
We are using Samba Active Directory 2:4.7.6 on Ubuntu 14.04.5 LTS.

We have only one domain controller, and it is not remote (it is inside the controlled, non-WAN-accessed subnet).

However, as is the default since Windows AD 2008, all authoritative users ("enterprise admins", "domain admins", "Cert Publishers", etc) belong to the group "Denied RODC Password Replication".

I have two questions:

  1. Since this is NOT a remote domain controller (it is the master) and it is NOT available via WAN (it is in an isolated subnet), can we safely remove these users from the "Denied RODC Password Replication" group?

  2. (This may need to be a separate post). When attempting to log onto an Ubuntu 18 member of the domain, it fails with the error ...

Error:

lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "MyDomainAdminAccount"

This is because of the line in the /etc/pam.d/lightdm config...

auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin

I corrected the issue by changing this file to ...

#auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
auth    sufficient      pam_succeed_if.so user ingroup [domain users]
auth    sufficient      pam_succeed_if.so user ingroup [domain admins]

...but I don't know if these two issues are related.

Can anyone shed light on this?

BurningKrome
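The two lightdm auth stacks from the question, walked by a small PAM stack simulator. This is an added example, not code from the question, from Samba or from LightDM: it models only the required/requisite/sufficient control flags and the pam_succeed_if "user ingroup" predicate, uses a constructed group-membership table in place of the NSS lookups real pam_succeed_if performs, and assumes a trailing "auth required pam_unix.so" line as a stand-in for the rest of /etc/pam.d/lightdm. It reports which modules each user actually reaches, and in particular whether the password module is consulted at all once a "sufficient" pam_succeed_if line matches.

```python
"""Simulate a PAM 'auth' stack for the lightdm lines in the question.

Constructed example: only the control flags required/requisite/sufficient,
the pam_succeed_if predicate 'user ingroup <group>', and a stand-in password
module are modelled.  Group membership is a plain dict rather than NSS lookups.
"""
import re
from typing import Dict, List, Set, Tuple

# The two stacks.  The trailing pam_unix.so line is an assumption standing in
# for whatever the rest of /etc/pam.d/lightdm (e.g. @include common-auth) does.
ORIGINAL_STACK = """
auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
auth    required        pam_unix.so
"""

MODIFIED_STACK = """
#auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
auth    sufficient      pam_succeed_if.so user ingroup [domain users]
auth    sufficient      pam_succeed_if.so user ingroup [domain admins]
auth    required        pam_unix.so
"""

# Constructed membership table (real pam_succeed_if asks NSS, i.e. winbind/sssd).
GROUPS: Dict[str, Set[str]] = {
    "MyDomainAdminAccount": {"domain users", "domain admins"},
    "alice": {"domain users"},
    "bob": set(),
}

# A [...] group is one argument; this is how "[domain users]" survives the space.
_ARG_RE = re.compile(r"\[([^\]]*)\]|(\S+)")


def tokenize_args(arg_str: str) -> List[str]:
    """Split module arguments; [...] groups a multi-word argument (no escaping modelled)."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _ARG_RE.finditer(arg_str)]


def parse_pam_stack(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse 'type control module [args]' lines; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 3)
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        args = tokenize_args(fields[3]) if len(fields) == 4 else []
        entries.append((fields[0], fields[1], fields[2], args))
    return entries


def run_module(module: str, args: List[str], user: str, password_ok: bool) -> bool:
    """Return the module's verdict for this user (True stands for PAM_SUCCESS)."""
    if module == "pam_succeed_if.so":
        if len(args) == 3 and args[0] == "user" and args[1] == "ingroup":
            return args[2] in GROUPS.get(user, set())
        raise NotImplementedError(f"unsupported pam_succeed_if predicate: {args}")
    if module == "pam_unix.so":
        return password_ok  # stand-in for the real password check
    raise NotImplementedError(f"unsupported module: {module}")


def authenticate(stack_text: str, user: str, password_ok: bool) -> Tuple[bool, List[str]]:
    """Walk the auth stack; return (access granted, modules actually consulted)."""
    consulted: List[str] = []
    required_failed = False
    any_success = False
    for mtype, control, module, args in parse_pam_stack(stack_text):
        if mtype != "auth":
            continue
        ok = run_module(module, args, user, password_ok)
        consulted.append(module)
        any_success = any_success or ok
        if control == "sufficient" and ok and not required_failed:
            return True, consulted  # short-circuit: later modules never run
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            required_failed = True
    return any_success and not required_failed, consulted


def password_was_checked(stack_text: str, user: str) -> bool:
    """Did the stack reach the password module for a user offering a wrong password?"""
    _, consulted = authenticate(stack_text, user, password_ok=False)
    return "pam_unix.so" in consulted


if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL_STACK), ("modified", MODIFIED_STACK)):
        for user in GROUPS:
            granted, consulted = authenticate(stack, user, password_ok=False)
            print(f"{name:8} {user:22} wrong password -> granted={granted} via {consulted}")
```

Run it directly to print the verdicts. The lines changed in the question match any member of Domain Users, and because they are "sufficient" the stack returns success before the password module runs, so the member machine no longer distinguishes a correct password from a wrong one for those accounts. The original nopasswdlogin line has exactly the same shape, which is why the documentation the answer cites ties that group to interactive login without a password: the fix in the question does not make lightdm check domain passwords, it widens the passwordless path.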

1 Answer


Depends if you have Read Only Domain Controllers. If you don't then the group membership is irrelevant. If you do, removing those accounts from the Denied RODC Password Replication group defeats the main purpose of having an RODC.

Looking at the documentation, I don't think that setting is related to the Denied RODC Password Replication group membership:

https://wiki.archlinux.org/index.php/LightDM#Enabling_interactive_passwordless_login

"You must then also be part of the nopasswdlogin group to be able to login interactively without entering your password"

Greg Askew