ID mapping for AD/LDAP users in instances

System Version: 25.04.1

My goal: Allow AD users in LXC to write to disk mounted to instance based on ACLs defined in TrueNAS host.

Key config: (screenshots, not reproduced here)
So, to summarise those screenshots, I have configured AD in TrueNAS. I have built a user in my AD, and given that user rwx permissions to a dataset via the ACL editor in TrueNAS. I have mounted that dataset to my instance (running Debian 12), joined the instance to the domain via realmd, and adjusted the sssd.conf file to map the uid/gids exactly as is configured (by default) in TrueNAS. That is, my pbsbackup@DOMAIN user has the same UID in both TrueNAS and my domain member instance LXC.

Now, when I attempt to map the uid to the instance:

“[EPERM] Users provided by a directory service must be modified through the identity provider (LDAP server or domain controller).”

I’m still a novice when it comes to id mapping, LXCs, and Linux in general, so maybe my approach here isn’t ideal. Firstly, is what I’m trying to do logical, or even possible? If not, what are the recommended steps to achieve what I’m aiming for here? Is there a solution that avoids having to mount SMB/NFS shares into the instance?
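As an added example (not from the original post, and not TrueNAS or sssd code), the check I would run before debugging anything else: the dataset ACL is enforced on numeric UIDs, so the user must resolve to the same UID on the TrueNAS host and inside the instance, and that UID should be the one the host's idmap produces. This assumes TrueNAS is using its RID idmap backend with the default Range Low of 100000001 (uid = RID + Range Low, as in Samba's idmap_rid), and the SID, user name and environment variables below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (also stated in the
# lead-in): TrueNAS maps AD users with the RID backend, uid = RID + RANGE_LOW,
# with RANGE_LOW defaulting to 100000001. SIDs/UIDs below are constructed.

RANGE_LOW="${RANGE_LOW:-100000001}"

# Last component of an objectSid string is the RID.
sid_rid() {
    sid="$1"
    printf '%s\n' "${sid##*-}"
}

# UID the host's RID backend would assign for this SID (base_rid 0).
sid_to_uid() {
    sid="$1"
    low="${2:-$RANGE_LOW}"
    rid=$(sid_rid "$sid")
    printf '%s\n' $((rid + low))
}

# 0 when host UID, instance UID and the UID implied by the SID all agree.
# Any disagreement means the instance user is not the principal the ACL
# actually grants, however the names look.
check_mapping() {
    name="$1"; sid="$2"; host_uid="$3"; guest_uid="$4"
    expected=$(sid_to_uid "$sid")
    if [ "$host_uid" = "$expected" ] && [ "$guest_uid" = "$expected" ]; then
        echo "OK: $name -> uid $expected on host and in instance"
        return 0
    fi
    echo "MISMATCH: $name expected $expected, host=$host_uid, instance=$guest_uid" >&2
    return 1
}

# Constructed sample: RID 1104 in a made-up domain SID.
SAMPLE_SID="S-1-5-21-1111111111-2222222222-3333333333-1104"

# Live use (hypothetical variables): run inside the instance with
#   CHECK_USER='pbsbackup@DOMAIN'
#   USER_SID=<objectSid of that user from AD>
#   HOST_UID=<output of `id -u 'pbsbackup@DOMAIN'` on the TrueNAS host>
if [ -n "${CHECK_USER:-}" ] && [ -n "${USER_SID:-}" ] && [ -n "${HOST_UID:-}" ]; then
    check_mapping "$CHECK_USER" "$USER_SID" "$HOST_UID" "$(id -u "$CHECK_USER")"
fi
```

If the three numbers agree and writes still fail, the problem is not the ID mapping but how the dataset is exposed to the instance; if they disagree, fix the sssd-side mapping range before touching ACLs, since a UID collision with a different host account would silently grant that account's rights instead.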

My understanding of this is that you’re not expected to be able to idmap AD users for instances. This is due to design decisions around how far to integrate the host and containers. You’d need to use a local user account.