Can't add users anymore by using useradd

Question

Whenever I do

# useradd -N --gid 1003 -s /bin/ksh --uid <some UID starting with 10027> --home /home/<someuser> <someuser>

useradd just refuses to add any user and prints instead:

useradd: Can't get unique secondary UID range
useradd: can't find subordinate user range

And just to tell you, the /etc/passwd is 9056 lines long.

What could be the problem?

Do you have any custom limits on UID range? defined in /etc/login.defs UID_MIN,UID_MAX ? — VenkatC, Nov 01 '15 at 16:53
No. They are 1000 and 60000 respectively as it came with my distro. — tildearrow, Nov 01 '15 at 16:56
What OS are you running? are you in a container environment? check for subuid/gid definitions or files /etc/subuid, /etc/subgid — VenkatC, Nov 01 '15 at 17:01
Ubuntu 14.04. uname: Linux server 3.19.0-28-lowlatency #30~14.04.1-Ubuntu SMP PREEMPT Tue Sep 1 10:24:39 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux — tildearrow, Nov 01 '15 at 17:04
And no I am not. And how do I check that? I opened /etc/subuid and the highest value was 600016544. — tildearrow, Nov 01 '15 at 17:05
what are the values of SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT in /etc/login.defs? — VenkatC, Nov 01 '15 at 17:08
Thanks. Can you paste outputs of /etc/subuid and /etc/subgid files? from the error message, it looks like useradd exhausted the range of sub uid's and it's unable to create new user — VenkatC, Nov 01 '15 at 17:16
"And just to tell you, the /etc/passwd is 9056 lines long.", and you expect that this machine should have thousands of users? if this is surprising to you then that's likely the key to the whole situation. — Theophrastus, Nov 01 '15 at 17:55
@Theophrastus, what's wrong with having 9056 (or more) users on a system? not uncommon with, say, a mail server. or a large corporate or university or govt etc server that uses the organisation's LDAP or AD server for account info. not all of those users will be logged in or using services on the machine at the same time. — cas, Nov 02 '15 at 00:47
@cas of course nothing is wrong with it if that meets with the expectation for that machine. i've got over 23,000 on the box i'm scribbling this on. yet the way the poster posed it, it sounded like that was an unexpected state; and therefore coming to could certainly prove a key to the solution. — Theophrastus, Nov 03 '15 at 04:20

score 2 · Accepted Answer · edited Sep 29 '22 at 04:43

As per useradd(8), it creates SUB_UID_COUNT secondary uid range reserved for each user

SUB_UID_MIN (number), SUB_UID_MAX (number), SUB_UID_COUNT (number)
If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate user IDs) allocate SUB_UID_COUNT unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user.
The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are respectively 100000, 600100000 and 10000.

Looks like you reached that default limit and therefore useradd is failing.

score 0 · Answer 2 · edited Sep 29 '22 at 04:30

useradd is complaining that it cannot allocate a subordinate UID range for the new user because the allowed UID range is exhausted. As you indicated, you have a lot of users in your system, and the default values configured in login.defs can't handle that.

Subordinate UID/GID files are used to set up UID/GID mappings for user namespaces (see subuid(5), subgid(5), newuidmap(1), and newgidmap(1) ).

In my case, I had 10000+ UIDs in my system, and useradd was failing with exactly the same error. I didn't want useradd to manage the subuid and subgid databases as I don't need to configure any custom ID mappings, so I've disabled this feature. This can be done by removing the /etc/subuid and /etc/subgid files.

For recent versions of shadow utilities (since 4.9 or so), setting SUB_UID_COUNT 0 and SUB_GID_COUNT 0 in your /etc/login.defs also works. See login.defs(5) for details.

Can't add users anymore by using useradd

2 Answers2