445 update pam nsswitch md (#451)

FAQ.md

@@ -101,4 +101,16 @@ Additionally, it's worth noting that most of these other database would violate
 desires to keep the language as Rust and may require external configuration or daemons which
 may not be possible to test.
 
+## How PAM/nsswitch Work
 
+Linux and BSD clients can resolve identities from Kanidm into accounts via PAM and nsswitch. 
+
+Name Service Switch (NSS) is used for connecting the computers with different data sources to resolve name-service information.
+By adding the nsswitch libraries to /etc/nsswitch.conf, we are telling NSS to lookup password info and group identities in Kanidm:
+
+    passwd: compat kanidm
+    group: compat kanidm
+
+When a service like sudo, sshd, su etc. wants to authenticate someone, it opens the pam.d config of that service, 
+then performs authentication according to the modules defined in the pam.d config. 
+For example, if you run `ls -al /etc/pam.d /usr/etc/pam.d` in SUSE, you can see the services and their respective pam.d config. 

kanidm_book/src/installing_the_server.md

@@ -107,7 +107,7 @@ for example) then you can validate with this command.
 If these verifications pass you can now use these certificates with Kanidm. To put the certificates
 in place you can use a shell container that mounts the volume such as:
 
-    docker run --rm -i -t -v kanidmd:/data -v /my/host/path/work:/work opensuse/leap:latest cp /work/* /data/
+    docker run --rm -i -t -v kanidmd:/data -v /my/host/path/work:/work opensuse/leap:latest /bin/sh -c "cp /work/* /data/"
 
 OR for a shell into the volume:
 

kanidm_book/src/pam_and_nsswitch.md

@@ -39,7 +39,9 @@ You can check the privileged tasks daemon is running with
 > it provides supporting kanidm's capabilities.
 
 Both unixd daemons use the connection configuration from /etc/kanidm/config. This is the covered in
-client_tools. You can also configure some details of the unixd daemons in /etc/kanidm/unixd.
+[client_tools](./client_tools.md#kandim-configuration). 
+
+You can also configure some unixd specific options with the file /etc/kanidm/unixd.
 
     pam_allowed_login_groups = ["posix_group"]
     default_shell = "/bin/bash"
@@ -100,7 +102,9 @@ When the daemon is running you can add the nsswitch libraries to /etc/nsswitch.c
     passwd: compat kanidm
     group: compat kanidm
 
-You can then test that a posix extended user is able to be resolved with:
+You can [create a user](./accounts_and_groups.md#creating-accounts) then [enable posix feature on the user](./posix_accounts.md#enabling-posix-attributes-on-accounts).
+
+You can then test that the posix extended user is able to be resolved with:
 
     $ getent passwd <account name>
     $ getent passwd testunix
@@ -112,6 +116,10 @@ You can also do the same for groups.
     $ getent group testgroup
     testgroup:x:2439676479:testunix
 
+> **HINT** Remember to also create unix password with something like 
+> `kanidm account posix set_password --name idm_admin demo_user`. 
+> Otherwise there will be no credential for the account to authenticate. 
+ 
 ## PAM
 
 > **WARNING:** Modifications to pam configuration *may* leave your system in a state