Hello Robert

I can say it is not a bad idea. I have done this for a customer because they still use a terminal application. I have also included Kerberos and use the same user id as on the host (create the Kerberos user in the Docker user database with the same uid) for each terminal user. So you have the same user id on the host, in the Docker container and in IRIS (cached Kerberos login and authorization over LDAPS).

The benefits of this configuration:

.) the cached Kerberos ticket is only in the container

.) all file and system access is done with one user id (security)

.) in case the user gets a shell (which should not be possible in my setup), the user is still in the container shell and not in the host shell

In my setup IRIS is still running as irisowner and I start the SSH server from outside with docker exec (I haven't found a better solution yet).