<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <meta name="Generator" content="Microsoft Exchange Server"> <style></style> </head> <body> <meta content="text/html; charset=UTF-8"> <style type="text/css" style="">  </style> <div dir="ltr"> <div id="x_divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif"> Sorry Rob for not being clear. I created a special location with a couple of mounts with the webGUI and then applied the command: ipa-client-automount --location=server_mounts on the ipa server. Then I checked the server and the automounts were not available. I had no problems using the command (with a different set of mounts i.e. location) for all the clients. But to be honest I didn't spend too much time trying to fix it before applying the --uninstall which broke global sudo. The command says explicitly "ipa-client"-automount and I was applying it to the server so maybe it is not the intent to be run the ipa server. I can give it another try with a virtual set up in a couple of days to confirm that. -ms </div> <hr tabindex="-1" style="display:inline-block; width:98%"> <div id="x_divRplyFwdMsg" dir="ltr">From: Rob Crittenden <rcritten@redhat.com> Sent: Saturday, August 27, 2016 12:45:06 PM To: Mariusz Stolarczyk; Prasun Gera Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server <div> </div> </div> </div> <div class="PlainText">Mariusz Stolarczyk wrote: > The /etc/nsswitch.conf was the culprit. Fortunately there is a > /etc/nsswitch.cof.bak and that did the trick. > > > Rob, your suspicion was correct the sudoers line was missing. > > > It actually looks like the ipa-client-automount --uninstall reverts the > nsswitch.conf file to default pre-ipa values. > > > Still a bit curious that the ipa-client-automount > --location=server_mounts did not take on the ipa-server. If there is a > good reason for this behavior I would suggest that the > ipa-client-automount command would not even start it it was executed on > the ipa server. I don't understand this paragraph at all. What does "did not take" mean? What do you mean by the command doesn't start? rob > > > thanks everyone! > > ms > > ------------------------------------------------------------------------ > *From:* Prasun Gera <prasun.gera@gmail.com> > *Sent:* Friday, August 26, 2016 4:02 PM > *To:* Rob Crittenden > *Cc:* m s; freeipa-users@redhat.com > *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall breaks > central sudo on ipa-server > ipa-client-automount --uninstall was(is?) a bit broken in that it tries > to revert back to an older configuration, but it can accidentally revert > it to a state before the ipa-client was installed (as opposed to the > state where automount was installed). Check your nssswitch.conf file and > compare it to other clients on which things work fine. You might notice > differences. > > On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden <rcritten@redhat.com > <<a href="mailto:rcritten@redhat.com">mailto:rcritten@redhat.com</a>>> wrote: > > m s wrote: > > Need help restoring central sudo rights on ipa server. > > > How I broke it!!!: I decided to take advantage of the centralized > automount feature with a custom location for a couple mounts. > When I ran > the ipa-client-automount --location=server_mounts it appeared to > install > correctly but that didn't appear not to work so my plan was to > manually > setup the automount since it is only one machine. So of course I > ran the > ipa-client-automount --uninstall on the ipa server and thats > when I lost > the sudo rights on the ipa server: superuser not in the sudoers > file, > this incident will be reported. > > > I have repeated this steps with the same results: > > Initially sudo works for superuser > > And after ipa-client-automount --location=server_mounts (on the > ipa-server) > > sudo still works > > but after, ipa-client-automount --uninstall > > no sudo for superuser on the ipa server but the superuser still > has sudo > privilages on the clients???? > > > background/versions: > > My setup is all CentOS 7.2 machines with one ipa server and the > rest are > clients all using ipa version 4.2.0. > > I had no issues using the ipa-client-automount on all my clients to > configure network homes and shares as well as setting up a superuser > with central sudo powers before this happened. > > > 1.) Don't be too harsh if it is a BIG NO-NO to run the > ipa-client-automount command on the ipa-server > > 2.) Not sure what logs or config files i need to post. > > > I'd confirm that sssd is still configured to do sudo by looking for > sss in the sudoers line in /etc/nssswitch.conf and ensure that sudo > is an enabled service in /etc/sssd/sssd.conf, probably something like: > > services = nss, sudo, pam, ssh > > rob > > -- > Manage your subscription for the Freeipa-users mailing list: > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > <<a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>> > Go to <a href="http://freeipa.org">http://freeipa.org</a> for more info on the project > > </div> </body> </html>