Hello Robert
I found a new way:
set owner root on file /usr/sbin/sshd
set the SUID bit (chmod 4755) on file /usr/sbin/sshd
start the SSH daemon with /usr/sbin/sshd
But I have another problem: if I stop the iris-container, IRIS is not really shut down (files: database.lck are still there).
Hello Robert
I can say it is not a bad idea. I have done this at a customer because they still use a terminal application. I have also included Kerberos and use the same userid as the host (create the Kerberos user in the docker user database with the same uid) for each terminal user. So you have the userid on the host, in the docker and in IRIS (cached Kerberos login and authorization over LDAPS).
The benefits of this configuration:
.) the cached Kerberos ticket is only in the container
.) all file and system access is done with one userid (security)
.) in case the user gets a shell (which should not be possible in my setup), the user is still in the container shell and not in the host shell
In my setup IRIS is still running as irisowner and I start the SSH server outside with docker exec (I haven't found a better solution yet).
I use Kerberos authentication. All users have one shared Home$ in the docker file. So the footprint in docker is very small and only the databases are outside (bind mount), so I think it is more secure than using ssh on the host for the chui application (cached Kerberos tickets are in the container).