[Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server

Rob Crittenden rcritten at redhat.com
Sat Aug 27 19:49:49 UTC 2016


Prasun Gera wrote:
> I had created a bug for this
> https://bugzilla.redhat.com/show_bug.cgi?id=1276153, and there was an
> existing bug report too
> (https://bugzilla.redhat.com/show_bug.cgi?id=1141799), but that's been
> marked as wontfix. Since this trips multiple people, I would like to
> propose reopening it.

The upstream ticket is still open, 
https://fedorahosted.org/freeipa/ticket/4543 , it just really hasn't 
seemed to affect that many people which is why it is being considered a 
low priority to fix.

In retrospect saving a copy of nsswitch.conf is a bit overkill. It 
really just needs to save and restore the automount entry in 
/etc/nsswitch.conf, not the whole file.

rob

>
> On Sat, Aug 27, 2016 at 1:49 AM, Mariusz Stolarczyk
> <zeusuofm at hotmail.com> wrote:
>
>     The /etc/nsswitch.conf was the culprit. Fortunately there is a
>     /etc/nsswitch.cof.bak and that did the trick.
>
>
>     Rob, your suspicion was correct the sudoers line was missing.
>
>
>     It actually looks like the ipa-client-automount --uninstall reverts
>     the nsswitch.conf file to default pre-ipa values.
>
>
>     Still a bit curious that the ipa-client-automount
>     --location=server_mounts did not take on the ipa-server. If there is
>     a good reason for this behavior I would suggest that the
>     ipa-client-automount command would not even start if it was
>     executed on the ipa server.
>
>
>     thanks everyone!
>
>     ms
>
>     ------------------------------------------------------------------------
>     *From:* Prasun Gera <prasun.gera at gmail.com>
>     *Sent:* Friday, August 26, 2016 4:02 PM
>     *To:* Rob Crittenden
>     *Cc:* m s; freeipa-users at redhat.com
>     *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall
>     breaks central sudo on ipa-server
>     ipa-client-automount --uninstall was(is?) a bit broken in that it
>     tries to revert back to an older configuration, but it can
>     accidentally revert it to a state before the ipa-client was
>     installed (as opposed to the state where automount was installed).
>     Check your nsswitch.conf file and compare it to other clients on
>     which things work fine. You might notice differences.
>
>     On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden
>     <rcritten at redhat.com> wrote:
>
>         m s wrote:
>
>             Need help restoring central sudo rights on ipa server.
>
>
>             How I broke it!!!: I decided to take advantage of the centralized
>             automount feature with a custom location for a couple mounts.
>             When I ran the ipa-client-automount --location=server_mounts it
>             appeared to install correctly but that didn't appear not to work
>             so my plan was to manually setup the automount since it is only
>             one machine. So of course I ran the ipa-client-automount
>             --uninstall on the ipa server and that's when I lost the sudo
>             rights on the ipa server: superuser not in the sudoers file,
>             this incident will be reported.
>
>
>             I have repeated these steps with the same results:
>
>             Initially sudo works for superuser
>
>             And after ipa-client-automount --location=server_mounts (on the
>             ipa-server)
>
>             sudo still works
>
>             but after, ipa-client-automount --uninstall
>
>             no sudo for superuser on the ipa server but the superuser still
>             has sudo privileges on the clients????
>
>
>             background/versions:
>
>             My setup is all CentOS 7.2 machines with one ipa server and the
>             rest are clients all using ipa version 4.2.0.
>
>             I had no issues using the ipa-client-automount on all my clients
>             to configure network homes and shares as well as setting up a
>             superuser with central sudo powers before this happened.
>
>
>             1.) Don't be too harsh if it is a BIG NO-NO to run the
>             ipa-client-automount command on the ipa-server
>
>             2.) Not sure what logs or config files I need to post.
>
>
>         I'd confirm that sssd is still configured to do sudo by looking
>         for sss in the sudoers line in /etc/nsswitch.conf and ensure
>         that sudo is an enabled service in /etc/sssd/sssd.conf, probably
>         something like:
>
>         services = nss, sudo, pam, ssh
>
>         rob
>
>
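
The two checks suggested in the thread (sss on the sudoers line of nsswitch.conf, sudo among the sssd services) and the per-entry restore described in the reply, as an added example that is not part of the original messages and is not FreeIPA's own code. The function names and the sample file contents are constructed for illustration.

```python
import configparser
import re

# Constructed sample files, not taken from the machines in the thread.
NSSWITCH_CURRENT = (
    "passwd:     files sss\n"
    "group:      files sss\n"
    "sudoers:    files sss\n"
    "automount:  files sss\n"
)
# What a whole-file restore to pre-IPA defaults looks like: no sudoers line.
NSSWITCH_WHOLE_FILE_RESTORE = "passwd:     files\ngroup:      files\n"
SSSD_CONF = "[sssd]\nservices = nss, sudo, pam, ssh\ndomains = example.test\n"

AUTOMOUNT_RE = re.compile(r"^\s*automount\s*:")

def nss_sources(text, database):
    """Return the sources configured for one nsswitch database ([] if absent)."""
    for line in text.splitlines():
        name, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            return rest.split()
    return []

def sudo_via_sssd(nsswitch_text, sssd_text):
    """Both checks from the thread: sss on the sudoers line, sudo in services."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    return "sss" in nss_sources(nsswitch_text, "sudoers") and "sudo" in services

def restore_automount_only(current_text, saved_line):
    """Put back only the saved automount line (None = there was none)."""
    out, seen = [], False
    for line in current_text.splitlines():
        if AUTOMOUNT_RE.match(line):
            if saved_line is not None and not seen:
                out.append(saved_line)
            seen = True
        else:
            out.append(line)
    if saved_line is not None and not seen:
        out.append(saved_line)
    return "\n".join(out) + "\n"
```
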



