I have the strangest issue... might be a huge oversight.. who knows!!
I am trying to configure a user to use sudo with no password. Here is my sudoers configuration file:
root@isha:~# egrep -v "^$|^#" /etc/sudoers
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
root@isha:~#
I log in as user "kenneth", who is in the wheel group, but it requires a password...
kenneth@isha:~$ id -a
uid=100(kenneth) gid=10(staff) groups=10(staff),100(wheel)
kenneth@isha:~$ roles
root
kenneth@isha:~$ sudo -n su -
sudo: a password is required
So I checked by creating a new user called "ragnor" and adding it to wheel as well. I added it to the root role too, just in case (I thought that was the cause at some point), but it works flawlessly..
ragnor@isha:~$ id -a
uid=101(ragnor) gid=10(staff) groups=10(staff),100(wheel)
ragnor@isha:~$ roles
root
ragnor@isha:~$ sudo su -
Oracle Corporation SunOS 5.11 11.2 June 2014
You have new mail.
root@isha:~#
I also tried commenting out the "root ALL=(ALL) ALL" line in sudoers, same results.
-n The -n (non-interactive) option prevents sudo
from prompting the user for a password. If a
password is required for the command to run,
sudo will display an error message and exit.
I can't truss sudo -- edit: (you did say run this as root :), as root it did open /etc/sudoers)
kenneth@isha:~$ truss -f -t open sudo -l
truss: cannot trace set-id or unreadable object file: /usr/bin/sudo
However if it was not using /etc/sudoers it would not work for "ragnor".
There is an easy way of showing it is indeed reading the /etc/sudoers config file
root@isha:~# egrep -v "^$|^#" /etc/sudoers
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
kenneth ALL=(ALL) NOPASSWD: /usr/bin/su
root@isha:~# exit
logout
kenneth@isha:~$ sudo -l
User kenneth may run the following commands on this host:
(ALL) NOPASSWD: ALL
(ALL) NOPASSWD: /usr/bin/su
(ALL) ALL
kenneth@isha:~$
This must have something to do with RBAC.... root being a role and not a user.. not sure.
---------- Post updated at 01:41 AM ---------- Previous update was at 01:32 AM ----------
Ok found it...
When a user is specified during installation, a few things happen: it gets the "root" role and so on, but it also creates the following file:
root@isha:/# cat /etc/sudoers.d/svc-system-config-user
kenneth ALL=(ALL) ALL
So sudo was hitting this rule before hitting the NOPASSWD one. Removing that file did the magic. Funny one.
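Added example, not part of the original posts: sudo applies the last sudoers entry that matches a user, and `egrep -v "^$|^#"` also filters out the `#includedir` directive that pulls in /etc/sudoers.d, so the drop-in file stays invisible in that listing. The sketch below lists a user's matching entries in read order; the sample files are constructed from the thread, the `#includedir` line at the end of the main file is an assumption, and `effective_rules` and `needs_password` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Simplified matcher: the first field must be the user, %group
# or ALL; aliases, host lists, Defaults and line continuations are ignored.

# effective_rules USER "GROUP ..." FILE
# Prints matching entries in the order sudo reads them. The body is a
# subshell so the recursive call cannot clobber this call's variables.
effective_rules() (
    user=$1 groups=$2 file=$3
    ids=" $user ALL"
    for g in $groups; do ids="$ids %$g"; done
    while IFS= read -r line; do
        case $line in
            '#includedir '*|'@includedir '*)
                dir=${line#?includedir }
                # Drop-ins are read in sorted order; sudo skips names
                # that end in ~ or contain a dot.
                for f in "$dir"/*; do
                    [ -f "$f" ] || continue
                    case ${f##*/} in *.*|*~) continue ;; esac
                    effective_rules "$user" "$groups" "$f"
                done ;;
            ''|'#'*) ;;                       # blank line or plain comment
            *)  set -f; set -- $line; set +f  # $1 is now the first field
                case "$ids " in
                    *" $1 "*) printf '%s: %s\n' "$file" "$line" ;;
                esac ;;
        esac
    done < "$file"
)

# needs_password USER "GROUP ..." FILE  ->  yes | no | denied
# Only the last matching entry decides whether a password is asked for.
needs_password() {
    last=$(effective_rules "$@" | tail -n 1)
    case $last in
        '')          echo denied ;;
        *NOPASSWD:*) echo no ;;
        *)           echo yes ;;
    esac
}

# Constructed sample mirroring the thread's files (#includedir placement assumed).
demo=$(mktemp -d)
mkdir "$demo/sudoers.d"
printf '%s\n' 'root ALL=(ALL) ALL' '%wheel ALL=(ALL) NOPASSWD: ALL' \
    "#includedir $demo/sudoers.d" > "$demo/sudoers"
echo 'kenneth ALL=(ALL) ALL' > "$demo/sudoers.d/svc-system-config-user"
effective_rules kenneth "staff wheel" "$demo/sudoers"
needs_password kenneth "staff wheel" "$demo/sudoers"
```

On a real system, `sudo -l -U kenneth` run as root gives the authoritative list, and the entry printed last is the one that applies.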