[Desktop-packages] [Bug 2049061] Re: adsysctl update with a domain user fails if KRB5CCNAME is not set
Hi Timo,
We plan to do a release of ADSys from 24.04 to 22.04 which contains much more
than this bug and we'll cover the testing of the entirety of the package.
Master SRU bug https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2059756
We'll send the exception request in the coming days.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/2049061
Title:
adsysctl update with a domain user fails if KRB5CCNAME is not set
Status in adsys package in Ubuntu:
Fix Released
Bug description:
In an environment where /etc/krb5.conf sets "default_ccache_name =
FILE:/tmp/krb5cc_%{uid}" and you don't have the KRB5CCNAME variable
set, running "adsysctl update" with a AD domain user will fail.
If you either export the variable with the path to the kerberos ticket
OR run the command "adsysctl update
" it works.
The adsysctl command should fallback to the default location when
KRB5CCNAME is not defined or have a mechanism to query klist and find
the Kerberos tickets location.
Given that adsys can't find Kerberos tickets when `klist` does. It
seems like a feature parity issue, granted, an edge case.
Here is an example of a reproducer:
https://pastebin.ubuntu.com/p/FjyTWQChjM/
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: adsys 0.9.2~22.04.2
ProcVersionSignature: Ubuntu 6.2.0-1014.14~22.04.1-aws 6.2.16
Uname: Linux 6.2.0-1014-aws x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: aws
CloudName: aws
CloudPlatform: ec2
CloudRegion: us-west-2
CloudSubPlatform: metadata (http://169.254.169.254)
CurrentDesktop: ubuntu:GNOME
Date: Thu Jan 11 11:39:06 2024
Ec2AMI: ami-00094f7041bb1b79d
Ec2AMIManifest: (unknown)
Ec2Architecture: x86_64
Ec2AvailabilityZone: us-west-2b
Ec2Imageid: ami-00094f7041bb1b79d
Ec2InstanceType: t3.large
Ec2Instancetype: t3.large
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
Ec2Region: us-west-2
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=en_US.utf8
SHELL=/bin/bash
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions:
sssd 2.6.3-1ubuntu3.2
python3-samba 2:4.15.13+dfsg-0ubuntu1.5
SourcePackage: adsys
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.polkit-1.localauthority.conf.d.99-adsys-privilege-enforcement.conf:
[deleted]
modified.conffile..etc.sudoers.d.99-adsys-privilege-enforcement: [deleted]
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2049061/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 2049061] Re: adsysctl update with a domain user fails if KRB5CCNAME is not set
SRU information missing from the description
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/2049061
Title:
adsysctl update with a domain user fails if KRB5CCNAME is not set
Status in adsys package in Ubuntu:
Fix Released
Bug description:
In an environment where /etc/krb5.conf sets "default_ccache_name =
FILE:/tmp/krb5cc_%{uid}" and you don't have the KRB5CCNAME variable
set, running "adsysctl update" with a AD domain user will fail.
If you either export the variable with the path to the kerberos ticket
OR run the command "adsysctl update
" it works.
The adsysctl command should fallback to the default location when
KRB5CCNAME is not defined or have a mechanism to query klist and find
the Kerberos tickets location.
Given that adsys can't find Kerberos tickets when `klist` does. It
seems like a feature parity issue, granted, an edge case.
Here is an example of a reproducer:
https://pastebin.ubuntu.com/p/FjyTWQChjM/
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: adsys 0.9.2~22.04.2
ProcVersionSignature: Ubuntu 6.2.0-1014.14~22.04.1-aws 6.2.16
Uname: Linux 6.2.0-1014-aws x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: aws
CloudName: aws
CloudPlatform: ec2
CloudRegion: us-west-2
CloudSubPlatform: metadata (http://169.254.169.254)
CurrentDesktop: ubuntu:GNOME
Date: Thu Jan 11 11:39:06 2024
Ec2AMI: ami-00094f7041bb1b79d
Ec2AMIManifest: (unknown)
Ec2Architecture: x86_64
Ec2AvailabilityZone: us-west-2b
Ec2Imageid: ami-00094f7041bb1b79d
Ec2InstanceType: t3.large
Ec2Instancetype: t3.large
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
Ec2Region: us-west-2
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=en_US.utf8
SHELL=/bin/bash
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions:
sssd 2.6.3-1ubuntu3.2
python3-samba 2:4.15.13+dfsg-0ubuntu1.5
SourcePackage: adsys
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.polkit-1.localauthority.conf.d.99-adsys-privilege-enforcement.conf:
[deleted]
modified.conffile..etc.sudoers.d.99-adsys-privilege-enforcement: [deleted]
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2049061/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 2049061] Re: adsysctl update with a domain user fails if KRB5CCNAME is not set
This bug was fixed in the package adsys - 0.14.1
---
adsys (0.14.1) noble; urgency=medium
* Pin Go toolchain to 1.22.1 to fix the following security vulnerabilities:
- GO-2024-2598
- GO-2024-2599
* Update apport hook to include journal errors and package logs
* CI and quality of life changes not impacting package functionality:
- Enable end-to-end tests in GitHub Actions
- Remove stale AD resources on test finish
- Add developer documentation for running end-to-end tests
- Collect and upload end-to-end test logs on failure
- Report test coverage in Cobertura XML format
- Silence gosec warnings using nolint and remove deprecated ifshort linter
- Use an environment variable to update golden files
- Bump github actions to latest:
- azure/login
- softprops/action-gh-release
* Update dependencies to latest:
- github.com/charmbracelet/lipgloss
- github.com/golangci/golangci-lint
- github.com/golang/protobuf
- github.com/stretchr/testify
- golang.org/x/crypto
- golang.org/x/net
- google.golang.org/grpc
- google.golang.org/protobuf
adsys (0.14.0) noble; urgency=medium
* Infer user KRB5CCNAME path via the libkrb5 API (LP: #2049061)
- This functionality is opt-in and activated if the detect_cached_ticket
setting is set to true
- If the AD backend (e.g. sssd) doesn't export the KRB5CCNAME variable,
adsys
will now determine the path to the default ticket cache and use it during
authentication (when adsys is executed through the PAM module) and runs of
adsysctl update for the current user.
* Allow sssd backend to work without ad_domain being set (LP: #2054445)
* Upgrade to Go 1.22
* CI and quality of life changes not impacting package functionality:
- Pass token explicitly to Codecov action
- Fix require outside of main goroutine
- Mark function arguments as unused where applicable
Thanks to Edu Gómez Escandell
- End to end test VM template creation updates
- Bump github actions to latest:
- codecov/codecov-action
- peter-evans/create-pull-request
* Update dependencies to latest:
- github.com/charmbracelet/bubbles
- github.com/golangci/golangci-lint
- golang.org/x/crypto
- golang.org/x/net
- google.golang.org/grpc
-- Gabriel Nagy Thu, 21 Mar 2024 12:27:01
+0200
** Changed in: adsys (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/2049061
Title:
adsysctl update with a domain user fails if KRB5CCNAME is not set
Status in adsys package in Ubuntu:
Fix Released
Bug description:
In an environment where /etc/krb5.conf sets "default_ccache_name =
FILE:/tmp/krb5cc_%{uid}" and you don't have the KRB5CCNAME variable
set, running "adsysctl update" with a AD domain user will fail.
If you either export the variable with the path to the kerberos ticket
OR run the command "adsysctl update
" it works.
The adsysctl command should fallback to the default location when
KRB5CCNAME is not defined or have a mechanism to query klist and find
the Kerberos tickets location.
Given that adsys can't find Kerberos tickets when `klist` does. It
seems like a feature parity issue, granted, an edge case.
Here is an example of a reproducer:
https://pastebin.ubuntu.com/p/FjyTWQChjM/
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: adsys 0.9.2~22.04.2
ProcVersionSignature: Ubuntu 6.2.0-1014.14~22.04.1-aws 6.2.16
Uname: Linux 6.2.0-1014-aws x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: aws
CloudName: aws
CloudPlatform: ec2
CloudRegion: us-west-2
CloudSubPlatform: metadata (http://169.254.169.254)
CurrentDesktop: ubuntu:GNOME
Date: Thu Jan 11 11:39:06 2024
Ec2AMI: ami-00094f7041bb1b79d
Ec2AMIManifest: (unknown)
Ec2Architecture: x86_64
Ec2AvailabilityZone: us-west-2b
Ec2Imageid: ami-00094f7041bb1b79d
Ec2InstanceType: t3.large
Ec2Instancetype: t3.large
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
Ec2Region: us-west-2
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=en_US.utf8
SHELL=/bin/bash
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions:
sssd 2.6.3-1ubuntu3.2
python3-samba 2:4.15.13+dfsg-0ubuntu1.5
SourcePackage: adsys
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.polkit-1.localauthority.conf.d.99-adsys-privilege-enforcement.conf:
[deleted]
modified.conffile..etc.sudoers.d.99-adsys-privilege-enforcement: [deleted]
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2049061/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
[Desktop-packages] [Bug 2049061] Re: adsysctl update with a domain user fails if KRB5CCNAME is not set
** Changed in: adsys (Ubuntu)
Importance: Undecided => Critical
** Changed in: adsys (Ubuntu)
Status: Confirmed => Triaged
** Changed in: adsys (Ubuntu)
Assignee: (unassigned) => Gabriel Nagy (gabuscus)
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/2049061
Title:
adsysctl update with a domain user fails if KRB5CCNAME is not set
Status in adsys package in Ubuntu:
Triaged
Bug description:
In an environment where /etc/krb5.conf sets "default_ccache_name =
FILE:/tmp/krb5cc_%{uid}" and you don't have the KRB5CCNAME variable
set, running "adsysctl update" with a AD domain user will fail.
If you either export the variable with the path to the kerberos ticket
OR run the command "adsysctl update
" it works.
The adsysctl command should fallback to the default location when
KRB5CCNAME is not defined or have a mechanism to query klist and find
the Kerberos tickets location.
Given that adsys can't find Kerberos tickets when `klist` does. It
seems like a feature parity issue, granted, an edge case.
Here is an example of a reproducer:
https://pastebin.ubuntu.com/p/FjyTWQChjM/
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: adsys 0.9.2~22.04.2
ProcVersionSignature: Ubuntu 6.2.0-1014.14~22.04.1-aws 6.2.16
Uname: Linux 6.2.0-1014-aws x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: aws
CloudName: aws
CloudPlatform: ec2
CloudRegion: us-west-2
CloudSubPlatform: metadata (http://169.254.169.254)
CurrentDesktop: ubuntu:GNOME
Date: Thu Jan 11 11:39:06 2024
Ec2AMI: ami-00094f7041bb1b79d
Ec2AMIManifest: (unknown)
Ec2Architecture: x86_64
Ec2AvailabilityZone: us-west-2b
Ec2Imageid: ami-00094f7041bb1b79d
Ec2InstanceType: t3.large
Ec2Instancetype: t3.large
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
Ec2Region: us-west-2
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=en_US.utf8
SHELL=/bin/bash
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions:
sssd 2.6.3-1ubuntu3.2
python3-samba 2:4.15.13+dfsg-0ubuntu1.5
SourcePackage: adsys
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.polkit-1.localauthority.conf.d.99-adsys-privilege-enforcement.conf:
[deleted]
modified.conffile..etc.sudoers.d.99-adsys-privilege-enforcement: [deleted]
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2049061/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 2049061] Re: adsysctl update with a domain user fails if KRB5CCNAME is not set
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: adsys (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/2049061
Title:
adsysctl update with a domain user fails if KRB5CCNAME is not set
Status in adsys package in Ubuntu:
Confirmed
Bug description:
In an environment where /etc/krb5.conf sets "default_ccache_name =
FILE:/tmp/krb5cc_%{uid}" and you don't have the KRB5CCNAME variable
set, running "adsysctl update" with a AD domain user will fail.
If you either export the variable with the path to the kerberos ticket
OR run the command "adsysctl update
" it works.
The adsysctl command should fallback to the default location when
KRB5CCNAME is not defined or have a mechanism to query klist and find
the Kerberos tickets location.
Given that adsys can't find Kerberos tickets when `klist` does. It
seems like a feature parity issue, granted, an edge case.
Here is an example of a reproducer:
https://pastebin.ubuntu.com/p/FjyTWQChjM/
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: adsys 0.9.2~22.04.2
ProcVersionSignature: Ubuntu 6.2.0-1014.14~22.04.1-aws 6.2.16
Uname: Linux 6.2.0-1014-aws x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: aws
CloudName: aws
CloudPlatform: ec2
CloudRegion: us-west-2
CloudSubPlatform: metadata (http://169.254.169.254)
CurrentDesktop: ubuntu:GNOME
Date: Thu Jan 11 11:39:06 2024
Ec2AMI: ami-00094f7041bb1b79d
Ec2AMIManifest: (unknown)
Ec2Architecture: x86_64
Ec2AvailabilityZone: us-west-2b
Ec2Imageid: ami-00094f7041bb1b79d
Ec2InstanceType: t3.large
Ec2Instancetype: t3.large
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
Ec2Region: us-west-2
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=en_US.utf8
SHELL=/bin/bash
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions:
sssd 2.6.3-1ubuntu3.2
python3-samba 2:4.15.13+dfsg-0ubuntu1.5
SourcePackage: adsys
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.polkit-1.localauthority.conf.d.99-adsys-privilege-enforcement.conf:
[deleted]
modified.conffile..etc.sudoers.d.99-adsys-privilege-enforcement: [deleted]
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2049061/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
