Noted! And lesson learned the hard way, thanks @nazunalika
Yes, we have the mentioned packages installed, i.e.,
rpm -qa | grep "realmd\|sssd\|oddjob\|oddjob-mkhomedir\|adcli\|samba-common-tools\|krb5-workstation" | sort
adcli-0.8.2-12.el8.x86_64
krb5-workstation-1.18.2-14.el8.x86_64
oddjob-0.34.7-1.el8.x86_64
oddjob-mkhomedir-0.34.7-1.el8.x86_64
python3-sssdconfig-2.6.2-4.el8_6.1.noarch
realmd-0.16.3-23.el8.x86_64
samba-common-tools-4.15.5-8.el8_6.x86_64
sssd-2.6.2-4.el8_6.1.x86_64
sssd-ad-2.6.2-4.el8_6.1.x86_64
sssd-client-2.6.2-4.el8_6.1.x86_64
sssd-common-2.6.2-4.el8_6.1.x86_64
sssd-common-pac-2.6.2-4.el8_6.1.x86_64
sssd-dbus-2.6.2-4.el8_6.1.x86_64
sssd-ipa-2.6.2-4.el8_6.1.x86_64
sssd-kcm-2.6.2-4.el8_6.1.x86_64
sssd-krb5-2.6.2-4.el8_6.1.x86_64
sssd-krb5-common-2.6.2-4.el8_6.1.x86_64
sssd-ldap-2.6.2-4.el8_6.1.x86_64
sssd-nfs-idmap-2.5.2-2.el8_5.4.x86_64
sssd-proxy-2.6.2-4.el8_6.1.x86_64
sssd-tools-2.6.2-4.el8_6.1.x86_64
No, it seems to be already configured with AD support.
cat /etc/crypto-policies/config
DEFAULT:AD-SUPPORT
and
ls -lah /proc/sys/crypto/fips_enabled
-r--r--r-- 1 root root 0 Aug 9 00:34 /proc/sys/crypto/fips_enabled
Not sure what this means, but yeah, if we should tune/tweak anything please suggest.
So currently we tried running
getent passwd username
for a few AD users and they all seem to be returning the info,
bsukhadia:*:1517601129:1517600514:Bhavik Sukhadia:/home/FRACTAL.COM/bsukhadia:/bin/bash
However, another strange problem we are observing is with the NFS v4 mounts with sec=krb5 - the mounts are visible in df -hT output, but when switching the user to an AD user account the df -hT command is not showing the mounted disk.
And when I traced the command execution further, I learned that it has something to do with:
stat("/run/user/0/gvfs", 0x7ffd161496b0) = -1 EACCES (Permission denied)
stat("/fs/shows", 0x7ffd16149e10) = -1 EACCES (Permission denied)
/fs/shows mounted with type nfs4 (rw,relatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.x.x,local_lock=none,addr=192.168.x.x)
ls -lah /run/user/969/
ls: cannot access '/run/user/969/gvfs': Permission denied
total 0
drwx------ 7 lightdm lightdm 180 Aug 9 01:05 .
drwxr-xr-x 3 root root 60 Aug 9 01:05 ..
srw-rw-rw- 1 lightdm lightdm 0 Aug 9 01:05 bus
drwx------ 3 lightdm lightdm 60 Aug 9 01:05 dbus-1
drwx------ 2 lightdm lightdm 60 Aug 9 01:05 dconf
d????????? ? ? ? ? ? gvfs
srw-rw-rw- 1 lightdm lightdm 0 Aug 9 01:05 pipewire-0
drwx------ 2 lightdm lightdm 80 Aug 9 01:05 pulse
drwxr-xr-x 2 lightdm lightdm 80 Aug 9 01:05 systems
And at the moment I am a bit clueless as to how I fix this, if this is causing non-root users to not see the mounted disks when running df -hT - which is an immediate debugging step for us to see the mounts in AD user accounts.
Any thoughts will be very helpful.
Thanks,
Bhavik