[Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server

Prasun Gera prasun.gera at gmail.com
Sat Aug 27 15:29:58 UTC 2016


I had created a bug for this
https://bugzilla.redhat.com/show_bug.cgi?id=1276153, and there was an
existing bug report too (https://bugzilla.redhat.com/show_bug.cgi?id=1141799),
but that's been marked as wontfix. Since this trips multiple people, I
would like to propose reopening it.

On Sat, Aug 27, 2016 at 1:49 AM, Mariusz Stolarczyk <zeusuofm at hotmail.com>
wrote:

> The /etc/nsswitch.conf was the culprit. Fortunately there is a
> /etc/nsswitch.cof.bak and that did the trick.
>
>
> Rob, your suspicion was correct: the sudoers line was missing.
>
>
> It actually looks like the ipa-client-automount --uninstall reverts the
> nsswitch.conf file to default pre-ipa values.
>
>
> Still a bit curious that the ipa-client-automount --location=server_mounts
> did not take on the ipa-server. If there is a good reason for this behavior
> I would suggest that the ipa-client-automount command would not even
> start if it was executed on the ipa server.
>
>
> thanks everyone!
> ms
>
> ------------------------------
> *From:* Prasun Gera <prasun.gera at gmail.com>
> *Sent:* Friday, August 26, 2016 4:02 PM
> *To:* Rob Crittenden
> *Cc:* m s; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall breaks
> central sudo on ipa-server
>
> ipa-client-automount --uninstall was (is?) a bit broken in that it tries to
> revert back to an older configuration, but it can accidentally revert it to
> a state before the ipa-client was installed (as opposed to the state where
> automount was installed). Check your nsswitch.conf file and compare it to
> other clients on which things work fine. You might notice differences.
>
> On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden <rcritten at redhat.com>
> wrote:
>
>> m s wrote:
>>
>>> Need help restoring central sudo rights on ipa server.
>>>
>>>
>>> How I broke it!!!: I decided to take advantage of the centralized
>>> automount feature with a custom location for a couple mounts. When I ran
>>> the ipa-client-automount --location=server_mounts it appeared to install
>>> correctly but that didn't appear not to work so my plan was to manually
>>> set up the automount since it is only one machine. So of course I ran the
>>> ipa-client-automount --uninstall on the ipa server and that's when I lost
>>> the sudo rights on the ipa server: superuser not in the sudoers file,
>>> this incident will be reported.
>>>
>>>
>>> I have repeated these steps with the same results:
>>>
>>> Initially sudo works for superuser
>>>
>>> And after ipa-client-automount --location=server_mounts (on the
>>> ipa-server)
>>>
>>> sudo still works
>>>
>>> but after, ipa-client-automount --uninstall
>>>
>>> no sudo for superuser on the ipa server but the superuser still has sudo
>>> privileges on the clients????
>>>
>>>
>>> background/versions:
>>>
>>> My setup is all CentOS 7.2 machines with one ipa server and the rest are
>>> clients all using ipa version 4.2.0.
>>>
>>> I had no issues using the ipa-client-automount on all my clients to
>>> configure network homes and shares as well as setting up a superuser
>>> with central sudo powers before this happened.
>>>
>>>
>>> 1.) Don't be too harsh if it is a BIG NO-NO to run the
>>> ipa-client-automount command on the ipa-server
>>>
>>> 2.) Not sure what logs or config files I need to post.
>>>
>>
>> I'd confirm that sssd is still configured to do sudo by looking for sss
>> in the sudoers line in /etc/nsswitch.conf and ensure that sudo is an
>> enabled service in /etc/sssd/sssd.conf, probably something like:
>>
>> services = nss, sudo, pam, ssh
>>
>> rob
>>
>
>
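
The two checks discussed in this thread (sss on the sudoers line of /etc/nsswitch.conf, and sudo among the sssd services in /etc/sssd/sssd.conf), as an added example that is not part of the original messages. The function names are hypothetical, and the assumption that the services line sits in the [sssd] section is this example's, not the thread's.

```shell
#!/bin/sh
# Added example: verify the two settings named in the thread that central
# (SSSD-backed) sudo depends on. Function names are hypothetical.

# Succeeds when the "sudoers:" line of an nsswitch.conf-style file lists sss.
nsswitch_has_sss_sudoers() {
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == "sudoers:" {
            for (i = 2; i <= NF; i++) if ($i == "sss") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Succeeds when "services" in the [sssd] section of sssd.conf includes sudo.
sssd_has_sudo_service() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")                  # keep only the value
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Report both checks; non-zero exit status if either one fails.
check_central_sudo() {
    nss=${1:-/etc/nsswitch.conf}
    sssd=${2:-/etc/sssd/sssd.conf}
    rc=0
    nsswitch_has_sss_sudoers "$nss" \
        || { echo "FAIL: no sss on the sudoers line in $nss"; rc=1; }
    sssd_has_sudo_service "$sssd" \
        || { echo "FAIL: sudo not in [sssd] services in $sssd"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: sudo is configured to use sssd"
    return "$rc"
}
```

Source the file and run `check_central_sudo` as root (sssd.conf is normally readable only by root) before and after `ipa-client-automount --uninstall` to see whether the sudoers line was reverted.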