
Sudo Prompts for a Password Despite a NOPASSWD Rule in FreeIPA

Tags: freeipa, rocky linux, sssd, sudo, troubleshooting

Ahmer M.
Customer Support Engineer

Jun 26, 2026

Introduction

On Rocky Linux hosts that get sudo rules from FreeIPA (IdM) through SSSD, a command can show as NOPASSWD in sudo -l but still prompt for a password when you run it.

Problem

sudo -l lists the command as NOPASSWD, but running it prompts anyway. Where sudo cannot prompt (a cron job, a script or sudo -n on a service account, or a host where the default !visiblepw stops sudo from asking without a tty), the command fails with sudo: a password is required.

Symptoms

sudo -l
    (ALL : ALL) NOPASSWD: /bin/su, tcpdump, top, du, df

sudo tcpdump
sudo: a password is required

Resolution

The rule lists commands by bare name (tcpdump) instead of absolute path. Define each command by its full path.

  1. Find the absolute path. Run this as root, or with /usr/sbin on your PATH; sudo itself resolves the command through secure_path, which on Rocky Linux includes /usr/sbin:
     readlink -f "$(command -v tcpdump)"
     # /usr/sbin/tcpdump
  2. As an IdM admin (kinit admin), add the full-path command object, attach it to the rule, then drop the bare-name entry (sudocmd-add reports "already exists" if the object is present; that error is safe to ignore):
     ipa sudocmd-add /usr/sbin/tcpdump
     ipa sudorule-add-allow-command rule_name --sudocmds=/usr/sbin/tcpdump
     ipa sudorule-remove-allow-command rule_name --sudocmds=tcpdump
  3. Add the no-password option if the rule lacks it (the IdM equivalent of NOPASSWD):
     ipa sudorule-add-option rule_name --sudooption='!authenticate'
  4. On the client, invalidate the cached sudo rules and verify:
     sudo sss_cache -R
     sudo -l
     sudo tcpdump
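As an added example (not code from the original article or from FreeIPA), the script below automates steps 1 to 4 for a whole rule: it parses the command list that sudo -l prints, flags every entry that is not an absolute path, resolves each bare name through sudo's secure_path the way sudo itself would, and emits the ipa commands that swap it for the full path. The sample sudo -l output, the rule name ops_rule and the secure_path default are constructed for this example; the ipa commands are printed for review rather than executed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: audit the command list
# that `sudo -l` prints, flag entries that are not absolute paths, and emit the
# `ipa` commands (steps 1-4 above) that replace each one with its full path.
# The sample output, the rule name and the secure_path default are assumptions.

# Constructed `sudo -l` output, shaped like the Symptoms section.
SAMPLE_SUDO_L='Matching Defaults entries for alice on host1:
    !visiblepw, always_set_home, env_reset, secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User alice may run the following commands on host1:
    (ALL : ALL) NOPASSWD: /bin/su, tcpdump, top, du, df'

# Print one command entry per line from `sudo -l` output. Only lines of the
# form "(runas) [TAG: ...] cmd, cmd, ..." carry commands; per-entry tags such
# as NOPASSWD: or SETENV: are stripped so the first word is the command.
sudo_l_commands() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*//p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^\([A-Z_]*:[[:space:]]*\)*//' |
        grep -v '^$'
}

# Entries whose command is not an absolute path. ALL, sudoedit and (sudo
# 1.9.13+) list are the only legitimate non-path command words in sudoers.
bare_entries() {
    sudo_l_commands "$1" |
        awk '$1 !~ /^\// && $1 != "ALL" && $1 != "sudoedit" && $1 != "list"'
}

# Resolve a bare name the way sudo would: search secure_path (sudo's own PATH,
# so /usr/sbin is covered even if the user's PATH lacks it) and canonicalise
# the hit with readlink -f, since /sbin and /bin are symlinks into /usr on
# Rocky Linux. Prints the path, or prints nothing and returns 1.
resolve_cmd() {
    local name=$1 dir
    local IFS=:
    for dir in ${SECURE_PATH:-/sbin:/bin:/usr/sbin:/usr/bin}; do
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            readlink -f "$dir/$name"
            return 0
        fi
    done
    return 1
}

# The ipa commands that swap one bare entry for its full path in RULE.
# Printed rather than run: review them, then pipe into sh after `kinit admin`.
# sudocmd-add errors with "already exists" if the object is present; that is safe.
ipa_fix_commands() {
    local rule=$1 bare=$2 path=$3
    printf 'ipa sudocmd-add %s\n' "$path"
    printf 'ipa sudorule-add-allow-command %s --sudocmds=%s\n' "$rule" "$path"
    printf 'ipa sudorule-remove-allow-command %s --sudocmds=%s\n' "$rule" "$bare"
}

# Usage: audit_rule RULE_NAME [SUDO_L_OUTPUT]; without the second argument the
# live `sudo -l` output of the calling user is used.
audit_rule() {
    local rule=$1 output=${2:-$(sudo -l 2>/dev/null)} entry name path
    bare_entries "$output" | while read -r entry; do
        name=${entry%% *}
        if path=$(resolve_cmd "$name"); then
            ipa_fix_commands "$rule" "$name" "$path"
        else
            printf '# %s: not in secure_path, resolve it by hand\n' "$name" >&2
        fi
    done
    printf "ipa sudorule-add-option %s --sudooption='!authenticate'\n" "$rule"
    printf 'sudo sss_cache -R\n'
}

# audit_rule ops_rule "$SAMPLE_SUDO_L"
```

Run audit_rule against the live sudo -l output on the affected client, read the generated commands, and only then execute them from a host with an admin Kerberos ticket. Entries that resolve to nothing are reported on stderr instead of being turned into commands, so a typo in the rule is never silently "fixed" to a path that does not exist.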

Root Cause

sudo -l prints the rule's stored command string verbatim, so a bare name such as tcpdump looks like a valid NOPASSWD entry. At run time sudo resolves the command you typed through secure_path to /usr/sbin/tcpdump and compares that absolute path with each rule's command string; a bare name never matches, so no rule, and therefore no NOPASSWD tag, applies. sudo authenticates before it reports whether a command is permitted, which is why you see a password prompt rather than an immediate "not allowed" error; entering the password would only produce that error.

If It Still Prompts

  • The rule lacks the !authenticate option (step 3).
  • The rule is assigned to a group, not the user: ipa sudorule-find --users=<user> returns nothing. Check each of the user's groups with ipa sudorule-find --groups=<group>.
  • The SSSD sudo responder is off: confirm sudo is in the services line of the [sssd] section of /etc/sssd/sssd.conf (or that sssd-sudo.socket is active where socket activation is used), and that the sudoers line in /etc/nsswitch.conf lists sss, which authselect enable-feature with-sudo sets.
  • On sudo 1.8.23 and later, sudo still runs the PAM account and session stages for no-password rules, so a broken PAM stack (/etc/pam.d/sudo) can prompt or fail; check /var/log/secure.
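The third item above has two halves that are easy to check by hand but easier to get wrong under pressure. As an added example (not from the original article), the functions below check both: the sudoers line in nsswitch.conf must route to sss, and the [sssd] section of sssd.conf must list sudo in services (or the socket-activated responder must be running). The sample file contents are constructed; the unit name sssd-sudo.socket and the file paths are the stock ones on Rocky Linux.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: verify the two client-side
# settings behind the "SSSD sudo responder is off" item above. The sample file
# contents are constructed; the sssd-sudo.socket unit name and file paths are
# the stock ones on Rocky Linux.

# nsswitch.conf must route sudoers lookups to sss, which is what
# `authselect enable-feature with-sudo` writes ("sudoers: files sss").
nsswitch_has_sss() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*sudoers:(.*[[:space:]])?sss([[:space:]]|$)'
}

# The [sssd] section's services= line must list sudo. Lines in other
# sections (for example sudo_provider in a domain) do not count.
sssd_services_has_sudo() {
    printf '%s\n' "$1" |
        awk -F= '/^\[/ { in_sssd = ($0 ~ /^\[sssd\]/) }
                 in_sssd && $1 ~ /^[[:space:]]*services[[:space:]]*$/ { print $2 }' |
        grep -Eq '(^|[[:space:],])sudo([[:space:],]|$)'
}

# Live check for this host (run as root: sssd.conf is mode 0600). A
# socket-activated responder (sssd-sudo.socket) satisfies the second
# requirement without a services= entry.
check_client() {
    local rc=0
    nsswitch_has_sss "$(cat /etc/nsswitch.conf)" || {
        echo 'nsswitch.conf: sudoers line lacks sss; run: authselect enable-feature with-sudo'
        rc=1
    }
    if ! sssd_services_has_sudo "$(cat /etc/sssd/sssd.conf)" &&
       ! systemctl is-active --quiet sssd-sudo.socket; then
        echo 'sssd: sudo responder not enabled (services= in [sssd], or sssd-sudo.socket)'
        rc=1
    fi
    return $rc
}

# check_client
```

If check_client passes and sudo -l still shows no rules at all, the problem is upstream of the client (rule membership or host assignment in IdM), not the responder.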

Notes

After any rule change, run sudo sss_cache -R (or restart sssd) so the client does not serve stale rules.

List a user's effective rules, including group-inherited ones (run as root, since -U needs it): sudo -ll -U user@example.com.

References & related articles

sudoers(5): command matching

FreeIPA: Sudo rule management

Red Hat: Granting sudo access to an IdM user

Listing All Sudo Rules for a FreeIPA User