Skip to content.

A Note About Website Navigation

Skip to main menu.

For users of screen readers, depending on the screen resolution, the two checkboxes are for opening and closing the side menus that appear to the left and right side of the screen. This is designed both for large screens and for mobile devices with a touch screen. Checking either the main menu or sidebar checkboxes causes the menu to open from the left or right side of the screen, respectively. Clearing the checkox in either the main menu or sidebar closes the menu. The checkboxes are visible to screen readers such as JAWS and NVDA for Windows, Voiceover for Mac, and Orca screen reader for Linux. When a screen reader says "clickable" for both main menu and sidebar, that is for the respective checkboxes. End of explaination.

Viewing Single Blog Post

Pro Tip for Proxmox Users: Using Linux Containers (LXC) For Testing The Ability To Join Linux to an Active Directory?

Short Version

When creating Linux containers for the purpos of joining them to an Active Directory Domain Controller, make sure the checkbox after the "Unprivileged Container" is unchecked. The "unprivileged container" checkbox is after the "Hostname" edit box. Unprivileged Linux containers won't be able to join to an Active Directory. Essentially, I forgot to uncheck the "Unprivileged Container" and wasted hours of my time, but I consider time well spent when learning the hard way.

Proxmox has "Unprivileged Container" checked by default when creating a new Linux container. That option cannot be changed once a Linux container is created, so the Linux container will have to be deleted in order to start from scratch with "Unprivileged Container" unchecked.

Skip ahead to Long Version section for more details.

Who Is This Article For?

This article is for anyone who has experience with Proxmox. Proxmox is a Linux distribution and it comes with a web interface for running and managing virtual machines and Linux containers. This link will take you to the web page that explains how virtual machines and Linux containers work. The "long version" also mentions SSSD when I was troubleshooting issues while attempting to log into an Active Directory. System Security Services Daemon (SSSD, for short) is what enrolls a Linux client to an Active Directory. A "daemon" in Linux is another name for "services" in Windows that runs in the background. This article is intended for advanced Linux users only.

Long Version

I wanted to see if I can implement Active Directory functionality without needing Windows Server operating system. A software called "Samba" lets me do just that, so I followed instructions on getting Samba's Active Directory Domain Controller (AD-DC, for short) up and running. I set this up in a privileged Linux container. The reason why Linux containers need to have privileges is because when I did a search for "setresgid failed [22][Invalid argument]" (without quotes) in StartPage, I came across a page in GitHub titled Cannot log in with Active Directory users via SSSD on Proxmox #3153. That was when I created a new Linux container and I forgot to uncheck the "Unprivileged Container" checkbox. I did a lot of troubleshooting when I looked into /var/log/sssd/sssd_graysonpeddie.lan.log and /var/log/sssd/krb5_child.log. graysonpeddie.lan is my local domain name for my home network. This web page explains how to setup a Linux client for joining to a Samba domain. From what I have learned, if I execute an id command in my Linux client:

gpeddie@ubuntu-desktop1:~$ id
uid=1451201106(gpeddie) gid=1451201104(grayson peddie) groups=1451201104(grayson peddie),1451200513(domain users)

According to the GitHub page that I linked earlier, the maximum user ID and group ID (UID and GID for short) is 65536 for an unprivileged Linux container. Within the issue page, the max UID and GID can be changed to 1000000000 or something higher. However, as this is for experienced Linux users who know the inner workings of Linux containers, the moral of the story is that "Unprivileged Container" needs to be unchecked in order for domain joining to work.

Warning

Bear in mind that privileged containers are not safe for businesses when it comes to attackers exploiting privileged Linux containers. And yes, it's all about vulnerabilities and exploits when it comes to escaping Linux containers and causing damage to the host; however, for homelab purposes, a privileged Linux container is fine for my needs. If you are concerned about the security of Linux containers, spin up virtual machines instead of Linux containers in Proxmox. Of course, depending on your security hygiene, virtual machines can be as unsafe as privileged and unprivileged Linux containers if you do not have security precautions in place. For more details, learn more about privileged and unprivileged containers.

Article published: 2022-09-22 06:27

Categories: The World of Computers, Computers, Information Technology,

About Grayson Peddie

Hello! I am a web developer and I have a passion for the world of Information Technology. I currently hold 4 CompTIA certificates (A+, Network+, Security+, and CySA+) including Cisco's CCNA (Cisco Certified Network Associate) certificate. Speaking of web development, I am a web accessibility enthusiast. I make sure that users of screen readers and keyboard users who cannot use a mouse can be able to access my website with just only the keyboard. Plus, I have learned a whole lot about Web Content Accessibility Guidelines.

So what are my hobbies? Aside from web development, I watch Star Trek: The Next Generation from time to time during the nights. I listen to music from the likes of David Arkenstone, Yanni, Checkfield, Cucso, Looreena McKennitt, Clannad, 2002, Enya, and even soundtrack from EPCOT Center (1982-1994), Tomorrowland, WALL-E, and TRON: Legacy. Oh, yes! Tomorrowland, TRON: Legacy, and WALL-E are the three movies I watch during Friday nights and every Friday night is my pizza night. I'm an optimist who likes to see what kind of future the world would look like. That's why I follow The Venus Project on Twitter (here's the website to The Venus Project. I do have a lot to cover in my introductory article in my website, so if you want to go in-depth and know more about me, that is the article to visit.