From ec972f9470bdf1c865f143a74a267fab4ea55d3d Mon Sep 17 00:00:00 2001
From: irl <iain@learmonth.me>
Date: Sat, 8 Nov 2025 20:59:45 +0000
Subject: [PATCH] feat(baseline): enable with-subid feature for sssd

---
 roles/baseline/tasks/ipaclient.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/roles/baseline/tasks/ipaclient.yml b/roles/baseline/tasks/ipaclient.yml
index 2150f90..e301e96 100644
--- a/roles/baseline/tasks/ipaclient.yml
+++ b/roles/baseline/tasks/ipaclient.yml
@@ -11,11 +11,12 @@
   changed_when: false
 
 - name: FreeIPA Client | PATCH | Apply authselect profile with sssd, sudo, and mkhomedir if not set
-  ansible.builtin.command: authselect select sssd with-sudo with-mkhomedir --force
+  ansible.builtin.command: authselect select sssd with-sudo with-mkhomedir with-subid --force
   when: >
     'Profile ID: sssd' not in _baseline_freeipa_authselect_status.stdout or
     'with-sudo' not in _baseline_freeipa_authselect_status.stdout or
-    'with-mkhomedir' not in _baseline_freeipa_authselect_status.stdout
+    'with-mkhomedir' not in _baseline_freeipa_authselect_status.stdout or
+    'with-subid' not in _baseline_freeipa_authselect_status.stdout
 
 - name: FreeIPA Client | PATCH | Enable oddjobd.service (for with-mkhomedir feature)
   ansible.builtin.systemd_service: