I had created a bug for this https://bugzilla.redhat.com/show_bug.cgi?id=1276153, and there was an existing bug report too (https://bugzilla.redhat.com/show_bug.cgi?id=1141799), but that's been marked as wontfix. Since this trips multiple people, I would like to propose reopening it.
On Sat, Aug 27, 2016 at 1:49 AM, Mariusz Stolarczyk <[email protected]> wrote:

> The /etc/nsswitch.conf was the culprit. Fortunately there is a
> /etc/nsswitch.cof.bak and that did the trick.
>
> Rob, your suspicion was correct, the sudoers line was missing.
>
> It actually looks like the ipa-client-automount --uninstall reverts the
> nsswitch.conf file to default pre-ipa values.
>
> Still a bit curious that the ipa-client-automount --location=server_mounts
> did not take on the ipa-server. If there is a good reason for this behavior
> I would suggest that the ipa-client-automount command would not even
> start if it was executed on the ipa server.
>
> thanks everyone!
> ms
>
> ------------------------------
> *From:* Prasun Gera <[email protected]>
> *Sent:* Friday, August 26, 2016 4:02 PM
> *To:* Rob Crittenden
> *Cc:* m s; [email protected]
> *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall breaks
> central sudo on ipa-server
>
> ipa-client-automount --uninstall was(is?) a bit broken in that it tries to
> revert back to an older configuration, but it can accidentally revert it to
> a state before the ipa-client was installed (as opposed to the state where
> automount was installed). Check your nsswitch.conf file and compare it to
> other clients on which things work fine. You might notice differences.
>
> On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden <[email protected]>
> wrote:
>
> >> m s wrote:
> >>
> >>> Need help restoring central sudo rights on ipa server.
> >>>
> >>> How I broke it!!!: I decided to take advantage of the centralized
> >>> automount feature with a custom location for a couple mounts. When I ran
> >>> the ipa-client-automount --location=server_mounts it appeared to install
> >>> correctly but that didn't appear not to work so my plan was to manually
> >>> setup the automount since it is only one machine. So of course I ran the
> >>> ipa-client-automount --uninstall on the ipa server and that's when I lost
> >>> the sudo rights on the ipa server: superuser not in the sudoers file,
> >>> this incident will be reported.
> >>>
> >>> I have repeated these steps with the same results:
> >>>
> >>> Initially sudo works for superuser
> >>>
> >>> And after ipa-client-automount --location=server_mounts (on the
> >>> ipa-server)
> >>>
> >>> sudo still works
> >>>
> >>> but after, ipa-client-automount --uninstall
> >>>
> >>> no sudo for superuser on the ipa server but the superuser still has sudo
> >>> privileges on the clients????
> >>>
> >>> background/versions:
> >>>
> >>> My setup is all CentOS 7.2 machines with one ipa server and the rest are
> >>> clients all using ipa version 4.2.0.
> >>>
> >>> I had no issues using the ipa-client-automount on all my clients to
> >>> configure network homes and shares as well as setting up a superuser
> >>> with central sudo powers before this happened.
> >>>
> >>> 1.) Don't be too harsh if it is a BIG NO-NO to run the
> >>> ipa-client-automount command on the ipa-server
> >>>
> >>> 2.) Not sure what logs or config files I need to post.
> >>>
> >>
> >> I'd confirm that sssd is still configured to do sudo by looking for sss
> >> in the sudoers line in /etc/nsswitch.conf and ensure that sudo is an
> >> enabled service in /etc/sssd/sssd.conf, probably something like:
> >>
> >> services = nss, sudo, pam, ssh
> >>
> >> rob
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project
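The two checks suggested in the thread (sss on the sudoers line of nsswitch.conf, and sudo among the sssd services) can be scripted so they are easy to rerun before and after `ipa-client-automount --uninstall`. This is an added example, not part of the original messages or of FreeIPA; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Succeeds if a "sudoers:" line in the given nsswitch.conf lists the "sss" source.
nss_sudoers_has_sss() {
    awk '
        { sub(/#.*/, "") }                       # strip comments first
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/^[^:]*:/, "")                   # keep only the source list
            n = split($0, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "sss") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Succeeds if "sudo" is in the services list of the [sssd] section of sssd.conf.
sssd_sudo_enabled() {
    awk '
        /^[ \t]*[#;]/ { next }                   # skip comment lines
        /^[ \t]*\[/   { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Prints one line per check; returns non-zero if either check fails.
check_central_sudo() {
    rc=0
    if nss_sudoers_has_sss "$1"; then echo "OK   $1: sudoers line lists sss"
    else echo "FAIL $1: no sss on a sudoers line"; rc=1; fi
    if sssd_sudo_enabled "$2"; then echo "OK   $2: sudo service enabled"
    else echo "FAIL $2: sudo not in [sssd] services"; rc=1; fi
    return "$rc"
}

# Constructed sample: nsswitch.conf with the sudoers line missing, as reported above.
# On a live host, as root: check_central_sudo /etc/nsswitch.conf /etc/sssd/sssd.conf
demo=$(mktemp -d)
printf 'passwd: files sss\nshadow: files sss\n' > "$demo/nsswitch.conf"
printf '[sssd]\nservices = nss, sudo, pam, ssh\n' > "$demo/sssd.conf"
check_central_sudo "$demo/nsswitch.conf" "$demo/sssd.conf" || echo "central sudo is not fully configured"
rm -rf "$demo"
```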
