FreeIPA sudoers rule – how to add NOPASSWD for ALL commands (no prompt for password)

freeipa sudo

I am using FreeIPA for sudoers rules and I am attempting to create what would be the same as the standard sudoers line(s):

user ALL=(ALL) NOPASSWD:ALL
group ALL=(ALL) NOPASSWD:ALL

to allow a specific user or group to execute any/all commands without being prompted for their password.

This is not a duplicate of the below-mentioned question, as my goal is to circumvent the password prompt (use NOPASSWD). I already know how to set up for ALL commands.

Adding '!authenticate' option does not seem to work either (see below):

 tester@server:~$ ipa sudorule-find ANY
-------------------
1 Sudo Rule matched
-------------------
  Rule name: ANY
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  Users: tester
  External User: user
  Sudo Option: !authenticate
----------------------------
Number of entries returned 1
----------------------------
tester@server:~$ 
tester@nvamgtwiki01:~$ sudo cat /etc/sudoers
[sudo] password for tester: 

Best Answer

You are probably looking for something along these lines:

ipa sudorule-add ANY \
    --hostcat=all \
    --cmdcat=all \
    --runasusercat=all \
    --runasgroupcat=all

ipa sudorule-add-user ANY \
    --users=user --groups=group

ipa sudorule-add-option ANY \
    --sudooption='!authenticate'

The last command is the NOPASSWD part.

DISCLAIMER: Please review. The rule above may allow more than you expect.
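
To act on the review advice above, here is an added example (not part of the original answer) that scans text in the `ipa sudorule-find` layout shown in the question and reports every enabled rule that combines the all-commands category with `!authenticate`. The `User Groups` label and the `backup-ops` rule in the sample are assumptions constructed for illustration.

```shell
# Flag FreeIPA sudo rules that are enabled, cover ALL commands and carry
# the !authenticate option. Reads `ipa sudorule-find` style text on stdin.
audit_sudorules() {
    awk '
    function report() {
        if (name != "" && enabled == "TRUE" && cmdcat == "all" && noauth) {
            scope = (hostcat == "all") ? "all hosts" : "selected hosts"
            printf "%s: no password, all commands, %s, users=[%s] groups=[%s]\n",
                   name, scope, users, groups
        }
        name = enabled = cmdcat = hostcat = users = groups = ""; noauth = 0
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        p = index(line, ": ")
        if (p == 0) next                      # separators, prompts, counts
        key = substr(line, 1, p - 1); val = substr(line, p + 2)
        if (key == "Rule name") { report(); name = val }
        else if (key == "Enabled") enabled = toupper(val)
        else if (key == "Command category") cmdcat = val
        else if (key == "Host category") hostcat = val
        else if (key == "Users") users = val
        else if (key == "User Groups") groups = val   # label is an assumption
        else if (key == "Sudo Option") {
            n = split(val, opts, /, */)
            for (i = 1; i <= n; i++) if (opts[i] == "!authenticate") noauth = 1
        }
    }
    END { report() }'
}

# Constructed sample: the rule from the question plus a made-up narrower rule.
sample_rules() {
    cat <<'EOF'
  Rule name: ANY
  Enabled: TRUE
  Host category: all
  Command category: all
  Users: tester
  Sudo Option: !authenticate
  Rule name: backup-ops
  Enabled: TRUE
  Host category: all
  User Groups: backup
  Sudo Option: !authenticate
EOF
}
sample_rules | audit_sudorules
```

On an enrolled host the same function can be fed from `ipa sudorule-find | audit_sudorules`; only the `ANY` rule in the sample is reported, because `backup-ops` has no all-commands category.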