diff --git a/roles/baseline/tasks/ipaclient.yml b/roles/baseline/tasks/ipaclient.yml
index 2150f90..e301e96 100644
--- a/roles/baseline/tasks/ipaclient.yml
+++ b/roles/baseline/tasks/ipaclient.yml
@@ -11,11 +11,12 @@
   changed_when: false
 
 - name: FreeIPA Client | PATCH | Apply authselect profile with sssd, sudo, and mkhomedir if not set
-  ansible.builtin.command: authselect select sssd with-sudo with-mkhomedir --force
+  ansible.builtin.command: authselect select sssd with-sudo with-mkhomedir with-subid --force
   when: >
     'Profile ID: sssd' not in _baseline_freeipa_authselect_status.stdout or
     'with-sudo' not in _baseline_freeipa_authselect_status.stdout or
-    'with-mkhomedir' not in _baseline_freeipa_authselect_status.stdout
+    'with-mkhomedir' not in _baseline_freeipa_authselect_status.stdout or
+    'with-subid' not in _baseline_freeipa_authselect_status.stdout
 
 - name: FreeIPA Client | PATCH | Enable oddjobd.service (for with-mkhomedir feature)
   ansible.builtin.systemd_service: