set_eugid: setegid(1057400001) - Set SUID/SGID-Range for LXC-Container

Hello everyone,

Since I'm using FreeIPA as my authentication provider with some fairly high UIDs/GIDs, I'm assuming these are the reasons I'm running into this issue.

Can I just set something like this in my /etc/pve/$ctid.conf?
Code:
lxc.id_map = u 0 100000 1059900000
lxc.id_map = g 0 100000 1059900000

I am kind of confused by suid/sgid and setting them in the Container configs.

Greetings,

Johannes.

Error messages for reference:
systemd-journal:
Code:
Dez 30 15:03:00 jmb-mail-02 postfix/local[11369]: fatal: set_eugid: setegid(1057400001): Invalid argument
Dez 30 15:19:06 jmb-mail-02 login[11434]: pam_sss(login:auth): authentication failure; logname=root uid=0 euid=0 tty=pts/2 ruser= rhost= user=johannes

sssd kerberos child log:
Code:
(2021-12-30 15:19:06): [krb5_child[11441]] [become_user] (0x0020): setresgid failed [22][Invalid argument].
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [main] (0x0400): krb5_child started.
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [unpack_buffer] (0x1000): total buffer size: [147]
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [1057400001] gid [1057400001] validate [true] enterprise principal [false] offline [false] UPN [johannes@VJ.HOME]
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [unpack_buffer] (0x2000): No old ccache
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1057400001_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [k5c_precreate_ccache] (0x4000): Recreating ccache
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/jmb-mail-02.vj.home@VJ.HOME]
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [find_principal_in_keytab] (0x4000): Trying to find principal host/jmb-mail-02.vj.home@VJ.HOME in keytab.
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [match_principal] (0x1000): Principal matched to the sample (host/jmb-mail-02.vj.home@VJ.HOME).
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [become_user] (0x0200): Trying to become user [1057400001][1057400001].
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [become_user] (0x0020): setresgid failed [22][Invalid argument].
********************** BACKTRACE DUMP ENDS HERE *********************************
Setting up FreeIPA on Proxmox/LXC now and running into the same issue. Because the UID/GID is greater than 65536, you will have this exact problem.

My attempt was to change FreeIPA's id range to 20000-50000. Not ideal I suppose, but it worked. I haven't messed around with changing the mappings for each container, which I guess is another (better?) solution.

The easiest way to change the default id range is when you install FreeIPA server. If you're doing it after the fact, there's a bunch of stuff that needs changing.

After the fact, you need to create a new range, modify all your UIDs and GIDs so that they fit in the new range (including the Default SMB Group, which doesn't show up in the GUI - you need to modify that through LDAP), and change dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config so that the dnaNextValue and dnaMaxValue align with the new range.

PITA. If anyone has a better solution - please share.
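Added example, not posted by either participant above: a small POSIX shell helper that covers the two pieces both posts touch. The setegid(1057400001) / setresgid "Invalid argument" errors are what the kernel returns inside a user namespace when a process tries to switch to an ID that the container's idmap does not map at all, and Proxmox's stock mapping only covers 65536 IDs (the host grants root the range root:100000:65536 in /etc/subuid and /etc/subgid), which is why the reply's observation about IDs above 65536 holds. The script emits the mapping lines for /etc/pve/lxc/<ctid>.conf (current LXC spells the key lxc.idmap; lxc.id_map is the pre-2.1 name), emits the matching subuid/subgid entry the host must carry, and checks whether a given subuid line actually covers the mapping and where a container ID such as the FreeIPA user's 1057400001 ends up on the host. The range values are taken from the question; the function and variable names are mine.

```shell
#!/bin/sh
# Added example for the thread above (not the poster's config, not Proxmox's tooling).
# Assumptions: a single idmap range starting at container ID 0, host base 100000,
# count large enough to include the FreeIPA IDs seen in the logs (1057400001).

CT_ID_START=0            # first container-side ID that gets mapped
HOST_ID_START=100000     # host-side ID it maps to (Proxmox default base)
ID_COUNT=1059900000      # size of the range; must exceed the highest FreeIPA UID/GID

# Lines for /etc/pve/lxc/<ctid>.conf (hypothetical container; key name lxc.idmap).
idmap_lines() {
    printf 'lxc.idmap = u %s %s %s\n' "$CT_ID_START" "$HOST_ID_START" "$ID_COUNT"
    printf 'lxc.idmap = g %s %s %s\n' "$CT_ID_START" "$HOST_ID_START" "$ID_COUNT"
}

# Matching entry the host needs in both /etc/subuid and /etc/subgid, or the
# container will refuse to start with an idmap the host does not grant root.
subid_line() {
    printf 'root:%s:%s\n' "$HOST_ID_START" "$ID_COUNT"
}

# Return 0 if a subuid/subgid line "user:start:count" covers the whole host
# range [HOST_ID_START, HOST_ID_START + ID_COUNT). The Proxmox default
# "root:100000:65536" does not, which is the root cause in this thread.
subid_covers() {
    s=$(printf '%s' "$1" | cut -d: -f2)
    c=$(printf '%s' "$1" | cut -d: -f3)
    [ "$s" -le "$HOST_ID_START" ] && [ $((s + c)) -ge $((HOST_ID_START + ID_COUNT)) ]
}

# Print the host ID a container ID maps to; fail (return 1, print nothing) if the
# ID is outside the mapping, which is exactly when setuid/setgid gets EINVAL.
map_to_host() {
    id="$1"
    if [ "$id" -lt "$CT_ID_START" ] || [ "$id" -ge $((CT_ID_START + ID_COUNT)) ]; then
        return 1
    fi
    echo $((id - CT_ID_START + HOST_ID_START))
}

# Usage: show the config lines and check the FreeIPA user from the log.
idmap_lines
subid_line
if map_to_host 1057400001 >/dev/null; then
    echo "container id 1057400001 -> host id $(map_to_host 1057400001): mapped"
else
    echo "container id 1057400001 is NOT mapped; setgid would return EINVAL"
fi
subid_covers "root:100000:65536" || echo "default subuid entry does not cover this idmap"
```

The practical takeaway is that the idmap in the container config and the grants in /etc/subuid and /etc/subgid have to agree: widening one without the other either keeps producing the EINVAL seen in the postfix and krb5_child logs or stops the container from starting at all. Keeping the host base at 100000 and only enlarging the count preserves the ownership of files already in the container's rootfs.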