Prasun Gera wrote:
I had created a bug for this, and there was an
existing bug report too, but that's been
marked as wontfix. Since this trips multiple people, I would like to
propose reopening it.

The upstream ticket is still open; it just really hasn't seemed to affect that many people, which is why it is being considered a low priority to fix.

In retrospect saving a copy of nsswitch.conf is a bit overkill. It really just needs to save and restore the automount entry in /etc/nsswitch.conf, not the whole file.


On Sat, Aug 27, 2016 at 1:49 AM, Mariusz Stolarczyk wrote:

    The /etc/nsswitch.conf was the culprit. Fortunately there is a
    /etc/nsswitch.cof.bak and that did the trick.

    Rob, your suspicion was correct: the sudoers line was missing.

    It actually looks like the ipa-client-automount --uninstall reverts
    the nsswitch.conf file to default pre-ipa values.

    Still a bit curious that the ipa-client-automount
    --location=server_mounts did not take on the ipa-server. If there is
    a good reason for this behavior I would suggest that the
    ipa-client-automount command would not even start if it was
    executed on the ipa server.

    thanks everyone!


    *From:* Prasun Gera
    *Sent:* Friday, August 26, 2016 4:02 PM
    *To:* Rob Crittenden
    *Cc:* m s
    *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall
    breaks central sudo on ipa-server

    ipa-client-automount --uninstall was (is?) a bit broken in that it
    tries to revert back to an older configuration, but it can
    accidentally revert it to a state before the ipa-client was
    installed (as opposed to the state where automount was installed).
    Check your nsswitch.conf file and compare it to other clients on
    which things work fine. You might notice differences.

    On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden wrote:

        m s wrote:

            Need help restoring central sudo rights on ipa server.

            How I broke it!!!: I decided to take advantage of the
            automount feature with a custom location for a couple
            mounts. When I ran the ipa-client-automount
            --location=server_mounts it appeared to install correctly
            but that didn't appear not to work so my plan was to
            manually setup the automount since it is only one machine.
            So of course I ran the ipa-client-automount --uninstall on
            the ipa server and that's when I lost the sudo rights on
            the ipa server: superuser not in the sudoers file, this
            incident will be reported.

            I have repeated these steps with the same results:

            Initially sudo works for superuser

            And after ipa-client-automount --location=server_mounts
            (on the ipa-server)

            sudo still works

            but after, ipa-client-automount --uninstall

            no sudo for superuser on the ipa server but the superuser
            still has sudo privileges on the clients????


            My setup is all CentOS 7.2 machines with one ipa server and
            the rest are clients all using ipa version 4.2.0.

            I had no issues using the ipa-client-automount on all my
            clients to configure network homes and shares as well as
            setting up a with central sudo powers before this happened.

            1.) Don't be too harsh if it is a BIG NO-NO to run the
            ipa-client-automount command on the ipa-server

            2.) Not sure what logs or config files I need to post.

        I'd confirm that sssd is still configured to do sudo by looking
        for sss in the sudoers line in /etc/nsswitch.conf and ensure
        that sudo is an enabled service in /etc/sssd/sssd.conf, probably
        something like:

        services = nss, sudo, pam, ssh



Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project
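
The two checks suggested in the thread (sss on the sudoers line of /etc/nsswitch.conf, sudo among the services in /etc/sssd/sssd.conf), together with restoring only the automount entry instead of the whole file, as an added example that is not part of the original thread or FreeIPA's own code. All function names and the sample file contents are constructed for illustration.

```python
import configparser

def nss_sources(text, database):
    """Sources listed for one database in nsswitch.conf text ([] if absent)."""
    for line in text.splitlines():
        name, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            return rest.split()
    return []

def sssd_services(text):
    """Services enabled in the [sssd] section of sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    raw = cp.get("sssd", "services", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]

def sudo_problems(nsswitch_text, sssd_text):
    """The two checks from the reply; an empty list means both pass."""
    problems = []
    if "sss" not in nss_sources(nsswitch_text, "sudoers"):
        problems.append("nsswitch.conf: no sss source on the sudoers line")
    if "sudo" not in sssd_services(sssd_text):
        problems.append("sssd.conf: sudo not in [sssd] services")
    return problems

def restore_automount_only(current, backup):
    """Take only the automount entry from the backup; keep every other line."""
    old = nss_sources(backup, "automount")
    entry = ["automount:  " + " ".join(old)] if old else []
    out, placed = [], False
    for line in current.splitlines():
        name, sep, _ = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == "automount":
            if not placed:  # replace the first automount line, drop repeats
                out += entry
                placed = True
        else:
            out.append(line)
    if not placed:
        out += entry
    return "\n".join(out) + "\n"

# Constructed sample files (not taken from the thread).
WITH_AUTOMOUNT = "passwd:     files sss\nsudoers:    files sss\nautomount:  files sss\n"
BACKUP = "passwd:     files sss\nsudoers:    files sss\nautomount:  files\n"
PRE_IPA = "passwd:     files\nautomount:  files\n"
SSSD = "[domain/example.test]\nid_provider = ipa\n\n[sssd]\nservices = nss, sudo, pam, ssh\n"

if __name__ == "__main__":
    print(sudo_problems(PRE_IPA, SSSD))  # whole-file revert to pre-IPA state
    print(sudo_problems(restore_automount_only(WITH_AUTOMOUNT, BACKUP), SSSD))
```

Run against the real files, the same functions take the contents of /etc/nsswitch.conf and /etc/sssd/sssd.conf read as text.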
