When a user logs in to a server with systemd, the PAM logic executes pam_systemd.
With that module, the users are registered under the systemd control group. This is an example of two users (root and a normal user) logged in to a server:
# systemd-cgls
Control group /:
-.slice
├─user.slice
│ ├─user-0.slice
│ │ ├─session-5233.scope
│ │ │ ├─13309 sshd: root@pts/0
│ │ │ ├─13367 -bash
│ │ │ ├─13447 systemd-cgls
│ │ │ └─13448 pager
│ │ └─user@0.service
│ │   └─init.scope
│ │     ├─13312 /lib/systemd/systemd --user
│ │     └─13313 (sd-pam)
│ └─user-1000.slice
│   ├─session-5236.scope
│   │ ├─13385 sshd: user1 [priv]
│   │ ├─13443 sshd: user1@pts/1
│   │ └─13444 -bash
│   └─user@1000.service
│     └─init.scope
│       ├─13388 /lib/systemd/systemd --user
│       └─13389 (sd-pam)
But that behaviour was optional in Debian 8 (already with systemd), and in Debian 9 you have the option to disable it with pam-auth-update, and if you do, everything seems to work the same.
Why is that grouping of users under cgroups needed? What happens when it is disabled?
It's not really needed, but it allows the administrator to set per-user limits via cgroups. E.g. memory and CPU usage can be limited.
If cgroup isolation is disabled, you won't be able to set such limits.
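The per-user limits described in the answer above, as an added example that is not part of the original question or answer: it checks that pam_systemd is active in a PAM session file and only then writes a slice drop-in for one user. The function names, the drop-in file name `50-limits.conf` and the limit values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the drop-in
# file name and the limit values are illustrative assumptions.

# Return 0 if an active (uncommented) session line in the given PAM file
# loads pam_systemd.so, i.e. logins are registered under user-UID.slice.
pam_systemd_enabled() {
    grep -Eq '^[[:space:]]*-?session[[:space:]].*pam_systemd\.so' "$1"
}

# Write a drop-in that caps memory, CPU and task count for one user's slice.
# $1 = unit directory (normally /etc/systemd/system), $2 = UID,
# $3 = memory cap, $4 = CPU quota, $5 = maximum number of tasks.
# On older cgroup-v1 setups the memory directive may need to be MemoryLimit=.
write_user_limits() {
    unit_dir=$1 uid=$2 mem=$3 cpu=$4 tasks=$5
    dropin="$unit_dir/user-$uid.slice.d"
    mkdir -p "$dropin" || return 1
    cat > "$dropin/50-limits.conf" <<EOF
[Slice]
MemoryMax=$mem
CPUQuota=$cpu
TasksMax=$tasks
EOF
    # Print the path of the file that was written.
    printf '%s\n' "$dropin/50-limits.conf"
}

# Apply limits only when pam_systemd is active: without it, login sessions
# are not placed in user-UID.slice and the drop-in would govern nothing.
# $1 = PAM session file, remaining arguments as for write_user_limits.
limit_user() {
    pam_file=$1; shift
    if pam_systemd_enabled "$pam_file"; then
        write_user_limits "$@"
    else
        echo "pam_systemd not enabled in $pam_file; per-user limits would not apply" >&2
        return 1
    fi
}
```

On a Debian system this would be called as `limit_user /etc/pam.d/common-session /etc/systemd/system 1000 512M 50% 200`, followed by `systemctl daemon-reload` so that systemd picks up the drop-in.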