
I am using FreeIPA for sudoers rules and am attempting to create what would be the same as the standard sudoers line(s):

```
user ALL=(ALL) NOPASSWD:ALL
group ALL=(ALL) NOPASSWD:ALL
```

to allow a specific user or group to execute any/all commands without being prompted for their password.

This is not a duplicate of the question mentioned below, as my goal is to circumvent the password prompt (use NOPASSWD). I already know how to set up for ALL commands.

Adding '!authenticate' option does not seem to work either (see below):

```
tester@server:~$ ipa sudorule-find ANY
-------------------
1 Sudo Rule matched
-------------------
  Rule name: ANY
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  Users: tester
  External User: user
  Sudo Option: !authenticate
----------------------------
Number of entries returned 1
----------------------------
tester@server:~$ 
tester@nvamgtwiki01:~$ sudo cat /etc/sudoers
[sudo] password for tester: 
```

Alex
  • Possible duplicate of [Using FreeIPA for centralized sudo - how to specify ALL commands?](https://serverfault.com/questions/560234/using-freeipa-for-centralized-sudo-how-to-specify-all-commands) – ginerama Nov 27 '19 at 16:36
  • @alex, could you please paste here your `sudorule-add` arguments? – Alexey Vazhnov Dec 02 '19 at 16:34

1 Answer

You are probably looking for something along these lines:

```bash
ipa sudorule-add ANY \
    --hostcat=all \
    --cmdcat=all \
    --runasusercat=all \
    --runasgroupcat=all

ipa sudorule-add-user ANY \
    --users=user --groups=group

ipa sudorule-add-option ANY \
    --sudooption='!authenticate'
```

The last command is the NOPASSWD part.

DISCLAIMER: Please review. The rule above may allow more than you expect.

Tomek
  • For anyone else looking at this, whilst this didn't work for the original poster it worked for my setup. – ricekab Jun 08 '21 at 09:38
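
An audit sketch for the answer's disclaimer, added here and not part of the original question or answer: it parses `ipa sudorule-find` output in the layout shown in the question and reports enabled rules that carry `!authenticate`, marking those that are also open on every category. The sample text, the `restart-web` rule with its host name, and the comma-separated layout for multiple options are assumptions.

```python
import re

# Constructed sample in the layout `ipa sudorule-find` prints above; the
# second rule (restart-web, web01.example.test) is hypothetical.
SAMPLE = """\
  Rule name: ANY
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  Users: tester
  Sudo Option: !authenticate

  Rule name: restart-web
  Enabled: TRUE
  Hosts: web01.example.test
  Sudo Option: !authenticate
"""

CATEGORIES = ("Host category", "Command category",
              "RunAs User category", "RunAs Group category")

def parse_rules(text):
    """One {field: value} dict per rule; lines without 'field: value' are skipped."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s+([^:]+):\s*(.*)$", line)
        if m and m.group(1) == "Rule name":
            rules.append({})
        if m and rules:
            rules[-1][m.group(1)] = m.group(2).strip()
    return rules

def passwordless_rules(text):
    """(name, scope, wide-open categories) for enabled !authenticate rules."""
    found = []
    for rule in parse_rules(text):
        # Assumption: several options on one rule are printed comma-separated.
        options = [o.strip() for o in rule.get("Sudo Option", "").split(",")]
        if rule.get("Enabled") != "TRUE" or "!authenticate" not in options:
            continue
        wide = [c for c in CATEGORIES if rule.get(c) == "all"]
        scope = "unrestricted" if len(wide) == len(CATEGORIES) else "scoped"
        found.append((rule["Rule name"], scope, wide))
    return found

if __name__ == "__main__":
    print(*passwordless_rules(SAMPLE), sep="\n")
```

A rule reported as `unrestricted` is the FreeIPA counterpart of `ALL=(ALL) NOPASSWD:ALL`; `scoped` rules still skip the password prompt but are limited by host, command or run-as settings.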