I figured this out. LXD could use the range I listed below in subuid and 
subgid, but the container itself was still limited to 65,000-ish IDs. I just set 
security.idmap.isolated and security.idmap.size in my profile and restarted my 
containers and I was able to log in with my network credentials.

On 07/20/2017 11:09 AM, Joshua Schaeffer wrote:
> Hey guys,
>
> I'm trying to set up my subuid and subgid parameters correctly and I'm clearly 
> doing something wrong as I keep getting "setgid: Invalid argument" when I try 
> to su to my user. I have all my accounts in LDAP and I've connected my 
> container to my infrastructure. It can see users, authenticate with LDAP, 
> Kerberos, etc., I just can't log in due to the uid/gid mapping. I'm on LXD 
> 2.15, all my end users have uids/gids between 100,000 and 199,999. The LXD 
> container is running under a local user called "lxduser" on the host.
>
>     root@bllldap01:~# getent passwd jschaeffer
>     jschaeffer:*:100000:100000:Joshua Schaeffer:/home/jschaeffer:/bin/bash
>
>     root@bllldap01:~# ldapwhoami -Q
>     dn:uid=jschaeffer,ou=end users,ou=people,dc=appendata,dc=net
>
>     root@bllldap01:~# ldapsearch -LLLQ -b "uid=jschaeffer,ou=End Users,ou=People,dc=appendata,dc=net" -s base
>     dn: uid=jschaeffer,ou=End Users,ou=People,dc=appendata,dc=net
>     objectClass: top
>     objectClass: account
>     objectClass: posixAccount
>     uid: jschaeffer
>     cn: Joshua Schaeffer
>     homeDirectory: /home/jschaeffer
>     loginShell: /bin/bash
>     gecos: Joshua Schaeffer
>     gidNumber: 100000
>     uidNumber: 100000
>
> When I try to actually log into the users I get the setgid error:
>
>     root@bllldap01:~# su - jschaeffer
>     setgid: Invalid argument
>
> Here is my /etc/subuid and /etc/subgid files on the LXD host:
>
>     lxduser@blllxd01:~$ cat /etc/sub{uid,gid}
>     lxd:100000:1000000
>     root:100000:1000000
>     lxduser:1065536:1000000
>     lxd:100000:1000000
>     root:100000:1000000
>     lxduser:1065536:1000000
>
> I've restarted lxd.service and restarted all my containers after I made this 
> change. My understanding is, from my uid/gid files, that user 100,000 inside 
> the container should be mapped to 200,000 outside the container. Any help 
> would be appreciated.
>
> Thanks,
> Joshua Schaeffer

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
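The mapping arithmetic behind this thread, as an added example that is not code from the post or from LXD: it parses the posted /etc/subuid, carves a container idmap out of the root range, and checks whether an LDAP uid/gid of 100000 has a host mapping. Assumptions are labelled in the code: the container map is a contiguous slice of the host subordinate range starting at container id 0, the default slice is 65536 ids wide (the "65,000-ish" limit in the reply), and isolated containers take consecutive slices. With a 65536-id map, uid/gid 100000 falls outside the map, which is exactly the case where setgid() in a user namespace returns EINVAL; with security.idmap.size raised to 1000000 it maps to host id 200000, which matches the poster's expectation for the non-isolated root slice.

```python
"""Model of an LXD uid/gid map, added as an example (not code from the thread).

It shows why an LDAP uid/gid of 100000 is unusable inside a container whose
idmap only covers 65536 ids, and why raising security.idmap.size fixes it.
Assumptions: the container map is a contiguous slice of the host's subordinate
range (root:100000:1000000 from the posted /etc/subuid), container id 0 maps
to the start of that slice, and the default slice is 65536 ids wide.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the /etc/subuid shown in the post (subgid is identical).
SUBUID = """\
lxd:100000:1000000
root:100000:1000000
lxduser:1065536:1000000
"""

DEFAULT_MAP_SIZE = 65536  # assumed default idmap width; the fix raises it to 1000000


@dataclass(frozen=True)
class SubIdRange:
    user: str
    start: int
    count: int


@dataclass(frozen=True)
class IdMap:
    """Container ids [0, size) map to host ids [base, base + size)."""
    base: int
    size: int


def parse_subid(text: str) -> List[SubIdRange]:
    """Parse /etc/subuid or /etc/subgid lines of the form user:start:count."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.append(SubIdRange(user, int(start), int(count)))
    return ranges


def build_idmap(ranges: List[SubIdRange], user: str, size: int, slot: int = 0) -> IdMap:
    """Carve a `size`-wide map for one container out of `user`'s subordinate range.

    `slot` models security.idmap.isolated: each container gets its own slice,
    assumed here to be allocated back to back (slot 0, slot 1, ...).
    """
    rng = next(r for r in ranges if r.user == user)
    offset = slot * size
    if offset + size > rng.count:
        raise ValueError(f"{user}'s range of {rng.count} ids cannot hold slot {slot} of {size}")
    return IdMap(base=rng.start + offset, size=size)


def container_to_host(idmap: IdMap, container_id: int) -> Optional[int]:
    """Return the host id for a container id, or None if it is outside the map.

    An unmapped id has no kernel mapping in the user namespace, so setuid()/
    setgid() to it fail with EINVAL; that is the "setgid: Invalid argument".
    """
    if 0 <= container_id < idmap.size:
        return idmap.base + container_id
    return None


def check_login(idmap: IdMap, uid: int, gid: int) -> str:
    """Summarise whether an account with this uid/gid can switch to itself."""
    host_uid = container_to_host(idmap, uid)
    host_gid = container_to_host(idmap, gid)
    if host_uid is None or host_gid is None:
        return f"uid {uid}/gid {gid} unmapped in a {idmap.size}-id map: setgid/setuid -> EINVAL"
    return f"uid {uid}/gid {gid} -> host uid {host_uid}/gid {host_gid}"


if __name__ == "__main__":
    ranges = parse_subid(SUBUID)
    small = build_idmap(ranges, "root", DEFAULT_MAP_SIZE)   # the failing case
    large = build_idmap(ranges, "root", 1000000)            # after raising security.idmap.size
    print(check_login(small, 100000, 100000))
    print(check_login(large, 100000, 100000))
```

The practical check on a real host is the same comparison: confirm that every uid/gid your directory hands out is below the container's security.idmap.size, and that the host subordinate range in /etc/subuid and /etc/subgid is large enough to hold that many ids for every isolated container, or the kernel will refuse the id switch rather than silently reuse someone else's range.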
