Chapter 39. Managing subID ranges manually

In a containerized environment, sometimes an IdM user needs to assign subID ranges manually. The following instructions help you to manage the subID ranges.

39.1. Generating subID ranges using IdM CLI

As an Identity Management (IdM) administrator, you can generate a subID range and assign it to IdM users.

Prerequisites

  • The IdM users exist.
  • You have obtained an IdM admin ticket-granting ticket (TGT). See Using kinit to log in to IdM manually for more details.
  • You have root access to the IdM host where you are executing the procedure.

Procedure

  1. Check for existing subID ranges:

    # ipa subid-find
  2. If a subID range does not exist, select one of the following options:

    • Generate and assign a subID range to an IdM user:

      # ipa subid-generate --owner=idmuser
      
      Added subordinate id "359dfcef-6b76-4911-bd37-bb5b66b8c418"
      
        Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
        Description: auto-assigned subid
        Owner: idmuser
        SubUID range start: 2147483648
        SubUID range size: 65536
        SubGID range start: 2147483648
        SubGID range size: 65536
    • Generate and assign subID ranges to all IdM users:

      # /usr/libexec/ipa/ipa-subids --all-users
      
      Found 2 user(s) without subordinate ids
        Processing user 'user4' (1/2)
        Processing user 'user5' (2/2)
      Updated 2 user(s)
      The ipa-subids command was successful
  3. [Optional] Assign subID ranges to new IdM users by default:

    # ipa config-mod --user-default-subid=True

Verification

  1. Verify that the user has a subID range assigned:

    # ipa subid-find --owner=idmuser
    
    1 subordinate id matched
    
      Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
      Owner: idmuser
      SubUID range start: 2147483648
      SubUID range size: 65536
      SubGID range start: 2147483648
      SubGID range size: 65536
    
    Number of entries returned 1

39.2. Generating subID ranges using IdM WebUI interface

You can generate a subID range and assign it to a user in the IdM WebUI interface.

Prerequisites

Procedure

  1. In the IdM WebUI interface, expand the Subordinate IDs tab and choose the Subordinate IDs option.
  2. When the Subordinate IDs interface appears, click the Add button in the upper-right corner of the interface. The window “Add subid” appears.
  3. In the “Add subid” window, choose an owner, that is, the user to whom you want to assign a subID range.
  4. Click the Add button.

Verification

  1. Check the table under the Subordinate IDs tab. A new record should appear, and its owner should be the user to whom you assigned the subID range.

39.3. Managing existing subID ranges using IdM CLI

You can search for subID ranges and display information about a particular one if needed. The following examples assume that the user jsmith exists on an IdM server.

Prerequisites

  • An IdM user exists.

Procedure

  1. To display the details of a subID range when you know its unique ID hash, enter the following command:

    # ipa subid-show 359dfcef-6b76-4911-bd37-bb5b66b8c418
    
      Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
      Owner: jsmith
      SubUID range start: 2147483648
      SubUID range size: 65536
      SubGID range start: 2147483648
      SubGID range size: 65536
  2. To find the details for the subID range when you have a subID from that range, you can use the following command:

    # ipa subid-match --subuid=2147483648
    
    1 subordinate id matched
    
      Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
      Owner: uid=jsmith
      SubUID range start: 2147483648
      SubUID range size: 65536
      SubGID range start: 2147483648
      SubGID range size: 65536
    
    Number of entries returned 1
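
The following is an added example, not part of the product documentation: a POSIX shell audit that reads text in the `ipa subid-find` output format shown above and reports owners whose subUID ranges overlap, because users who share subordinate IDs are not isolated from each other's container-owned files. The function names and the user4/user5 ranges are assumptions constructed for illustration.

```shell
# Added example, not from the product documentation: flag owners whose subUID
# ranges overlap, reading `ipa subid-find`-style text on standard input.
subuid_ranges() {   # emits one "start end owner" line per record
  owner='' start=''
  while IFS=: read -r key value; do
    value="${value# }"
    case "$key" in
      *Owner) owner="${value#uid=}" ;;  # subid-match prints "uid=<name>"
      *"SubUID range start"|*"SubUID range size")
        # Accept digits only so untrusted text never reaches $(( )).
        case "$value" in ''|*[!0-9]*) start=''; continue ;; esac
        case "$key" in
          *start) start="$value" ;;
          *) [ -z "$start" ] || echo "$start $(($start + $value - 1)) $owner"
             start='' ;;
        esac ;;
    esac
  done
}

# Sort by range start, then compare each start with the highest end seen so far.
find_subuid_overlaps() {
  subuid_ranges | sort -n | {
    prev_end=-1 prev_owner=''
    while read -r start end owner; do
      if [ "$start" -le "$prev_end" ]; then echo "OVERLAP $prev_owner $owner"; fi
      if [ "$end" -gt "$prev_end" ]; then prev_end=$end; prev_owner=$owner; fi
    done
  }
}

# Constructed sample: the jsmith range is the one shown above; user4, user5 and
# their ranges are made up, and the unused Unique ID and SubGID lines are omitted.
sample_subid_output() {
  cat <<'EOF'
  Owner: user5
  SubUID range start: 2147600000
  SubUID range size: 65536
  Owner: uid=jsmith
  SubUID range start: 2147483648
  SubUID range size: 65536
  Owner: user4
  SubUID range start: 2147549184
  SubUID range size: 65536
EOF
}

sample_subid_output | find_subuid_overlaps   # prints: OVERLAP user4 user5
```

On an IdM host, pipe the real output into the function instead of the sample: `ipa subid-find | find_subuid_overlaps`.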

39.4. Listing subID ranges using the getsubids command

To list the subID ranges of a user in an IdM environment, for example user1, follow the instructions below.

Prerequisites

  • The user1 exists in IdM.
  • The shadow-utils-subid package is installed.

Procedure

  1. Add the subid: sss record to the /etc/nsswitch.conf file.

    Note that you can provide only one value for the subid field. Setting the subid field to the sss value tells the utils to use the subID ranges from the IdM settings. The file value or no value sets the utils to use the subID ranges from the /etc/subuid and /etc/subgid files.

  2. List the subID range for a user:

    # getsubids user1
    0: user1 2147483648 65536