set_eugid: setegid(1057400001) - Set SUID/SGID-Range for LXC-Container

Hello everyone,

Since I'm using FreeIPA as my authentication provider with some fairly high UIDs/GIDs, I'm assuming these are the reasons I'm running into this issue.

Can I just set something like this in my /etc/pve/$ctid.conf?
Code:
lxc.id_map = u 0 100000 1059900000
lxc.id_map = g 0 100000 1059900000

I am kind of confused by suid/sgid and setting them in the Container configs.

Greetings,

Johannes.

Error messages for reference:
systemd-journal:
Code:
Dez 30 15:03:00 jmb-mail-02 postfix/local[11369]: fatal: set_eugid: setegid(1057400001): Invalid argument
Dez 30 15:19:06 jmb-mail-02 login[11434]: pam_sss(login:auth): authentication failure; logname=root uid=0 euid=0 tty=pts/2 ruser= rhost= user=johannes

sssd kerberos child log:
Code:
(2021-12-30 15:19:06): [krb5_child[11441]] [become_user] (0x0020): setresgid failed [22][Invalid argument].
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [main] (0x0400): krb5_child started.
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [unpack_buffer] (0x1000): total buffer size: [147]
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [1057400001] gid [1057400001] validate [true] enterprise principal [false] offline [false] UPN [johannes@VJ.HOME]
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [unpack_buffer] (0x2000): No old ccache
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_1057400001_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [k5c_precreate_ccache] (0x4000): Recreating ccache
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/jmb-mail-02.vj.home@VJ.HOME]
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [find_principal_in_keytab] (0x4000): Trying to find principal host/jmb-mail-02.vj.home@VJ.HOME in keytab.
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [match_principal] (0x1000): Principal matched to the sample (host/jmb-mail-02.vj.home@VJ.HOME).
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [become_user] (0x0200): Trying to become user [1057400001][1057400001].
   *  (2021-12-30 15:19:06): [krb5_child[11441]] [become_user] (0x0020): setresgid failed [22][Invalid argument].
********************** BACKTRACE DUMP ENDS HERE *********************************
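An added example (not from this thread) of why a GID such as 1057400001 fails with "Invalid argument" inside an unprivileged container: it resolves container-side IDs through `lxc.idmap` entries the way the kernel's user namespace does, and checks whether a proposed mapping is even permitted by the host's /etc/subuid and /etc/subgid delegation. Assumptions: Proxmox writes the key as `lxc.idmap` (the `lxc.id_map` spelling is the older LXC form), its stock unprivileged mapping is `u 0 100000 65536` / `g 0 100000 65536`, and the host's /etc/subuid and /etc/subgid carry `root:100000:65536`; every mapping line and sub-ID file content below is constructed sample input.

```python
"""Resolve container-side UIDs/GIDs through LXC idmap entries.

Each "lxc.idmap" entry reads "<u|g> <container_start> <host_start> <count>".
An ID that no entry covers does not exist inside the container's user
namespace, so setegid()/setresgid() on it returns EINVAL, which is the
"Invalid argument" postfix and krb5_child report above.  All mapping
lines and subuid/subgid contents here are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdMap:
    kind: str        # "u" (UIDs) or "g" (GIDs)
    ns_start: int    # first ID as seen inside the container
    host_start: int  # host ID that ns_start maps to
    count: int       # number of consecutive IDs in this block


def parse_idmap(line: str) -> IdMap:
    """Parse 'lxc.idmap: u 0 100000 65536' (Proxmox) or the legacy
    'lxc.id_map = u 0 100000 65536' spelling."""
    _, _, value = line.partition(":") if ":" in line else line.partition("=")
    kind, ns_start, host_start, count = value.split()
    if kind not in ("u", "g"):
        raise ValueError(f"bad idmap kind {kind!r}")
    return IdMap(kind, int(ns_start), int(host_start), int(count))


def resolve(maps: List[IdMap], kind: str, ns_id: int) -> Optional[int]:
    """Host ID for a container-side ID, or None when unmapped (the EINVAL case)."""
    for m in maps:
        if m.kind == kind and m.ns_start <= ns_id < m.ns_start + m.count:
            return m.host_start + (ns_id - m.ns_start)
    return None


def parse_sub_ids(text: str, user: str = "root") -> List[range]:
    """Ranges that /etc/subuid or /etc/subgid ('name:start:count') delegate to user."""
    allowed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            allowed.append(range(int(start), int(start) + int(count)))
    return allowed


def map_is_permitted(m: IdMap, allowed: List[range]) -> bool:
    """A mapping is only usable if its whole host-side range lies inside one
    range the host delegates to the container owner; otherwise the container
    will not even start with that idmap."""
    first, last = m.host_start, m.host_start + m.count - 1
    return any(first in r and last in r for r in allowed)


if __name__ == "__main__":
    stock = [parse_idmap("lxc.idmap: u 0 100000 65536"),
             parse_idmap("lxc.idmap: g 0 100000 65536")]
    subgid = parse_sub_ids("root:100000:65536\n")  # constructed host file content
    gid = 1057400001                                 # the GID from the log above
    print("stock mapping resolves GID", gid, "->", resolve(stock, "g", gid))
    huge = parse_idmap("lxc.id_map = g 0 100000 1059900000")
    print("proposed huge map permitted by subgid?", map_is_permitted(huge, subgid))
```

The proposed `g 0 100000 1059900000` line would make the GID resolvable, but only if /etc/subgid on the host delegates a range that large to root, which the stock `root:100000:65536` does not. The idmap format also accepts several non-overlapping entries, so a second narrow block covering just the directory's ID range is an alternative to one block spanning a billion IDs; either way the host-side delegation has to be widened to match, and `map_is_permitted` is the check for that.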
Setting up FreeIPA on Proxmox/LXC now and running into the same issue. Because the UID/GID is greater than 65536, you will have this exact problem.

My attempt was to change FreeIPA's id range to 20000-50000. Not ideal, I suppose, but it worked. I haven't messed around with changing the mappings for each container, which I guess is another (better?) solution.

The easiest way to change the default id range is when you install FreeIPA server. If you're doing it after the fact, there's a bunch of stuff that needs changing.

After the fact, you need to create a new range, modify all your UIDs and GIDs so that they fit in the new range (including the Default SMB Group, which doesn't show up in the GUI - you need to modify that through LDAP), and change dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config so that the dnaNextValue and dnaMaxValue align with the new range.

PITA. If anyone has a better solution - please share.
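An added example (not from this thread) that turns the after-the-fact procedure above into a checklist you can run before touching LDAP: it lists the POSIX IDs that still have to be renumbered into the new range, confirms the range stays within the 65536 IDs the stock unprivileged LXC mapping covers, and renders the LDIF that updates dnaNextValue and dnaMaxValue on the DNA plugin entry named in the post. Assumptions: the entry DN and the two attribute names are exactly as the post gives them; the ID lists are constructed sample data; choosing dnaNextValue as one above the highest ID already in the new range is a conservative choice made here, not something the post states.

```python
"""Plan a FreeIPA POSIX ID range move and render the DNA plugin update.

The DN and the attribute names dnaNextValue / dnaMaxValue come from the
post above.  The ID lists used below are constructed sample data.
"""
from typing import Dict, Iterable, List, Optional

DNA_DN = "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
# IDs covered by Proxmox's stock unprivileged mapping "0 100000 65536" (assumption).
LXC_DEFAULT_ID_COUNT = 65536


def ids_outside(ids: Iterable[int], new_min: int, new_max: int) -> List[int]:
    """IDs that must be renumbered before the range switch (dedup, sorted)."""
    return sorted(i for i in set(ids) if not new_min <= i <= new_max)


def range_fits_default_lxc(new_max: int) -> bool:
    """True when every ID in the new range is mappable by the stock container idmap."""
    return new_max < LXC_DEFAULT_ID_COUNT


def dna_ldif(new_min: int, new_max: int, used: Iterable[int]) -> str:
    """LDIF that points future DNA allocations into the new range.

    dnaNextValue is set one above the highest ID already inside the range
    (a conservative choice made here), dnaMaxValue to the range ceiling.
    """
    in_range = [i for i in used if new_min <= i <= new_max]
    next_value = max(in_range) + 1 if in_range else new_min
    if next_value > new_max:
        raise ValueError("new range is already exhausted")
    return "\n".join([
        f"dn: {DNA_DN}",
        "changetype: modify",
        "replace: dnaNextValue",
        f"dnaNextValue: {next_value}",
        "-",
        "replace: dnaMaxValue",
        f"dnaMaxValue: {new_max}",
        "",
    ])


def plan_range_change(uids: Iterable[int], gids: Iterable[int],
                      new_min: int, new_max: int) -> Dict[str, object]:
    """Summarise what the migration still needs.  The LDIF is only produced once
    no UID or GID remains outside the target range, matching the order of
    steps in the post (renumber first, then move the DNA counter)."""
    uids, gids = list(uids), list(gids)
    renumber = ids_outside(uids + gids, new_min, new_max)
    ldif: Optional[str] = None if renumber else dna_ldif(new_min, new_max, uids + gids)
    return {
        "renumber": renumber,
        "fits_default_lxc": range_fits_default_lxc(new_max),
        "ldif": ldif,
    }


if __name__ == "__main__":
    # Constructed sample: one account still on the old high range, the rest moved.
    report = plan_range_change(uids=[20000, 20001, 1057400001],
                               gids=[20000, 20001, 20005], new_min=20000, new_max=50000)
    print("still to renumber:", report["renumber"])
    print("fits stock LXC mapping:", report["fits_default_lxc"])
    report = plan_range_change([20000, 20001], [20000, 20001, 20005], 20000, 50000)
    print(report["ldif"])
```

The range 20000-50000 from the post passes `range_fits_default_lxc`, which is why it worked in the containers without any idmap changes; the original 1057400001 does not, and the report lists it under `renumber` until the account (and the Default SMB Group mentioned above) has been moved.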