Menu Close

Chapter 29. Managing subID ranges manually

In a containerized environment, sometimes an IdM user needs to assign subID ranges manually. The following instructions help you to manage the subID ranges.

29.1. Generating subID ranges using IdM CLI

You can generate a subID range and assign it to a user manually. Assuming, the username jsmith exists on an ipa server.

Prerequisites

Procedure

  1. Check for existing subID ranges:

    # ipa subid-find

  2. In case the subID range does not exist, generate and assign the new subID range to a user by entering the following command:

    # ipa subid-generate --owner=jsmith
    
    Added subordinate id "359dfcef-6b76-4911-bd37-bb5b66b8c418"
    
      Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
      Description: auto-assigned subid
      Owner: jsmith
      SubUID range start: 2147483648
      SubUID range size: 65536
      SubGID range start: 2147483648
      SubGID range size: 65536
  3. Alternatively, generate and assign the new subID ranges to all users:

    # /usr/libexec/ipa/ipa-subids --all-users
    
    Found 2 user(s) without subordinate ids
      Processing user 'user4' (1/2)
      Processing user 'user5' (2/2)
    Updated 2 user(s)
    The ipa-subids command was successful

Note, that to assign subID ranges to the new IdM users by default, enable the following option:

# ipa config-mod --user-default-subid=True

Verification

  1. To verify if the user has the subID range assigned, enter the following command:

    # ipa subid-find --owner=jsmith
    
    1 subordinate id matched
    
      Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
      Owner: jsmith
      SubUID range start: 2147483648
      SubUID range size: 65536
      SubGID range start: 2147483648
      SubGID range size: 65536
    
    Number of entries returned 1

29.2. Generating subID ranges using IdM WebUI interface

You can generate a subID range and assign it to a user in the IdM WebUI interface.

Prerequisites

Procedure

  1. In the IdM WebUI interface expand the Subordinate IDs tab and choose Subordinate IDs option.
  2. When the Subordinate IDs interface appears, click the Add button in the top-right corner of the interface. The window “Add subid” appears.
  3. In the window “Add subid” choose an owner, which is the user you want to assign a subID range.
  4. Click the Add button.

Verification

  1. Check the table under the Subordinate IDs tab. A new record should appear and the owner is the user to which you assign the subID range.

29.3. Managing existing subID ranges using IdM CLI

You can search for subID ranges and display information about particular one if needed. Assuming, the username jsmith exists on an ipa server.

Prerequisites

  • An IdM user exists.

Procedure

  1. To display the details about subID range when you know a unique ID hash, enter the following command:

    # ipa subid-show 359dfcef-6b76-4911-bd37-bb5b66b8c418
    
      Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
      Owner: jsmith
      SubUID range start: 2147483648
      SubUID range size: 65536
      SubGID range start: 2147483648
      SubGID range size: 65536
  2. To find the details for the subID range when you have a subID from that range, you can use the following command:

    # ipa subid-match --subuid=2147483648
    
    1 subordinate id matched
    
      Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
      Owner: uid=jsmith
      SubUID range start: 2147483648
      SubUID range size: 65536
      SubGID range start: 2147483648
      SubGID range size: 65536
    
    Number of entries returned 1

29.4. Listing subID ranges using the getsubid command

To list the subID ranges, for example, for the user1 in IdM environment, follow the instruction below.

Prerequisites

  • The user1 exists in IdM.
  • The shadow-utils-subid package is installed.

Procedure

  1. Include subid: sss record into /etc/nsswitch.conf file.

    Note that you can provide only one value for the subid field. Setting the subid field to the sss value tells the utils to use the subID ranges from the IdM settings. The file value or no value sets the utils to use the subID ranges from the /etc/subuid and /etc/subgid files.

  2. List the subID range for a user:

    # getsubids user1
    0: user1 2147483648 65536