Sorry Rob for not being clear.

I created a special location with a couple of mounts with the webGUI and then 
applied the command: ipa-client-automount --location=server_mounts on the ipa 
server. Then I checked the server and the automounts were not available. I had 
no problems using the command (with a different set of mounts i.e. location) 
for all the clients. But to be honest I didn't spend too much time trying to 
fix it before applying the --uninstall which broke global sudo. The command 
says explicitly "ipa-client"-automount and I was applying it to the server so 
maybe it is not the intent to be run on the ipa server. I can give it another try 
with a virtual setup in a couple of days to confirm that.


From: Rob Crittenden
Sent: Saturday, August 27, 2016 12:45:06 PM
To: Mariusz Stolarczyk; Prasun Gera
Subject: Re: [Freeipa-users] ipa-client-automount --uninstall breaks central 
sudo on ipa-server

Mariusz Stolarczyk wrote:
> The /etc/nsswitch.conf was the culprit. Fortunately there is a
> /etc/nsswitch.conf.bak and that did the trick.
> Rob, your suspicion was correct the sudoers line was missing.
> It actually looks like the ipa-client-automount --uninstall reverts the
> nsswitch.conf file to default pre-ipa values.
> Still a bit curious that the ipa-client-automount
> --location=server_mounts did not take on the ipa-server. If there is a
> good reason for this behavior I would suggest that the
> ipa-client-automount command would not even start if it was executed on
> the ipa server.

I don't understand this paragraph at all. What does "did not take" mean?
What do you mean by the command doesn't start?


> thanks everyone!
> ms
> ------------------------------------------------------------------------
> *From:* Prasun Gera
> *Sent:* Friday, August 26, 2016 4:02 PM
> *To:* Rob Crittenden
> *Cc:* m s;
> *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall breaks
> central sudo on ipa-server
> ipa-client-automount --uninstall was(is?) a bit broken in that it tries
> to revert back to an older configuration, but it can accidentally revert
> it to a state before the ipa-client was installed (as opposed to the
> state where automount was installed). Check your nsswitch.conf file and
> compare it to other clients on which things work fine. You might notice
> differences.
> On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden wrote:
>     m s wrote:
>         Need help restoring central sudo rights on ipa server.
>         How I broke it!!!: I decided to take advantage of the centralized
>         automount feature with a custom location for a couple mounts.
>         When I ran the ipa-client-automount --location=server_mounts it
>         appeared to install correctly but that didn't appear not to work so
>         my plan was to manually set up the automount since it is only one
>         machine. So of course I ran the ipa-client-automount --uninstall on
>         the ipa server and that's when I lost the sudo rights on the ipa
>         server: superuser not in the sudoers file, this incident will be
>         reported.
>         I have repeated these steps with the same results:
>         Initially sudo works for superuser
>         And after ipa-client-automount --location=server_mounts (on the
>         ipa-server) sudo still works
>         but after, ipa-client-automount --uninstall
>         no sudo for superuser on the ipa server but the superuser still has
>         sudo privileges on the clients????
>         background/versions:
>         My setup is all CentOS 7.2 machines with one ipa server and the rest
>         are clients all using ipa version 4.2.0.
>         I had no issues using the ipa-client-automount on all my clients to
>         configure network homes and shares as well as setting up a superuser
>         with central sudo powers before this happened.
>         1.) Don't be too harsh if it is a BIG NO-NO to run the
>         ipa-client-automount command on the ipa-server
>         2.) Not sure what logs or config files I need to post.
>     I'd confirm that sssd is still configured to do sudo by looking for
>     sss in the sudoers line in /etc/nsswitch.conf and ensure that sudo
>     is an enabled service in /etc/sssd/sssd.conf, probably something like:
>     services = nss, sudo, pam, ssh
>     rob
>     --
>     Manage your subscription for the Freeipa-users mailing list:
>     <>
>     Go to for more info on the project

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project
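
The two checks suggested in the quoted reply (sss on the sudoers line of nsswitch.conf, sudo among the sssd services), written out as an added example that is not part of the original thread. The function names, the sample files and the domain name example.test are constructed for illustration; on a real host the arguments would be /etc/nsswitch.conf and /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Files are passed as arguments so the
# checks can be run against copies or backups as well as the live files.

# Succeeds if the "sudoers:" database in an nsswitch.conf file lists sss.
nsswitch_has_sss_sudo() {
    awk '
        { sub(/#.*/, "") }                        # ignore comments
        $1 == "sudoers:" {
            for (i = 2; i <= NF; i++) if ($i == "sss") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Succeeds if "services" in the [sssd] section of an sssd.conf lists sudo.
sssd_has_sudo_service() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")                    # keep only the value
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample files: one with the sudoers line, one without it
# (the state described in the thread after --uninstall), and an sssd.conf.
demo=$(mktemp -d)
printf '%s\n' 'passwd: files sss' 'sudoers: files sss' > "$demo/nsswitch.ok"
printf '%s\n' 'passwd: files' 'group: files' > "$demo/nsswitch.reverted"
printf '%s\n' '[sssd]' 'services = nss, sudo, pam, ssh' \
    '[domain/example.test]' 'id_provider = ipa' > "$demo/sssd.conf"

for f in "$demo/nsswitch.ok" "$demo/nsswitch.reverted"; do
    if nsswitch_has_sss_sudo "$f"; then echo "$f: sudoers uses sss"
    else echo "$f: sudoers line missing or without sss"; fi
done
if sssd_has_sudo_service "$demo/sssd.conf"; then
    echo "$demo/sssd.conf: sudo service enabled"
fi
```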
