> In retrospect saving a copy of nsswitch.conf is a bit overkill. It really
> just needs to save and restore the automount entry in /etc/nsswitch.conf,
> not the whole file.
>

I think it should also remove the sssd configuration in addition to removing it from nsswitch, i.e. uninstalling the automount should bring sssd to a clean state as well.

> rob
>
>> On Sat, Aug 27, 2016 at 1:49 AM, Mariusz Stolarczyk
>> <[email protected]> wrote:
>>
>> The /etc/nsswitch.conf was the culprit. Fortunately there is a
>> /etc/nsswitch.cof.bak and that did the trick.
>>
>> Rob, your suspicion was correct the sudoers line was missing.
>>
>> It actually looks like the ipa-client-automount --uninstall reverts
>> the nsswitch.conf file to default pre-ipa values.
>>
>> Still a bit curious that the ipa-client-automount
>> --location=server_mounts did not take on the ipa-server. If there is
>> a good reason for this behavior I would suggest that the
>> ipa-client-automount command would not even start if it was
>> executed on the ipa server.
>>
>> thanks everyone!
>>
>> ms
>>
>> ------------------------------------------------------------------------
>> *From:* Prasun Gera <[email protected]>
>> *Sent:* Friday, August 26, 2016 4:02 PM
>> *To:* Rob Crittenden
>> *Cc:* m s; [email protected]
>> *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall
>> breaks central sudo on ipa-server
>>
>> ipa-client-automount --uninstall was(is?) a bit broken in that it
>> tries to revert back to an older configuration, but it can
>> accidentally revert it to a state before the ipa-client was
>> installed (as opposed to the state where automount was installed).
>> Check your nsswitch.conf file and compare it to other clients on
>> which things work fine. You might notice differences.
>>
>> On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden
>> <[email protected]> wrote:
>>
>> m s wrote:
>>
>> Need help restoring central sudo rights on ipa server.
>>
>> How I broke it!!!: I decided to take advantage of the centralized
>> automount feature with a custom location for a couple mounts. When I
>> ran the ipa-client-automount --location=server_mounts it appeared to
>> install correctly but that didn't appear to work so my plan was to
>> manually setup the automount since it is only one machine. So of
>> course I ran the ipa-client-automount --uninstall on the ipa server
>> and that's when I lost the sudo rights on the ipa server: superuser
>> not in the sudoers file, this incident will be reported.
>>
>> I have repeated these steps with the same results:
>>
>> Initially sudo works for superuser
>>
>> And after ipa-client-automount --location=server_mounts (on the
>> ipa-server)
>>
>> sudo still works
>>
>> but after, ipa-client-automount --uninstall
>>
>> no sudo for superuser on the ipa server but the superuser still has
>> sudo privileges on the clients????
>>
>> background/versions:
>>
>> My setup is all CentOS 7.2 machines with one ipa server and the rest
>> are clients all using ipa version 4.2.0.
>>
>> I had no issues using the ipa-client-automount on all my clients to
>> configure network homes and shares as well as setting up a superuser
>> with central sudo powers before this happened.
>>
>> 1.) Don't be too harsh if it is a BIG NO-NO to run the
>> ipa-client-automount command on the ipa-server
>>
>> 2.) Not sure what logs or config files I need to post.
>>
>> I'd confirm that sssd is still configured to do sudo by looking
>> for sss in the sudoers line in /etc/nsswitch.conf and ensure
>> that sudo is an enabled service in /etc/sssd/sssd.conf, probably
>> something like:
>>
>> services = nss, sudo, pam, ssh
>>
>> rob
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
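The check Rob describes in the quoted message, as an added example that is not part of the original thread and is not FreeIPA code: two shell functions that look for `sss` on the `sudoers` line of an nsswitch.conf-style file and for `sudo` in the `[sssd]` services list. The function names and the sample files are constructed for illustration; on a real host the arguments would be /etc/nsswitch.conf and /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example (not FreeIPA code): verify the two settings named in the thread.

# True if the "sudoers:" line of an nsswitch.conf-style file lists the sss source.
nss_sudoers_has_sss() {
    awk '
        { sub(/#.*/, "") }                          # strip comments
        /^[ \t]*sudoers[ \t]*:/ {
            sub(/^[^:]*:/, "")                      # keep only the source list
            for (i = 1; i <= NF; i++) if ($i == "sss") found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# True if "sudo" is in the services list of the [sssd] section of an sssd.conf-style file.
sssd_sudo_enabled() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")                      # keep only the value
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", svc[i]); if (svc[i] == "sudo") found = 1 }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Report both checks; returns non-zero if either one fails.
check_sudo_via_sssd() {
    rc=0
    nss_sudoers_has_sss "$1" || { echo "FAIL: no sss in sudoers line of $1"; rc=1; }
    sssd_sudo_enabled "$2"   || { echo "FAIL: sudo not in [sssd] services of $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: sudo rules are resolved through sssd"
    return "$rc"
}

# Constructed sample files: an nsswitch.conf without a sudoers line (the state
# reported after --uninstall), one with it, and an sssd.conf with sudo enabled.
demo() {
    d=$(mktemp -d)
    printf 'passwd: files sss\nautomount: files\n' > "$d/nsswitch.reverted"
    printf 'passwd: files sss\nsudoers: files sss\n' > "$d/nsswitch.good"
    printf '[domain/example.test]\nid_provider = ipa\n[sssd]\nservices = nss, sudo, pam, ssh\n' > "$d/sssd.conf"
    check_sudo_via_sssd "$d/nsswitch.reverted" "$d/sssd.conf" || true
    check_sudo_via_sssd "$d/nsswitch.good" "$d/sssd.conf"
    rm -rf "$d"
}
demo
```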
