On Wed, Dec 15, 2021 at 10:24 AM tizo <tizone(a)gmail.com> wrote:
Just another problem in my lab about IPA trusting AD (but very close to the end). We have this trust relation between IPA and AD. The IPA server is
installed on a Rocky Linux 8, and its domain is idmpru.xx.xx. The AD server
is a Samba AD DC 4.14 installed on a Rocky Linux 8 too, and its domain is
adtest.xx.xx.
Everything is working pretty well right now: AD users can login to Windows
clients (joined to AD domain), and can also login to Ubuntu clients (joined
to IPA domain). Besides, users in Windows clients can mount samba shares
that are configured in another server, a file server. This file server
(smbshare.adtest.xx.xx) is joined to both IPA and AD domains, and the
shares are also configured as NFS (nfsv4) exports (to let users of
Ubuntu clients mount them over NFS). Before configuring automount, I was
testing to mount one of the exports from Ubuntu with the root user (as I have
tried in other IPA installations without problems), as follows:
# mount -t nfs -o vers=4,sec=krb5p smbshare.adtest.xx.xx:/prueba_share /tmp/pru/
mount.nfs: access denied by server while mounting smbshare.adtest.xx.xx:/prueba_share
After several tests and investigation, I could determine that the file
/var/lib/sss/pubconf/krb5.include.d/domain_realm_idmpru_xx_xx was causing
the problem. If I delete it, the previous command works all right. But
after rebooting the Ubuntu client, the file is regenerated again.
So I was wondering what this file is for, if I can delete it without any
problem, and, in that case, how to avoid it being regenerated. The content
of it is:
[domain_realm]
.adtest.xx.xx = ADTEST.XX.XX
adtest.xx.xx = ADTEST.XX.XX
[capaths]
ADTEST.XX.XX = {
    IDMPRU.XX.XX = ADTEST.XX.XX
}
IDMPRU.XX.XX = {
    ADTEST.XX.XX = ADTEST.XX.XX
}
Thanks very much,
tizo
Workaround: if I add the following manual entry to the domain_realm section
of the /etc/krb5.conf file, it works without having to remove
/var/lib/sss/pubconf/krb5.include.d/domain_realm_idmpru_xx_xx:
smbshare.adtest.xx.xx = IDMPRU.XX.XX
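The mechanism behind the failure and the workaround is the client-side hostname-to-realm mapping. The SSSD-generated include maps every host under adtest.xx.xx to ADTEST.XX.XX, so for a server that is joined to IPA and presumably holds its nfs/ service principal in IDMPRU.XX.XX the client asks the wrong realm for the service ticket, and the mount is refused. An exact hostname relation in [domain_realm] is consulted before any leading-dot domain relation, which is why the single workaround line wins over the SSSD file without deleting it. The following script is an added illustration, not code from the thread or from SSSD/MIT krb5: it embeds the SSSD include quoted above and a hypothetical /etc/krb5.conf fragment containing the workaround, and models the lookup as "exact host first, then the longest parent domain with a leading dot". That lookup order, and the rule that the first definition of a relation is kept when fragments are merged, are simplifying assumptions of this model.

```python
"""Model of krb5 [domain_realm] resolution: why an exact hostname entry
overrides an SSSD-generated domain entry. Constructed example; the lookup
order and merge rule are assumptions, not MIT krb5's actual code."""
from __future__ import annotations

# Copied from the thread: the SSSD-generated include file.
SSSD_INCLUDE = """\
[domain_realm]
.adtest.xx.xx = ADTEST.XX.XX
adtest.xx.xx = ADTEST.XX.XX
[capaths]
ADTEST.XX.XX = {
IDMPRU.XX.XX = ADTEST.XX.XX
}
IDMPRU.XX.XX = {
ADTEST.XX.XX = ADTEST.XX.XX
}
"""

# Hypothetical /etc/krb5.conf fragment (assumed): the IPA client's own
# domain mapping plus the manual workaround entry from the thread.
KRB5_CONF_WORKAROUND = """\
[domain_realm]
.idmpru.xx.xx = IDMPRU.XX.XX
idmpru.xx.xx = IDMPRU.XX.XX
smbshare.adtest.xx.xx = IDMPRU.XX.XX
"""


def parse_domain_realm(text: str) -> dict[str, str]:
    """Collect name -> realm relations from every [domain_realm] section.
    Other sections (e.g. [capaths]) are skipped; names are lower-cased."""
    relations: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            relations[name.lower()] = realm
    return relations


def merge(*fragments: str) -> dict[str, str]:
    """Merge config fragments in the order they are read. Assumption of this
    model: the first definition of a relation name is kept."""
    merged: dict[str, str] = {}
    for fragment in fragments:
        for name, realm in parse_domain_realm(fragment).items():
            merged.setdefault(name, realm)
    return merged


def host_realm(hostname: str, relations: dict[str, str]) -> str | None:
    """Map a hostname to a realm: exact hostname entry first, then the
    longest parent domain that has a leading-dot entry. None means no
    static mapping (a real client would fall back to other heuristics)."""
    host = hostname.lower().rstrip(".")
    if host in relations:
        return relations[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in relations:
            return relations[parent]
    return None


def nfs_principal(hostname: str, relations: dict[str, str]) -> str | None:
    """Service principal the client would request for an NFS mount."""
    realm = host_realm(hostname, relations)
    return f"nfs/{hostname}@{realm}" if realm else None


if __name__ == "__main__":
    before = merge(SSSD_INCLUDE)
    after = merge(KRB5_CONF_WORKAROUND, SSSD_INCLUDE)
    print("SSSD include only :", nfs_principal("smbshare.adtest.xx.xx", before))
    print("with workaround   :", nfs_principal("smbshare.adtest.xx.xx", after))
    # Other AD hosts keep the domain-wide mapping, so the AD trust is intact.
    print("other AD host     :", nfs_principal("dc1.adtest.xx.xx", after))
```

Run it to see the principal flip from nfs/smbshare.adtest.xx.xx@ADTEST.XX.XX to nfs/smbshare.adtest.xx.xx@IDMPRU.XX.XX once the exact-host entry is present, while any other host under adtest.xx.xx still resolves to ADTEST.XX.XX. The practical check on a client is to compare the realm in the ticket that `mount` obtains (visible with `klist`) against the realm that actually holds the server's nfs/ principal; a mismatch points at the domain_realm mapping rather than at export permissions.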