Podman and SSSD + setresgid failed [22][Invalid argument]

[sabareesh15]

I have an environment as below.

VM Host + Podman + MariaDB Inside Podman
I have added the VM host to the domain I can confirm all AD operations are working (like Authentication, Group Memberships (id and getent). Then while creating the podman container, I also mounted /var/lib/sss mount point, so that inside the container, the group membership commands (id and getent) are working. But the authentication is failing with below error.

[mysql@m86zxa41b ~]$ mysql -u psvijay1@<domain.com>
[mariadb] Password:
ERROR 1045 (28000): Access denied for user 'psvijay1@<domain.com>'@'localhost' (using password: NO)

[root@m86zxa50c mysql]# cat /etc/pam.d/mysql

auth required pam_sss.so
auth requisite pam_user_map.so audit debug
account sufficient pam_sss.so
account required pam_permit.so audit debug

From /var/lib/sssd/krb5_child.log file:

(2024-11-08 12:07:15): [krb5_child[149]] [unpack_buffer] (0x0100): [RID#4] cmd [241 (auth)] uid [645626244] gid [1382000513] validate [true] enterprise principal [true] offline [false] UPN [psvijay1@]
(2024-11-08 12:07:15): [krb5_child[149]] [unpack_buffer] (0x2000): [RID#4] No old ccache
(2024-11-08 12:07:15): [krb5_child[149]] [unpack_buffer] (0x0100): [RID#4] ccname: [FILE:/tmp/krb5cc_645626244_XXXXXX] old_ccname: [not set] keytab: [not set]
(2024-11-08 12:07:15): [krb5_child[149]] [check_keytab_name] (0x0400): [RID#4] Missing krb5_keytab option for domain, looking for default one
(2024-11-08 12:07:15): [krb5_child[149]] [check_keytab_name] (0x0400): [RID#4] krb5_kt_default_name() returned: FILE:/etc/krb5.keytab
(2024-11-08 12:07:15): [krb5_child[149]] [check_keytab_name] (0x0400): [RID#4] krb5_child will default to: /etc/krb5.keytab
(2024-11-08 12:07:15): [krb5_child[149]] [check_use_fast] (0x0100): [RID#4] Not using FAST.
(2024-11-08 12:07:15): [krb5_child[149]] [k5c_precreate_ccache] (0x4000): [RID#4] Recreating ccache
(2024-11-08 12:07:15): [krb5_child[149]] [become_user] (0x0200): [RID#4] Trying to become user [645626244][1382000513].
(2024-11-08 12:07:15): [krb5_child[149]] [become_user] (0x0020): [RID#4] setresgid failed [22][Invalid argument].
(2024-11-08 12:07:15): [krb5_child[149]] [main] (0x0020): [RID#4] become_user failed.
(2024-11-08 12:07:15): [krb5_child[149]] [main] (0x0020): [RID#4] krb5_child failed!

[root@m86zxa41a ~]# cat /etc/subuid
admin1a:100000:65536
ct4tagnt:165536:65536
dbanhn40dev:231072:2000000 --> The container is running under this user
#dbanhn42dev:296608:65536

[root@m86zxa41a ~]#
[root@m86zxa41a ~]#
[root@m86zxa41a ~]# cat /etc/subgid
admin1a:100000:65536
ct4tagnt:165536:65536
dbanhn40dev:231072:2000000 --> The container is running under this user
#dbanhn42dev:296608:65536

[dbanhn40dev@m86zxa41a ~]$ podman unshare cat /proc/self/uid_map
0 1002 1
1 231072 65536

So I got to know the uid/gid limit issue, so I tried to change these ranges as below, but no luck.

[dbanhn40dev@m86zxa41a ~]$
[dbanhn40dev@m86zxa41a ~]$ podman system migrate
stopped d094483eb20f79ca059aab7af77d5998e88b041a4ccfdc4d3629266405e89829
[dbanhn40dev@m86zxa41a ~]$
[dbanhn40dev@m86zxa41a ~]$
[dbanhn40dev@m86zxa41a ~]$ podman ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d094483eb20f repository.adp.net:5002/mdb-es/him-tst:2.6 /usr/lib/systemd/... 46 hours ago Up 6 seconds nhn40dev-mariadb
[dbanhn40dev@m86zxa41a ~]$ podman unshare cat /proc/self/uid_map
0 1002 1
1 231072 2000000
[dbanhn40dev@m86zxa41a ~]$

Can you please suggest me on this issue ?

Best Regards,
Sabareesh

[Luap99]

looks like it needs access to gid 1,382,000,513, but you only added 2,000,000 gids to the mapping.

[sabivijayan]

looks like it needs access to gid 1,382,000,513, but you only added 2,000,000 gids to the mapping.

Thank you @Luap99, with the new limit (1,382,000,513) in /etc/subgid, its is working as expected !