Proxmox User Management- Proxmox VE authentication server Rumi, May 4, 2018 Command Line Tool Most users will simply use the GUI to manage users. But there is also a full featured command line tool called pveum (short for “Proxmox VE User Manager”). Please note that all Proxmox VE command line tools are wrappers around the API, so you can also access those function through the REST API. Here are some simple usage examples. To show help type: pveum or (to show detailed help about a specific command) pveum help useradd Create a new user: pveum useradd testuser@pve -comment "Just a test" Set or Change the password (not all realms support that): pveum passwd testuser@pve Disable a user: pveum usermod testuser@pve -enable 0 Create a new group: pveum groupadd testgroup Create a new role: pveum roleadd PVE_Power-only -privs "VM.PowerMgmt VM.Console" Real World Examples Administrator Group One of the most wanted features was the ability to define a group of users with full administrator rights (without using the root account). Define the group: pveum groupadd admin -comment "System Administrators" Then add the permission: pveum aclmod / -group admin -role Administrator You can finally add users to the new admin group: pveum usermod testuser@pve -group admin Auditors You can give read only access to users by assigning the PVEAuditor role to users or groups. Example1: Allow user joe@pve to see everything pveum aclmod / -user joe@pve -role PVEAuditor Example1: Allow user joe@pve to see all virtual machines pveum aclmod /vms -user joe@pve -role PVEAuditor Delegate User Management If you want to delegate user management to user joe@pve you can do that with: pveum aclmod /access -user joe@pve -role PVEUserAdmin User joe@pve can now add and remove users, change passwords and other user attributes. This is a very powerful role, and you most likely want to limit that to selected realms and groups. The following example allows joe@pve to modify users within realm pve if they are members of group customers: pveum aclmod /access/realm/pve -user joe@pve -role PVEUserAdmin pveum aclmod /access/groups/customers -user joe@pve -role PVEUserAdmin Administrations Proxmox Proxmox
Please excuse my noob questions. I am still having a problem understanding the difference between testuser@pve and testuser@pam both created by pveum and any user created by root with adduser. Is there any way that a user created by root with adduser can be granted the administrator, or any role in Proxmox? What is the difference between pam users and pve users created with pveum and why would you use one over the other for any particular purpose?
pam is OS system users and pve belongs to Proxmox Vitual Environment’s own user schema. Proxmox support both the user database support. You can use either.
As a followup to my previous question; I have created my 1st user account with adduser user from root but I am not able to add that user to the admin account with pveum usermod user@pam -group admin update user failed: error during cfs-locked ‘file-user_cfg’ operation: no such user (‘user@pam’) cat /etc/passwd reveals user does exist user:x:1000:1000:,,,:/home/user:/bin/bash It seems as though there is some difference between an user created with adduser and one created with pveum useradd
The commands exhibited in this post are based on PVE users. Proxmox has 2 different authentication system through it’s webgui. PAM is native server os authentication method (with lesser proxmox role) and there’s another authentication mode through PVE (Proxmox Virtual Enviornment) itself. You can assign different role based virtual machine control to users.
so “adduser testuser” from an ssh root session should create a testuser@pam account? it does not seem to do that. what am I missing?
You’re once again creating a SSH session user (PAM)- the post is about creating a PVE user- not a PAM user. As I replied you back, that PVE users have profile privilege on accessing and managing Proxmox users- such as a user can be an Admin or a user can be just an user.