Ubuntu Authentication


#1

Hello,

I’ve read the documentation on https://docs.software-univention.de/domain-4.1.html#ext-dom-ubuntu, but this adds the computer to the domain.

Is there a way to only use the authentication without adding the computer to the domain?
We have applications and systems that use the authentication only and are working fine (Atlassian Jira and Confluence, Sonatype Nexus, Netgear ReadyNAS …)

I have a mix of Ubuntu Server 14.04 and 16.04, and after running the whole script I can get a list of users with getent passwd, but can’t log in as one of the users.

Auth.log shows:
Feb 7 08:05:40 su-tst-01 login[1086]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=ubuntuuser
Feb 7 08:05:40 su-tst-01 login[1086]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=ubuntuuser
Feb 7 08:05:40 su-tst-01 login[1086]: pam_sss(login:auth): received for user ubuntuuser: 4 (System error)
Feb 7 08:05:43 su-tst-01 login[1086]: FAILED LOGIN (1) on ‘/dev/tty1’ FOR ‘ubuntuuser’, Authentication failure

That account in the getent passwd list shows as:
ubuntuuser:*:2010:5001:Ubuntu User:/home/ubuntuuser:/bin/bash

The syslog file shows:
Feb 7 08:01:07 su-tst-01 systemd[1]: Started System Security Services Daemon.
Feb 7 08:05:40 su-tst-01 [sssd[krb5_child[3762]]]: Cannot find KDC for realm “mydomain.COM
Feb 7 08:05:40 su-tst-01 [sssd[krb5_child[3762]]]: Cannot find KDC for realm “mydomain.COM
Feb 7 08:06:37 su-tst-01 systemd[1]: getty@tty1.service: Service has no hold-off time, scheduling restart.
Feb 7 08:06:37 su-tst-01 systemd[1]: Stopped Getty on tty1.
Feb 7 08:06:37 su-tst-01 systemd[1]: Started Getty on tty1.

Thanks


#2

I had forgotten to add the Kerberos part of the documentation, now login works fine.

Is there a way to make it so only certain groups can log in? E.g. Domain Admins, and they get the adm and sudo groups by default.

Thanks
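
A triage sketch for the symptom in this thread, added here as an example and not part of the original posts: it pairs pam_sss "4 (System error)" results in auth.log with krb5_child "Cannot find KDC for realm" messages in syslog from the same host. The sample log text is constructed from the lines quoted above (the otheruser line is invented), and the function names and 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the log lines quoted in the thread.
AUTH_LOG = """\
Feb 7 08:05:40 su-tst-01 login[1086]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=ubuntuuser
Feb 7 08:05:40 su-tst-01 login[1086]: pam_sss(login:auth): received for user ubuntuuser: 4 (System error)
Feb 7 09:12:03 su-tst-01 login[1190]: pam_sss(login:auth): received for user otheruser: 7 (Authentication failure)
"""
SYSLOG = """\
Feb 7 08:01:07 su-tst-01 systemd[1]: Started System Security Services Daemon.
Feb 7 08:05:40 su-tst-01 [sssd[krb5_child[3762]]]: Cannot find KDC for realm "mydomain.COM"
"""

LINE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
PAM_SSS = re.compile(r"pam_sss\(\S+\): received for user (\S+): (\d+) \((.+)\)")
NO_KDC = re.compile(r"krb5_child\[\d+\].*Cannot find KDC for realm\s+\W?([\w.-]+)")

def parse(text):
    """Yield (timestamp, host, message) for each syslog-style line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            mon, day, clock, host, msg = m.groups()
            # Classic syslog lines carry no year; a fixed one is assumed for comparison.
            ts = datetime.strptime(f"2000 {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            yield ts, host, msg

def diagnose(auth_log, syslog, window=timedelta(seconds=5)):
    """Pair each pam_sss result with a krb5_child KDC lookup failure close in time."""
    kdc_errors = [(ts, host, m.group(1)) for ts, host, msg in parse(syslog)
                  if (m := NO_KDC.search(msg))]
    findings = []
    for ts, host, msg in parse(auth_log):
        m = PAM_SSS.search(msg)
        if not m:
            continue  # pam_unix and other lines are not SSSD results
        user, code, text = m.group(1), int(m.group(2)), m.group(3)
        realm = next((r for kts, khost, r in kdc_errors
                      if khost == host and abs(kts - ts) <= window), None)
        if code == 4 and realm:
            cause = f"no KDC found for realm {realm}: check the Kerberos client configuration"
        elif code == 4:
            cause = "pam_sss system error with no KDC message nearby: check the SSSD logs"
        else:
            cause = f"PAM result {code} ({text}): not the missing-KDC pattern"
        findings.append((user, code, cause))
    return findings

if __name__ == "__main__":
    for finding in diagnose(AUTH_LOG, SYSLOG):
        print(finding)
```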