Prasun Gera wrote:
    In retrospect saving a copy of nsswitch.conf is a bit overkill. It
    really just needs to save and restore the automount entry in
    /etc/nsswitch.conf, not the whole file.

AFAIR this is already done appropriately in sssd.conf. The service is removed, no files are restored.


I think it should also remove the sssd configuration in addition to
removing it from nssswitch. i.e. Uninstalling the automount should bring
sssd to a clean state as well.


        On Sat, Aug 27, 2016 at 1:49 AM, Mariusz Stolarczyk
        < <>
        < <>>> wrote:

             The /etc/nsswitch.conf was the culprit. Fortunately there is a
             /etc/nsswitch.cof.bak and that did the trick.

             Rob, your suspicion was correct the sudoers line was missing.

             It actually looks like the ipa-client-automount --uninstall
             the nsswitch.conf file to default pre-ipa values.

             Still a bit curious that the ipa-client-automount
             --location=server_mounts did not take on the ipa-server. If
        there is
             a good reason for this behavior I would suggest that the
             ipa-client-automount command would not even start it it was
             executed on the ipa server.

             thanks everyone!


             *From:* Prasun Gera <
             < <>>>
             *Sent:* Friday, August 26, 2016 4:02 PM
             *To:* Rob Crittenden
             *Cc:* m s;
        < <>>
             *Subject:* Re: [Freeipa-users] ipa-client-automount --uninstall
             breaks central sudo on ipa-server
             ipa-client-automount --uninstall was(is?) a bit broken in
        that it
             tries to revert back to an older configuration, but it can
             accidentally revert it to a state before the ipa-client was
             installed (as opposed to the state where automount was
             Check your nssswitch.conf file and compare it to other
        clients on
             which things work fine. You might notice differences.

             On Fri, Aug 26, 2016 at 11:35 AM, Rob Crittenden
             < <>
        < <>>> wrote:

                 m s wrote:

                     Need help restoring central sudo rights on ipa server.

                     How I broke it!!!: I decided to take advantage of the
                     automount feature with a custom location for a couple
                     mounts. When I ran
                     the ipa-client-automount --location=server_mounts it
                     appeared to install
                     correctly but that didn't appear not to work so my
        plan was
                     to manually
                     setup the automount since it is only one machine. So of
                     course I ran the
                     ipa-client-automount --uninstall on the ipa server
        and thats
                     when I lost
                     the sudo rights on the ipa server: superuser not in the
                     sudoers file,
                     this incident will be reported.

                     I have repeated this steps with the same results:

                     Initially sudo works for superuser

                     And after ipa-client-automount
        --location=server_mounts (on
                     the ipa-server)

                     sudo still works

                     but after, ipa-client-automount --uninstall

                     no sudo for superuser on the ipa server but the
                     still has sudo
                     privilages on the clients????


                     My setup is all CentOS 7.2 machines with one ipa
        server and
                     the rest are
                     clients all using ipa version 4.2.0.

                     I had no issues using the ipa-client-automount on
        all my
                     clients to
                     configure network homes and shares as well as
        setting up a
                     with central sudo powers before this happened.

                     1.) Don't be too harsh if it is a BIG NO-NO to run the
                     ipa-client-automount command on the ipa-server

                     2.) Not sure what logs or config files i need to post.

                 I'd confirm that sssd is still configured to do sudo by
                 for sss in the sudoers line in /etc/nssswitch.conf and
                 that sudo is an enabled service in /etc/sssd/sssd.conf,
                 something like:

                 services = nss, sudo, pam, ssh


                 Manage your subscription for the Freeipa-users mailing
                 Go to for more info on the project

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to