[lxc-users] [lxc-devel] id + sssd does not work properly in unprivileged container
tompos at martos.bme.hu
Mon May 9 15:27:41 UTC 2016
On 05/06/2016 10:48 AM, Tamas Papp wrote:
> On 01/07/2016 02:15 PM, Tamas Papp wrote:
>> First of all I want to declare that I'm not sure it is really because
>> of an unprivileged container... but I have not found any other difference.
>> Ordinary users are coming from ldap servers. On clients sss is
>> configured properly, everything works properly so far.
>> Recently I deployed a container, however not with pure privileged LXC
>> (running as root), but LXD (unprivileged).
>> Now one thing does not work and it makes things messed up.
>> this works: id USER
>> this does not: id (running as USER)
>> The second one does not reflect the user's LDAP groups.
>> Obviously the same happens for example if I want to use sudo or
>> something else, that depends on the user's ldap group.
>> I have strace outputs, I see difference, but no reason.
>> Any idea? To me it looks like a kind of weird bug.
> First time I sent it to the devel list, but maybe it would be better
> here: did anybody else face this behaviour?
> If I set 'security.privileged: true', it is working fine.
I think I have it.
By default IPA (LDAP server) assigns high uids and gids to users and
groups; high means 400.000.000+. Don't ask me why.
Modifying /etc/subuid and /etc/subgid to something like this helped a
lot, now it's OK:
*I don't know whether a nested container works properly.
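
The range check behind the /etc/subuid and /etc/subgid change described in the message above, as an added example that is not part of the original post: it parses `name:start:count` entries and reports which container IDs have no host mapping. The two sample entries, the owner name `root` and the layout of ranges starting at container ID 0 are assumptions made for illustration; the actual values from the post were not preserved.

```python
# Constructed sample data in /etc/subuid format (name:start:count); not from the post.
DEFAULT_SUBID = "root:100000:65536\n"
WIDENED_SUBID = "root:1000000:1000000000\n"
MAX_ID = 2**32 - 2  # largest usable 32-bit uid/gid; 2**32 - 1 is reserved


def parse_subid(text):
    """Parse subuid/subgid text into a list of (name, start, count) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count")
        name, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0 or start + count - 1 > MAX_ID:
            raise ValueError(f"line {lineno}: range does not fit in 32-bit IDs")
        entries.append((name, start, count))
    return entries


def map_to_host(entries, owner, container_id):
    """Return the host ID backing container_id, or None if it is unmapped.

    Assumption: the owner's ranges are laid out back to back, starting at
    container ID 0, which is how a whole delegated range is commonly mapped.
    """
    offset = 0
    for name, start, count in entries:
        if name != owner:
            continue
        if offset <= container_id < offset + count:
            return start + (container_id - offset)
        offset += count
    return None


def unmapped(entries, owner, ids):
    """Return the subset of ids that the owner's ranges cannot represent."""
    return [i for i in ids if map_to_host(entries, owner, i) is None]
```

Feeding it the uids and gids that the directory actually hands out shows in advance whether a container's ID range is wide enough for them.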