Chapter 37. Managing subID ranges manually
In a containerized environment, sometimes an IdM user needs to assign subID ranges manually. The following instructions help you to manage the subID ranges.
37.1. Generating subID ranges using IdM CLI
You can generate a subID range and assign it to a user manually. This procedure assumes that the username jsmith exists on an ipa server.
Prerequisites
- IdM user exists.
- Valid Kerberos ticket is obtained. See Logging in to IdM in the Web UI: Using a Kerberos ticket for more details.
- root privileges.
Procedure
Check for existing subID ranges:

# ipa subid-find

If the subID range does not exist, generate and assign the new subID range to a user by entering the following command:

# ipa subid-generate --owner=jsmith
Added subordinate id "359dfcef-6b76-4911-bd37-bb5b66b8c418"
Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
Description: auto-assigned subid
Owner: jsmith
SubUID range start: 2147483648
SubUID range size: 65536
SubGID range start: 2147483648
SubGID range size: 65536

Alternatively, generate and assign the new subID ranges to all users:

# /usr/libexec/ipa/ipa-subids --all-users
Found 2 user(s) without subordinate ids
Processing user 'user4' (1/2)
Processing user 'user5' (2/2)
Updated 2 user(s)
The ipa-subids command was successful

Note that to assign subID ranges to new IdM users by default, enable the following option:

# ipa config-mod --user-default-subid=True
Verification
To verify if the user has the subID range assigned, enter the following command:

# ipa subid-find --owner=jsmith
1 subordinate id matched
Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
Owner: jsmith
SubUID range start: 2147483648
SubUID range size: 65536
SubGID range start: 2147483648
SubGID range size: 65536
Number of entries returned 1
37.2. Generating subID ranges using IdM WebUI interface
You can generate a subID range and assign it to a user in the IdM WebUI interface.
Prerequisites
- An IdM user exists.
- Valid Kerberos ticket is obtained. See Logging in to IdM in the Web UI: Using a Kerberos ticket for more details.
- root privileges.
Procedure
- In the IdM WebUI interface, expand the Subordinate IDs tab and choose the Subordinate IDs option.
- When the Subordinate IDs interface appears, click the Add button in the upper-right corner of the interface. The window “Add subid” appears.
- In the window “Add subid”, choose an owner, which is the user you want to assign a subID range to.
- Click the Add button.
Verification
- Check the table under the Subordinate IDs tab. A new record should appear, and its owner is the user to which you assigned the subID range.
37.3. Managing existing subID ranges using IdM CLI
You can search for subID ranges and display information about a particular one if needed. This procedure assumes that the username jsmith exists on an ipa server.
Prerequisites
- An IdM user exists.
Procedure
To display the details about a subID range when you know its unique ID hash, enter the following command:

# ipa subid-show 359dfcef-6b76-4911-bd37-bb5b66b8c418
Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
Owner: jsmith
SubUID range start: 2147483648
SubUID range size: 65536
SubGID range start: 2147483648
SubGID range size: 65536

To find the details for the subID range when you have a subID from that range, you can use the following command:

# ipa subid-match --subuid=2147483648
1 subordinate id matched
Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
Owner: uid=jsmith
SubUID range start: 2147483648
SubUID range size: 65536
SubGID range start: 2147483648
SubGID range size: 65536
Number of entries returned 1
37.4. Listing subID ranges using the getsubids command
To list the subID ranges of a user in an IdM environment, for example user1, follow the instructions below.
Prerequisites
- The user1 exists in IdM.
- The shadow-utils-subid package is installed.
Procedure
Include the subid: sss record in the /etc/nsswitch.conf file.

Note that you can provide only one value for the subid field. Setting the subid field to the sss value tells the utils to use the subID ranges from the IdM settings. The file value or no value sets the utils to use the subID ranges from the /etc/subuid and /etc/subgid files.

List the subID range for a user:

# getsubids user1
0: user1 2147483648 65536
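The following check is an added example, not part of the original documentation. It reports which subID source an nsswitch.conf-style file selects under the one-value rule described above, and lists owners in a local /etc/subuid-style file whose entries are not consulted while sss is the source. The function names subid_source and ignored_local_ranges are hypothetical, and the script assumes the local-files value is spelled files, as for other nsswitch.conf databases.

```shell
# Added example, not from the original documentation.
# Assumption: the local-files source is spelled "files" in nsswitch.conf.

# subid_source CONF: print the effective subID source ("sss" or "files")
# for an nsswitch.conf-style file. Prints "invalid" and returns 1 when the
# subid field carries more than one value or an unrecognised value.
subid_source() {
    # Drop comments, then keep only what follows "subid:".
    set -- $(sed -n -e 's/#.*//' \
                    -e 's/^[[:space:]]*subid:[[:space:]]*//p' "$1")
    case $# in
        0)  echo files ;;               # no value: local files are used
        1)  case $1 in
                sss|files) echo "$1" ;;
                *) echo invalid; return 1 ;;
            esac ;;
        *)  echo invalid; return 1 ;;   # only one value is allowed
    esac
}

# ignored_local_ranges CONF SUBID_FILE: when CONF selects sss, print the
# owners that still have entries in a local /etc/subuid-style file. Those
# entries are not consulted while IdM is the source, so they are worth
# reviewing before relying on getsubids output.
ignored_local_ranges() {
    [ "$(subid_source "$1")" = sss ] || return 0
    [ -r "$2" ] || return 0
    # Valid entries have the form owner:start:count.
    awk -F: 'NF == 3 && $1 !~ /^#/ { print $1 }' "$2" | sort -u
}

# Usage on a real host:
#   subid_source /etc/nsswitch.conf
#   ignored_local_ranges /etc/nsswitch.conf /etc/subuid
```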