[Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server

Mariusz Stolarczyk zeusuofm at hotmail.com
Sun Aug 28 04:50:34 UTC 2016


Sorry Rob for not being clear.


I created a special location with a couple of mounts with the webGUI and then applied the command: ipa-client-automount --location=server_mounts on the ipa server. Then I checked the server and the automounts were not available. I had no problems using the command (with a different set of mounts i.e. location) for all the clients. But to be honest I didn't spend too much time trying to fix it before applying the --uninstall which broke global sudo. The command says explicitly "ipa-client"-automount and I was applying it to the server so maybe it is not the intent to be run on the ipa server. I can give it another try with a virtual setup in a couple of days to confirm that.


-ms


________________________________
From: Rob Crittenden <rcritten at redhat.com>
Sent: Saturday, August 27, 2016 12:45:06 PM
To: Mariusz Stolarczyk; Prasun Gera
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server

Mariusz Stolarczyk wrote:
> The /etc/nsswitch.conf was the culprit. Fortunately there is a
> /etc/nsswitch.conf.bak and that did the trick.
>
>
> Rob, your suspicion was correct: the sudoers line was missing.
>
>
> It actually looks like the ipa-client-automount --uninstall reverts the
> nsswitch.conf file to default pre-ipa values.
>
>
> Still a bit curious that the ipa-client-automount
> --location=server_mounts did not take on the ipa-server. If there is a
> good reason for this behavior I would suggest that the
> ipa-client-automount command would not even start if it was executed on
> the ipa server.

I don't understand this paragraph at all. What does "did not take" mean?
What do you mean by the command doesn't start?

rob

>
>
> thanks everyone!
>
> ms
>
> ------------------------------------------------------------------------
> *From:* Prasun Gera <prasun.gera at gmail.com>
> *Sent:* Friday, August 26, 2016 4:02 PM
> *To:* Rob Crittenden
> *Cc:* m s; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall breaks
> central sudo on ipa-server
> ipa-client-automount --uninstall was(is?) a bit broken in that it tries
> to revert back to an older configuration, but it can accidentally revert
> it to a state before the ipa-client was installed (as opposed to the
> state where automount was installed). Check your nsswitch.conf file and
> compare it to other clients on which things work fine. You might notice
> differences.
>
> On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     m s wrote:
>
>         Need help restoring central sudo rights on ipa server.
>
>
>         How I broke it!!!: I decided to take advantage of the centralized
>         automount feature with a custom location for a couple mounts.
>         When I ran the ipa-client-automount --location=server_mounts it
>         appeared to install correctly but that didn't appear to work so
>         my plan was to manually setup the automount since it is only one
>         machine. So of course I ran the ipa-client-automount --uninstall
>         on the ipa server and that's when I lost the sudo rights on the
>         ipa server: superuser not in the sudoers file, this incident will
>         be reported.
>
>
>         I have repeated these steps with the same results:
>
>         Initially sudo works for superuser
>
>         And after ipa-client-automount --location=server_mounts (on the
>         ipa-server)
>
>         sudo still works
>
>         but after, ipa-client-automount --uninstall
>
>         no sudo for superuser on the ipa server but the superuser still
>         has sudo privileges on the clients????
>
>
>         background/versions:
>
>         My setup is all CentOS 7.2 machines with one ipa server and the
>         rest are clients all using ipa version 4.2.0.
>
>         I had no issues using the ipa-client-automount on all my clients to
>         configure network homes and shares as well as setting up a superuser
>         with central sudo powers before this happened.
>
>
>         1.) Don't be too harsh if it is a BIG NO-NO to run the
>         ipa-client-automount command on the ipa-server
>
>         2.) Not sure what logs or config files I need to post.
>
>
>     I'd confirm that sssd is still configured to do sudo by looking for
>     sss in the sudoers line in /etc/nsswitch.conf and ensure that sudo
>     is an enabled service in /etc/sssd/sssd.conf, probably something like:
>
>     services = nss, sudo, pam, ssh
>
>     rob
>
>
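
The two checks suggested in the thread (sss on the sudoers line of /etc/nsswitch.conf, and sudo in the services list of /etc/sssd/sssd.conf), written out as an added example that is not part of the original messages or FreeIPA's own code. The function names and the sample files are constructed for illustration; with no arguments, check_central_sudo reads the two real paths named in the thread.

```shell
#!/bin/sh
# Illustrative helper (name is an assumption): succeeds if the active
# "sudoers:" line of an nsswitch.conf lists "sss".
nss_sudo_uses_sss() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        $1 == "sudoers:" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break             # trailing comment
                if ($i == "sss") found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Succeeds if "sudo" is in the services list of the [sssd] section.
sssd_sudo_enabled() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# usage: check_central_sudo [nsswitch.conf] [sssd.conf]
check_central_sudo() {
    nss=${1:-/etc/nsswitch.conf}; conf=${2:-/etc/sssd/sssd.conf}; rc=0
    nss_sudo_uses_sss "$nss" || { echo "FAIL: no sss on sudoers line in $nss"; rc=1; }
    sssd_sudo_enabled "$conf" || { echo "FAIL: sudo not in [sssd] services in $conf"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: sudo is resolved through sssd"; fi
    return "$rc"
}

# Constructed samples: nsswitch.conf without a sudoers line, and with it restored.
demo=$(mktemp -d)
printf 'passwd: files\ngroup: files\n' > "$demo/nsswitch.reverted"
printf 'passwd: files sss\ngroup: files sss\nsudoers: files sss\n' > "$demo/nsswitch.restored"
printf '[sssd]\nservices = nss, sudo, pam, ssh\n' > "$demo/sssd.conf"
check_central_sudo "$demo/nsswitch.reverted" "$demo/sssd.conf" || true
check_central_sudo "$demo/nsswitch.restored" "$demo/sssd.conf"
```

Running the same check before and after any ipa-client-automount change on a host shows immediately whether the sudoers line survived.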
