmox cluster authentication: this is PVE, this is within the Proxmox cluster, and if we go down we can see each of the nodes within the cluster has a PAM module if we're using the base install on Debian Linux. And PAM authentication would have to be at the node level; you'd set it up in the cluster, but it would be at the node level, and each node will need to be the same, have the same users. This is okay if you've got a couple of nodes, but if you start getting four, five, six, seven nodes, this can become a royal pain in the rear, so to speak.

So the LDAP, AD and OpenID, on the other hand, use a single server or single source somewhere outside of the Proxmox cluster, and for lots of nodes they're probably the easier method to use, but like I say, they've got to be set up externally; it's not a component that comes with Proxmox. So again: PVE within the cluster, PAM on each of the node computers, LDAP, AD and OpenID are external. On our base install we're only going to have PVE and PAM, because we do not have an external validation or authentication source with this cluster I'm setting up.

Couple things to consider here when creating users. You can give permission directly to users. I prefer to use group permissions instead of user permissions; that way, when I create a user, I just assign the correct groups to them for what they're supposed to be able to do. My guess is on your home LAN you will most likely be the only Proxmox user. In such case, if you feel comfortable with it, feel free to use the root account that's built into Proxmox when you start up. Otherwise you're going to need to create groups with appropriate permissions and a non-root user to do some tasks. If your LANs are outside of the home, this might require additional users for various tasks.

Again, like I say, if you're on a personal LAN in the home, you're probably going to be the only Proxmox user. Just because someone needs access to a virtual machine or a container on Proxmox does not mean they need actual access to either Proxmox or the nodes themselves, just the containers. So you need to put a little thought into who has actual access to the Proxmox server, which is why I say if it's on a home LAN you're probably going to be it. At least I'm it here, because no one else is really interested in doing it. But yeah, give a little thought to who you're actually allowing to use the, uh, Proxmox software.

All right, enough theorizing, let's get around to actually playing around. Okay, let's log into our cluster. I'm going to log into my cluster, logging in as root user, and you can see this is pretty much the same as it was last time we were here: got our datacenter and we've got our two nodes. I talked about the issues with having two nodes; I'm not really worried about it in this case. If we go ahead and look in our nodes and our password files, we'll see we have our root user but no other user, and this should be the same on both nodes. So the only PAM-authorized user we have right now is our root account.

If we go up to our datacenter node, under Permissions we can find our various menu options for users. Let's talk about realms first. By default you have PAM and PVE only, because that's what's here. If you want to add a new realm you need to go up here, and you're going to notice you're going to need specific things like a server name, and what you're going to need is going to depend on the type of external authentication you want to [Music] use. We'll just take a quick look at all these. Again: server name, base domain name, various things like that you need to set up the authentication method as external. This is the one I've never used before, but yeah, it still requires some external stuff like Issuer URL.

Okay, so realm sync jobs I haven't used yet or played around with. Once we get things set up I will probably play around with these and come back and visit them later. So we've got basically our two realms, PVE and PAM. Now we can go, next one up is the roles. Proxmox has a lot of built-in roles; you can see them all here. You can assign these roles to either users or groups. No, we can't edit any of the pre-existing roles, but we can create new roles, and those we should be able to edit. That's a little more in depth, probably more than most people are going to want to do. Uh, haven't played around a lot with pools yet; that's another area I need to get into.

Groups: this is where we define our groups, and like I say, I usually do groups. You give it a name and you give it a comment, and you will notice we're not adding passwords, permissions or anything at this point; this just defines a group. So you can create as many groups as you want, but again, there's no permissions or access or anything like that with any of these groups; they're just existing here.

So above that we have two-factor authentication. There are various methods available if you're going to use it; otherwise it's strictly password, single factor I guess you'd call it, or if you're using a security token you'd add that here.

Here we can define our users. Remember, we're all at the Proxmox datacenter level here too. So we give a username. This is PAM; note there's no space for a password when you're using PAM. This is assuming that it's an already existing user someplace and we're just using a verification service of some sort. Now if you notice, we go to a PVE user, you're going to have passwords that you need to enter, because this is internal to the Proxmox server, so yes, you need to enter a password in this case. And we can assign a group to the user, and there's our second user. Our first user didn't have a group, so we'll come back to permissions.

Let's go ahead and try and log in as a user. This is our PVE user, who's validated within Proxmox itself. You see we can log in, even though we do not have much that we can do, because said user has no administrative access of any kind. All right, let's try our PAM user. Since we created this user without a password, because he doesn't exist in our, uh, nodes yet, you can see we just cannot log in. So let's log back in as root. Oh, oops, got to change my mode back to PAM, because we're a PAM user, and there we go.

So if we go to our node, we have no user stuff in the menu here, so we need to go to the shell. Use useradd: -m creates the home directory, and our username. That creates the user. Then we need to give him a password that we can actually use to log in with.

Okay, important concept here. We're going to log back out, we're going to log in as RT, Linux PAM authentication, we've got our password, and whammo: login failed. The login failed because we're only validated in one of our nodes; the user only exists in the PAM database in one node. We need to add them to the other node or we're never going to be able to log in. Like I say, if you've got lots of nodes, you might want to consider one of the external authentication methods rather than PAM, because it can be a real pain in the ass to monitor, to modify a whole bunch of PAM databases on multiple nodes.

So you can see here are the users in this list, but it wasn't in the previous list, so let's go ahead and add them here to our second node. All right, that's done. Now let's try that login again, and there we go. Again, we don't have a lot of permissions here, but we can log in. Let's, uh, log back in as root and fix the permissions issue; I think that should be the next test.

All right, so first thing, let's give some permission to the group, since that's the way I like to do it. We're going to use a forward slash for the whole directory tree, group is admin, with administrative access, and there we have permission set to that group. Now we're going to edit this user and we're going to add the group admin. Okay, now let's log out and log back in as RT, that's Retired Techie by the way, if you didn't know, and look at that, now we can do some stuff. However, note that we're not logged in to the node, because this is a normal user, it's not root user, so you're going to have to do the login here yourself, or else go in and assign him root permissions in the node, which is another video altogether. But now we actually have a secondary user; I can play around with his permissions a little, with what I want him to be able to do and not do.

Again, we have to log back into our nodes, which is not a big deal. I mean, if we gave this guy administrative permissions on the node, in the, with its groups and permissions, yeah, then might not have to log back in. But we can also add sudo and/or su we can use to actually get root permissions at this level. Whoops, fat fingers, fat fingers. Um, keep forgetting these consoles don't actually work like an actual SSH session, like using PuTTY or something; you don't have all the keyboard commands, but you get used to that.

One thing I noticed here: so we've got a kvm group, which is your kernel virtual machine module. Oh, stop that. But you will notice there is no libvirt group. That was just something kind of interesting I noticed while playing around. So Proxmox is taking the place of libvirt, but KVM is still there, and you notice there's no group members in kvm either. It's kind of interesting; it also explains a few things about the way Proxmox is set up and the way it operates.

Also did some poking around in the, uh, SSH server directory, and if you go into the sshd_config file you can find where the root is given permission to log in via SSH, and that's where you go if you wanted to change that to not log in that way, but we're not going to worry about that at this particular time. Yeah, I did a little poking around the SSH files, kind of, uh, interesting. Anyway, that's pretty much what you need to understand about users.

All right, there we have it, that's the Proxmox users in a condensed, quick version. I'm hoping it helps you understand how the user setup works. It can be a little confusing with the realms, external users, PAM users, PVE users; yeah, a lot of choices there, but I'm hoping you now understand what your choices are, and depending on your situation you can figure out the best method for your user authentication in your instance. I also talk a little bit about, if it's a home Proxmox server, you're probably going to be the only person who actually needs access, in which case this is all kind of trivial and not very important. Say, it does become important when you get into a larger environment, where you're in, I guess, dedicated or critical services, and you do need to have multiple users available; then yeah, a lot of the stuff becomes important.

If you're comfortable with it you can, uh, just go with what Proxmox sets up by default. Like I say, if it's on your home LAN, security is not that big an issue; I'm assuming you know who's on your LAN. In my case it's not hard: we don't have any houses for two property blocks around us, so if anybody gets close enough to use my LAN, the dogs will, or my Wi-Fi I should say, the dogs will set off a fit and I'll know they're there. But yeah, so like I say, in my case security is not a big issue. I could technically use the root account; I probably will for this series. It's just, on a fundamental level, I'm sort of uncomfortable with using root when you don't need to use root, and that is one of my complaints about Proxmox, is it's set up to use root exclusively. I've read that there's some things you can't do unless you're logged in as root, but I've yet to find something I can't do with the user who has full administrative access. We'll see as we go along; I'm sure I'll find other stuff.

Anyway, thank you for watching. Please remember to, uh, like, let's see, like, comment, subscribe, yeah, that's it, and we'll see you next time. [Music] Okay. [Music]
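
The login failure described in the captions, where a PAM user exists in one node's account database but not the other's, can be caught before anyone tries to log in. The script below is an added example and is not shown in the video; the node names `pve1`/`pve2`, the user `rt`, and the `<node>.passwd` snapshot naming are assumptions, and the sample passwd data is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the video: compare Linux (PAM) accounts across nodes.

# pam_user_gaps FILE...  - each FILE is a passwd-format snapshot of one node
# (for instance the output of `getent passwd` saved as <node>.passwd).
# Prints "<user> missing-on <file>" for every login account (root, or UID
# 1000..65533) that is absent from at least one snapshot.
pam_user_gaps() {
    awk -F: '
        FNR == 1 { f = FILENAME; sub(/.*\//, "", f); nodes[++n] = f }
        $3 == 0 || ($3 >= 1000 && $3 < 65534) { seen[$1, f] = 1; users[$1] = 1 }
        END {
            for (u in users)
                for (i = 1; i <= n; i++)
                    if (!((u, nodes[i]) in seen))
                        print u, "missing-on", nodes[i]
        }' "$@" | sort
}

# Constructed sample data: the state after `useradd -m` has been run on the
# first node only. Node names pve1/pve2 and the user "rt" are assumptions.
write_samples() {
    dir=$1
    cat > "$dir/pve1.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
rt:x:1000:1000::/home/rt:/bin/bash
EOF
    cat > "$dir/pve2.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
pam_user_gaps "$tmp"/*.passwd    # reports rt as missing on pve2
rm -rf "$tmp"
```

An empty result means every login account is present on every node whose snapshot was supplied; service accounts below UID 1000 are ignored on purpose.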
Info
Channel: RetiredTechie
Views: 441
Keywords: proxmox, VM, Container, Users, Authentication
Id: lb-GAv_iL-g
Length: 26min 0sec (1560 seconds)
Published: Wed Feb 21 2024