Chapter 42. Managing subID ranges manually
In a containerized environment, sometimes an IdM user needs to assign subID ranges manually. The following instructions describe how to manage the subID ranges.
42.1. Generating subID ranges using IdM CLI
As an Identity Management (IdM) administrator, you can generate a subID range and assign it to IdM users.
Prerequisites
- The IdM users exist.
- You have obtained an IdM admin ticket-granting ticket (TGT). See Using kinit to log in to IdM manually for more details.
- You have root access to the IdM host where you are executing the procedure.
Procedure
- Optional: Check for existing subID ranges:
    # ipa subid-find
- If a subID range does not exist, select one of the following options:
  - Generate and assign a subID range to an IdM user:
      # ipa subid-generate --owner=idmuser
      Added subordinate id "359dfcef-6b76-4911-bd37-bb5b66b8c418"
        Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
        Description: auto-assigned subid
        Owner: idmuser
        SubUID range start: 2147483648
        SubUID range size: 65536
        SubGID range start: 2147483648
        SubGID range size: 65536
  - Generate and assign subID ranges to all IdM users:
      # /usr/libexec/ipa/ipa-subids --all-users
      Found 2 user(s) without subordinate ids
        Processing user 'user4' (1/2)
        Processing user 'user5' (2/2)
      Updated 2 user(s)
      The ipa-subids command was successful
- Optional: Assign subID ranges to new IdM users by default:
    # ipa config-mod --user-default-subid=True
Verification
- Verify that the user has a subID range assigned:
    # ipa subid-find --owner=idmuser
    1 subordinate id matched
      Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
      Owner: idmuser
      SubUID range start: 2147483648
      SubUID range size: 65536
      SubGID range start: 2147483648
      SubGID range size: 65536
    Number of entries returned 1
42.2. Generating subID ranges using IdM WebUI interface
As an Identity Management (IdM) administrator, you can generate a subID range and assign it to a user in the IdM WebUI interface.
Prerequisites
- The IdM user exists.
- You have obtained an IdM admin Kerberos ticket (TGT). See Logging in to IdM in the Web UI: Using a Kerberos ticket for more details.
- You have root access to the IdM host where you are executing the procedure.
Procedure
- In the IdM WebUI interface, expand the Subordinate IDs tab and choose the Subordinate IDs option.
- When the Subordinate IDs interface appears, click the Add button in the upper-right corner of the interface. The Add subid window appears.
- In the Add subid window, choose an owner, that is, the user to whom you want to assign a subID range.
- Click the Add button.
Verification
- View the table under the Subordinate IDs tab. A new record shows in the table. The owner is the user to whom you assigned the subID range.
42.3. Viewing subID information about IdM users by using IdM CLI
As an Identity Management (IdM) user, you can search for IdM user subID ranges and view the related information.
Prerequisites
- You have configured a subID range on the IdM client. For more information, see Generating subID ranges using IdM CLI.
- You have obtained an IdM user ticket-granting ticket (TGT). See Using kinit to log in to IdM manually for more details.
Procedure
- To view the details about a subID range:
  - If you know the unique ID hash of the Identity Management (IdM) user that is the owner of the range:
      $ ipa subid-show 359dfcef-6b76-4911-bd37-bb5b66b8c418
        Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
        Owner: idmuser
        SubUID range start: 2147483648
        SubUID range size: 65536
        SubGID range start: 2147483648
        SubGID range size: 65536
  - If you know a specific subID from that range:
      $ ipa subid-match --subuid=2147483670
      1 subordinate id matched
        Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
        Owner: uid=idmuser
        SubUID range start: 2147483648
        SubUID range size: 65536
        SubGID range start: 2147483648
        SubGID range size: 65536
      Number of entries returned 1
42.4. Listing subID ranges using the getsubids command
As a system administrator, you can use the command line to list the subID ranges of Identity Management (IdM) or local users.
Prerequisites
- The idmuser user exists in IdM.
- The shadow-utils-subid package is installed.
- You can edit the /etc/nsswitch.conf file.
Procedure
- Open the /etc/nsswitch.conf file and configure the shadow-utils utility to use IdM subID ranges by setting the subid variable to the sss value:
    [...]
    subid: sss
  Note: You can provide only one value for the subid field. Setting the subid field to the file value or no value instead of sss configures the shadow-utils utility to use the subID ranges from the /etc/subuid and /etc/subgid files.
- List the subID range for an IdM user:
    $ getsubids idmuser
    0: idmuser 2147483648 65536
  The first value, 2147483648, indicates the subID range start. The second value, 65536, indicates the size of the range.
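The following shell helper is an added example, not part of the original documentation: it reads lines in the getsubids output format shown above, reports which owner's range contains a given subID (the same start/size arithmetic that ipa subid-match answers from IdM), and goes one step further by flagging overlapping ranges. The function names and the user4 and user5 ranges are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit subID ranges given in `getsubids` output format
# ("<index>: <owner> <start> <size>"), e.g. collected by running
# getsubids once per user and concatenating the results.

# Constructed sample input. The idmuser line is the one shown on this page;
# the user4 and user5 ranges are invented so that one overlap exists.
sample_ranges() {
cat <<'EOF'
0: idmuser 2147483648 65536
0: user4 2147549184 65536
0: user5 2147500000 65536
EOF
}

# Print every owner whose range contains subID $1.
# A range covers start <= id < start + size.
subid_owner() {
    awk -v id="$1" '
        NF == 4 && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
            if (id + 0 >= $3 + 0 && id + 0 < $3 + $4) print $2
        }'
}

# Print "ownerA ownerB" for each pair of ranges that share at least one ID.
# Two ranges that are merely adjacent are not reported.
subid_overlaps() {
    awk '
        NF == 4 && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
            n++; owner[n] = $2; lo[n] = $3 + 0; hi[n] = $3 + $4 - 1
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i])
                        print owner[i], owner[j]
        }'
}

# Demonstration on the constructed sample.
sample_ranges | subid_owner 2147483670
sample_ranges | subid_overlaps
```

An empty result from subid_overlaps means every subID maps to exactly one owner.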