On Thu, 30 Apr 2020, Sam Morris via FreeIPA-users wrote:
If you've tried to use container engines such as podman, and other tools that rely on newuidmap/newgidmap for the configuration of user namespaces on systems where users are defined in FreeIPA, you've probably had to create entries in /etc/subuid and /etc/subgid manually.
I created a PAM module that automatically creates /etc/subuid and /etc/subgid entries when a user logs in. It can be found at https://github.com/yrro/pam_subuid. It's pretty rudimentary, but it does work on my machines; I hope other users of FreeIPA may find it useful, and maybe even send bug reports and pull requests. :)
I hope this isn't considered spamming--I created it in order to use it as a stopgap measure until shadow/sssd/FreeIPA are able to manage subordinate user/group IDs themselves.
Thanks Sam, please look at https://github.com/shadow-maint/shadow/issues/154 where we discuss future improvements in this area.
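Added example, not part of the thread and not pam_subuid's code: a sketch of the bookkeeping that creating /etc/subuid entries involves, whether by hand or at login. It parses name:start:count lines, flags ranges that overlap between different users (an overlap lets one user's namespace map IDs that belong to another), and picks a free range for a new user. The first-fit strategy, the 100000 floor, the 65536 range size and the sample data are assumptions made for illustration.

```python
SUBID_MIN = 100000   # assumption: lowest subordinate ID to hand out
SUBID_COUNT = 65536  # assumption: number of IDs granted per user

# Constructed sample in /etc/subuid format, not taken from a real system.
SAMPLE = "alice:100000:65536\nbob:165536:65536\n\ncarol:300000:65536\n"


def parse_subid(text):
    """Parse subuid/subgid text into a list of (name, start, count)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count")
        entries.append((parts[0], int(parts[1]), int(parts[2])))
    return entries


def find_overlaps(entries):
    """Return pairs of entries owned by different users whose ranges intersect."""
    ordered = sorted(entries, key=lambda e: e[1])
    overlaps = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b[1] >= a[1] + a[2]:  # b and everything after it starts past a
                break
            if a[0] != b[0]:
                overlaps.append((a, b))
    return overlaps


def allocate(entries, user, count=SUBID_COUNT, minimum=SUBID_MIN):
    """Return the user's existing entry, or a first-fit free range."""
    for entry in entries:
        if entry[0] == user:
            return entry  # idempotent: repeat logins must not add ranges
    start = minimum
    for _, s, c in sorted(entries, key=lambda e: e[1]):
        if s >= start + count:  # the gap before this range is big enough
            break
        start = max(start, s + c)
    return (user, start, count)
```

The returned tuple maps directly to a line of the form `name:start:count`; a real implementation would also lock the file while updating it.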