On Wed, Nov 15, 2023 at 11:11:44AM +0200, Alexander Bokovoy via FreeIPA-users 
wrote:
> On Wed, 15 Nov 2023, Sam Morris via FreeIPA-users wrote:
> > I've just installed a Fedora 39 system and joined it to my IPA domain.
> > 
> > I've found that when an IPA user connects with SSH, they can't launch
> > podman rootless containers, nor can they create scope units.
> > 
> > Local users are unaffected, hence I thought I'd post here in the hope
> > that someone else can reproduce the error and/or can suggest additional
> > troubleshooting steps.
> 
> Do you have subordinate IDs allocated for these IPA users?
> 
> This works for me:
> 
> $ cat /etc/redhat-release
> Fedora release 39 (Thirty Nine)
> $ sudo authselect current
> Profile ID: sssd
> Enabled features:
> - with-sudo
> - with-mkhomedir
> - with-subid
> - with-gssapi
> $ grep subid /etc/nsswitch.conf
> subid:      sss
> $ ipa subid-find --owner abokovoy
> ------------------------
> 1 subordinate id matched
> ------------------------
>   Unique ID: ad0dad02-99bf-43ef-8594-d8cd20be882b
>   Owner: abokovoy
>   SubUID range start: 2147483648
>   SubUID range size: 65536
>   SubGID range start: 2147483648
>   SubGID range size: 65536
> ----------------------------
> Number of entries returned 1
> ----------------------------
> $ systemd-run --user --scope echo hello
> Running scope as unit: run-r6261964e99b24d22a61a033ac7bdb461.scope
> hello
> 
> And in the journal I see:
> 
> systemd[2471]: Started run-r6261964e99b24d22a61a033ac7bdb461.scope - 
> /usr/bin/echo hello.
> 
> podman also works with the systemd-based containers in rootless mode.

Thanks. My configuration is exactly the same as yours: subid NSS module
enabled and I have a subid range configured for my user.

I just created a new IPA user in order to troubleshoot this and
systemd-run --user --scope works for the new user!

So there is some difference between my main user and a freshly created
user that prevents podman and systemd-run --user --scope from
working.

I'll update <https://bugzilla.redhat.com/show_bug.cgi?id=2249514> with
this info...

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
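Added example, not code from either message in the thread: a small POSIX shell diagnostic that encodes the three preconditions Alexander's reply checks by hand (the `subid` NSS database served by `sss`, the authselect `with-subid` feature, and a subordinate UID/GID range of at least 65536 IDs for the user). Each check is a function of its input text, so it runs here against constructed samples and can also be pointed at a live host with `--live`. The script name `subid_check.sh` is hypothetical; `getsubids` (shadow-utils) is assumed to be installed, and `authselect current` needs root, so the live mode expects to be run under sudo.

```shell
#!/bin/sh
# subid_check.sh (hypothetical name): diagnostic for rootless podman /
# systemd-run --user --scope failures on an SSSD/IPA client. Added example,
# not from the mailing-list thread.

# Does nsswitch.conf route the "subid" database through sss?
# $1 = full text of /etc/nsswitch.conf
nsswitch_subid_uses_sss() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*subid:[[:space:]]+([^#]*[[:space:]])?sss([[:space:]]|$)'
}

# Is the authselect "with-subid" feature enabled?
# $1 = full text of `authselect current`
authselect_has_subid() {
    printf '%s\n' "$1" | grep -q '^- with-subid$'
}

# Does the user own at least one subordinate range of $2 (default 65536) IDs?
# $1 = full text of `getsubids USER` or `getsubids -g USER`;
#      each line looks like "0: user 2147483648 65536" (index, owner, start, count)
subid_range_ok() {
    min=${2:-65536}
    printf '%s\n' "$1" | awk -v min="$min" '
        $1 ~ /^[0-9]+:$/ && $4 ~ /^[0-9]+$/ && $4+0 >= min+0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Combined verdict: returns 0 only when all preconditions hold, otherwise
# prints the first failing one and returns 1.
# $1 nsswitch text, $2 authselect text, $3 getsubids text, $4 getsubids -g text
subid_preconditions_ok() {
    nsswitch_subid_uses_sss "$1" || { echo "subid database is not served by sss"; return 1; }
    authselect_has_subid "$2"   || { echo "authselect feature with-subid is not enabled"; return 1; }
    subid_range_ok "$3"         || { echo "no subuid range of at least 65536 IDs"; return 1; }
    subid_range_ok "$4"         || { echo "no subgid range of at least 65536 IDs"; return 1; }
    echo "ok: subid preconditions for rootless containers are satisfied"
}

# Live mode: gather the real inputs for the invoking user (run under sudo
# because `authselect current` requires root).
run_live_checks() {
    user=${SUDO_USER:-$(id -un)}
    subid_preconditions_ok "$(cat /etc/nsswitch.conf)" \
                           "$(authselect current 2>/dev/null)" \
                           "$(getsubids "$user" 2>/dev/null)" \
                           "$(getsubids -g "$user" 2>/dev/null)"
}

# Constructed samples (not captured from the hosts in the thread).
GOOD_NSS='passwd:     sss files systemd
subid:      sss'
BAD_NSS='passwd:     sss files systemd
subid:      files'
GOOD_AUTHSELECT='Profile ID: sssd
Enabled features:
- with-sudo
- with-mkhomedir
- with-subid
- with-gssapi'
GOOD_RANGE='0: abokovoy 2147483648 65536'
SHORT_RANGE='0: someone 2147483648 1000'
EMPTY_RANGE=''

if [ "${1:-}" = "--live" ]; then
    run_live_checks
else
    echo "sample host with a correct configuration:"
    subid_preconditions_ok "$GOOD_NSS" "$GOOD_AUTHSELECT" "$GOOD_RANGE" "$GOOD_RANGE"
    echo "sample host whose subid database is served by files only:"
    subid_preconditions_ok "$BAD_NSS" "$GOOD_AUTHSELECT" "$GOOD_RANGE" "$GOOD_RANGE" || :
fi
```

A passing verdict only establishes that the subordinate-ID plumbing is in place; as the follow-up in the thread shows, a user can satisfy all three checks and still be unable to create scope units, so a mismatch between a freshly created user and an existing one points at per-user state rather than at these host-wide settings.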
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
