[Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server
Prasun Gera
prasun.gera at gmail.com
Sun Aug 28 06:31:07 UTC 2016
>
> In retrospect saving a copy of nsswitch.conf is a bit overkill. It really
> just needs to save and restore the automount entry in /etc/nsswitch.conf,
> not the whole file.
>
>
I think it should also remove the sssd configuration in addition to
removing it from nsswitch, i.e. uninstalling the automount should bring
sssd to a clean state as well.
> rob
>
>
>> On Sat, Aug 27, 2016 at 1:49 AM, Mariusz Stolarczyk
>> <zeusuofm at hotmail.com> wrote:
>>
>> The /etc/nsswitch.conf was the culprit. Fortunately there is a
>> /etc/nsswitch.cof.bak and that did the trick.
>>
>>
>> Rob, your suspicion was correct: the sudoers line was missing.
>>
>>
>> It actually looks like the ipa-client-automount --uninstall reverts
>> the nsswitch.conf file to default pre-ipa values.
>>
>>
>> Still a bit curious that the ipa-client-automount
>> --location=server_mounts did not take on the ipa-server. If there is
>> a good reason for this behavior I would suggest that the
>> ipa-client-automount command would not even start if it was
>> executed on the ipa server.
>>
>>
>> thanks everyone!
>>
>> ms
>>
>> ------------------------------------------------------------------------
>> *From:* Prasun Gera <prasun.gera at gmail.com>
>> *Sent:* Friday, August 26, 2016 4:02 PM
>> *To:* Rob Crittenden
>> *Cc:* m s; freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server
>>
>> ipa-client-automount --uninstall was (is?) a bit broken in that it
>> tries to revert back to an older configuration, but it can
>> accidentally revert it to a state before the ipa-client was
>> installed (as opposed to the state where automount was installed).
>> Check your nsswitch.conf file and compare it to other clients on
>> which things work fine. You might notice differences.
>>
>> On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden
>> <rcritten at redhat.com> wrote:
>>
>> m s wrote:
>>
>> Need help restoring central sudo rights on ipa server.
>>
>>
>> How I broke it!!!: I decided to take advantage of the centralized
>> automount feature with a custom location for a couple mounts. When I ran
>> the ipa-client-automount --location=server_mounts it appeared to install
>> correctly but that didn't appear not to work so my plan was to manually
>> set up the automount since it is only one machine. So of course I ran the
>> ipa-client-automount --uninstall on the ipa server and that's when I lost
>> the sudo rights on the ipa server: superuser not in the sudoers file,
>> this incident will be reported.
>>
>>
>> I have repeated these steps with the same results:
>>
>> Initially sudo works for superuser
>>
>> And after ipa-client-automount --location=server_mounts (on the ipa-server)
>>
>> sudo still works
>>
>> but after, ipa-client-automount --uninstall
>>
>> no sudo for superuser on the ipa server but the superuser still has sudo
>> privileges on the clients????
>>
>>
>> background/versions:
>>
>> My setup is all CentOS 7.2 machines with one ipa server and the rest are
>> clients all using ipa version 4.2.0.
>>
>> I had no issues using the ipa-client-automount on all my clients to
>> configure network homes and shares as well as setting up a superuser
>> with central sudo powers before this happened.
>>
>>
>> 1.) Don't be too harsh if it is a BIG NO-NO to run the
>> ipa-client-automount command on the ipa-server
>>
>> 2.) Not sure what logs or config files I need to post.
>>
>> I'd confirm that sssd is still configured to do sudo by looking
>> for sss in the sudoers line in /etc/nsswitch.conf and ensure
>> that sudo is an enabled service in /etc/sssd/sssd.conf, probably
>> something like:
>>
>> services = nss, sudo, pam, ssh
>>
>> rob
>>
>
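
The two checks suggested in the quoted messages (an `sss` source on the `sudoers` line of nsswitch.conf, and `sudo` among the `services` in the `[sssd]` section of sssd.conf), written out as an added example that is not part of the original thread or of FreeIPA. The function names are hypothetical.

```shell
#!/bin/bash
# Added example: helper names are hypothetical, not part of FreeIPA or SSSD.

# Succeeds if the "sudoers:" line of an nsswitch.conf-style file lists "sss".
nss_sudoers_has_sss() {
    awk '
        { sub(/#.*/, "") }                         # strip comments
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/^[^:]*:/, "")                     # keep only the source list
            n = split($0, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "sss") found = 1
        }
        END { exit !found }
    ' "$1"
}

# Succeeds if "services" in the [sssd] section of sssd.conf includes "sudo".
sssd_services_has_sudo() {
    awk '
        /^[ \t]*[#;]/ { next }                     # skip comment lines
        /^[ \t]*\[/   { in_sssd = ($0 ~ /^[ \t]*\[sssd\]/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit !found }
    ' "$1"
}

# Reports both checks; returns non-zero if either one fails.
check_sudo_via_sssd() {
    local rc=0
    nss_sudoers_has_sss "$1"    || { echo "FAIL: no 'sss' source on sudoers line in $1"; rc=1; }
    sssd_services_has_sudo "$2" || { echo "FAIL: 'sudo' not in [sssd] services in $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: sudo rules are looked up through SSSD"
    return "$rc"
}

# Run against real files only when both paths are passed on the command line.
if [ "$#" -eq 2 ]; then check_sudo_via_sssd "$1" "$2"; fi
```

Run it as root with `/etc/nsswitch.conf /etc/sssd/sssd.conf` as arguments, since sssd.conf is normally readable only by root; running it before and after `ipa-client-automount --uninstall` shows whether the sudoers line was dropped.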