Podman and SSSD + setresgid failed [22][Invalid argument] #24510
sabareesh15
started this conversation in
General
-
looks like it needs access to gid
-
I have an environment as below.
VM Host + Podman + MariaDB Inside Podman
I have added the VM host to the domain, and I can confirm all AD operations are working (like authentication and group memberships (id and getent)). Then, while creating the podman container, I also mounted the /var/lib/sss mount point, so that inside the container the group membership commands (id and getent) are working. But the authentication is failing with the below error.
[mysql@m86zxa41b ~]$ mysql -u psvijay1@<domain.com>
[mariadb] Password:
ERROR 1045 (28000): Access denied for user 'psvijay1@<domain.com>'@'localhost' (using password: NO)
[root@m86zxa50c mysql]# cat /etc/pam.d/mysql
auth required pam_sss.so
auth requisite pam_user_map.so audit debug
account sufficient pam_sss.so
account required pam_permit.so audit debug
From /var/lib/sssd/krb5_child.log file:
(2024-11-08 12:07:15): [krb5_child[149]] [unpack_buffer] (0x0100): [RID#4] cmd [241 (auth)] uid [645626244] gid [1382000513] validate [true] enterprise principal [true] offline [false] UPN [psvijay1@]
(2024-11-08 12:07:15): [krb5_child[149]] [unpack_buffer] (0x2000): [RID#4] No old ccache
(2024-11-08 12:07:15): [krb5_child[149]] [unpack_buffer] (0x0100): [RID#4] ccname: [FILE:/tmp/krb5cc_645626244_XXXXXX] old_ccname: [not set] keytab: [not set]
(2024-11-08 12:07:15): [krb5_child[149]] [check_keytab_name] (0x0400): [RID#4] Missing krb5_keytab option for domain, looking for default one
(2024-11-08 12:07:15): [krb5_child[149]] [check_keytab_name] (0x0400): [RID#4] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
(2024-11-08 12:07:15): [krb5_child[149]] [check_keytab_name] (0x0400): [RID#4] krb5_child will default to: /etc/krb5.keytab
(2024-11-08 12:07:15): [krb5_child[149]] [check_use_fast] (0x0100): [RID#4] Not using FAST.
(2024-11-08 12:07:15): [krb5_child[149]] [k5c_precreate_ccache] (0x4000): [RID#4] Recreating ccache
(2024-11-08 12:07:15): [krb5_child[149]] [become_user] (0x0200): [RID#4] Trying to become user [645626244][1382000513].
(2024-11-08 12:07:15): [krb5_child[149]] [become_user] (0x0020): [RID#4] setresgid failed [22][Invalid argument].
(2024-11-08 12:07:15): [krb5_child[149]] [main] (0x0020): [RID#4] become_user failed.
(2024-11-08 12:07:15): [krb5_child[149]] [main] (0x0020): [RID#4] krb5_child failed!
[root@m86zxa41a ~]# cat /etc/subuid
admin1a:100000:65536
ct4tagnt:165536:65536
dbanhn40dev:231072:2000000 --> The container is running under this user
#dbanhn42dev:296608:65536
[root@m86zxa41a ~]#
[root@m86zxa41a ~]#
[root@m86zxa41a ~]# cat /etc/subgid
admin1a:100000:65536
ct4tagnt:165536:65536
dbanhn40dev:231072:2000000 --> The container is running under this user
#dbanhn42dev:296608:65536
[dbanhn40dev@m86zxa41a ~]$ podman unshare cat /proc/self/uid_map
0 1002 1
1 231072 65536
So I got to know the uid/gid limit issue, so I tried to change these ranges as below, but no luck.
[dbanhn40dev@m86zxa41a ~]$
[dbanhn40dev@m86zxa41a ~]$ podman system migrate
stopped d094483eb20f79ca059aab7af77d5998e88b041a4ccfdc4d3629266405e89829
[dbanhn40dev@m86zxa41a ~]$
[dbanhn40dev@m86zxa41a ~]$
[dbanhn40dev@m86zxa41a ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d094483eb20f repository.adp.net:5002/mdb-es/him-tst:2.6 /usr/lib/systemd/... 46 hours ago Up 6 seconds nhn40dev-mariadb
[dbanhn40dev@m86zxa41a ~]$ podman unshare cat /proc/self/uid_map
0 1002 1
1 231072 2000000
[dbanhn40dev@m86zxa41a ~]$
Can you please advise me on this issue?
Best Regards,
Sabareesh
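Added example (not part of the original post): a shell check of whether the uid and gid that krb5_child tries to switch to fall inside the user namespace's ID map, since setresuid(2)/setresgid(2) return EINVAL for an ID that has no mapping in the caller's user namespace. The function name `map_id` and the sample map are constructed here from the `uid_map` output shown above; the gid_map is assumed to carry the same ranges because /etc/subgid mirrors /etc/subuid.

```shell
#!/bin/sh
# Constructed sample: the uid_map printed above after `podman system migrate`.
# Assumption: gid_map has the same ranges (/etc/subgid matches /etc/subuid).
SAMPLE_MAP='0 1002 1
1 231072 2000000'

# map_id ID [MAPFILE]
# Reads a uid_map/gid_map ("inside-start outside-start count" per line) from
# MAPFILE or stdin. Prints the host-side ID and returns 0 when ID is covered
# by a range; prints nothing and returns 1 when ID is unmapped.
map_id() {
    awk -v id="$1" '
        NF == 3 && id + 0 >= $1 + 0 && id + 0 < $1 + $3 {
            printf "%.0f\n", $2 + (id - $1)
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    ' ${2:+"$2"}
}

# uid and gid taken from the become_user line in krb5_child.log, plus one
# small ID (1000, constructed) for contrast.
for id in 645626244 1382000513 1000; do
    if host=$(printf '%s\n' "$SAMPLE_MAP" | map_id "$id"); then
        echo "container id $id -> host id $host"
    else
        echo "container id $id is unmapped: setresuid/setresgid to it returns EINVAL"
    fi
done
```

To run the same check against the live map, call `map_id 1382000513 /proc/self/gid_map` from a shell started with `podman unshare`.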