Question about configuring NSO 4.1 (system install) via CLI
Below is part of some info on this subject that I sent to Nick off-list a couple of weeks ago, that may be useful for general consumption.
Regarding the documentation, there is always room for improvement, and in fact a more comprehensive deployment guide was on the roadmap to be shipped with 4.1, but didn't make it to the release. However, it is nearing completion, and Klacke Wikström actually posted a preliminary version of it to service_orchestration just the other day - did you see it? Otherwise I can send it to you directly.
This document discusses user and group setup for the PAM case in a bit more detail than the information given by the installer, but you need to realize that with PAM, "user management" is moved outside of NSO - by default to the user configuration of the Linux OS (/etc/passwd, 'adduser' shell command, etc.), but PAM can also be used for remote authentication schemes like RADIUS/LDAP/TACACS (although using "external" authentication is probably preferable for those). The AAA chapter in the Admin Guide discusses the NSO-specific setup both for "local" and PAM authentication.
Regarding the PAM setup in relation to upgrading from earlier versions, PAM is only the default, and only applied for the initial system install on a given host (as stated in the CHANGES file). It is controlled by ncs.conf and the AAA configuration in CDB as described in the Admin Guide, and neither of those is modified when you install 4.1 "alongside" a system install of an earlier version and do a normal upgrade to 4.1. I.e., the system will continue to run with "local" users as it did before the upgrade, and while our recommendation now is to use PAM instead, the customer is certainly not forced to do it - and if desired, the conversion can be done at any point in time, and need not be tied to the upgrade.