Lxd group with LDAP authentication not working

My understanding is that there is a default group lxd after the LXD installation. Users in the lxd group can run lxc commands without sudo.

My machine is authenticated with an LDAP server and I created an lxd group on the LDAP server too. I prefer to use the lxd group authenticated with the LDAP server. Therefore, I deleted the local lxd group using the command groupdel lxd.

Afterwards, if I run getent group lxd, I can see the users in the LDAP lxd group. However, these users in the LDAP lxd group still need sudo for each ‘lxc’ command. Without sudo, it shows the following:
cannot open path of the current working directory: Permission denied

I think that I might have missed something here. Please help to advise. Million thanks!

Yeah, so what’s going on here is that LXD itself is written in Go and Go doesn’t use libnss so cannot resolve through nss plugins, the snap packaging would also make that pretty hard in the first place.

So now that you’ve removed the lxd group from /etc/group, LXD will not find the group on startup and will only allow the root user to connect. You should be able to confirm that by looking at the owner of /var/snap/lxd/common/lxd/unix.socket. Normally that would be root:lxd but in your case, it’s likely now root:root.

To fix this you may be able to define the LXD group in /etc/group using the same GID as your LDAP group. This should cause no difference to your local users but will allow LXD to find the group and process it correctly.

Ah, another thing that may be causing you issues: snapd is very picky about home directories. It expects them to be /home/<username>; if you’re using a different pattern, you’ll run into issues like this.

Hello @stgraber, thanks again for the detailed explanation. I was following your suggestions but it hasn’t solved the problem yet. I need further advice. Thanks in advance.

First, to clarify, the home directory is /home/cad.

Second, without sudo, the error reported by using lxc commands changed. Now it is always
Error: Get "http://unix.socket/1.0": dial unix /var/snap/lxd/common/lxd/unix.socket: connect: permission denied.
For the comparison, it was
cannot open path of the current working directory: Permission denied.
I suspect it has something to do with an unsuccessful access to /var/snap/lxd/common/lxd/unix.socket using the cat command. But I cannot be certain.

Nevertheless, I moved on to try the following.

  1. used getent group lxd to find group id. The output is lxd:*:3144:cad
  2. used groupadd -g 3144 lxd and groupadd -o -g 3144 lxd and got the same output groupadd: group 'lxd' already exists
  3. used getent group | grep lxd and got nothing
  4. manually added lxd:x:3144: and lxd:x:3144:cad to the end of /etc/group, but it still reported error message mentioned above.
  5. I wondered why groupadd didn’t work and I couldn’t find anything in /etc/group. Then I found in /etc/passwd the following
    lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false

I have run out of ideas on how to proceed, given my limited knowledge. Please advise. Thank you!

You’ll need to restart LXD after having added the lxd group to /etc/group.

Keep an eye on ls -lh /var/snap/lxd/common/lxd/unix.socket once it’s correct, it should turn into root:lxd.

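The procedure from the replies above (mirror the LDAP group's GID into /etc/group, restart LXD, check the socket owner), as an added example that is not code from the thread or from LXD. It assumes the snap paths named in the thread, GNU stat, and that appending to /etc/group directly is acceptable, since groupadd refuses when NSS already resolves the name:

```shell
#!/bin/sh
# Added example, not code from the thread: mirror an LDAP-defined lxd group into
# /etc/group with the same GID so the Go-based LXD daemon (no NSS) can see it,
# restart LXD, then verify the socket ownership. Paths are the snap paths from
# the thread; getent, GNU stat and a POSIX sh are assumed to be available.
set -eu
LXD_SOCKET=/var/snap/lxd/common/lxd/unix.socket

# Extract the numeric GID (third colon-separated field) from a getent group line
# such as "lxd:*:3144:cad". Fails if the line is not an lxd group entry.
gid_from_getent() {
    case "$1" in lxd:*) ;; *) return 1 ;; esac
    gid=$(printf '%s\n' "$1" | cut -d: -f3)
    case "$gid" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$gid"
}

# The /etc/group line LXD will read. Members are left empty: membership still
# comes from LDAP via NSS for everything else; LXD only needs the name -> GID map.
local_group_line() {
    printf 'lxd:x:%s:\n' "$1"
}

# Given "user:group" as printed by stat -c '%U:%G', report whether the socket is
# in the state to look for (root:lxd) rather than the broken root:root.
socket_owned_by_lxd() {
    [ "$1" = "root:lxd" ]
}

# The real procedure; needs root. Runs only with --apply so the helpers above can
# be sourced or tested without touching the system.
apply_fix() {
    line=$(getent group lxd) || { echo "no lxd group resolvable via NSS"; exit 1; }
    gid=$(gid_from_getent "$line")
    if ! grep -q '^lxd:' /etc/group; then
        # groupadd refuses here ("group 'lxd' already exists") because NSS already
        # resolves the name from LDAP, so append the local entry directly.
        local_group_line "$gid" >> /etc/group
    fi
    snap restart lxd   # LXD only resolves the group at startup
    owner=$(stat -c '%U:%G' "$LXD_SOCKET")
    if socket_owned_by_lxd "$owner"; then
        echo "ok: $LXD_SOCKET is owned by $owner"
    else
        echo "still wrong: $LXD_SOCKET is owned by $owner"; exit 1
    fi
}

if [ "${1:-}" = "--apply" ]; then apply_fix; fi
```

Run it as root with --apply; without the flag it only defines the helpers, so it can be sourced to check a getent line or a stat result by hand.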

I just can’t say enough thanks to you @stgraber !!!

np, glad it worked!