Allow password login to external AD users


I have a unit which is set up to authenticate via “SSSD” (AD backend).

What would be the best way to enable password login to allow my users to log in to machines that allow this?

Is it through the charm layers (Modifying or is this something that I would be able to do through some juju tools?


So are you authenticating to the charm tool or the juju cli itself? I’m trying to tell if you’re authenticating to the charmstore, JAAS, or a juju controller of your own?

EDIT: and is this using candid for the juju controller or normal Juju auth?


It's for user(s) to ssh from a “non juju” client on a separate network to access a/few nodes in a model which has been set up to use AD as a backend authentication mechanism (sssd + pam).

It's needed to allow users to log in as their “real” users.


Oooooh, ok so this is system accounts on the physical machines. Hmmm, are these MAAS machines? It feels like something that would be seeded on the machines themselves with cloud-init config such that they are set up so they support the AD auth at machine deploy time, aside from Juju.


That's true, and we do that as part of a subordinate, specific to our environment. It runs a few ansible playbooks (“scania-specific”) where we probably will end up placing this facility if juju doesn't have an intelligent mechanism to do this out-of-the-box.


It feels like either a subordinate, or a primary charm that you deploy to each machine to configure its PAM to integrate with your AD backend.
We have discussed in the past a sort of “machine subordinate”, that defines a charm to deploy on every machine in a model for similar use cases as this. (On all the machines, I want it to run this snippet of code, and do so reasonably early on.)

Putting the ansible code in a charm and installing it would get you there, and give you reasonable ways to upgrade it over time, see that it's running, status, etc. I do think ‘global subordinate’ as a way to ensure that it is always available fits your use case pretty well.
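Whatever deploys the PAM/sshd configuration (a subordinate charm, cloud-init, or the ansible playbooks mentioned above), the part worth verifying on every machine is that password login for AD users is turned on only where intended: `UsePAM yes` so that sshd consults `pam_sss` at all, password or keyboard-interactive auth re-enabled for one AD group via a `Match Group` block rather than globally, and an sssd `access_provider` that does not admit every account in the directory. The following check is an added example and is not code from this thread or from Juju; the two config texts are constructed samples, the sshd and sssd directive names are the real ones, and the `audit()` function is a hypothetical helper that a charm action or playbook task could call.

```python
"""Check how password login for AD (sssd) users is scoped on a host.

Added example, not part of the original thread. The two config texts below
are constructed samples; directive names are real sshd_config and sssd.conf keys.
"""
import configparser
import re

# Constructed sshd_config: password auth off globally, re-enabled only for
# members of one AD group. UsePAM must be on for pam_sss to be consulted.
SSHD_CONFIG = """
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
AllowGroups sudo ad-ssh-users@example.local

Match Group ad-ssh-users@example.local
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes
"""

# Constructed sssd.conf (AD backend) restricting access to a single group.
SSSD_CONF = """
[sssd]
domains = example.local
services = nss, pam

[domain/example.local]
id_provider = ad
auth_provider = ad
access_provider = simple
simple_allow_groups = ad-ssh-users
"""


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    sshd applies the first value it sees for a keyword, so both the global
    section and each Match block keep first-wins semantics here. Keywords are
    case-insensitive and may be written as "Key value" or "Key=value".
    """
    global_settings, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "challengeresponseauthentication":  # legacy alias
            key = "kbdinteractiveauthentication"
        if key == "match":
            current = {}
            matches.append((value, current))
            continue
        target = current if current is not None else global_settings
        target.setdefault(key, value)
    return global_settings, matches


def password_login_scope(sshd_text):
    """Report where password/keyboard-interactive login is reachable.

    sshd defaults both directives to "yes" when they are absent, and a Match
    block inherits the global value for anything it does not override.
    """
    g, matches = parse_sshd_config(sshd_text)
    g_pw = g.get("passwordauthentication", "yes").lower()
    g_kbd = g.get("kbdinteractiveauthentication", "yes").lower()

    def on(settings, pw_default, kbd_default):
        return (settings.get("passwordauthentication", pw_default).lower() == "yes"
                or settings.get("kbdinteractiveauthentication", kbd_default).lower() == "yes")

    return {
        "use_pam": g.get("usepam", "no").lower() == "yes",
        "global": on(g, g_pw, g_kbd),
        "match": [crit for crit, s in matches if on(s, g_pw, g_kbd)],
    }


def sssd_access_restriction(sssd_text):
    """Map each sssd domain to (access_provider, restricted?).

    sssd.conf(5) defaults access_provider to "permit", which admits every
    account the domain can resolve; "simple" is restricted only if an allow
    list is set; "ad" delegates to the account's own AD login restrictions.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        provider = sec.get("access_provider", "permit").strip()
        if provider == "simple":
            restricted = bool(sec.get("simple_allow_groups") or sec.get("simple_allow_users"))
        elif provider == "ad":
            restricted = True
        else:
            restricted = False
        result[section[len("domain/"):]] = (provider, restricted)
    return result


def audit(sshd_text=SSHD_CONFIG, sssd_text=SSSD_CONF):
    """Hypothetical helper: return (scope, findings) for one host's config."""
    findings = []
    scope = password_login_scope(sshd_text)
    if not scope["use_pam"]:
        findings.append("UsePAM is off: pam_sss (and so AD passwords) is never consulted")
    if scope["global"]:
        findings.append("password/keyboard-interactive login is enabled globally; prefer a Match Group block")
    for domain, (provider, restricted) in sssd_access_restriction(sssd_text).items():
        if not restricted:
            findings.append(f"domain {domain}: access_provider={provider} admits every AD account")
    return scope, findings


if __name__ == "__main__":
    scope, findings = audit()
    print(scope)
    print(findings or ["no findings"])
```

Run it against the real files by passing `open("/etc/ssh/sshd_config").read()` and `open("/etc/sssd/sssd.conf").read()` to `audit()`; drop-in files under `/etc/ssh/sshd_config.d/` are included by the main file on Ubuntu, so concatenate them first if you use that layout. The check deliberately treats a missing `PasswordAuthentication` as "yes", since that is sshd's default and the usual way a host ends up more open than its operator believes.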


We ended up putting it in a subordinate with an ansible configuration to point towards the AWX. It feels a bit awkward, but does it for us at the moment. Thanx!