Hello,

last year I set up a FreeIPA installation. It works very well! I recently discovered a problem with /etc/subuid and /etc/subgid used by rootless Podman (maybe also Docker) containers.

During setup we decided to start the UID range exactly at 100.000. We picked that for no real reason other than we wanted a round number... We thought it would make sense and didn't give it a second thought.

What we did not know at that time is: the /etc/subuid and /etc/subgid system used by rootless Podman (maybe also Docker) containers also starts exactly with UID 100.000. So now if we add users to /etc/subuid and /etc/subgid, those users would be allowed to use UID/GID from the FreeIPA range. This requires attention each time a user is added to /etc/subuid and /etc/subgid and therefore can lead to potential security issues. We use configuration management for setting up our systems, but we would prefer if we could achieve a safe default.

We would like to fix this without reinstalling FreeIPA. We already have a number of hosts, users and certificates enrolled. I am now looking for a way to move the FreeIPA UID range to a different area, e.g. 10.000 - 20.000. We run 3 replicas connected to each other.

I found the ipa commands 'idrange-add' and 'idrange-del' and wonder if I could use those to

1. add a new range at 10.000
2. update UIDs of existing users
3. remove the old range at 100.000.

I am a bit hesitant to try this without understanding what complications I could run into. Do you have any suggestions?

Best
Friedrich Schäuffelhut
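
The overlap described in the message above can be checked mechanically. The following is an added example, not part of the original post and not FreeIPA or Podman code: it parses `owner:start:count` entries in the /etc/subuid format and reports which ones intersect a directory ID range. The function names, the sample entries and the ID range size of 200000 are assumptions made for illustration.

```python
from typing import List, NamedTuple, Tuple


class SubIdEntry(NamedTuple):
    owner: str   # user name (or numeric UID) the subordinate range is delegated to
    start: int   # first subordinate ID
    count: int   # number of IDs in the range


def parse_subid(text: str) -> List[SubIdEntry]:
    """Parse /etc/subuid or /etc/subgid content (owner:start:count per line)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected owner:start:count")
        start, count = int(parts[1]), int(parts[2])
        if start < 0 or count < 1:
            raise ValueError(f"line {lineno}: invalid range {start}:{count}")
        entries.append(SubIdEntry(parts[0], start, count))
    return entries


def find_overlaps(entries: List[SubIdEntry], range_start: int,
                  range_size: int) -> List[Tuple[str, int, int]]:
    """Return (owner, first_shared_id, last_shared_id) for each overlapping entry."""
    range_end = range_start + range_size - 1
    hits = []
    for e in entries:
        lo = max(e.start, range_start)
        hi = min(e.start + e.count - 1, range_end)
        if lo <= hi:
            hits.append((e.owner, lo, hi))
    return hits


# Constructed sample entries, not taken from any real host.
SAMPLE_SUBUID = "alice:100000:65536\nbob:165536:65536\ncarol:524288:65536\n"

if __name__ == "__main__":
    # Assumed directory ID range: starts at 100000 (as in the post), size 200000.
    for owner, lo, hi in find_overlaps(parse_subid(SAMPLE_SUBUID), 100000, 200000):
        print(f"{owner}: subordinate IDs {lo}-{hi} fall inside the directory ID range")
```

Run from configuration management against the real /etc/subuid and /etc/subgid, a non-empty result is the condition to fail on.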