SSH error on LXD

I added an Ubuntu 20 LXD container to FreeIPA. This error shows when I try to log in as a FreeIPA user:
lxd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=xxxx

lxd: pam_unix(sssd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=xxxx.
There is no error when I add a user on the LXD (Ubuntu) container and log in as this user.

I tried to change subuid and subgid on the parent host for LXD: I added lxd:100000:1000000000 in /etc/subuid and /etc/subgid, but it did not help much.

My uid from FreeIPA is 1157000001, but I can't change my container to take this range. How do I change the container subuid/subgid?

Can you show lxc config show --expanded NAME-OF-CONTAINER from the host and cat /proc/self/uid_map from within the container?

In my experience, setting min_id in sssd.conf can help make it use slightly less crazy uid/gid.

I'm just confused which one is open and which one you closed; it's not the same. I have many LXD containers and different errors.

I wrote the error and you just closed it.

I'm trying to get help. What should I do?

Which one is open now?

Sorry I asked. How do I delete all of them?

Pretty simple, this is the first topic you opened, keep posting on this one, don’t open duplicate topics or they’ll get closed :slight_smile:

You not getting an answer doesn’t mean we’re ignoring you, it may just mean that we don’t know or are otherwise occupied. We’re not experts on sssd.

Your config shows that your container has up to 1000000000 uid/gid, it looks like you’re somehow trying to use something past that range. This won’t work and you need to configure sssd to have it not do that. Look at the sssd documentation for ways to do this.

I’m not familiar with the IPA backend but for the AD backend, they have ldap_idmap_range_min, ldap_idmap_range_max, ldap_idmap_range_size, min_id and max_id that are all designed to handle this.

If there’s no mechanism to remap uid/gid for the ipa backend, then you’d either need the sssd folks to add it there too or change the server side of your freeipa deployment to not use such crazy-high uid/gid in the first place.

Containers must share uids and gids with the rest of the system, so it’s not currently possible for a container to get a full uint32 uid/gid range.

Well, you do have an alternative which is to make the container privileged, that will get it the entire uid/gid range and will fix issues like this, but at the cost of almost non-existent security.

OK, thanks. Then this is the open one. I read the sssd doc and added this variable in sssd, but it doesn't read it.
Then I thought about how to increase the LXD uid/gid from the host for LXD: if I set imap.security to true and set base to 2000000000, will it work or not? And if not, how do I reset it back?

You can try something like:

  • lxc config set NAME security.idmap.isolated true
  • lxc config set NAME security.idmap.base 1000000
  • lxc config set NAME security.idmap.size 10000000000
  • lxc restart NAME

But that may be rejected due to potential conflicts.

Can I test it for only one LXD container, not for all LXD containers on my host?

Yes, NAME above is the name of a container.

Yes, thank you Stgraber, thank you, thank you. It’s working without any problem.
I set base to 1000000 and size to 2000000000.
How do I create a new profile and put it as my standard? Should I create a new question for that?

If you want it to apply to all instances, current and future, set those keys in your default profile with lxc profile set default KEY VALUE.

Alternatively you could create a dedicated profile for this but you’ll then need to apply it to any affected instances.

No, I do not do it for all LXD containers; some containers do not allow users to log in.
But if I create a custom profile, should I add:
row.idmap.size 2000000000
row.idmap.base 1000000
or what?

I tried another container and it says:

  • lxc config set NAME security.idmap.isolated true
    Error: Failed to get ID map: Not enough uid/gid available for the container
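Added example (not LXD's own code, not from anyone in this thread): a small shell sanity check for the idmap plan discussed above, covering the three things that decide whether the settings from stgraber's list work: the in-container uid must be below security.idmap.size, the window base+size must sit inside the host's /etc/subuid allotment, and with security.idmap.isolated each container needs its own disjoint window, which is the condition behind the "Not enough uid/gid available" error. The uid 1157000001, base 1000000 and size 2000000000 come from the thread; the host subuid line is a constructed assumption.

```shell
#!/bin/sh
# Model: container uid N maps to host uid BASE+N and needs N < SIZE; the window
# [BASE, BASE+SIZE) must lie inside the host allotment; isolated containers each
# need a disjoint window of SIZE ids. Sample values are constructed/assumed.
SUBUID_LINE="root:1000000:3000000000"   # assumed /etc/subuid entry read by LXD
IPA_UID=1157000001                      # FreeIPA uid from the thread
IDMAP_BASE=1000000                      # security.idmap.base from the thread
IDMAP_SIZE=2000000000                   # security.idmap.size from the thread

# host_range LINE -> prints "START COUNT" from a user:start:count subuid line
host_range() {
    printf '%s\n' "$1" | awk -F: '{ print $2, $3 }'
}

# uid_in_container UID SIZE -> 0 if an idmap of SIZE ids covers in-container UID
uid_in_container() {
    [ $(( $1 >= 0 && $1 < $2 )) -ne 0 ]
}

# range_fits_host BASE SIZE HSTART HCOUNT -> 0 if [BASE,BASE+SIZE) is inside
# the host allotment [HSTART, HSTART+HCOUNT)
range_fits_host() {
    [ $(( $1 >= $3 && $1 + $2 <= $3 + $4 )) -ne 0 ]
}

# isolated_second_fits SIZE HSTART HCOUNT FIRST_BASE -> 0 if a second isolated
# container of the same SIZE still fits after the first one
isolated_second_fits() {
    [ $(( $4 + $1 + $1 <= $2 + $3 )) -ne 0 ]
}

# check_plan UID BASE SIZE LINE -> reports each check; returns the failure count
check_plan() {
    set -- "$1" "$2" "$3" $(host_range "$4")
    failed=0
    uid_in_container "$1" "$3" && echo "ok: uid $1 < idmap size $3" \
        || { echo "FAIL: uid $1 is outside an idmap of size $3"; failed=$((failed+1)); }
    range_fits_host "$2" "$3" "$4" "$5" && echo "ok: window fits host allotment $4+$5" \
        || { echo "FAIL: base+size exceeds host allotment $4+$5"; failed=$((failed+1)); }
    isolated_second_fits "$3" "$4" "$5" "$2" && echo "ok: a second isolated container fits" \
        || { echo "FAIL: no room for a second isolated container of size $3"; failed=$((failed+1)); }
    return "$failed"
}

check_plan "$IPA_UID" "$IDMAP_BASE" "$IDMAP_SIZE" "$SUBUID_LINE" \
    || echo "plan needs changes ($? check(s) failed)"
```

Replace SUBUID_LINE with the real root/lxd entry from your host's /etc/subuid to check your own setup; shrinking security.idmap.size or widening the subuid allotment is what changes the last result.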