Public bug reported:

[ Impact ]
Adsys user lookup assumes that a partial UserPrincipalName (UPN) will equal the
SAMaccountName (SAM).
For example, if a user has UPN "[email protected]" and SAM "uone" in Active
Directory, the lookup will fail.
If the SAM were "userone" then adsys would behave correctly.
Users normally log in using their UPN, and usually the SAM is the UPN without
the '@' and the domain.
Currently the Group Policy Object (GPO) search (by Adsys) is done by removing
the '@' and everything after it from the UPN and searching that value as the SAM.
This fails for cases where the SAM is not the local part of the UPN (i.e.,
SAM="uone", UPN="[email protected]"). The patch adds a search using the UPN if
the search for the SAM fails, to support users that have the aforementioned
discrepancy between the SAM and UPN.

Link to the upstream patch: [1].
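
To make the lookup change concrete, here is an added Go sketch (illustration only, not adsys code) of the old and the patched lookup over a constructed in-memory directory. The account values mirror the test plan (SAM "uone", domain test.local); the UPN local part "userone" is assumed from the error message, and the computer account name is made up.

```go
package main

import (
	"fmt"
	"strings"
)

// Account is a minimal stand-in for the AD attributes the lookup needs.
type Account struct {
	ObjectClass, SAMAccountName, UserPrincipalName string
}

// Constructed directory: "uone" mirrors the test plan (SAM is not the local
// part of the UPN); "utwo" is the common case where the two agree.
var directory = []Account{
	{"user", "uone", "userone@test.local"},
	{"user", "utwo", "utwo@test.local"},
	{"computer", "UBUNTU-VM$", ""},
}

func find(class string, match func(Account) bool) (Account, bool) {
	for _, a := range directory {
		if a.ObjectClass == class && match(a) {
			return a, true
		}
	}
	return Account{}, false
}

// lookupBefore models the pre-patch behaviour for every object class:
// drop "@" and the domain, then search the remainder as sAMAccountName.
func lookupBefore(class, name string) (Account, error) {
	sam := strings.SplitN(name, "@", 2)[0]
	if a, ok := find(class, func(a Account) bool { return a.SAMAccountName == sam }); ok {
		return a, nil
	}
	return Account{}, fmt.Errorf("failed to find account %s", sam)
}

// lookupAfter models the patch: computers keep the old path unchanged;
// users fall back to a userPrincipalName search when the SAM search is empty.
func lookupAfter(class, name string) (Account, error) {
	a, err := lookupBefore(class, name)
	if err == nil || class != "user" || !strings.Contains(name, "@") {
		return a, err
	}
	if a, ok := find(class, func(a Account) bool { return a.UserPrincipalName == name }); ok {
		return a, nil
	}
	return Account{}, fmt.Errorf("failed to find account %s", name)
}
```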

[ Test Plan ]
1. Install virt-manager on your host if you choose to create VMs with 
virt-manager
sudo apt update && sudo apt install virt-manager

2. Download the Windows Server 2022 ISO image: https://www.microsoft.com/en-us/evalcenter/download-windows-server-2022
3. I used the virt-manager to create a Windows VM (8GB ram, 6 VCPUs, 60GB disk)
4. Follow the installation in the VM. I picked the Windows Server 2022 Standard 
Evaluation, then Custom Install. From the SConfig, configure the static IP, DNS 
server, default gateway, administrator's password, and time/timezone.

5. configure AD from the command line:
powershell
# install the spice-guest-tools to enable copy/paste between the Windows guest and host
Invoke-WebRequest -Uri https://www.spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-latest.exe -OutFile sgtl.exe
# install spice-guest-tools
.\sgtl.exe

# install and configure the Domain Controller
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
# the DSRM password is in single quotes so PowerShell does not expand "$d" as a variable
Install-ADDSForest `
  -DomainName "test.local" `
  -InstallDns `
  -DomainMode WinThreshold `
  -ForestMode WinThreshold `
  -SafeModeAdministratorPassword (ConvertTo-SecureString 'ao4Ahnuzah$d!eeg' -AsPlainText -Force) `
  -NoRebootOnCompletion:$false `
  -Force
# VM will restart to apply changes
# verification
Get-WindowsFeature -Name AD-Domain-Services
nslookup test.local
Install-WindowsFeature -Name RSAT-AD-PowerShell
Import-Module ActiveDirectory
# add test domain user
New-ADUser `
  -SamAccountName "uone" `
  -UserPrincipalName "[email protected]" `
  -Name "User One" `
  -GivenName "User1" `
  -Surname "One1" `
  -Enabled $true `
  -AccountPassword (ConvertTo-SecureString "pAsswd&987!" -AsPlainText -Force) `
  -ChangePasswordAtLogon $true `
  -Path "CN=Users,DC=test,DC=local"
# verify
Get-ADUser -Identity "uone"

6. Download Ubuntu 24.04.3 Desktop
7. Install Ubuntu VM. I used the virt-manager to create the Ubuntu VM (4GB ram, 2
VCPUs, 25GB disk)
8. Set DNS server to Windows machine IP address (we want the .local domain from 
the example to be resolved by the Windows DNS)
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
Make /etc/resolv.conf a static file and add 'nameserver <windows machine IP>'
9. Install required packages (ssh server may be helpful to interact with the 
Ubuntu VM, but is optional)
sudo apt install sssd-ad sssd-tools realmd adcli openssh-server

# discover and join the realm. Supporting documentation [2]
sudo realm -v discover test.local
sudo realm join test.local
sudo pam-auth-update --enable mkhomedir

# verification
getent passwd [email protected]
getent passwd [email protected]

10. install adsys package and generate policy files. Supporting documentation 
[3]
sudo apt install adsys
adsysctl policy admx lts-only

11. Install policy files on the Windows machine
# Copy Ubuntu.adml and Ubuntu.admx to the Windows machine
# On Windows, add the policy files to the Central Store. $CentralStorePath is not
# set anywhere above; the conventional Central Store location on the DC is assumed
# here, adjust it to your domain
$CentralStorePath = "\\test.local\SYSVOL\test.local\Policies\PolicyDefinitions"
New-Item -Path $CentralStorePath -ItemType Directory -Force
# Change the -Path, if needed, to the location of your policy files
Copy-Item -Path C:\Users\Administrator\*.admx -Destination $CentralStorePath -Force -Verbose
# Define the destination path for the .adml files (language subfolder of the Central Store)
$AdmlDestination = Join-Path -Path $CentralStorePath -ChildPath "en-US"
New-Item -Path $AdmlDestination -ItemType Directory -Force
# Change the -Path, if needed, to the location of your policy files
Copy-Item -Path C:\Users\Administrator\*.adml -Destination $AdmlDestination -Force -Verbose
# verify
Get-ChildItem -Path $CentralStorePath -Filter *.admx
Get-ChildItem -Path "$CentralStorePath\en-US" -Filter *.adml

12. Restart Ubuntu VM

13. Test login from the command line
# this should fail without the patch (UPN is used for login)
sudo login [email protected]

# It will fail with the following error:

Applying user settings
ERROR Error from server: error while updating policy: can't get policies for 
"[email protected]": failed to retrieve the list of GPO (exited with 1): exit 
status 1
Searching for account failed with: Failed to find account userone

# this will work even without the fix (SAM is used for login)
# I had to change the password during the first log in.
sudo login [email protected]

14. Apply the patch by installing the fixed adsys package and repeat the
tests with UPN and SAM logins. Both should work.


[ Where problems could occur ]
The patch now distinguishes the lookup for the 'user' object class from the one
for the 'computer' object class.
For the 'computer' object class the code remains exactly as it was. For the
'user' object class, the patch first executes the previous search and then adds
a fallback search when the previous one returns no result. In the worst case
regression scenario, the following bad things can happen:
- if a 'computer' object class lookup fails, the computer policies won't be
applied
- if a 'user' object class search fails for the SAM, the user won't be able to
log in using her/his SAM, but may try the UPN instead
- if a 'user' object class search fails for the UPN, the user won't be able to
log in using her/his UPN; however, in the situations where the UPN doesn't
contain the SAM, this doesn't work without the patch either.


[ Other Info ]
This is a backport from upstream [1].

[1] https://github.com/ubuntu/adsys/pull/1275/commits/4c2449c78bb7314a5342f237bdb0ce34543a04fd
[2] https://documentation.ubuntu.com/server/how-to/sssd/with-active-directory/
[3] https://documentation.ubuntu.com/adsys/stable/how-to/set-up-ad/

** Affects: adsys (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/2125134

Title:
  Allow searching GPO list by userPrincipalName

Status in adsys package in Ubuntu:
  New

