
KB-2434: Enabling sudo for users on a smart-card-only machine.

Centrify Identity Service, Mac Edition

15 March,18 at 05:42 PM

Question:

Is it possible to enable sudo for users on a smart-card-only machine?


Answer: 

Yes. For machines that are strictly smart-card-required, the only way to do this is to set the "nopasswd" flag in sudoers for the specified users.
  • When the per-user "Smart card required to log in" setting is checked in ADUC (as opposed to the per-machine GP setting), the user's password is deleted from Active Directory, so no password exists to be entered.
  • The 'passwd' flag in sudoers is set so that, if a user leaves their workstation, another person cannot come along and use sudo on the system.
  • With smart cards, the ideal situation is that whenever the user leaves the workstation, they also take the smart card with them (this event can be set to auto-lock the system via group policy).
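
Because the flag is meant for specified users only, it is worth checking that no sudoers entry grants it to ALL or to a whole group. The following is an added example, not Centrify's code: a small Python audit over constructed sudoers text with hypothetical user names. It assumes plain user specifications and does not expand User_Alias names.

```python
import re

# Constructed sample sudoers content; user names are hypothetical.
SAMPLE = """\
# smart-card-only users: no AD password exists to type at the sudo prompt
jsmith   ALL=(ALL) NOPASSWD: ALL
mlee, \\
  akhan  ALL=(root) NOPASSWD: /usr/sbin/softwareupdate
%admin   ALL=(ALL) NOPASSWD: ALL
ALL      ALL=(ALL) NOPASSWD: /bin/ls
%staff   ALL=(ALL) ALL
"""

# Lines that are not user specifications: comments, includes, Defaults, alias definitions.
SKIP = re.compile(r"^(#|@include|Defaults|(User|Runas|Host|Cmnd)_Alias\b)")

def logical_lines(text):
    """Join backslash-continued lines, which sudoers permits."""
    buf = ""
    for raw in text.splitlines():
        raw = raw.rstrip()
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield (buf + raw).strip()
        buf = ""

def audit_nopasswd(text):
    """Return (named_users, broad_grants) for user specs carrying NOPASSWD."""
    named, broad = [], []
    for line in logical_lines(text):
        if not line or SKIP.match(line) or "=" not in line or "NOPASSWD" not in line:
            continue
        # Left of '=' is "<user list> <host list>"; the user list is the first field.
        lhs = re.sub(r"\s*,\s*", ",", line.split("=", 1)[0])
        for user in lhs.split()[0].split(","):
            # ALL and %group hand passwordless sudo to more than a specified user.
            (broad if user == "ALL" or user.startswith("%") else named).append(user)
    return named, broad

if __name__ == "__main__":
    named, broad = audit_nopasswd(SAMPLE)
    print("NOPASSWD for named users:", named)
    print("NOPASSWD for ALL or groups (review):", broad)
```

Entries reported in the second list remove the sudo password prompt for every matching account, including accounts that are not smart-card-only.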
