On Thu, 30 Apr 2020, Sam Morris via FreeIPA-users wrote:
If you've tried to use container engines such as podman, and other
tools that rely on newuidmap/newgidmap for the configuration of user
namespaces on systems where users are defined in FreeIPA, you've
probably had to create entries in /etc/subuid and /etc/subgid manually.
I created a PAM module that automatically creates /etc/subuid and
/etc/subgid entries when a user logs in. It can be found at
<https://github.com/yrro/pam_subuid>. It's pretty rudimentary, but it
does work on my machines; I hope other users of FreeIPA may find it
useful, and maybe even send bug reports and pull requests. :)
I hope this isn't considered spamming--I created it in order to use it
as a stopgap measure until shadow/sssd/FreeIPA are able to manage
subordinate user/group IDs themselves.
Thanks Sam, please look at
https://github.com/shadow-maint/shadow/issues/154 where we discuss
future improvements in this area.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
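
The kind of bookkeeping that creating /etc/subuid and /etc/subgid entries involves, as an added example that is not part of the thread and is not code from pam_subuid or shadow: it parses the `owner:start:count` layout, reports ranges that different owners share (which would let their user namespaces map the same IDs), and picks a free range for a new user. The function names are hypothetical, the sample data is constructed, and the default count, floor and ceiling are assumed to mirror shadow's SUB_UID_COUNT, SUB_UID_MIN and SUB_UID_MAX defaults.

```python
# Added illustration; names are hypothetical, not pam_subuid's or shadow's API.
from itertools import combinations
from typing import List, NamedTuple

class SubidRange(NamedTuple):
    owner: str   # login name or numeric UID, as written in the file
    start: int   # first subordinate ID
    count: int   # number of IDs in the range
    @property
    def end(self) -> int:
        return self.start + self.count  # exclusive upper bound

def parse_subid(text: str) -> List[SubidRange]:
    """Parse owner:start:count lines (the /etc/subuid and /etc/subgid layout)."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # tolerance chosen for this example
            continue
        parts = line.split(":")
        if len(parts) != 3 or not parts[0]:
            raise ValueError(f"line {lineno}: expected owner:start:count")
        start, count = int(parts[1]), int(parts[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: bad range")
        ranges.append(SubidRange(parts[0], start, count))
    return ranges

def find_overlaps(ranges):
    """Pairs of ranges held by different owners that share at least one ID."""
    return [(a, b) for a, b in combinations(ranges, 2)
            if a.owner != b.owner and a.start < b.end and b.start < a.end]

def allocate(ranges, owner, count=65536, floor=100000, ceiling=600100000):
    """Return owner's existing range, or the first free gap of `count` IDs."""
    for r in ranges:
        if r.owner == owner:
            return r  # idempotent: a repeated login must not add a second range
    start = floor
    for r in sorted(ranges, key=lambda r: r.start):
        if r.end <= start:
            continue            # entirely below the candidate
        if r.start >= start + count:
            break               # candidate fits before this range
        start = r.end           # collision: move past it
    if start + count - 1 > ceiling:
        raise RuntimeError("no free subordinate ID range left")
    return SubidRange(owner, start, count)

# Constructed sample: carol's range collides with both alice's and bob's.
SAMPLE = "alice:100000:65536\nbob:165536:65536\ncarol:150000:65536\n"
```

Each host keeps its own files, so ranges chosen this way are only consistent on the machine where they were allocated.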