On Wed, Dec 15, 2021 at 01:35:49PM -0300, tizo via FreeIPA-users wrote:
On Wed, Dec 15, 2021 at 10:24 AM tizo <tizone(a)gmail.com>
wrote:
> Just another problem of my lab about IPA trusting AD (but very close to
> the end). We have this trust relation between IPA and AD. The IPA server is
> installed on a Rocky Linux 8, and its domain is idmpru.xx.xx. The AD server
> is a Samba AD DC 4.14 installed on a Rocky Linux 8 too, and its domain is
> adtest.xx.xx.
>
> Everything is working pretty well right now: AD users can login to Windows
> clients (joined to AD domain), and can also login to Ubuntu clients (joined
> to IPA domain). Besides, users in Windows clients can mount samba shares
> that are configured in another server, a file server. This file server
> (smbshare.adtest.xx.xx) is joined to both IPA and AD domains, and the
> shares are also configured as NFS (nfsv4) exports (to let users using
> Ubuntu clients mount them over NFS). Before configuring automount, I was
> testing to mount one of the exports from Ubuntu with the root user (as I have
> tried in other IPA installations without problem), as follows:
>
> # mount -t nfs -o vers=4,sec=krb5p smbshare.adtest.xx.xx:/prueba_share
> /tmp/pru/
> mount.nfs: access denied by server while mounting
> smbshare.adtest.xx.xx:/prueba_share
>
> After several tests and investigation, I could determine that the file
> /var/lib/sss/pubconf/krb5.include.d/domain_realm_idmpru_xx_xx was causing
> the problem. If I delete it, the previous command works all right. But
> after rebooting the Ubuntu client, the file is regenerated again.
>
> So I was wondering what this file is for, if I can delete it without any
> problem, and, in that case, how to avoid it being regenerated. The content
> of it is:
>
> [domain_realm]
> .adtest.xx.xx = ADTEST.XX.XX
> adtest.xx.xx = ADTEST.XX.XX
> [capaths]
> ADTEST.XX.XX = {
> IDMPRU.XX.XX = ADTEST.XX.XX
> }
> IDMPRU.XX.XX = {
> ADTEST.XX.XX = ADTEST.XX.XX
> }
>
> Thanks very much,
>
> tizo
>
Workaround: if I add the following manual entry to the [domain_realm] section
of the /etc/krb5.conf file, it works without having to remove
/var/lib/sss/pubconf/krb5.include.d/domain_realm_idmpru_xx_xx:
smbshare.adtest.xx.xx = IDMPRU.XX.XX
Hi,
this is expected in your setup. The default entries in the [domain_realm]
section tell libkrb5 that a service from the DNS domain adtest.xx.xx
belongs to the Kerberos realm ADTEST.XX.XX. But since you want to use
IDMPRU.XX.XX to access the fileserver you have to tell this explicitly.
Instead of adding your line to
/var/lib/sss/pubconf/krb5.include.d/domain_realm_idmpru_xx_xx it should
be possible to add it directly to /etc/krb5.conf in the [domain_realm]
section or create a config snippet in /etc/krb5.conf.d.
Why do you not add the fileserver to the IPA DNS domain and only join it to
IPA? AD users should be able to access it due to the trust with IPA.
bye,
Sumit
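The hostname-to-realm lookup Sumit describes can be modelled to see why the sssd-generated snippet alone sends the client to the wrong realm for the file server. The following is an added example written for this thread, not code from either poster or from the FreeIPA or krb5 projects. It parses the sssd snippet quoted above together with a constructed minimal /etc/krb5.conf (the IPA realm entries for idmpru.xx.xx are assumed; the smbshare line is tizo's workaround) and applies the documented [domain_realm] lookup order: the exact host name is tried first, then each parent domain with and without its leading dot. Merge precedence between krb5.conf and includedir snippets is not modelled, since the two files here use different keys.

```python
"""Model of the libkrb5 [domain_realm] hostname -> realm lookup.

Added example for the FreeIPA-users thread above; not code from the thread
or from the krb5/FreeIPA projects. The sssd snippet is the one quoted in
the thread; the /etc/krb5.conf text is constructed for illustration.
"""
from typing import Dict, Iterable, Optional

# Snippet as sssd writes it into krb5.include.d (content quoted in the thread).
SSSD_SNIPPET = """\
[domain_realm]
.adtest.xx.xx = ADTEST.XX.XX
adtest.xx.xx = ADTEST.XX.XX
[capaths]
ADTEST.XX.XX = {
IDMPRU.XX.XX = ADTEST.XX.XX
}
IDMPRU.XX.XX = {
ADTEST.XX.XX = ADTEST.XX.XX
}
"""

# Constructed minimal /etc/krb5.conf for the IPA-joined client. The IPA
# realm entries are assumed; the smbshare line is the workaround from the thread.
KRB5_CONF_WITH_WORKAROUND = """\
[libdefaults]
default_realm = IDMPRU.XX.XX

[domain_realm]
.idmpru.xx.xx = IDMPRU.XX.XX
idmpru.xx.xx = IDMPRU.XX.XX
smbshare.adtest.xx.xx = IDMPRU.XX.XX
"""


def parse_domain_realm(text: str) -> Dict[str, str]:
    """Collect 'key = REALM' relations from every [domain_realm] section.

    Only the flat key = value syntax is handled; brace groups such as the
    [capaths] entries are skipped. Keys are lower-cased, as krb5 expects.
    """
    mapping: Dict[str, str] = {}
    section: Optional[str] = None
    depth = 0  # nesting inside { ... } groups, which we ignore
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            depth = 0
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if section == "domain_realm" and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def host_realm(mapping: Dict[str, str], host: str) -> Optional[str]:
    """Return the realm for host following the documented lookup order.

    The exact host name is tried first, then each parent domain with and
    without its leading dot, so 'smbshare.adtest.xx.xx' is consulted before
    '.adtest.xx.xx'. None means no relation applies.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    candidates = [host]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        candidates.append("." + parent)
        candidates.append(parent)
    for key in candidates:
        if key in mapping:
            return mapping[key]
    return None


def resolve(conf_texts: Iterable[str], host: str) -> Optional[str]:
    """Merge the [domain_realm] sections of several config texts and resolve host."""
    merged: Dict[str, str] = {}
    for text in conf_texts:
        merged.update(parse_domain_realm(text))
    return host_realm(merged, host)


if __name__ == "__main__":
    fileserver = "smbshare.adtest.xx.xx"
    # Snippet only: the .adtest.xx.xx wildcard wins and the client asks
    # ADTEST.XX.XX for the service ticket, which the IPA-registered NFS
    # service cannot accept.
    print(fileserver, "->", resolve([SSSD_SNIPPET], fileserver))
    # With the explicit host entry, the exact match takes precedence.
    print(fileserver, "->", resolve([SSSD_SNIPPET, KRB5_CONF_WITH_WORKAROUND], fileserver))
```

Running the block prints ADTEST.XX.XX for the snippet alone and IDMPRU.XX.XX once the host-specific line is present; other hosts in adtest.xx.xx still resolve to ADTEST.XX.XX, which is why the single host entry is sufficient and does not disturb the trust for the rest of the AD domain.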
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org