Lxd-p2c : convert centos 7 VM - cannot su

I’ve installed LXD 4.0.7 by compiling from source on Debian10 host, and used the lxd-p2c binary that comes with the compiling process, to convert some other Debian and Centos 7 hosts (VM/baremetal )
The resulting Debian containers work fine, but on Centos 7 containers, I got problem running su - [user] or sudo su - [user] , something like this :

root@lxdevel1:~# lxc exec dev-mail-mta bash
[root@mta ~]# su - zimbra
Last login: Wed Oct 13 16:11:43 WIB 2021
su: cannot open session: Permission denied
[root@mta ~]# sudo su - zimbra
sudo: pam_open_session: Permission denied
sudo: policy plugin failed session initialization

There’s no log on /var/log/secure in the centos container, or any logs that might be helpful.
/etc/security/limits.conf on LXD host :

  • soft nofile 1048576
  • hard nofile 1048576
    root soft nofile 1048576
    root hard nofile 1048576
  • soft memlock unlimited
  • hard memlock unlimited
  • soft nproc 4194300
  • hard nproc 4194300
    root soft nproc 4194300
    root hard nproc 4194300

and on the Centos 7 container :

zimbra soft nofile 524288
zimbra hard nofile 524288

  • soft nofile 524288
  • hard nofile 524288
  • soft nproc 278528
  • hard nproc 278528

any help would be much appreciated, thank you.

# su - zimbra

I’m not a CentOS user but 2 questions.

The userID zimbra already exists right?

What happens if you just do…

# su zimbra

still permission denied. yes, zimbra user exists

Some says this is something to do with centos PAM or SELinux, but still can’t pinpoint the exact problem