[Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server

Prasun Gera prasun.gera at gmail.com
Sun Aug 28 06:31:07 UTC 2016


>
> In retrospect saving a copy of nsswitch.conf is a bit overkill. It really
> just needs to save and restore the automount entry in /etc/nsswitch.conf,
> not the whole file.
>
>
I think it should also remove the sssd configuration in addition to
removing it from nsswitch, i.e. uninstalling the automount should bring
sssd to a clean state as well.


> rob
>
>
>> On Sat, Aug 27, 2016 at 1:49 AM, Mariusz Stolarczyk
>> <zeusuofm at hotmail.com> wrote:
>>
>>     The /etc/nsswitch.conf was the culprit. Fortunately there is a
>>     /etc/nsswitch.cof.bak and that did the trick.
>>
>>
>>     Rob, your suspicion was correct: the sudoers line was missing.
>>
>>
>>     It actually looks like the ipa-client-automount --uninstall reverts
>>     the nsswitch.conf file to default pre-ipa values.
>>
>>
>>     Still a bit curious that the ipa-client-automount
>>     --location=server_mounts did not take on the ipa-server. If there is
>>     a good reason for this behavior I would suggest that the
>>     ipa-client-automount command would not even start if it was
>>     executed on the ipa server.
>>
>>
>>     thanks everyone!
>>
>>     ms
>>
>>     ------------------------------------------------------------------------
>>     *From:* Prasun Gera <prasun.gera at gmail.com>
>>     *Sent:* Friday, August 26, 2016 4:02 PM
>>     *To:* Rob Crittenden
>>     *Cc:* m s; freeipa-users at redhat.com
>>     *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall
>>     breaks central sudo on ipa-server
>>     ipa-client-automount --uninstall was(is?) a bit broken in that it
>>     tries to revert back to an older configuration, but it can
>>     accidentally revert it to a state before the ipa-client was
>>     installed (as opposed to the state where automount was installed).
>>     Check your nsswitch.conf file and compare it to other clients on
>>     which things work fine. You might notice differences.
>>
>>     On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden
>>     <rcritten at redhat.com> wrote:
>>
>>         m s wrote:
>>
>>             Need help restoring central sudo rights on ipa server.
>>
>>
>>             How I broke it!!!: I decided to take advantage of the
>>             centralized
>>             automount feature with a custom location for a couple
>>             mounts. When I ran
>>             the ipa-client-automount --location=server_mounts it
>>             appeared to install
>>             correctly but that didn't appear to work so my plan was
>>             to manually
>>             setup the automount since it is only one machine. So of
>>             course I ran the
>>             ipa-client-automount --uninstall on the ipa server and that's
>>             when I lost
>>             the sudo rights on the ipa server: superuser not in the
>>             sudoers file,
>>             this incident will be reported.
>>
>>
>>             I have repeated these steps with the same results:
>>
>>             Initially sudo works for superuser
>>
>>             And after ipa-client-automount --location=server_mounts (on
>>             the ipa-server)
>>
>>             sudo still works
>>
>>             but after, ipa-client-automount --uninstall
>>
>>             no sudo for superuser on the ipa server but the superuser
>>             still has sudo
>>             privileges on the clients????
>>
>>
>>             background/versions:
>>
>>             My setup is all CentOS 7.2 machines with one ipa server and
>>             the rest are
>>             clients all using ipa version 4.2.0.
>>
>>             I had no issues using the ipa-client-automount on all my
>>             clients to
>>             configure network homes and shares as well as setting up a
>>             superuser
>>             with central sudo powers before this happened.
>>
>>
>>             1.) Don't be too harsh if it is a BIG NO-NO to run the
>>             ipa-client-automount command on the ipa-server
>>
>>             2.) Not sure what logs or config files I need to post.
>>
>>
>>         I'd confirm that sssd is still configured to do sudo by looking
>>         for sss in the sudoers line in /etc/nsswitch.conf and ensure
>>         that sudo is an enabled service in /etc/sssd/sssd.conf, probably
>>         something like:
>>
>>         services = nss, sudo, pam, ssh
>>
>>         rob
>>
>
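
The two checks suggested in the thread (an `sss` source on the `sudoers` line of nsswitch.conf, and `sudo` among the services in sssd.conf), together with the comparison against a working client's nsswitch.conf, written as a script. This is an added example, not part of the thread or of FreeIPA; the file contents are constructed samples and the function names are hypothetical.

```python
import configparser

def parse_nsswitch(text):
    """Map each database (passwd, sudoers, ...) to its ordered source list."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # Drop action items such as [NOTFOUND=return]; keep source names only.
        dbs[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs

def sssd_services(text):
    """Services enabled in the [sssd] section of sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    raw = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]

def check_central_sudo(nsswitch_text, sssd_text):
    """List what is missing for sudo to consult SSSD for its rules."""
    problems = []
    if "sss" not in parse_nsswitch(nsswitch_text).get("sudoers", []):
        problems.append("nsswitch.conf: no 'sss' source on the sudoers line")
    if "sudo" not in sssd_services(sssd_text):
        problems.append("sssd.conf: 'sudo' not in [sssd] services")
    return problems

def nsswitch_drift(reference_text, local_text):
    """Databases whose sources differ from a known-good client's file."""
    ref, loc = parse_nsswitch(reference_text), parse_nsswitch(local_text)
    return {db: (ref.get(db), loc.get(db))
            for db in sorted(set(ref) | set(loc)) if ref.get(db) != loc.get(db)}

# Constructed samples: a working client, and a file reverted to plain "files".
GOOD = "passwd: files sss\nsudoers: files sss\nautomount: files sss\n"
REVERTED = "passwd: files\nautomount: files  # sudoers line is gone\n"
SSSD_CONF = "[sssd]\nservices = nss, sudo, pam, ssh\ndomains = example.test\n"

if __name__ == "__main__":
    # On a real host, read /etc/nsswitch.conf and /etc/sssd/sssd.conf instead.
    for problem in check_central_sudo(REVERTED, SSSD_CONF):
        print("FAIL", problem)
    for db, (want, have) in nsswitch_drift(GOOD, REVERTED).items():
        print(f"{db}: reference={want} local={have}")
```

Running the drift comparison before and after an uninstall shows whether only the automount entry changed or whether other databases, such as sudoers, were reverted with it.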