On Wed, Dec 15, 2021 at 10:24 AM tizo <tizone@gmail.com> wrote:
Just another problem from my lab about IPA trusting AD (but very close to the end). We have this trust relationship between IPA and AD. The IPA server is installed on Rocky Linux 8, and its domain is idmpru.xx.xx. The AD server is a Samba AD DC 4.14, installed on Rocky Linux 8 too, and its domain is adtest.xx.xx.

Everything is working pretty well right now: AD users can log in to Windows clients (joined to the AD domain), and can also log in to Ubuntu clients (joined to the IPA domain). Besides, users on Windows clients can mount Samba shares that are configured on another server, a file server. This file server (smbshare.adtest.xx.xx) is joined to both the IPA and AD domains, and the shares are also configured as NFS (NFSv4) exports (to let users on Ubuntu clients mount them over NFS). Before configuring automount, I was testing mounting one of the exports from Ubuntu as the root user (as I have done in other IPA installations without problems), as follows:

# mount -t nfs -o vers=4,sec=krb5p smbshare.adtest.xx.xx:/prueba_share /tmp/pru/
mount.nfs: access denied by server while mounting smbshare.adtest.xx.xx:/prueba_share

After several tests and investigation, I could determine that the file /var/lib/sss/pubconf/krb5.include.d/domain_realm_idmpru_xx_xx was causing the problem. If I delete it, the previous command works all right. But after rebooting the Ubuntu client, the file is regenerated again.

So I was wondering what this file is for, if I can delete it without any problem, and, in that case, how to avoid it being regenerated. The content of it is:

[domain_realm]
.adtest.xx.xx = ADTEST.XX.XX
adtest.xx.xx = ADTEST.XX.XX
[capaths]
ADTEST.XX.XX = {
  IDMPRU.XX.XX = ADTEST.XX.XX
}
IDMPRU.XX.XX = {
  ADTEST.XX.XX = ADTEST.XX.XX
}

Thanks very much,

tizo

Workaround: if I add the following manual entry to the domain_realm section of the /etc/krb5.conf file, it works without having to remove /var/lib/sss/pubconf/krb5.include.d/domain_realm_idmpru_xx_xx:

smbshare.adtest.xx.xx = IDMPRU.XX.XX
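To make the effect of that workaround line concrete, here is an added example (not code from the thread or from SSSD/krb5) that simulates how a Kerberos client picks a realm for a server hostname from [domain_realm] entries: the exact hostname is tried first, then each dotted parent-domain suffix, longest first. This is a simplification of the real MIT krb5 lookup, and the config fragments are the ones from the thread, constructed here as strings; the realm chosen is the one the client will ask for the nfs/<host> service ticket from.

```python
"""Simulate [domain_realm] hostname-to-realm mapping (constructed example)."""
import re

# Fragment as written by SSSD into krb5.include.d (copied from the thread).
SSSD_INCLUDE = """\
[domain_realm]
.adtest.xx.xx = ADTEST.XX.XX
adtest.xx.xx = ADTEST.XX.XX
"""

# The manual workaround entry added to /etc/krb5.conf in the thread.
WORKAROUND = """\
[domain_realm]
smbshare.adtest.xx.xx = IDMPRU.XX.XX
"""


def parse_domain_realm(*fragments: str) -> dict:
    """Collect 'key = REALM' lines from the [domain_realm] section of each
    fragment. Later fragments override earlier ones on duplicate keys."""
    mapping = {}
    for text in fragments:
        section = None
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            header = re.match(r"\[(\w+)\]$", line)
            if header:
                section = header.group(1)
                continue
            if section == "domain_realm" and "=" in line:
                key, _, realm = line.partition("=")
                mapping[key.strip().lower()] = realm.strip()
    return mapping


def candidate_keys(host: str) -> list:
    """Keys tried in order: the full hostname, then '.parent.domain' suffixes.
    Note that an undotted key like 'adtest.xx.xx' only matches that exact name."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    return [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]


def lookup_realm(mapping: dict, host: str):
    """Return the realm the client would select for host, or None if unmapped."""
    for key in candidate_keys(host):
        if key in mapping:
            return mapping[key]
    return None
```

With only the SSSD include, smbshare.adtest.xx.xx resolves to ADTEST.XX.XX; the explicit host entry wins because it is matched before any parent-domain suffix, so other hosts under adtest.xx.xx keep mapping to AD.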