I added an Ubuntu 20 LXD container to FreeIPA. This error shows when I try to log in as a FreeIPA user:
lxd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=xxxx
lxd: pam_unix(sssd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=xxxx.
There is no error when I add a user on the LXD (Ubuntu) container and log in as this user.
Pretty simple, this is the first topic you opened, keep posting on this one, don’t open duplicate topics or they’ll get closed.
You not getting an answer doesn’t mean we’re ignoring you, it may just mean that we don’t know or are otherwise occupied. We’re not experts on sssd.
Your config shows that your container has up to 1000000000 uid/gid, it looks like you’re somehow trying to use something past that range. This won’t work and you need to configure sssd to have it not do that. Look at the sssd documentation for ways to do this.
I’m not familiar with the IPA backend but for the AD backend, they have ldap_idmap_range_min, ldap_idmap_range_max, ldap_idmap_range_size, min_id and max_id that are all designed to handle this.
If there’s no mechanism to remap uid/gid for the ipa backend, then you’d either need the sssd folks to add it there too or change the server side of your freeipa deployment to not use such crazy-high uid/gid in the first place.
Containers must share uids and gids with the rest of the system, so it’s not currently possible for a container to get a full uint32 uid/gid range.
Well, you do have an alternative which is to make the container privileged, that will get it the entire uid/gid range and will fix issues like this, but at the cost of almost non-existent security.
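As an added example (not code from this thread or from LXD), a small POSIX shell check for the situation described above: it assumes the LXD keys security.idmap.base and security.idmap.size, a constructed /etc/subuid line for root, and a FreeIPA uid chosen to sit above the container's mapped range. It goes one step further than the discussion by also verifying that a proposed base/size fits inside the host's subuid allocation, which is the other place a too-large range fails.

```shell
#!/bin/sh
# Added check: does a FreeIPA user's uid fit in the uid range LXD maps
# into the container? A uid beyond the mapped size cannot be represented
# inside the container, which shows up as a pam_unix authentication
# failure even though the password is correct.

# Constructed sample of the host's /etc/subuid entry for root, i.e. the
# range LXD may use for unprivileged containers (user:start:count).
SAMPLE_SUBUID="root:1000000:1000000000"

# container_range BASE SIZE SUBUID_LINE
# Prints "first last" host uids for security.idmap.base/size, or fails
# when the requested range does not fit inside the subuid allocation.
container_range() {
  base=$1; size=$2; line=$3
  sub_start=$(printf '%s' "$line" | cut -d: -f2)
  sub_count=$(printf '%s' "$line" | cut -d: -f3)
  sub_end=$((sub_start + sub_count - 1))
  end=$((base + size - 1))
  if [ "$base" -lt "$sub_start" ] || [ "$end" -gt "$sub_end" ]; then
    echo "idmap base=$base size=$size exceeds subuid $sub_start+$sub_count" >&2
    return 1
  fi
  echo "$base $end"
}

# uid_fits UID SIZE
# Succeeds when the uid as seen inside the container (the base is
# invisible there) is below the mapped size, i.e. 0 <= uid < size.
uid_fits() {
  uid=$1; size=$2
  [ "$uid" -ge 0 ] && [ "$uid" -lt "$size" ]
}

# Constructed FreeIPA uid above the default 1000000000 container range.
IPA_UID=1500000000

# Default-sized container: the IPA uid does not fit, login would fail.
uid_fits "$IPA_UID" 1000000000 || echo "uid $IPA_UID outside default idmap"
# Enlarged container as in this thread: fits, but only if subuid allows it.
if uid_fits "$IPA_UID" 2000000000; then
  container_range 1000000 2000000000 "$SAMPLE_SUBUID" \
    || echo "enlarge root's /etc/subuid and /etc/subgid entries first"
fi
```

The same two checks apply to gids with /etc/subgid and security.idmap.size, since LXD uses one size for both.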
OK, thanks. Then this is open. I read the sssd doc and added this variable in sssd, but it’s not reading it.
Then I’m thinking about how to increase the LXD uid/gid from the host for LXD: if I set imap.security to true and set base to 2000000000, will it work or not? And if not, how do I reset it back?
Yes, thank you Stgraber, thank you, thank you. It’s working without any problem.
I set base to 1000000 and size to 2000000000.
How to create a new profile and put it as my standard? Should I create a new asking for that?
No, I do not do it for all LXD. Some LXD are not allowed for users to log in.
But if I create a custom profile, should I add:
row.idmap.size 2000000000
row.idmap.base 1000000
or what?