[Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server

Prasun Gera prasun.gera at gmail.com
Fri Aug 26 23:02:56 UTC 2016


ipa-client-automount --uninstall was (is?) a bit broken in that it tries to
revert back to an older configuration, but it can accidentally revert it to
a state before the ipa-client was installed (as opposed to the state where
automount was installed). Check your nsswitch.conf file and compare it to
other clients on which things work fine. You might notice differences.

On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden <rcritten at redhat.com>
wrote:

> Mariusz Stolarczyk wrote:
>
>> Need help restoring central sudo rights on ipa server.
>>
>>
>> How I broke it!!!: I decided to take advantage of the centralized
>> automount feature with a custom location for a couple mounts. When I ran
>> the ipa-client-automount --location=server_mounts it appeared to install
>> correctly but that didn't appear not to work so my plan was to manually
>> set up the automount since it is only one machine. So of course I ran the
>> ipa-client-automount --uninstall on the ipa server and that's when I lost
>> the sudo rights on the ipa server: superuser not in the sudoers file,
>> this incident will be reported.
>>
>>
>> I have repeated these steps with the same results:
>>
>> Initially sudo works for superuser
>>
>> And after ipa-client-automount --location=server_mounts (on the
>> ipa-server)
>>
>> sudo still works
>>
>> but after, ipa-client-automount --uninstall
>>
>> no sudo for superuser on the ipa server but the superuser still has sudo
>> privileges on the clients????
>>
>>
>> background/versions:
>>
>> My setup is all CentOS 7.2 machines with one ipa server and the rest are
>> clients all using ipa version 4.2.0.
>>
>> I had no issues using the ipa-client-automount on all my clients to
>> configure network homes and shares as well as setting up a superuser
>> with central sudo powers before this happened.
>>
>>
>> 1.) Don't be too harsh if it is a BIG NO-NO to run the
>> ipa-client-automount command on the ipa-server
>>
>> 2.) Not sure what logs or config files I need to post.
>>
>
> I'd confirm that sssd is still configured to do sudo by looking for sss in
> the sudoers line in /etc/nsswitch.conf and ensure that sudo is an enabled
> service in /etc/sssd/sssd.conf, probably something like:
>
> services = nss, sudo, pam, ssh
>
> rob
>
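
The two checks suggested in the quoted reply (sss on the sudoers line of nsswitch.conf, sudo among the sssd services), as an added shell example that is not part of the original thread. The function names are hypothetical, and the assumption that the services line lives in the [sssd] section is mine; each function takes an optional path so it can be run against a copy of the file.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Paths default to the files named in the thread; pass a path to check a copy.

# Succeeds if the active "sudoers:" line in nsswitch.conf lists sss.
# A missing or commented-out sudoers line counts as a failure.
nss_sudoers_has_sss() {
    awk '
        /^[ \t]*sudoers:/ {
            sub(/#.*/, "")                   # drop trailing comment
            sub(/^[ \t]*sudoers:/, "")       # keep only the sources
            for (i = 1; i <= NF; i++) if ($i == "sss") found = 1
        }
        END { exit !found }
    ' "${1:-/etc/nsswitch.conf}"
}

# Succeeds if "services" in the [sssd] section of sssd.conf includes sudo.
# Assumption: the services line sits in [sssd]; other sections are ignored.
# The real file is normally readable only by root.
sssd_services_has_sudo() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\]/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit !found }
    ' "${1:-/etc/sssd/sssd.conf}"
}

# Reports each missing setting; returns non-zero if either is missing.
check_central_sudo() {
    rc=0
    nss_sudoers_has_sss "$1" || { echo "nsswitch.conf: sudoers line lacks sss"; rc=1; }
    sssd_services_has_sudo "$2" || { echo "sssd.conf: sudo not in [sssd] services"; rc=1; }
    return "$rc"
}
```

Run `check_central_sudo` with no arguments as root on the affected host, or pass copies of the two files taken from a client where sudo still works to compare.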