On 07/28/2011 06:58 PM, arun scaria wrote:
>
>
> On Thu, Jul 28, 2011 at 2:10 PM, Gowrishankar Rajaiyan <gsr@redhat.com> wrote:
If you use "sudoers2ldif" tool provided by the sudo package to convert
an existing /etc/sudoers file to an ldif format, the "!authenticate"
value is used.
/usr/share/doc/sudo-1.7.4p5/sudoers2ldif:
<snip>
# if NOPASSWD: directive found, mark entire entry as not requiring
s/NOPASSWD:\s*// && push @options,"!authenticate";
s/PASSWD:\s*// && push @options,"authenticate";
</snip>
> But this option is found in all the blogs and tutorials as the
> alternative to the NOPASSWD option in the sudoers file. In the current
> implementation of the sudo plugin we are doing the PAM authentication with
> the sudo PAM config file. This is done before we query the sssd for
> authentication for sudo, so the user will be asked for a password
> even if the !authenticate sudoOption is enabled.
>
IMO expecting a password for a runasuser from a sudorule where
sudoOption is set to !authenticate is not an expected behaviour.
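
The ordering discussed in this thread, as an added example that is not part of the original messages and is not the sssd or sudo plugin code: the matched rule's sudoOption values are evaluated first, and PAM is called only if the rule still requires authentication. The names `auth_required`, `run_allowed` and `fake_pam_authenticate` are hypothetical, the PAM call is a stub, and "last value wins" when both forms appear is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: decide from the sudoOption values of the matched
 * sudoRole whether a password prompt is needed. "authenticate" is on by
 * default in sudoers; "!authenticate" turns it off. Assumption: if both
 * forms appear, the value seen last wins. */
bool auth_required(const char *const *sudo_options, size_t n)
{
    bool required = true;
    for (size_t i = 0; i < n; i++) {
        const char *opt = sudo_options[i];
        while (*opt == ' ' || *opt == '\t')   /* tolerate leading blanks */
            opt++;
        bool negate = (*opt == '!');
        if (negate)
            opt++;
        if (strcmp(opt, "authenticate") == 0)
            required = !negate;
    }
    return required;
}

/* Stub standing in for the PAM conversation; it counts calls so the
 * ordering is observable. Not a real PAM API. */
static int pam_calls;
static bool fake_pam_authenticate(void) { pam_calls++; return true; }
int pam_call_count(void) { return pam_calls; }

/* Rule lookup first, PAM only when the rule asks for it. Doing these two
 * steps in the opposite order prompts even for !authenticate rules. */
bool run_allowed(const char *const *sudo_options, size_t n)
{
    if (!auth_required(sudo_options, n))
        return true;
    return fake_pam_authenticate();
}

int main(void)
{
    /* Constructed sample: options of a rule converted from NOPASSWD: */
    const char *const nopasswd_rule[] = { "!authenticate" };
    bool ok = run_allowed(nopasswd_rule, 1);
    printf("allowed=%d pam_calls=%d\n", ok, pam_call_count());
    return 0;
}
```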