Getting older, not necessarily wiser!
When dealing with users in Proxmox there are a few items to be aware of that could be considered, at least in my opinion, somewhat non standard. The first is the concept of Realms. And no, this has noting to do with fantasy gaming. We can consider Realms to be various methods of authenticating and validating user. We will need to first understand this concept before moving forward with user creation.
The second concept that needs to be embraced is the multi step User creation process. That is to say to completely setup a user you need to visit more than one of the main tree menu items. Lucky for us they are all in one spot.
And one final note before moving forward. The Users we are discussing are at the Proxmox Datacenter level. That is to say we are not creating Users for any individual Virtual Machine (VM) or Containers. Each VM and/or Container will be handling their own users. So when creating Proxmox users consider carefully. Just because someone needs access to a VM, does not mean they need access to the Proxmox server itself.
Realms should more appropriately be called authentication or validation methods, because that is what they are. It is important to remember that Proxmox is designed for an enterprise environment. And each such network is likely to have varying methods of authenticating users. For example authenticating in a Windows Active Directory network is different from authenticating in a Linux NFS network, which might also be different from authentication on a specific machine. Luckily there is not a wide variety of options out there. And you are unlikely to run into more than one or two of them.
PAM Realm: This is the standard means of authentication on Linux. Think of user accounts on a desktop Linux box. Authentication of individual is handled via PAM (Pluggable Authentication Module).
PVE Realm: This is the method used by the Poxmox VE program to authenticate users for the Proxmox server, irrespective of underlying machine or network architecture.
LDPA Relem: LDPA (Lightweight Directory Access Protocol) is an open standard for authentication of users. LDPA requires a DSA (Directory System Agent) server be present on the network to authenticate users.
AD Realm: This is Microsoft Active Directory Service. It will require a Microsoft Domain Server ND Active Directory setup.
OpenID: OpenID Connect uses the OATH2 protocol. It authenticates users through an external authorization service.
Note: For a standard Linux installation, the default root user is part of the PAM Realm. That is to say the root user is the administrator for the entire server, not just Proxmox, just like any other Linux installation. Note that the root user is active (not disabled) in a standard Proxmox install.
Permissions can be handled in one of two ways, or as a hybrid model. This is up to the administrator of the server. Basically permissions can be assigned to individual Users, and they can also be assigned to Groups.
If you do not have many Proxmox system users, then assigning permissions directly to Users is probably eh easiest and least complicated method. If there are going to be a large number of Users, then it might be best to assign permissions at the Group level, then place users in the Groups they need for access.
For example, lets say you have ten users, but only three of them require administrative access. You can either directly assign all three users administrative permissions directly, or you can create a administrative group and add the three users that need admin rights to that group. if one of the admin users should no longer have access, you just remove him for the group.
Using Groups involves a few extra steps initially, but will give one much finer control over User access.
To create a Group we start at the Datacenter tree menu to the left of the screen. We then chose Permissions the tree menu to the left, then Groups under that. I will be writing these tree menu navigation as follows; Datacenter > Permissions > Groups.
Please note these are not System groups, they are Proxmox application groups.
You will then need to click on the Create button towards the top left of the information window. You can assign a name and a description here. Permissions will be another step in the process we have not gotten too yet.
To create a user, we need to select the Datacenter > Permissions > Users from the tree menu. The Add button is located towards the top left of the information window.
The User creation box is a little more complex than the Group creation box was. We need a user name, then a Realm. If the User exists on the underlying Linux system, I would recommend using the PAM realm.
If you are using Groups, you can add them here. There are also boxes for expiration (of the user account), enabled, comment, First and last name, and email address. Most of these boxes are optional.
Once done, select the Add button at the bottom of the window. to create the user. Note the same form is used to edit Users also.
Note we have defined a user in Proxmox. Even though we selected PAM, this will not create a user in Linux. We can do that with the useradd command from the shell (note if you click on your Proxmox install name in the tree menu, there will be a shell option available).
Porxomx does not give you the ability to assign a password, that has to come from the specific realm. So we will need to add a password for our user though the Shell, using the passwd command. At this point you will be able to log into Proxmox with your user. However you have no rights, so are limited in what can be done.
Now lets go to the Datacenter > Permissions menu. From here we can finally assign permissions to our groups and users. They just need to exist first.
Selecting the Add > Group Permission, we get a new window that lets us define a path (for simplicity here I will assign the root as the path), the group (one we have already created), and the permission level (I will chose administrator in this case).
Or we can add the permission directly to the User instead of the group. This will depend on how you decided to manage permissions.
If we log back into system as the new user, we have a lot more options available because we have administrative permissions (assigned either directly to the user or to a group the user is part of).
User credentials come from the different realms available. In our case PAM is local to our server. However if we were part of a Windows domain, we would need our credentials set in the domain server.
As a general guide, your process you might look like this (if you are using groups for permissions);
Any way you look at it, if you want multiple Proxmox users, each will be a multi step process.
In this post we have taken a look at Proxmox user creation and permissions. This is one of the items that was not obvious to me when I started this exercise. It is my hope that if other people are having issues with Proxmox users, this short guide will help them out. Once you understand how it works in Proxmox, it is not that hard, and does make some sense.