[sudo-users] Prompted for password when NOPASSWD specified
john.boxall at bmo.com
Wed Feb 29 13:04:13 EST 2012
On a RHEL 5.6 system with sudo 1.7.2p1 we are experiencing unexpected behaviour when attempting "sudo /bin/su - user1".
user1 is an Active Directory service account that is not allowed to log in locally and is managed by the Quest Authentication Services vasd daemon (4.0.3-78). The account is used as the administration account for the installation and administration of some third party software. The users that can log in are also managed by QAS. The lines below are from the QAS section of /etc/sudoers, which is controlled by an AD group policy object:
# VGP (vgp_sudoext) Sudoers Section Start ( DO NOT EDIT! )
%groupX ALL=(root) NOPASSWD: /bin/su - user1
%groupX ALL=(root) ALL
# VGP (vgp_sudoext) Sudoers Section End
No other lines/parameters have been changed above the VGP/QAS section from the default RH build.
When a member (userX) of a valid group (groupX) logs in and attempts to run the above command they are asked for the AD password of the user1 account. We are expecting from the first line of the above section that userX would not be prompted for any password.
However, if we temporarily comment out the second line (using visudo), userX can execute the command and becomes logged in as user1.
The original order of the above lines was reversed and the same behaviour was experienced.
What needs to be changed in order to allow users to log in and su to the user1 account?
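The sudoers manual states that when several entries match, the last match is used, so a later `%groupX ALL=(root) ALL` line (without NOPASSWD) re-imposes the password requirement that the earlier NOPASSWD line removed. The following is an added example, not sudo's code and not from the post: a small model of that last-match rule, run over the four lines quoted above, which a practitioner can use to check what a given entry order should yield.

```python
"""Model of sudoers last-match semantics (added example, not sudo's own code).
Assumption: sudo applies the LAST matching entry for a user/host/command,
so a NOPASSWD tag on an earlier line is overridden by a later matching
line that lacks the tag. Only the '%group ALL=(runas) [TAG:] cmd' shape
used in the post is parsed; anything else raises ValueError."""
import re
from dataclasses import dataclass

@dataclass
class Rule:
    group: str      # "groupX" from "%groupX"
    runas: str      # "root" from "(root)"
    nopasswd: bool  # True when the NOPASSWD: tag is present
    command: str    # "ALL" or an exact command line

LINE_RE = re.compile(r"^%(\S+)\s+ALL=\((\S+)\)\s+(?:(NOPASSWD|PASSWD):\s*)?(.+)$")

def parse_sudoers(text):
    """Parse the supported sudoers lines, skipping blanks and '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        group, runas, tag, cmd = m.groups()
        rules.append(Rule(group, runas, tag == "NOPASSWD", cmd.strip()))
    return rules

def password_required(rules, groups, runas, command):
    """None if no entry permits the command; otherwise whether a password
    is needed, taken from the LAST matching entry (sudo's documented rule)."""
    decision = None
    for r in rules:
        if r.group in groups and r.runas == runas and r.command in ("ALL", command):
            decision = not r.nopasswd
    return decision

# Constructed sample: the VGP section exactly as quoted in the post.
SUDOERS = """\
# VGP (vgp_sudoext) Sudoers Section Start ( DO NOT EDIT! )
%groupX ALL=(root) NOPASSWD: /bin/su - user1
%groupX ALL=(root) ALL
# VGP (vgp_sudoext) Sudoers Section End
"""
CMD = "/bin/su - user1"

if __name__ == "__main__":
    rules = parse_sudoers(SUDOERS)
    print("as posted:    ", password_required(rules, {"groupX"}, "root", CMD))
    print("order swapped:", password_required(rules[::-1], {"groupX"}, "root", CMD))
    print("ALL line only:", password_required(rules[1:], {"groupX"}, "root", CMD))
```

Under this model the posted order requires a password for `/bin/su - user1`, while the NOPASSWD line alone (or placed last) does not; the model does not account for rules injected by vasd outside the quoted section.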