Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 42. Managing subID ranges manually

In a containerized environment, sometimes an IdM user needs to assign subID ranges manually. The following instructions describe how to manage the subID ranges.

42.1. Generating subID ranges using IdM CLI
Copiar enlace

As an Identity Management (IdM) administrator, you can generate a subID range and assign it to IdM users.

Prerequisites

  • The IdM users exist.
  • You have obtained an IdM admin ticket-granting ticket (TGT). See Using kinit to log in to IdM manually for more details.
  • You have root access to the IdM host where you are executing the procedure.

Procedure

  1. Optional: Check for existing subID ranges: 

    # ipa subid-find
    Copy to Clipboard Toggle word wrap

  2. If a subID range does not exist, select one of the following options:

    • Generate and assign a subID range to an IdM user: 

      # ipa subid-generate --owner=idmuser

Added subordinate id "359dfcef-6b76-4911-bd37-bb5b66b8c418"

  Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
  Description: auto-assigned subid
  Owner: idmuser
  SubUID range start: 2147483648
  SubUID range size: 65536
  SubGID range start: 2147483648
  SubGID range size: 65536
      Copy to Clipboard Toggle word wrap

    • Generate and assign subID ranges to all IdM users: 

      # /usr/libexec/ipa/ipa-subids --all-users

Found 2 user(s) without subordinate ids
  Processing user 'user4' (1/2)
  Processing user 'user5' (2/2)
Updated 2 user(s)
The ipa-subids command was successful
      Copy to Clipboard Toggle word wrap

  3. Optional: Assign subID ranges to new IdM users by default: 

    # ipa config-mod --user-default-subid=True
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that the user has a subID range assigned: 

    # ipa subid-find --owner=idmuser

1 subordinate id matched

  Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
  Owner: idmuser
  SubUID range start: 2147483648
  SubUID range size: 65536
  SubGID range start: 2147483648
  SubGID range size: 65536

Number of entries returned 1
    Copy to Clipboard Toggle word wrap

42.2. Generating subID ranges using IdM WebUI interface
Copiar enlace

As an Identity Management (IdM) administrator, you can generate a subID range and assign it to a user in the IdM WebUI interface.

Prerequisites

Procedure

  1. In the IdM WebUI interface expand the Subordinate IDs tab and choose the Subordinate IDs option.
  2. When the Subordinate IDs interface appears, click the Add button in the upper-right corner of the interface. The Add subid window appears.
  3. In the Add subid window choose an owner, that is the user to whom you want to assign a subID range.
  4. Click the Add button.

Verification

  • View the table under the Subordinate IDs tab. A new record shows in the table. The owner is the user to whom you assigned the subID range.

42.3. Viewing subID information about IdM users by using IdM CLI
Copiar enlace

As an Identity Management (IdM) user, you can search for IdM user subID ranges and view the related information.

Prerequisites

Procedure

  • To view the details about a subID range:

    • If you know the unique ID hash of the Identity Management (IdM) user that is the owner of the range: 

      $ ipa subid-show 359dfcef-6b76-4911-bd37-bb5b66b8c418

  Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
  Owner: idmuser
  SubUID range start: 2147483648
  SubUID range size: 65536
  SubGID range start: 2147483648
  SubGID range size: 65536
      Copy to Clipboard Toggle word wrap

    • If you know a specific subID from that range: 

      $ ipa subid-match --subuid=2147483670

1 subordinate id matched

  Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
  Owner: uid=idmuser
  SubUID range start: 2147483648
  SubUID range size: 65536
  SubGID range start: 2147483648
  SubGID range size: 65536

Number of entries returned 1
      Copy to Clipboard Toggle word wrap

42.4. Listing subID ranges using the getsubid command
Copiar enlace

As a system administrator, you can use the command line to list the subID ranges of Identity Management (IdM) or local users.

Prerequisites

  • The idmuser user exists in IdM.
  • The shadow-utils-subid package is installed.
  • You can edit the /etc/nsswitch.conf file.

Procedure

  1. Open the /etc/nsswitch.conf file and configure the shadow-utils utility to use IdM subID ranges by setting the subid variable to the sss value: 

    [...]
subid: sss
    Copy to Clipboard Toggle word wrap
    Note

    You can provide only one value for the subid field. Setting the subid field to the file value or no value instead of sss configures the shadow-utils utility to use the subID ranges from the /etc/subuid and /etc/subgid files.

  2. List the subID range for an IdM user: 

    $ getsubids idmuser
0: idmuser 2147483648 65536
    Copy to Clipboard Toggle word wrap

    The first value, 2147483648, indicates the subID range start. The second value, 65536, indicates the size of the range.

Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat