Public bug reported: [Impact]
When logging in (either via login or ssh) to an AD account using different case combinations, adsysd uses the specified account name instead of the lowercase one reported by getent/whoami to apply the GPOs. I believe this comes from the pam_get_item call here: https://github.com/ubuntu/adsys/blob/e3316e5e37970a07f09fa6df553ddac096c91255/pam/pam_adsys.c#L266 This works but has the unintended side effect of producing multiple dconf profile files for each variant of the username, and caching policies as well: root@ubuntu2204:~# ls /etc/dconf/profile/ | grep -i administrator administra...@warthogs.biz administra...@warthogs.biz administra...@warthogs.biz root@ubuntu2204:~# ls /var/cache/adsys/policies/ | grep -i administrator administra...@warthogs.biz administra...@warthogs.biz administra...@warthogs.biz Of course this all stems from the username retrieved by PAM so there might be more unintended side-effects, the dconf one being the easiest to observe. To ensure an unified experience, when a target name is normalized from e.g. DOMAIN\User to User@DOMAIN, it will also be lowercased. [Test Plan] * Enable a dconf policy on the AD controller * Log in with an AD account, alternating cases * Observe multiple files created at /etc/dconf/profile and /var/cache/adsys/policies [Where problems could occur] After login succeeds, an AD username is _always_ reported as lowercase by the system, so there are no suspected side-effects of this change. [Other Info] This issue was initially reported on GitHub at https://github.com/ubuntu/adsys/issues/378 ** Affects: adsys (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to adsys in Ubuntu. https://bugs.launchpad.net/bugs/1982347 Title: Username is case sensitive when applying policies on login Status in adsys package in Ubuntu: New Bug description: [Impact] When logging in (either via login or ssh) to an AD account using different case combinations, adsysd uses the specified account name instead of the lowercase one reported by getent/whoami to apply the GPOs. I believe this comes from the pam_get_item call here: https://github.com/ubuntu/adsys/blob/e3316e5e37970a07f09fa6df553ddac096c91255/pam/pam_adsys.c#L266 This works but has the unintended side effect of producing multiple dconf profile files for each variant of the username, and caching policies as well: root@ubuntu2204:~# ls /etc/dconf/profile/ | grep -i administrator administra...@warthogs.biz administra...@warthogs.biz administra...@warthogs.biz root@ubuntu2204:~# ls /var/cache/adsys/policies/ | grep -i administrator administra...@warthogs.biz administra...@warthogs.biz administra...@warthogs.biz Of course this all stems from the username retrieved by PAM so there might be more unintended side-effects, the dconf one being the easiest to observe. To ensure an unified experience, when a target name is normalized from e.g. DOMAIN\User to User@DOMAIN, it will also be lowercased. [Test Plan] * Enable a dconf policy on the AD controller * Log in with an AD account, alternating cases * Observe multiple files created at /etc/dconf/profile and /var/cache/adsys/policies [Where problems could occur] After login succeeds, an AD username is _always_ reported as lowercase by the system, so there are no suspected side-effects of this change. [Other Info] This issue was initially reported on GitHub at https://github.com/ubuntu/adsys/issues/378 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/1982347/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
