Mariusz Stolarczyk wrote:
The /etc/nsswitch.conf was the culprit. Fortunately there is a
/etc/nsswitch.cof.bak and that did the trick.


Rob, your suspicion was correct: the sudoers line was missing.


It actually looks like the ipa-client-automount --uninstall reverts the
nsswitch.conf file to default pre-ipa values.


Still a bit curious that the ipa-client-automount
--location=server_mounts did not take on the ipa-server. If there is a
good reason for this behavior I would suggest that the
ipa-client-automount command would not even start if it was executed on
the ipa server.

I don't understand this paragraph at all. What does "did not take" mean? What do you mean by the command doesn't start?

rob



thanks everyone!

ms

------------------------------------------------------------------------
*From:* Prasun Gera <prasun.g...@gmail.com>
*Sent:* Friday, August 26, 2016 4:02 PM
*To:* Rob Crittenden
*Cc:* m s; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server

ipa-client-automount --uninstall was (is?) a bit broken in that it tries
to revert back to an older configuration, but it can accidentally revert
it to a state before the ipa-client was installed (as opposed to the
state where automount was installed). Check your nsswitch.conf file and
compare it to other clients on which things work fine. You might notice
differences.

On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

    m s wrote:

        Need help restoring central sudo rights on ipa server.


        How I broke it!!!: I decided to take advantage of the centralized
        automount feature with a custom location for a couple mounts. When I
        ran the ipa-client-automount --location=server_mounts it appeared to
        install correctly but that didn't appear not to work so my plan was to
        manually setup the automount since it is only one machine. So of
        course I ran the ipa-client-automount --uninstall on the ipa server
        and that's when I lost the sudo rights on the ipa server: superuser
        not in the sudoers file, this incident will be reported.


        I have repeated these steps with the same results:

        Initially sudo works for superuser

        And after ipa-client-automount --location=server_mounts (on the
        ipa-server)

        sudo still works

        but after, ipa-client-automount --uninstall

        no sudo for superuser on the ipa server but the superuser still has
        sudo privileges on the clients????


        background/versions:

        My setup is all CentOS 7.2 machines with one ipa server and the rest
        are clients all using ipa version 4.2.0.

        I had no issues using the ipa-client-automount on all my clients to
        configure network homes and shares as well as setting up a superuser
        with central sudo powers before this happened.


        1.) Don't be too harsh if it is a BIG NO-NO to run the
        ipa-client-automount command on the ipa-server

        2.) Not sure what logs or config files I need to post.


    I'd confirm that sssd is still configured to do sudo by looking for
    sss in the sudoers line in /etc/nsswitch.conf and ensure that sudo
    is an enabled service in /etc/sssd/sssd.conf, probably something like:

    services = nss, sudo, pam, ssh

    rob

    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go to http://freeipa.org for more info on the project
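
The two checks suggested in the thread (sss on the sudoers line of nsswitch.conf, sudo among the sssd services), as an added example that is not part of the original messages or of FreeIPA. The function names and the sample files are constructed for illustration; file paths are passed as arguments so the checks can be run against copies.

```shell
#!/bin/sh
# Added example: the two settings named in the thread, checked on given files.

# Succeeds if the "sudoers:" line of an nsswitch.conf lists the "sss" source.
nss_sudoers_has_sss() {
    awk '
        { sub(/#.*/, "") }                       # ignore comments
        $1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit !found }
    ' "$1"
}

# Succeeds if "services" in the [sssd] section of an sssd.conf includes "sudo".
sssd_sudo_enabled() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")                   # keep only the value
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit !found }
    ' "$1"
}

# Reports each missing setting; returns non-zero if either is absent.
check_sudo_via_sssd() {    # usage: check_sudo_via_sssd NSSWITCH_CONF SSSD_CONF
    rc=0
    nss_sudoers_has_sss "$1" || { echo "MISSING: sss on sudoers line of $1"; rc=1; }
    sssd_sudo_enabled "$2" || { echo "MISSING: sudo in [sssd] services of $2"; rc=1; }
    return "$rc"
}

# Constructed sample files (hypothetical contents, not from the poster's hosts).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'passwd: files sss\nsudoers: files sss\n' > "$demo/nsswitch.ipa"
printf 'passwd: files\n' > "$demo/nsswitch.reverted"   # no sudoers line at all
printf '[sssd]\nservices = nss, sudo, pam, ssh\n' > "$demo/sssd.conf"

check_sudo_via_sssd "$demo/nsswitch.ipa" "$demo/sssd.conf" && echo "OK: sudo via SSSD"
check_sudo_via_sssd "$demo/nsswitch.reverted" "$demo/sssd.conf" || echo "sudo via SSSD broken"
```

On a real host the call is `check_sudo_via_sssd /etc/nsswitch.conf /etc/sssd/sssd.conf`, run as root because sssd.conf is readable only by root.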


