[Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server
Rob Crittenden
rcritten at redhat.com
Sun Aug 28 15:02:13 UTC 2016
Prasun Gera wrote:
> In retrospect saving a copy of nsswitch.conf is a bit overkill. It
> really just needs to save and restore the automount entry in
> /etc/nsswitch.conf, not the whole file.
AFAIR this is already done appropriately in sssd.conf. The service is
removed, no files are restored.
rob
>
>
> I think it should also remove the sssd configuration in addition to
> removing it from nsswitch. i.e. Uninstalling the automount should bring
> sssd to a clean state as well.
>
> rob
>
>
> On Sat, Aug 27, 2016 at 1:49 AM, Mariusz Stolarczyk
> <zeusuofm at hotmail.com> wrote:
>
> The /etc/nsswitch.conf was the culprit. Fortunately there is a
> /etc/nsswitch.cof.bak and that did the trick.
>
>
> Rob, your suspicion was correct the sudoers line was missing.
>
>
> It actually looks like the ipa-client-automount --uninstall reverts
> the nsswitch.conf file to default pre-ipa values.
>
>
> Still a bit curious that the ipa-client-automount
> --location=server_mounts did not take on the ipa-server. If there is
> a good reason for this behavior I would suggest that the
> ipa-client-automount command would not even start if it was
> executed on the ipa server.
>
>
> thanks everyone!
>
> ms
>
>
> ------------------------------------------------------------------------
> *From:* Prasun Gera <prasun.gera at gmail.com>
> *Sent:* Friday, August 26, 2016 4:02 PM
> *To:* Rob Crittenden
> *Cc:* m s; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall
> breaks central sudo on ipa-server
>
> ipa-client-automount --uninstall was(is?) a bit broken in that it
> tries to revert back to an older configuration, but it can
> accidentally revert it to a state before the ipa-client was
> installed (as opposed to the state where automount was installed).
> Check your nsswitch.conf file and compare it to other clients on
> which things work fine. You might notice differences.
>
> On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden
> <rcritten at redhat.com> wrote:
>
> m s wrote:
>
> Need help restoring central sudo rights on ipa server.
>
>
> How I broke it!!!: I decided to take advantage of the centralized
> automount feature with a custom location for a couple mounts. When I ran
> the ipa-client-automount --location=server_mounts it appeared to install
> correctly but that didn't appear to work so my plan was to manually
> set up the automount since it is only one machine. So of course I ran the
> ipa-client-automount --uninstall on the ipa server and that's when I lost
> the sudo rights on the ipa server: superuser not in the sudoers file,
> this incident will be reported.
>
>
> I have repeated these steps with the same results:
>
> Initially sudo works for superuser
>
> And after ipa-client-automount --location=server_mounts (on
> the ipa-server)
>
> sudo still works
>
> but after, ipa-client-automount --uninstall
>
> no sudo for superuser on the ipa server but the superuser still has sudo
> privileges on the clients????
>
>
> background/versions:
>
> My setup is all CentOS 7.2 machines with one ipa server and the rest are
> clients all using ipa version 4.2.0.
>
> I had no issues using the ipa-client-automount on all my clients to
> configure network homes and shares as well as setting up a superuser
> with central sudo powers before this happened.
>
>
> 1.) Don't be too harsh if it is a BIG NO-NO to run the
> ipa-client-automount command on the ipa-server
>
> 2.) Not sure what logs or config files I need to post.
>
>
> I'd confirm that sssd is still configured to do sudo by looking
> for sss in the sudoers line in /etc/nsswitch.conf and ensure
> that sudo is an enabled service in /etc/sssd/sssd.conf, probably
> something like:
>
> services = nss, sudo, pam, ssh
>
> rob
>
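The two checks suggested in the thread (sss on the sudoers line of nsswitch.conf, sudo among the sssd services) and the entry-only restore proposed at the top of this message, as an added example that is not part of the thread or of FreeIPA's own code. The sample file contents and all function names are constructed for illustration.

```python
import configparser

# Constructed sample files (not taken from the thread).
SAVED_PRE_IPA = "passwd:     files\ngroup:      files\nautomount:  files\n"
CURRENT = ("passwd:     files sss\ngroup:      files sss\n"
           "sudoers:    files sss\nautomount:  files sss\n")
SSSD_CONF = "[sssd]\nservices = nss, sudo, pam, ssh, autofs\ndomains = example.test\n"


def _database(line):
    """Database name of an nsswitch.conf line, or None for blanks/comments."""
    name, sep, _ = line.split("#", 1)[0].partition(":")
    return name.strip() if sep else None


def nss_sources(text, database):
    """Source list for one database (e.g. ['files', 'sss']), or None."""
    for line in text.splitlines():
        if _database(line) == database:
            return line.split("#", 1)[0].partition(":")[2].split()
    return None


def restore_entry_only(current, saved, database="automount"):
    """Copy just one database line back from the saved file.

    Every other line of `current`, including sudoers, is kept verbatim.
    If the saved file had no such entry, the line is dropped.
    """
    old = nss_sources(saved, database)
    out = []
    for line in current.splitlines():
        if _database(line) != database:
            out.append(line)
        elif old is not None:
            out.append(f"{database}:  {' '.join(old)}")
    return "\n".join(out) + "\n"


def sudo_via_sssd(nsswitch_text, sssd_text):
    """True if sudoers lists sss and sudo is an enabled sssd service."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    return "sss" in (nss_sources(nsswitch_text, "sudoers") or []) and "sudo" in services


if __name__ == "__main__":
    print("whole-file restore :", sudo_via_sssd(SAVED_PRE_IPA, SSSD_CONF))
    fixed = restore_entry_only(CURRENT, SAVED_PRE_IPA)
    print("entry-only restore :", sudo_via_sssd(fixed, SSSD_CONF))
```

Restoring the whole saved file loses the sudoers line and the check fails; restoring only the automount entry leaves the check passing.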