
[Solved] useradd refuses to create a user when LXD is configured with subuid/subgid


klipkyle

Question

Recently, I followed the LXD setup instructions: https://www.funtoo.org/LXD

One of the steps is creating /etc/subuid and /etc/subgid and giving root very large ranges.  From my understanding, this sets up unprivileged containers.  I.e. "root" inside of a container is actually an unprivileged user inside the defined range in subuid.

However, when I tried to add a temporary test user today, I got hung up trying to solve an ancillary problem:

kyle@perkins ~ $ sudo useradd -m -g users -G lp,audio,cdrom,video,plugdev -u 1111 test
useradd: Can't get unique subordinate UID range
useradd: can't create subordinate user IDs

useradd also exits with exit code 16, which is undocumented in its man page.  (Slightly annoying)

It turns out that useradd attempts to modify subuid and subgid to allocate individual "extra" subranges for each user.  Of course this is configurable in login.defs.

#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN			 1000
UID_MAX			60000
# System accounts
SYS_UID_MIN		  101
SYS_UID_MAX		  999
# Extra per user uids
SUB_UID_MIN		   100000
SUB_UID_MAX		600100000
SUB_UID_COUNT		    65536

#
# Min/max values for automatic gid selection in groupadd(8)
#
GID_MIN			 1000
GID_MAX			60000
# System accounts
SYS_GID_MIN		  101
SYS_GID_MAX		  999
# Extra per user group ids
SUB_GID_MIN		   100000
SUB_GID_MAX		600100000
SUB_GID_COUNT		    65536

So, my questions are:

  • Considering LXD handles privilege management, should unprivileged users have a subrange at all?
  • What is the best way to bring useradd to a usable state again?  Ideally, I would like to disable adding a subrange.  (I tried setting SUB_UID_COUNT to 0.)  However, I suppose I can mess around with the ranges.

6 answers to this question


  • 1

That's exactly how I had fixed mine, with login.defs. Just change the SUB_UID_MAX and SUB_GID_MAX.

UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               101
SYS_UID_MAX               999
# Extra per user uids
SUB_UID_MIN                100000
SUB_UID_MAX             2000000000
SUB_UID_COUNT               65536

#
# Min/max values for automatic gid selection in groupadd(8)
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               101
SYS_GID_MAX               999
# Extra per user group ids
SUB_GID_MIN                100000
SUB_GID_MAX             20000000000
SUB_GID_COUNT               65536

 


  • 0
  • Funtoo Linux BDFL

OK, interesting, this means that as you found, the defaults in login.defs are not wonderful.

From the useradd man page (see bolded part):

SUB_GID_MIN (number), SUB_GID_MAX (number), SUB_GID_COUNT (number)
           If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate group IDs) allocate SUB_GID_COUNT unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each new user.

So this means, when you created /etc/subuid, you magically enabled useradd to try to start assigning subuid ranges to new users. And by default, its subuid range conflicts with the one in our LXD docs -- LXD eats up this range.

There is no point for useradd to be assigning subuids and subgids to new users it creates by default. It's a cool feature if you need it, I guess, but it should be off by default.

So /etc/login.defs should have SUB_GID_COUNT and SUB_UID_COUNT set to 0 by default.

Also see bcowan's bug report and my response here: https://bugs.funtoo.org/browse/FL-6773

 

 

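The range conflict described in the answer above, as an added example (not code from this thread or from shadow-utils): a simplified first-fit model of picking SUB_UID_COUNT free IDs inside the SUB_UID_MIN..SUB_UID_MAX window while skipping ranges already listed in /etc/subuid. The sample root entry is constructed for illustration, and the first-fit strategy is an assumption about how the allocation behaves.

```python
# Added illustration: simplified model of subordinate-ID range allocation.
# Not shadow-utils' code; the first-fit strategy is an assumption.

# Constructed sample: one very large root range, as an LXD setup might define.
SAMPLE_SUBUID = """\
# owner:start:count
root:100000:1000000000
"""

def parse_subid(text):
    """Parse /etc/subuid-style lines into sorted (start, end, owner) tuples."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        owner, start, count = line.split(":")
        ranges.append((int(start), int(start) + int(count) - 1, owner))
    return sorted(ranges)

def find_free_range(ranges, sub_min, sub_max, sub_count):
    """Return the first start where sub_count IDs fit inside
    [sub_min, sub_max] without overlapping an existing range, else None."""
    candidate = sub_min
    for start, end, _owner in ranges:
        if end < candidate:
            continue            # range lies entirely below the candidate
        if start - candidate >= sub_count:
            break               # the gap before this range is large enough
        candidate = end + 1     # skip past the occupied range
    if candidate + sub_count - 1 <= sub_max:
        return candidate
    return None

def blocking_owners(ranges, sub_min, sub_max):
    """List owners whose ranges overlap the allocation window."""
    return [o for s, e, o in ranges if s <= sub_max and e >= sub_min]

if __name__ == "__main__":
    existing = parse_subid(SAMPLE_SUBUID)
    # Window from the question's login.defs: fully covered by root's range.
    print(find_free_range(existing, 100000, 600100000, 65536))
    print(blocking_owners(existing, 100000, 600100000))
    # Window with the raised SUB_UID_MAX from the first answer.
    print(find_free_range(existing, 100000, 2000000000, 65536))
```

To check a real host, pass the contents of /etc/subuid or /etc/subgid to `parse_subid` along with the SUB_* values from /etc/login.defs.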

  • 0
On 10/20/2019 at 9:09 PM, drobbins said:

So /etc/login.defs should have SUB_GID_COUNT and SUB_UID_COUNT set to 0 by default.

I tried setting those variables to 0, but useradd still complains even though the ranges have plenty of subuids/subgids to allocate.  Maybe shadow-utils doesn't support this configuration?

kyle@perkins ~ $ sudo useradd -m -g users -G lp,audio,cdrom,video,plugdev -u 1112 test2
Password: 
useradd: Can't get unique subordinate UID range
useradd: can't create subordinate user IDs

#
# Min/max values for automatic uid selection in useradd(8)
#
UID_MIN			 1000
UID_MAX			60000
# System accounts
SYS_UID_MIN		  101
SYS_UID_MAX		  999
# Extra per user uids
SUB_UID_MIN		   100000
SUB_UID_MAX	       2000000000
SUB_UID_COUNT			0

#
# Min/max values for automatic gid selection in groupadd(8)
#
GID_MIN			 1000
GID_MAX			60000
# System accounts
SYS_GID_MIN		  101
SYS_GID_MAX		  999
# Extra per user group ids
SUB_GID_MIN		   100000
SUB_GID_MAX	       2000000000
SUB_GID_COUNT			0

 
