Himmelblau is distributed as RPM packages for Fedora and RHEL-compatible distributions. Download them from the Himmelblau downloads page and install locally with dnf.
Supported versions
| Distribution | Version |
|---|---|
| Fedora | 41, 42, 43 |
| Rocky Linux | 8, 9, 10 |
| RHEL and compatible | 8, 9, 10 |
Installation
Download the RPM packages for your distribution from the downloads page, then install them with dnf:
sudo dnf install \
./himmelblau-<version>.rpm \
./himmelblau-sshd-config-<version>.rpm \
./himmelblau-sso-<version>.rpm \
./nss-himmelblau-<version>.rpm \
./pam-himmelblau-<version>.rpm
Replace <version> with the version string from the downloaded filenames.
Post-installation setup
Disable nscd
The Name Service Cache Daemon (nscd) conflicts with Himmelblau’s NSS module. Stop and mask it:
sudo systemctl stop nscd
sudo systemctl disable nscd
sudo systemctl mask nscd
Edit /etc/nsswitch.conf and add himmelblau to the passwd, group, and shadow databases:
passwd: sss files himmelblau
group: sss files himmelblau
shadow: sss files himmelblau
Verify a user resolves correctly after starting the daemon:
getent passwd user@your-tenant.onmicrosoft.com
Using authselect
Fedora and RHEL use authselect to manage PAM profiles. Himmelblau ships an authselect integration in the pam-himmelblau package. After installation, apply the profile:
sudo authselect select himmelblau --force
This configures the standard password-auth and system-auth PAM profiles to include the Himmelblau modules.
Manual PAM configuration
If you are not using authselect, you can manually add the Himmelblau modules to your PAM stacks. A minimal example for /etc/pam.d/system-auth:
# /etc/pam.d/common-auth
auth required pam_env.so
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_himmelblau.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
# /etc/pam.d/common-account
account [default=1 ignore=ignore success=ok] pam_localuser.so
account sufficient pam_himmelblau.so ignore_unknown_user
account sufficient pam_unix.so
account required pam_deny.so
# /etc/pam.d/common-session
session optional pam_systemd.so
session required pam_limits.so
session optional pam_himmelblau.so
session optional pam_unix.so try_first_pass
# /etc/pam.d/common-password
password sufficient pam_himmelblau.so ignore_unknown_user
password sufficient pam_unix.so use_authtok nullok shadow try_first_pass
password required pam_deny.so
Only modify PAM configuration files directly if you understand the syntax. An incorrect PAM stack can prevent all users from logging in. Test changes in a separate session before closing your current one.
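An added example (not part of the Himmelblau documentation or project code): a read-only check that a PAM file keeps the ordering the manual stack above relies on, with pam_himmelblau.so and the pam_unix.so local fallback both ahead of the closing pam_deny.so in the auth, account and password stacks. The function names check_pam_stack and page_stack are made up for this example, and it assumes pam_deny.so is marked required as in the stack above.

```shell
#!/bin/sh
# Added example: read-only lint of a PAM file against the stack layout above.

check_pam_stack() {   # $1 = PAM file to inspect; prints findings, returns 1 if any
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            type = $1; sub(/^-/, "", type)       # "-auth" style entries count as "auth"
            n[type]++                            # position of this entry in its stack
            if (index($0, "pam_himmelblau.so") && !(type in hb)) hb[type] = n[type]
            if (index($0, "pam_unix.so") && !(type in ux)) ux[type] = n[type]
            if (index($0, "pam_deny.so") && !(type in deny)) deny[type] = n[type]
        }
        END {
            split("auth account password", stacks, " ")
            for (i = 1; i <= 3; i++) {
                t = stacks[i]
                if (!(t in hb)) { print t ": pam_himmelblau.so missing"; bad = 1 }
                if (!(t in ux)) { print t ": pam_unix.so missing, no local fallback"; bad = 1 }
                if (!(t in deny)) { print t ": no closing pam_deny.so"; bad = 1; continue }
                # Assumption: pam_deny.so is "required", so later entries cannot make the stack succeed.
                if ((t in hb) && hb[t] > deny[t]) { print t ": pam_himmelblau.so after pam_deny.so"; bad = 1 }
                if ((t in ux) && ux[t] > deny[t]) { print t ": pam_unix.so after pam_deny.so"; bad = 1 }
            }
            exit bad + 0
        }
    ' "$1"
}

page_stack() {   # auth/account/password entries copied from the manual example above
    cat <<'EOF'
auth required pam_env.so
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_himmelblau.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
account [default=1 ignore=ignore success=ok] pam_localuser.so
account sufficient pam_himmelblau.so ignore_unknown_user
account sufficient pam_unix.so
account required pam_deny.so
password sufficient pam_himmelblau.so ignore_unknown_user
password sufficient pam_unix.so use_authtok nullok shadow try_first_pass
password required pam_deny.so
EOF
}
```

After sourcing the functions, run `check_pam_stack /etc/pam.d/system-auth` from the separate test session; a non-zero exit status means at least one finding was printed.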
SELinux
Himmelblau ships with an SELinux policy module that allows the daemon and PAM/NSS modules to operate correctly under enforcing mode. The policy is included in the main himmelblau package and is loaded automatically at install time.
You do not need to disable SELinux or switch to permissive mode to use Himmelblau. If you encounter AVC denials after installation, check that the package’s policy module loaded successfully:
sudo semodule -l | grep himmelblau
For a complete reference on PAM and NSS configuration, see PAM & NSS setup.