<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">In retrospect saving a copy of nsswitch.conf is a bit overkill. It really just needs to save and restore the automount entry in /etc/nsswitch.conf, not the whole file.<br>
<br></blockquote><div><br></div><div><div style="font-size:12.8px">I think it should also remove the sssd configuration in addition to removing it from nsswitch, i.e. uninstalling the automount should bring sssd to a clean state as well.</div></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
rob<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span class="">
<br>
On Sat, Aug 27, 2016 at 1:49 AM, Mariusz Stolarczyk<br></span><span class="">
<<a href="mailto:zeusuofm@hotmail.com" target="_blank">zeusuofm@hotmail.com</a>> wrote:<br>
<br>
The /etc/nsswitch.conf was the culprit. Fortunately there is a<br>
/etc/nsswitch.cof.bak and that did the trick.<br>
<br>
<br>
Rob, your suspicion was correct: the sudoers line was missing.<br>
<br>
<br>
It actually looks like the ipa-client-automount --uninstall reverts<br>
the nsswitch.conf file to default pre-ipa values.<br>
<br>
<br>
Still a bit curious that the ipa-client-automount<br>
--location=server_mounts did not take on the ipa-server. If there is<br>
a good reason for this behavior I would suggest that the<br>
ipa-client-automount command would not even start if it was<br>
executed on the ipa server.<br>
<br>
<br>
thanks everyone!<br>
<br>
ms<br>
<br></span><span class="">
------------------------------<wbr>------------------------------<wbr>------------<br>
*From:* Prasun Gera <<a href="mailto:prasun.gera@gmail.com" target="_blank">prasun.gera@gmail.com</a>></span><span class=""><br>
*Sent:* Friday, August 26, 2016 4:02 PM<br>
*To:* Rob Crittenden<br></span>
*Cc:* m s; <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a><br>
*Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall<span class=""><br>
breaks central sudo on ipa-server<br>
ipa-client-automount --uninstall was(is?) a bit broken in that it<br>
tries to revert back to an older configuration, but it can<br>
accidentally revert it to a state before the ipa-client was<br>
installed (as opposed to the state where automount was installed).<br>
Check your nsswitch.conf file and compare it to other clients on<br>
which things work fine. You might notice differences.<br>
<br>
On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden<br></span><div><div class="h5">
<<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br>
<br>
m s wrote:<br>
<br>
Need help restoring central sudo rights on ipa server.<br>
<br>
<br>
How I broke it!!!: I decided to take advantage of the centralized automount feature with a custom location for a couple mounts. When I ran the ipa-client-automount --location=server_mounts it appeared to install correctly but that didn't appear to work so my plan was to manually set up the automount since it is only one machine. So of course I ran the ipa-client-automount --uninstall on the ipa server and that's when I lost the sudo rights on the ipa server: superuser not in the sudoers file, this incident will be reported.<br>
<br>
<br>
I have repeated these steps with the same results:<br>
<br>
Initially sudo works for superuser<br>
<br>
And after ipa-client-automount --location=server_mounts (on<br>
the ipa-server)<br>
<br>
sudo still works<br>
<br>
but after, ipa-client-automount --uninstall<br>
<br>
no sudo for superuser on the ipa server but the superuser still has sudo privileges on the clients????<br>
<br>
<br>
background/versions:<br>
<br>
My setup is all CentOS 7.2 machines with one ipa server and the rest are clients all using ipa version 4.2.0.<br>
<br>
I had no issues using the ipa-client-automount on all my clients to configure network homes and shares as well as setting up a superuser with central sudo powers before this happened.<br>
<br>
<br>
1.) Don't be too harsh if it is a BIG NO-NO to run the<br>
ipa-client-automount command on the ipa-server<br>
<br>
2.) Not sure what logs or config files I need to post.<br>
<br>
<br>
I'd confirm that sssd is still configured to do sudo by looking<br>
for sss in the sudoers line in /etc/nsswitch.conf and ensure<br>
that sudo is an enabled service in /etc/sssd/sssd.conf, probably<br>
something like:<br>
<br>
services = nss, sudo, pam, ssh<br>
<br>
rob<br>
<br>
</div></div></blockquote>
<br>
</blockquote></div><br></div></div>
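<div>Added example, not part of the thread and not FreeIPA's own code: a sketch of the check Rob describes (sss on the sudoers line of nsswitch.conf, sudo among the sssd services) next to an uninstall step that rewrites only the automount entry instead of restoring a whole saved file. The function names and the sample file contents are constructed for illustration.</div>

```python
import configparser
import re

# Constructed sample files for illustration; not taken from the thread.
NSSWITCH_IPA = """\
passwd:     files sss
sudoers:    files sss
automount:  sss files
"""
NSSWITCH_PRE_IPA = """\
passwd:     files
automount:  files
"""
SSSD_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
"""

def nss_sources(nsswitch_text, database):
    """Return the sources listed for one nsswitch database ([] if absent)."""
    for line in nsswitch_text.splitlines():
        m = re.match(r"\s*%s\s*:(.*)" % re.escape(database), line.split("#", 1)[0])
        if m:
            return m.group(1).split()
    return []

def sudo_uses_sssd(nsswitch_text, sssd_text):
    """True when the sudoers line lists sss and sssd has the sudo service on."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(sssd_text)
    services = parser.get("sssd", "services", fallback="")
    enabled = [s.strip() for s in services.split(",")]
    return "sss" in nss_sources(nsswitch_text, "sudoers") and "sudo" in enabled

def set_automount_entry(nsswitch_text, saved_sources):
    """Rewrite only the automount line (moved to the end of the file);
    saved_sources=None removes it. Every other line is left untouched."""
    kept = [l for l in nsswitch_text.splitlines()
            if not re.match(r"\s*automount\s*:", l)]
    if saved_sources is not None:
        kept.append("automount:  " + " ".join(saved_sources))
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    print("whole-file revert keeps sudo via sssd:",
          sudo_uses_sssd(NSSWITCH_PRE_IPA, SSSD_CONF))
    restored = set_automount_entry(NSSWITCH_IPA, ["files"])
    print("entry-only restore keeps sudo via sssd:",
          sudo_uses_sssd(restored, SSSD_CONF))
```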