FreeIPA in LXD/LXC containers - cannot switch user

Question

The Setup consists of one FreeIPA-Server and one Client, which both reside in unprivileged LXD-Containers on the same Host. Both containers and the host machine run Ubuntu 16.04. All Settings are basically FreeIPA defaults, as generated by ipa-server-install or ipa-client-install, respectively.

It is not possible to switch to a user that was created in the FreeIPA directory:

# su testuser setgid: Invalid argument

# sudo -s -u testuser sudo: unable to change to runas gid: Invalid argument sudo: unable to change to runas gid: Invalid argument root is not in the sudoers file. This incident will be reported

(root is in sudoers and is able to do the command above with local users.)

testuser is a valid User within the Realm, is able to kinit, and is also recognized by both systems: # id testuser uid=161200001(testuser) gid=161200001(testuser) groups=161200001(testuser)

sudo does not seem to produce any relevant entries in auth.log, su however does:

su[1887]: Successful su for testuser by root

su[1887]: + ??? root:testuser

su[1887]: bad group ID `161200001' for user `testuser': Invalid argument

A Google search only brought up cygwin+sshd issues for the invalid argument error, which seemed unfitting. The ID range picked by FreeIPA is under Linux' UID limit of 2^32, even with the container offset of 100.000. What could be the problem here? Any ideas where to dig further?

Edit 1: The same Server/Client constellation works fine in two VirtualBox-machines.

Edit 2: I think I narrowed the cause down to the IPA client in a container, the issue persists when running against an IPA server outside LXD.

Answer 1

Solved it! Sharing the solution, just in case somebody else with the same problem stumbles upon this thread.

In the default configuration, LXD / the Host-System does not allocate enough UIDs/GIDs to its containers, so that you cannot effectively become a user with an ID as high as picked by FreeIPA randomly.

The files /etc/subuid and /etc/subgid have entries that read root:100000:65536, which note the IDs that LXD will effectively use at the time of writing. Host UIDs/GIDs in the range of 100000-165536 get mapped to container IDs from 0-65536. The container, trying to use ID 161200001 in my case, is far over that boundary.

Based on this article https://insights.ubuntu.com/2015/10/30/nested-containers-in-lxd/ , I modified the mapped IDs, and specified which IDs FreeIPA may use. Changes to the sub*id-files might only work before initialising a container.

Specifically, this config worked:

LXD Host:

/etc/subuid: root:5000000:2500000

/etc/subgid: root:5000000:2500000

LXD Container with FreeIPA-Server:

initialise the server with ipa-server-install --idstart=1000000 --idmax=2000000

Here, the directory IDs range from 1.000.000 - 2.000.000, whereas the client has 2.500.000 IDs available. Due to the offset of 5.000.000, the host may also join that FreeIPA directory. Adjust the numbers as desired, YMMV.