AD + SSSD
If you have host in the AD with the SSSD then your root user can be any user from the domain. So
%groupname ALL=(ALL) NOPASSWD:ALL
would actually give permissions to all users from the “groupname” to become any AD user they want, and if they’re SSH’ng the localhost then, they would have Kerberos ticket as well. It is not actually that evident, but Active Directory is an identity provider, so if you are superuser on the host – you can be AD user on the host.