This is a draft document that was built and uploaded automatically. It may document beta software and be incomplete or even incorrect. Use this document at your own risk.
cron and atpam_apparmor| Revision History | |
|---|---|
| 2026-06-23 | |
Himmelblau integrates Microsoft Entra ID authentication with Linux authentication services. This chapter describes the system configuration needed on openSUSE Leap: installing the required packages, enabling the PAM module, enabling NSS lookups, configuring the Entra ID domain and starting the Himmelblau services.
Install the Himmelblau daemon, PAM module and NSS module:
>sudozypper install himmelblau pam-himmelblau libnss_himmelblau2
To allow Entra ID users to sign in over SSH, also install the SSH configuration package:
>sudozypper install himmelblau-sshd-config
The following procedure configures openSUSE Leap to resolve and authenticate Entra ID users through Himmelblau.
Edit /etc/himmelblau/himmelblau.conf and set the primary Entra ID
domain in the [global] section:
[global] domain = example.com
Add Himmelblau to the system PAM configuration:
>sudopam-config --add --himmelblau
Edit /etc/nsswitch.conf and add himmelblau to the
passwd, group and shadow
databases. Keep the existing sources for your system and append
himmelblau. For example:
passwd: files systemd himmelblau group: files systemd himmelblau shadow: files systemd himmelblau
Enable and start the Himmelblau services:
>sudosystemctl enable --now himmelblaud himmelblaud-tasks
If you installed himmelblau-sshd-config, restart the SSH daemon:
>sudosystemctl restart sshd.service
After the system is configured, an Entra ID user can sign in locally or, when SSH support is installed, over SSH. The first successful sign-in may register the device with Entra ID and prompt for the authentication factors required by your tenant policy.
Check that the daemons are running:
>sudosystemctl status himmelblaud himmelblaud-tasks
Check that the Himmelblau daemon is reachable:
>sudoaad-tool status
Verify that NSS can resolve an Entra ID user:
>getent passwd USER>id USER
For troubleshooting, inspect the system journal:
>sudojournalctl -u himmelblaud -u himmelblaud-tasks
If pam_allow_groups is not configured, all users from the configured Entra
ID domain can authenticate. To restrict access, add a comma-separated list of allowed user
principal names and Entra ID group object IDs to
/etc/himmelblau/himmelblau.conf:
[global] pam_allow_groups = user@example.com,00000000-1111-2222-3333-444444444444
Restart both Himmelblau services after changing the configuration:
>sudosystemctl restart himmelblaud himmelblaud-tasks
To allow Himmelblau to evaluate Intune compliance policy locally, enable policy processing in
/etc/himmelblau/himmelblau.conf:
[global] apply_policy = true
Restart both Himmelblau services after changing the configuration:
>sudosystemctl restart himmelblaud himmelblaud-tasks