The /etc/nsswitch.conf was the culprit. Fortunately there is a 
/etc/nsswitch.cof.bak and that did the trick.

Rob, your suspicion was correct: the sudoers line was missing.

It actually looks like the ipa-client-automount --uninstall reverts the 
nsswitch.conf file to default pre-ipa values.

Still a bit curious that the ipa-client-automount --location=server_mounts did 
not take on the ipa-server. If there is a good reason for this behavior I would 
suggest that the ipa-client-automount command would not even start if it was 
executed on the ipa server.

thanks everyone!


From: Prasun Gera <>
Sent: Friday, August 26, 2016 4:02 PM
To: Rob Crittenden
Cc: m s;
Subject: Re: [Freeipa-users] ipa-client-automount --uninstall breaks central 
sudo on ipa-server

ipa-client-automount --uninstall was(is?) a bit broken in that it tries to 
revert back to an older configuration, but it can accidentally revert it to a 
state before the ipa-client was installed (as opposed to the state where 
automount was installed). Check your nsswitch.conf file and compare it to 
other clients on which things work fine. You might notice differences.

On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden wrote:
m s wrote:
Need help restoring central sudo rights on ipa server.

How I broke it!!!: I decided to take advantage of the centralized
automount feature with a custom location for a couple mounts. When I ran
the ipa-client-automount --location=server_mounts it appeared to install
correctly but that didn't appear to work, so my plan was to manually
set up the automount since it is only one machine. So of course I ran the
ipa-client-automount --uninstall on the ipa server and that's when I lost
the sudo rights on the ipa server: superuser not in the sudoers file,
this incident will be reported.

I have repeated these steps with the same results:

Initially sudo works for superuser

And after ipa-client-automount --location=server_mounts (on the ipa-server)

sudo still works

but after, ipa-client-automount --uninstall

no sudo for superuser on the ipa server but the superuser still has sudo
privileges on the clients????


My setup is all CentOS 7.2 machines with one ipa server and the rest are
clients all using ipa version 4.2.0.

I had no issues using the ipa-client-automount on all my clients to
configure network homes and shares as well as setting up a superuser
with central sudo powers before this happened.

1.) Don't be too harsh if it is a BIG NO-NO to run the
ipa-client-automount command on the ipa-server

2.) Not sure what logs or config files I need to post.

I'd confirm that sssd is still configured to do sudo by looking for sss in the 
sudoers line in /etc/nsswitch.conf and ensure that sudo is an enabled service 
in /etc/sssd/sssd.conf, probably something like:

services = nss, sudo, pam, ssh


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project
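
The two checks suggested in the thread (sss on the sudoers line of nsswitch.conf, and sudo among the services in the [sssd] section of sssd.conf), written as a shell script. This is an added example and not part of the original messages; the function names are hypothetical and the default paths are the files named in the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Default paths are the
# files named in the thread. Reading sssd.conf normally requires root.

# Succeeds if the active "sudoers:" line lists the sss source.
nsswitch_sudo_uses_sss() {
    awk '
        { sub(/#.*/, ""); sub(/:/, " : ") }   # drop comments, split "db:"
        $1 == "sudoers" && $2 == ":" {
            for (i = 3; i <= NF; i++) if ($i == "sss") found = 1
        }
        END { exit !found }
    ' "${1:-/etc/nsswitch.conf}"
}

# Succeeds if "services" in the [sssd] section includes sudo.
sssd_sudo_enabled() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^[#;]/ { next }
        /^\[/ { in_sssd = ($0 ~ /^\[sssd\]/); next }
        in_sssd && /^services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit !found }
    ' "${1:-/etc/sssd/sssd.conf}"
}

# Reports both checks; returns non-zero if either fails.
check_ipa_sudo_config() {
    rc=0
    if nsswitch_sudo_uses_sss "${1:-}"; then
        echo "OK   sudoers line in nsswitch.conf lists sss"
    else
        echo "FAIL no sss source on a sudoers line in nsswitch.conf"; rc=1
    fi
    if sssd_sudo_enabled "${2:-}"; then
        echo "OK   sudo is in the [sssd] services list"
    else
        echo "FAIL sudo is not in the [sssd] services list"; rc=1
    fi
    return "$rc"
}
if [ "${1:-}" = "--check" ]; then check_ipa_sudo_config; fi
```

Run it as root with `--check` before and after `ipa-client-automount --uninstall` to see whether the sudoers line survived the revert.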
