
Podman ignores /etc/nsswitch.conf option subid: sss #25041

Open
mettekou opened this issue Jan 17, 2025 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.


mettekou commented Jan 17, 2025

Issue Description

I have set up machine y to read user information from a FreeIPA LDAP server with SSSD through /etc/nsswitch.conf, including the option subid: sss. When running a rootless container z as an LDAP user x on machine y, Podman ignores this, looks for /etc/subuid anyway, and fails to find it. The output from journalctl --user -xeu z after running systemctl --user start z ends with:

jan 17 19:12:27 y x[7457]: time="2025-01-17T19:12:27+01:00" level=error msg="Cannot find mappings for user \"x\": open /etc/subuid: no such file or directory"
jan 17 19:12:27 y x[7457]: Error: creating container storage: not enough unused IDs in user namespace
jan 17 19:12:27 y podman[7457]: 2025-01-17 19:12:27.657235779 +0100 CET m=+0.014775567 image pull a96ec3ae544852ab61d95cf8f258671e541640c98a29cccd78d93ea48b8e2df1 z:latest
jan 17 19:12:27 y systemd[2430]: z.service: Main process exited, code=exited, status=125/n/a
jan 17 19:12:27 y systemd[2430]: z.service: Failed with result 'exit-code'.
jan 17 19:12:27 y systemd[2430]: Failed to start Z.

See also #16018 and #16244.

Steps to reproduce the issue

  1. Set the option subid: sss in /etc/nsswitch.conf
  2. Run a rootless container as an LDAP user with the option --userns=auto or through systemd with UserNS=auto.

Describe the results you received

The container stops with the error message described above.

Describe the results you expected

The subordinate ids are correctly retrieved from SSSD and the container runs without issue.

podman info output

host:
  arch: amd64
  buildahVersion: 1.38.0
  cgroupControllers:
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-1.2.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: unknown'
  cpuUtilization:
    idlePercent: 99.15
    systemPercent: 0.21
    userPercent: 0.65
  cpus: 32
  databaseBackend: sqlite
  distribution:
    distribution: opensuse-tumbleweed
    version: "20250115"
  eventLogger: journald
  freeLocks: 2048
  hostname: poelaert
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1402000003
      size: 1
    uidmap:
    - container_id: 0
      host_id: 1402000003
      size: 1
  kernel: 6.12.9-1-default
  linkmode: dynamic
  logDriver: journald
  memFree: 108878225408
  memTotal: 134978838528
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.2.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.1.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19-1.1.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.19
      commit: db31c42ac46e20b5527f5339dcbf6f023fcd539c
      rundir: /run/user/1402000003/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-20241211.09478d5-1.2.x86_64
    version: |
      pasta 20241211.09478d5-1.2
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1402000003/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 0h 20m 8.00s
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.opensuse.org
  - registry.suse.com
  - docker.io
store:
  configFile: /home/x/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /home/x/.local/share/containers/storage
  graphRootAllocated: 3999508078592
  graphRootUsed: 890437242880
  graphStatus:
    Backing Filesystem: btrfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 0
  runRoot: /run/user/1402000003/containers
  transientStore: false
  volumePath: /home/x/.local/share/containers/storage/volumes
version:
  APIVersion: 5.3.1
  Built: 1733485830
  BuiltTime: Fri Dec  6 12:50:30 2024
  GitCommit: ""
  GoVersion: go1.23.4
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.1

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

This happens on a physical machine running openSUSE Tumbleweed, the latest SSSD 2.10.1, and the latest Podman 5.3.1, not in a virtual environment.

x@y:~> podman version
Client:       Podman Engine
Version:      5.3.1
API Version:  5.3.1
Go Version:   go1.23.4
Built:        Fri Dec  6 12:50:30 2024
OS/Arch:      linux/amd64
x@y:~> uname -a
Linux y 6.12.9-1-default #1 SMP PREEMPT_DYNAMIC Fri Jan 10 08:30:10 UTC 2025 (0ae2136) x86_64 x86_64 x86_64 GNU/Linux
x@y:~> getsubids $USER
0: x 2147549184 65536

Additional information

This issue happens with the option --userns=auto or UserNS=auto in a systemd container definition. Note that getsubids properly reads subordinate ids from the LDAP server, so these are otherwise correctly set up.
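The report above contrasts two lookup paths: getsubids goes through libsubid, which honours the subid: line in /etc/nsswitch.conf, while the error message shows Podman opening /etc/subuid directly. The following shell script is an added diagnostic, not part of the issue or of Podman, that reproduces the file-side check on constructed sample files so an administrator can see which of the two configurations a host is actually in before starting a rootless service. Function names, verdict strings and the sample paths are this example's own; it assumes the shadow-utils convention that a missing subid: line means "files".

```shell
#!/bin/sh
# Added example: mirror the two subordinate-ID lookups involved in the report.
# Paths are parameters so the functions run against constructed files.

# Print the subid source(s) configured in an nsswitch.conf-style file.
# Assumption (shadow-utils convention): no subid line means "files".
subid_source() {
    nss="$1"
    [ -r "$nss" ] || { echo "files"; return 0; }
    src=$(sed -n 's/^[[:space:]]*subid:[[:space:]]*//p' "$nss" \
          | sed 's/#.*//; s/[[:space:]]*$//' | head -n 1)
    if [ -z "$src" ]; then echo "files"; else echo "$src"; fi
}

# Print "start count" for every /etc/subuid-style range belonging to a user,
# matched by name or (optionally) numeric uid. Returns 1 if the file is absent,
# which is exactly the situation in the journal output of the report.
file_subid_ranges() {
    user="$1"; file="$2"; uid="${3:-}"
    [ -r "$file" ] || return 1
    awk -F: -v u="$user" -v id="$uid" \
        '$1 == u || (id != "" && $1 == id) { print $2, $3 }' "$file"
}

# Combine both lookups into one verdict:
#   file-range-found            the direct file read Podman performs will succeed
#   sss-configured-no-file-range nsswitch points at sss but the file has nothing,
#                               so libsubid-based tools work and a direct file
#                               read fails (the mismatch in this report)
#   no-mapping                  neither source can supply a range
diagnose() {
    user="$1"; nss="$2"; file="$3"
    src=$(subid_source "$nss")
    ranges=$(file_subid_ranges "$user" "$file" 2>/dev/null || true)
    if [ -n "$ranges" ]; then
        echo "file-range-found"
    else
        case "$src" in
            *sss*) echo "sss-configured-no-file-range" ;;
            *)     echo "no-mapping" ;;
        esac
    fi
}

# Demonstration on constructed files (no real system files are touched).
demo_dir=$(mktemp -d)
printf 'passwd: sss files\nsubid: sss\n' > "$demo_dir/nsswitch.conf"
echo "subid source: $(subid_source "$demo_dir/nsswitch.conf")"
echo "verdict without /etc/subuid: $(diagnose x "$demo_dir/nsswitch.conf" "$demo_dir/subuid")"
printf 'x:2147549184:65536\n' > "$demo_dir/subuid"
echo "verdict with a file range:   $(diagnose x "$demo_dir/nsswitch.conf" "$demo_dir/subuid")"
rm -rf "$demo_dir"
```

To check a live host instead of the sample files, call `diagnose "$USER" /etc/nsswitch.conf /etc/subuid` and compare the verdict with `getsubids "$USER"`: a `sss-configured-no-file-range` verdict alongside a range from getsubids is the combination described in this issue, and adding the user's range to /etc/subuid (or keeping `files` in the subid: line) is the workaround that satisfies a direct file read until the lookup itself is fixed.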

mettekou added the kind/bug label Jan 17, 2025