Changing which password is prompted for in sudoers

Basically I only want particular users to know the root password, but I also want power users to be able to run certain commands with root privileges. All admins for this box will be authenticating initially through winbind (I do have a backdoor account in case winbind goes wonky).

I want members of the "domain admins" group to be prompted for the root password but have unrestricted sudo access, while members of the "JSNNUsers" group should be able to execute the list of commands I've specified, being prompted only for their own password (in case they leave themselves logged in and someone comes up behind them before the console times out, 15 minutes).

I know I can change this behavior on a per-user basis by doing something like:

Defaults:targetUser   targetpw

But I was interested in getting it to work when specifying a group with a space in it. I'd rather not create a second group since all domain admins should be allowed root access to this box and the AD side may not necessarily remember to add them to an additional group when new domain admins are created (not to mention it seems redundant).

I got around the space issue in the actual rule itself by escaping the space:

%domain\ admins   ALL=(ALL)    PASSWD: ALL

But apparently this doesn't also work for changing defaults.

So it basically boils down to this: how do I change the default behavior for the "domain admins" group's password prompt without changing it so that everybody is prompted for the root password?

  • Joel
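
One way to express the policy described in the question, as an added example that is not part of the original post: put the escaped group name in a `User_Alias`, where the same user-list syntax as the working rule applies, and bind the `Defaults` entry to the alias. The alias names and the command paths are assumptions, and it assumes the installed sudo accepts an alias in a `Defaults:` binding as the sudoers grammar documents.

```sudoers
# Added example; DOMAIN_ADMINS and JSNN_CMDS are hypothetical alias names.
# The escaped space is written once, in a user list, the same context in
# which the rule from the question already parses.
User_Alias  DOMAIN_ADMINS = %domain\ admins

# Placeholder command list for the power users; substitute the real one.
Cmnd_Alias  JSNN_CMDS = /usr/sbin/service, /usr/bin/systemctl

# Scope the password change to the alias only, so nobody else is affected.
# rootpw always asks for root's password; targetpw asks for the password of
# whichever user is named with -u (root when -u is omitted).
Defaults:DOMAIN_ADMINS  rootpw

# Unrestricted access, authenticated with the root password.
DOMAIN_ADMINS  ALL=(ALL)   PASSWD: ALL

# Restricted access; no Defaults entry matches this group, so sudo asks
# for the invoking user's own password.
%JSNNUsers     ALL=(root)  PASSWD: JSNN_CMDS
```

Check the file with `visudo -c` before relying on it, and keep a root shell open while testing so a parse error cannot lock out administrative access.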