Prasun Gera wrote:
In retrospect saving a copy of nsswitch.conf is a bit overkill. It
really just needs to save and restore the automount entry in
/etc/nsswitch.conf, not the whole file.
AFAIR this is already done appropriately in sssd.conf. The service is
removed, no files are restored.
rob
I think it should also remove the sssd configuration in addition to
removing it from nsswitch. i.e. Uninstalling the automount should bring
sssd to a clean state as well.
rob
On Sat, Aug 27, 2016 at 1:49 AM, Mariusz Stolarczyk <[email protected]> wrote:
The /etc/nsswitch.conf was the culprit. Fortunately there is a
/etc/nsswitch.cof.bak and that did the trick.
Rob, your suspicion was correct, the sudoers line was missing.
It actually looks like the ipa-client-automount --uninstall reverts
the nsswitch.conf file to default pre-ipa values.
Still a bit curious that the ipa-client-automount
--location=server_mounts did not take on the ipa-server. If there is
a good reason for this behavior I would suggest that the
ipa-client-automount command would not even start if it was
executed on the ipa server.
thanks everyone!
ms
------------------------------------------------------------------------
*From:* Prasun Gera <[email protected]>
*Sent:* Friday, August 26, 2016 4:02 PM
*To:* Rob Crittenden
*Cc:* m s; [email protected]
*Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall breaks central sudo on ipa-server
ipa-client-automount --uninstall was(is?) a bit broken in that it
tries to revert back to an older configuration, but it can
accidentally revert it to a state before the ipa-client was
installed (as opposed to the state where automount was installed).
Check your nsswitch.conf file and compare it to other clients on
which things work fine. You might notice differences.
On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden <[email protected]> wrote:
m s wrote:
Need help restoring central sudo rights on ipa server.
How I broke it!!!: I decided to take advantage of the centralized
automount feature with a custom location for a couple mounts. When I ran
the ipa-client-automount --location=server_mounts it appeared to install
correctly but that didn't appear to work so my plan was to manually
setup the automount since it is only one machine. So of course I ran the
ipa-client-automount --uninstall on the ipa server and that's when I lost
the sudo rights on the ipa server: superuser not in the sudoers file,
this incident will be reported.
I have repeated these steps with the same results:
Initially sudo works for superuser
And after ipa-client-automount --location=server_mounts (on the ipa-server)
sudo still works
but after, ipa-client-automount --uninstall
no sudo for superuser on the ipa server but the superuser still has sudo
privileges on the clients????
background/versions:
My setup is all CentOS 7.2 machines with one ipa server and the rest are
clients all using ipa version 4.2.0.
I had no issues using the ipa-client-automount on all my clients to
configure network homes and shares as well as setting up a superuser
with central sudo powers before this happened.
1.) Don't be too harsh if it is a BIG NO-NO to run the
ipa-client-automount command on the ipa-server
2.) Not sure what logs or config files I need to post.
I'd confirm that sssd is still configured to do sudo by looking
for sss in the sudoers line in /etc/nsswitch.conf and ensure
that sudo is an enabled service in /etc/sssd/sssd.conf, probably
something like:
services = nss, sudo, pam, ssh
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
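
The two checks suggested in the thread (sss on the sudoers line of /etc/nsswitch.conf, and sudo among the [sssd] services in /etc/sssd/sssd.conf), written as a script. This is an added example, not part of the original thread or of FreeIPA; the function names and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify that sudo rules are still looked up through SSSD.

# Print the sources configured for one nsswitch database (e.g. "sudoers").
nss_sources() {  # $1 = database name, $2 = path to nsswitch.conf
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" |
        sed 's/#.*//' | tr '\t' ' ' | head -n 1
}

# Succeed only if the sudoers database lists the sss source.
nss_sudo_uses_sss() {  # $1 = path (defaults to the real file)
    case " $(nss_sources sudoers "${1:-/etc/nsswitch.conf}") " in
        *" sss "*) return 0 ;;
    esac
    return 1
}

# Succeed only if "sudo" appears in the services list of the [sssd] section.
sssd_sudo_enabled() {  # $1 = path (defaults to the real file)
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\]/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, svc, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", svc[i])
                if (svc[i] == "sudo") found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "${1:-/etc/sssd/sssd.conf}"
}

# Run both checks and report which one fails.
check_sudo_via_sssd() {  # $1 = nsswitch.conf path, $2 = sssd.conf path
    rc=0
    nss_sudo_uses_sss "$1" || { echo "no sss on sudoers line: $1"; rc=1; }
    sssd_sudo_enabled "$2" || { echo "sudo not in [sssd] services: $2"; rc=1; }
    return $rc
}

# Constructed sample files: a working client and one reverted to pre-IPA values.
write_samples() {  # $1 = existing directory to write into
    printf 'passwd: files sss\nsudoers: files sss\n' > "$1/nsswitch.good"
    printf 'passwd: files\nautomount: files\n' > "$1/nsswitch.reverted"
    printf '[sssd]\nservices = nss, sudo, pam, ssh\n[domain/example.test]\n' > "$1/sssd.good"
    printf '[sssd]\nservices = nss, pam, ssh\n' > "$1/sssd.nosudo"
}
```

On a real host, `check_sudo_via_sssd /etc/nsswitch.conf /etc/sssd/sssd.conf` returns non-zero and names the failing file if either setting is missing.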