How do I use FreeIPA for centralized authentication inside an LXC container under Proxmox?

I'd like to ask for help with a problem I've run into in my Proxmox home lab. I have a FreeIPA domain, lab.ads1031.local, which contains a user ads1031 with UID 1000001. I want to log in to an LXC container running under Proxmox as that user. The container's ID is 104.

Here's what I've done so far:

  • Put these lines in /etc/subuid on my Proxmox host:

    root:100000:65536
    root:5000000:2500000

  • Put similar lines in /etc/subgid on my Proxmox host:

    root:100000:65536
    root:5000000:2500000

  • Added these lines to /etc/pve/lxc/104.conf on my Proxmox host:

    lxc.idmap = u 5000000 5000000 2500000
    lxc.idmap = g 5000000 5000000 2500000
    lxc.idmap = u 0 100000 65536
    lxc.idmap = g 0 100000 65536

When I try to log in to the container as ads1031, I can't. I see the following messages in journalctl:

Jan 20 09:20:42 dragonegg login[91]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=ads1031
Jan 20 09:20:42 dragonegg login[91]: pam_sss(login:auth): received for user ads1031: 4 (System error)
Jan 20 09:20:44 dragonegg login[91]: FAILED LOGIN 1 FROM tty1 FOR ads1031, Authentication failure
Jan 20 09:21:02 dragonegg dbus-broker-launch[66]: Activation request for 'org.freedesktop.login1' failed.
Jan 20 09:21:02 dragonegg login[91]: pam_systemd(login:session): Failed to create session: Could not activate remote peer.

I also looked in /var/log/sssd/sssd_lab.ads1031.local for clues and found the following:

(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [krb5_auth_prepare_ccache_name] (0x1000): No ccache file for user [[email protected]] found.
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [get_server_status] (0x1000): Status of server 'dragonutil.lab.ads1031.local' is 'working'
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [get_port_status] (0x1000): Port status of port 389 for server 'dragonutil.lab.ads1031.local' is 'working'
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [get_server_status] (0x1000): Status of server 'dragonutil.lab.ads1031.local' is 'working'
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [be_resolve_server_process] (0x0200): Found address for server dragonutil.lab.ads1031.local: [10.0.0.15] TTL 1200
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [sss_domain_get_state] (0x1000): Domain lab.ads1031.local is Active
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [97]
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [child_handler_setup] (0x2000): Signal handler set up for pid [97]
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [parse_krb5_child_response] (0x0020): message too short.
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [krb5_auth_done] (0x0040): Could not parse child response [22]: Invalid argument
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [check_wait_queue] (0x1000): Wait queue for user [[email protected]] is empty.
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [krb5_auth_queue_done] (0x0040): krb5_auth_recv failed with: 22
(Mon Jan 20 09:20:42 2020) [sssd[be[lab.ads1031.local]]] [ipa_pam_auth_handler_krb5_done] (0x0040): KRB5 auth failed [22]: Invalid argument

Naturally, that led me to check krb5_child.log, where I found the following:

(Mon Jan 20 09:20:42 2020) [[sssd[krb5_child[97]]]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/[email protected]]
(Mon Jan 20 09:20:42 2020) [[sssd[krb5_child[97]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/[email protected] in keytab.
(Mon Jan 20 09:20:42 2020) [[sssd[krb5_child[97]]]] [match_principal] (0x1000): Principal matched to the sample (host/[email protected]).
(Mon Jan 20 09:20:42 2020) [[sssd[krb5_child[97]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Mon Jan 20 09:20:42 2020) [[sssd[krb5_child[97]]]] [become_user] (0x0200): Trying to become user [1000001][1000001].
(Mon Jan 20 09:20:42 2020) [[sssd[krb5_child[97]]]] [become_user] (0x0020): setresgid failed [22][Invalid argument].
(Mon Jan 20 09:20:42 2020) [[sssd[krb5_child[97]]]] [main] (0x0020): become_user failed.
(Mon Jan 20 09:20:42 2020) [[sssd[krb5_child[97]]]] [main] (0x0020): krb5_child failed!

Unfortunately, from here on I'm at a loss. I'd appreciate advice on how to proceed.

I tried adding selinux_provider=none to my /etc/sssd/sssd.conf based on this StackExchange post, but that post isn't specifically about my problem, and the steps didn't help.

This thread on servethehome.com mentions that "some minor editing of the container config file is required", but it doesn't seem to provide the necessary edit. If that edit matches what I did in /etc/pve/lxc/104.conf, then... it didn't help.

Answer 1

I solved this. It was also an ID10T problem.

Note that my user ID is 1,000,001. I was trying to map IDs starting at 5,000,000, which is greater than 1,000,000. Changing the 5 to a 1 solved the problem.
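The root cause above is easy to miss by eye: the FreeIPA UID/GID 1000001 simply falls outside every lxc.idmap range in the container config, so krb5_child's setresgid() inside the container fails with EINVAL. The following is an added example (not code from the asker, the answerer, Proxmox or FreeIPA) that parses the idmap lines from an LXC config and the root ranges from /etc/subuid and /etc/subgid, then reports whether a given container-side UID and GID is mapped and whether its host-side counterpart is actually delegated. The "before" inputs are constructed from the question; the "after" inputs assume the 5 was changed to a 1 in both the idmap lines and the sub{u,g}id entries, since the answer does not say which files were edited and the host-side range must be delegated for the mapping to be usable.

```python
# Added example (not from the original post): check whether a container-side
# UID/GID is covered by the LXC idmap and by the host's /etc/subuid and /etc/subgid.
# Sample inputs are constructed from the values in the question
# (container 104, user ads1031, UID/GID 1000001).
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class IdMap:
    kind: str         # "u" for users, "g" for groups
    ns_start: int     # first id inside the container namespace
    host_start: int   # host id that ns_start maps to
    count: int        # length of the range

    def contains_ns(self, ns_id: int) -> bool:
        return self.ns_start <= ns_id < self.ns_start + self.count

    def to_host(self, ns_id: int) -> int:
        return self.host_start + (ns_id - self.ns_start)


def parse_idmaps(conf_text: str) -> List[IdMap]:
    """Extract 'lxc.idmap = <u|g> <ns_start> <host_start> <count>' lines."""
    maps = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("lxc.idmap"):
            continue
        _, _, value = line.partition("=")
        kind, ns_start, host_start, count = value.split()
        maps.append(IdMap(kind, int(ns_start), int(host_start), int(count)))
    return maps


def parse_subid(text: str, owner: str = "root") -> List[Tuple[int, int]]:
    """Return the (start, count) ranges delegated to `owner` in /etc/subuid or /etc/subgid."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        if user == owner:
            ranges.append((int(start), int(count)))
    return ranges


def check_id(kind: str, ns_id: int, idmaps: List[IdMap],
             subid_ranges: List[Tuple[int, int]]) -> Tuple[bool, str]:
    """Mirror what the kernel and LXC will accept: the id must fall inside an
    lxc.idmap range of the right kind, and the host-side id it maps to must lie
    inside a range delegated in /etc/sub{u,g}id. Returns (ok, reason)."""
    for m in idmaps:
        if m.kind == kind and m.contains_ns(ns_id):
            host_id = m.to_host(ns_id)
            if any(s <= host_id < s + c for s, c in subid_ranges):
                return True, f"{kind}id {ns_id} -> host {host_id} (delegated)"
            return False, f"{kind}id {ns_id} -> host {host_id} is outside /etc/sub{kind}id"
    return False, f"{kind}id {ns_id} is not covered by any lxc.idmap {kind} line"


# Constructed from the question: the host's subuid/subgid and container 104's
# config before the fix. The second range starts at 5,000,000, above the FreeIPA id.
SUBID_BEFORE = "root:100000:65536\nroot:5000000:2500000\n"
CONF_BEFORE = """\
lxc.idmap = u 5000000 5000000 2500000
lxc.idmap = g 5000000 5000000 2500000
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""

# After the fix described in the answer ("change the 5 to a 1"). Assumption: the
# change is applied to the idmap lines and to subuid/subgid alike.
SUBID_AFTER = "root:100000:65536\nroot:1000000:2500000\n"
CONF_AFTER = CONF_BEFORE.replace("5000000 5000000", "1000000 1000000")

FREEIPA_ID = 1000001  # UID and primary GID of ads1031 in the question


def report(conf_text: str, subuid: str, subgid: str, uid: int, gid: int) -> dict:
    """Check both sides; krb5_child needs the user AND the group mapping, and the
    failure in the question was setresgid(), i.e. the group side."""
    idmaps = parse_idmaps(conf_text)
    return {
        "uid": check_id("u", uid, idmaps, parse_subid(subuid)),
        "gid": check_id("g", gid, idmaps, parse_subid(subgid)),
    }


if __name__ == "__main__":
    for label, conf, subid in (("before", CONF_BEFORE, SUBID_BEFORE),
                               ("after", CONF_AFTER, SUBID_AFTER)):
        for side, (ok, why) in report(conf, subid, subid, FREEIPA_ID, FREEIPA_ID).items():
            print(f"{label:6} {side}: {'OK  ' if ok else 'FAIL'} {why}")
```

Running it on a real host means feeding `report()` the contents of /etc/pve/lxc/<vmid>.conf, /etc/subuid and /etc/subgid plus the UID and GID that `id <user>` reports on the FreeIPA server. The half-fixed case (idmap changed, subuid not) is worth checking too: the function flags it as "outside /etc/subuid", which is the configuration LXC would refuse at container start.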
