[Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server
Rob Crittenden
rcritten at redhat.com
Sat Aug 27 19:49:49 UTC 2016
Prasun Gera wrote:
> I had created a bug for this
> https://bugzilla.redhat.com/show_bug.cgi?id=1276153, and there was an
> existing bug report too
> (https://bugzilla.redhat.com/show_bug.cgi?id=1141799), but that's been
> marked as wontfix. Since this trips multiple people, I would like to
> propose reopening it.
The upstream ticket is still open,
https://fedorahosted.org/freeipa/ticket/4543, it just really hasn't
seemed to affect that many people, which is why it is being considered a
low priority to fix.
In retrospect saving a copy of nsswitch.conf is a bit overkill. It
really just needs to save and restore the automount entry in
/etc/nsswitch.conf, not the whole file.
rob
>
> On Sat, Aug 27, 2016 at 1:49 AM, Mariusz Stolarczyk
> <zeusuofm at hotmail.com> wrote:
>
> The /etc/nsswitch.conf was the culprit. Fortunately there is a
> /etc/nsswitch.conf.bak and that did the trick.
>
>
> Rob, your suspicion was correct the sudoers line was missing.
>
>
> It actually looks like the ipa-client-automount --uninstall reverts
> the nsswitch.conf file to default pre-ipa values.
>
>
> Still a bit curious that the ipa-client-automount
> --location=server_mounts did not take on the ipa-server. If there is
> a good reason for this behavior I would suggest that the
> ipa-client-automount command would not even start if it was
> executed on the ipa server.
>
>
> thanks everyone!
>
> ms
>
> ------------------------------------------------------------------------
> *From:* Prasun Gera <prasun.gera at gmail.com>
> *Sent:* Friday, August 26, 2016 4:02 PM
> *To:* Rob Crittenden
> *Cc:* m s; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall
> breaks central sudo on ipa-server
> ipa-client-automount --uninstall was(is?) a bit broken in that it
> tries to revert back to an older configuration, but it can
> accidentally revert it to a state before the ipa-client was
> installed (as opposed to the state where automount was installed).
> Check your nsswitch.conf file and compare it to other clients on
> which things work fine. You might notice differences.
>
> On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden
> <rcritten at redhat.com> wrote:
>
> m s wrote:
>
> Need help restoring central sudo rights on ipa server.
>
> How I broke it!!!: I decided to take advantage of the centralized
> automount feature with a custom location for a couple mounts. When I ran
> the ipa-client-automount --location=server_mounts it appeared to install
> correctly but that didn't appear to work, so my plan was to manually
> set up the automount since it is only one machine. So of course I ran the
> ipa-client-automount --uninstall on the ipa server and that's when I lost
> the sudo rights on the ipa server: superuser not in the sudoers file,
> this incident will be reported.
>
> I have repeated these steps with the same results:
>
> Initially sudo works for superuser
>
> And after ipa-client-automount --location=server_mounts (on the ipa-server)
>
> sudo still works
>
> but after, ipa-client-automount --uninstall
>
> no sudo for superuser on the ipa server but the superuser still has sudo
> privileges on the clients????
>
> background/versions:
>
> My setup is all CentOS 7.2 machines with one ipa server and the rest are
> clients all using ipa version 4.2.0.
>
> I had no issues using the ipa-client-automount on all my clients to
> configure network homes and shares as well as setting up a superuser
> with central sudo powers before this happened.
>
> 1.) Don't be too harsh if it is a BIG NO-NO to run the
> ipa-client-automount command on the ipa-server
>
> 2.) Not sure what logs or config files I need to post.
>
>
> I'd confirm that sssd is still configured to do sudo by looking
> for sss in the sudoers line in /etc/nsswitch.conf and ensure
> that sudo is an enabled service in /etc/sssd/sssd.conf, probably
> something like:
>
> services = nss, sudo, pam, ssh
>
> rob
>
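As an added example (not from the thread and not FreeIPA's own code), a Python check for the two settings Rob points at, the `sss` source on the `sudoers:` line of nsswitch.conf and `sudo` in the `[sssd] services` list of sssd.conf, plus the narrower restore he proposes: putting back only the automount entry from a backup instead of reverting the whole file. The file contents are constructed samples and the function names are assumptions.

```python
import configparser

# Constructed samples, not from any real host: nsswitch.conf as the thread
# describes it after --uninstall reverted the sudoers line, and an sssd.conf
# carrying the services line Rob quotes.
BROKEN_NSSWITCH = """passwd:     files sss
sudoers:    files
automount:  files
"""
SSSD_CONF = """[sssd]
services = nss, sudo, pam, ssh
domains = example.test
"""

def parse_nsswitch(text):
    """Map each nsswitch database (passwd, sudoers, ...) to its source list."""
    db = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" in line:
            name, sources = line.split(":", 1)
            db[name.strip()] = sources.split()
    return db

def sudo_problems(nsswitch_text, sssd_conf_text):
    """Return why central sudo via sssd would fail; empty means both are set."""
    problems = []
    if "sss" not in parse_nsswitch(nsswitch_text).get("sudoers", []):
        problems.append("nsswitch.conf: 'sss' missing from the sudoers line")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    services = cfg.get("sssd", "services", fallback="")
    if "sudo" not in [s.strip() for s in services.split(",")]:
        problems.append("sssd.conf: 'sudo' not in [sssd] services")
    return problems

def restore_automount_only(current, backup):
    """Put back only the automount entry saved in backup; every other line
    of current (the sudoers line included) stays as it is."""
    saved = parse_nsswitch(backup).get("automount")
    if saved is None:
        return current
    lines = current.splitlines()
    idx = [i for i, l in enumerate(lines) if l.split("#")[0].strip().startswith("automount:")]
    entry = "automount:  " + " ".join(saved)
    if idx:
        lines[idx[0]] = entry
    else:
        lines.append(entry)
    return "\n".join(lines) + "\n"
```

Run `sudo_problems` over the real files on a host that lost central sudo to see which of the two settings the uninstall removed.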