[Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server
Mariusz Stolarczyk
zeusuofm at hotmail.com
Sun Aug 28 04:50:34 UTC 2016
Sorry Rob for not being clear.
I created a special location with a couple of mounts with the webGUI and then applied the command: ipa-client-automount --location=server_mounts on the ipa server. Then I checked the server and the automounts were not available. I had no problems using the command (with a different set of mounts i.e. location) for all the clients. But to be honest I didn't spend too much time trying to fix it before applying the --uninstall which broke global sudo. The command says explicitly "ipa-client"-automount and I was applying it to the server so maybe it is not the intent to be run on the ipa server. I can give it another try with a virtual setup in a couple of days to confirm that.
-ms
________________________________
From: Rob Crittenden <rcritten at redhat.com>
Sent: Saturday, August 27, 2016 12:45:06 PM
To: Mariusz Stolarczyk; Prasun Gera
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server
Mariusz Stolarczyk wrote:
> The /etc/nsswitch.conf was the culprit. Fortunately there is a
> /etc/nsswitch.conf.bak and that did the trick.
>
>
> Rob, your suspicion was correct the sudoers line was missing.
>
>
> It actually looks like the ipa-client-automount --uninstall reverts the
> nsswitch.conf file to default pre-ipa values.
>
>
> Still a bit curious that the ipa-client-automount
> --location=server_mounts did not take on the ipa-server. If there is a
> good reason for this behavior I would suggest that the
> ipa-client-automount command would not even start if it was executed on
> the ipa server.
I don't understand this paragraph at all. What does "did not take" mean?
What do you mean by the command doesn't start?
rob
>
>
> thanks everyone!
>
> ms
>
> ------------------------------------------------------------------------
> *From:* Prasun Gera <prasun.gera at gmail.com>
> *Sent:* Friday, August 26, 2016 4:02 PM
> *To:* Rob Crittenden
> *Cc:* m s; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall breaks
> central sudo on ipa-server
> ipa-client-automount --uninstall was (is?) a bit broken in that it tries
> to revert back to an older configuration, but it can accidentally revert
> it to a state before the ipa-client was installed (as opposed to the
> state where automount was installed). Check your nsswitch.conf file and
> compare it to other clients on which things work fine. You might notice
> differences.
>
> On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> m s wrote:
>
> Need help restoring central sudo rights on ipa server.
>
>
> How I broke it!!!: I decided to take advantage of the centralized
> automount feature with a custom location for a couple mounts. When I ran
> the ipa-client-automount --location=server_mounts it appeared to install
> correctly but that didn't appear to work so my plan was to manually
> setup the automount since it is only one machine. So of course I ran the
> ipa-client-automount --uninstall on the ipa server and that's when I lost
> the sudo rights on the ipa server: superuser not in the sudoers file,
> this incident will be reported.
>
>
> I have repeated these steps with the same results:
>
> Initially sudo works for superuser
>
> And after ipa-client-automount --location=server_mounts (on the
> ipa-server)
>
> sudo still works
>
> but after, ipa-client-automount --uninstall
>
> no sudo for superuser on the ipa server but the superuser still has sudo
> privileges on the clients????
>
>
> background/versions:
>
> My setup is all CentOS 7.2 machines with one ipa server and the rest are
> clients all using ipa version 4.2.0.
>
> I had no issues using the ipa-client-automount on all my clients to
> configure network homes and shares as well as setting up a superuser
> with central sudo powers before this happened.
>
>
> 1.) Don't be too harsh if it is a BIG NO-NO to run the
> ipa-client-automount command on the ipa-server
>
> 2.) Not sure what logs or config files I need to post.
>
>
> I'd confirm that sssd is still configured to do sudo by looking for
> sss in the sudoers line in /etc/nsswitch.conf and ensure that sudo
> is an enabled service in /etc/sssd/sssd.conf, probably something like:
>
> services = nss, sudo, pam, ssh
>
> rob
>
>
>
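The two checks suggested in the thread (sss on the sudoers line of /etc/nsswitch.conf, and sudo in the services list of the [sssd] section of /etc/sssd/sssd.conf), written out as an added example that is not part of the original messages or FreeIPA's own code. The function names and the sample file contents are constructed for illustration; on a real host, call the functions with the actual file paths.

```shell
#!/bin/sh
# Added example: function names and sample files below are constructed.

# Succeeds if the "sudoers:" line of an nsswitch.conf-style file lists "sss".
nsswitch_has_sss_sudoers() {
    awk '
        { sub(/#.*/, "") }                       # ignore comments
        $1 == "sudoers:" {
            for (i = 2; i <= NF; i++) if ($i == "sss") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Succeeds if "services" in the [sssd] section of an sssd.conf-style file
# includes "sudo". A "services" key in any other section is ignored.
sssd_has_sudo_service() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")                   # keep only the value
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed samples: one nsswitch.conf with the sudoers line intact, one
# with it missing (the state described in the thread), and one sssd.conf.
demo() {
    d=$(mktemp -d) || return 1
    printf 'passwd: files sss\nsudoers: files sss\n' > "$d/nsswitch.good"
    printf 'passwd: files\n# sudoers: files sss\n' > "$d/nsswitch.reverted"
    printf '[sssd]\nservices = nss, sudo, pam, ssh\n' > "$d/sssd.conf"
    for f in "$d/nsswitch.good" "$d/nsswitch.reverted"; do
        if nsswitch_has_sss_sudoers "$f"; then echo "OK       ${f##*/}"
        else echo "MISSING  ${f##*/}: no sss on the sudoers line"; fi
    done
    if sssd_has_sudo_service "$d/sssd.conf"; then echo "OK       sssd.conf"
    else echo "MISSING  sssd.conf: sudo not in [sssd] services"; fi
    rm -rf "$d"
}
demo
```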