After a discussion with my mentor, we decided to support the NOPASSWD option. We are planning to delay the PAM authentication until after the evaluation of sudo rules.
On Thu, Jul 28, 2011 at 7:31 PM, Gowrishankar Rajaiyan <gsr@redhat.com> wrote:
On 07/28/2011 06:58 PM, arun scaria wrote:
>
>
> On Thu, Jul 28, 2011 at 2:10 PM, Gowrishankar Rajaiyan <gsr@redhat.com> wrote:
>
>     On 07/28/2011 07:22 AM, arun scaria wrote:
>      > Hi all,
>      > I've created my write-up on SUDO responder/cache behavior at
>      >
>     https://fedorahosted.org/sssd/wiki/DesignDocs/SudoSupport/SudoResponderCacheBehavior.
>      > I'd love to hear your opinion on it. Please take a review and
>     comment.
>      >
>
>     One question:
>     How do we plan to include "sudoOption=!authenticate" (where
>     !authenticate=NOPASSWD) in a sudorule during offline?
>
> The option !authenticate is not specified anywhere in the standard sudo
> schema at http://www.gratisoft.us/sudo/man/1.8.1/sudoers.ldap.man.html.

If you use "sudoers2ldif" tool provided by the sudo package to convert
an existing /etc/sudoers file to an ldif format, the "!authenticate"
value is used.

/usr/share/doc/sudo-1.7.4p5/sudoers2ldif:
<snip>
    # if NOPASSWD: directive found, mark entire entry as not requiring
    s/NOPASSWD:\s*// && push @options,"!authenticate";
    s/PASSWD:\s*// && push @options,"authenticate";
</snip>

> But this option is found in all the blogs and tutorials as the
> alternative to the NOPASSWD option in the sudoers file. In the current
> implementation of the sudo plugin we are doing the PAM authentication with
> the sudo PAM config file. This is done before we query the sssd for
> authentication for sudo, so the user will be asked for a password
> even if the !authenticate sudoOption is enabled.
>

IMO expecting a password for a runasuser from a sudorule where
sudoOption is set to !authenticate is not an expected behaviour.

--
Arun Scaria
Chairman    |  MEC Association of Computer Students (MACS)
Junior Under Graduate, Computer Science and Engineering (2008-2012)
Govt. Model Engineering College
Cochin-21.
(M) +918089528527.
arunscaria91@gmail.com
arunscaria@acm.org
arun.scaria@arbitron.com
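
The ordering decided in this thread (evaluate the sudo rules first, call PAM only if the matched rule still requires authentication), as an added sketch that is not code from the thread, sssd or sudo. The struct, function names and sample entries are hypothetical, the PAM call is a stub, and the sketch assumes that a later `sudoOption` value overrides an earlier one and that a user with no matching rule is denied without a prompt.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for one sudoRole entry: only its sudoOption values. */
struct sudo_rule { const char *const *options; size_t n_options; };
enum decision { DENY, ALLOW_NO_PASSWORD, ALLOW_AFTER_AUTH };
static int auth_calls;   /* counts how often the PAM stand-in ran */

/* Stand-in for the PAM conversation; a real plugin would call pam_authenticate(). */
static bool stub_pam_auth(const char *user, bool password_ok)
{
    (void)user; auth_calls++;
    return password_ok;
}

/* Apply authenticate / !authenticate from one entry; a later value overrides an earlier one. */
static void apply_options(const struct sudo_rule *r, bool *need_auth)
{
    for (size_t i = 0; r != NULL && i < r->n_options; i++) {
        if (strcmp(r->options[i], "!authenticate") == 0)
            *need_auth = false;
        else if (strcmp(r->options[i], "authenticate") == 0)
            *need_auth = true;
    }
}

/* Evaluate the rules first, and only then decide whether PAM runs at all. */
enum decision sudo_decide(const struct sudo_rule *defaults, const struct sudo_rule *matched,
                          const char *user, bool password_ok)
{
    bool need_auth = true;               /* sudo's "authenticate" flag defaults to on */
    if (matched == NULL)
        return DENY;                     /* assumption: deny without prompting */
    apply_options(defaults, &need_auth); /* global defaults entry first */
    apply_options(matched, &need_auth);  /* the matched rule overrides it */
    if (!need_auth)
        return ALLOW_NO_PASSWORD;        /* NOPASSWD case: PAM is never called */
    return stub_pam_auth(user, password_ok) ? ALLOW_AFTER_AUTH : DENY;
}

/* Constructed sample entries, not taken from any real directory. */
static const char *const OPT_NOPASS[] = { "!authenticate" };
static const char *const OPT_PASS[] = { "authenticate" };
const struct sudo_rule RULE_NOPASS = { OPT_NOPASS, 1 };
const struct sudo_rule RULE_PASS = { OPT_PASS, 1 };
const struct sudo_rule RULE_PLAIN = { NULL, 0 };

int main(void) { return sudo_decide(NULL, &RULE_NOPASS, "alice", false) == ALLOW_NO_PASSWORD ? 0 : 1; }
```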