[Desktop-packages] [Bug 2049061] Re: adsysctl update with a domain user fails if KRB5CCNAME is not set
Hi Timo,

We plan to do a release of ADSys from 24.04 to 22.04 which contains much more than this bug and we'll cover the testing of the entirety of the package.

Master SRU bug https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2059756

We'll send the exception request in the coming days.

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/2049061

Title:
  adsysctl update with a domain user fails if KRB5CCNAME is not set

Status in adsys package in Ubuntu:
  Fix Released

Bug description:
  In an environment where /etc/krb5.conf sets "default_ccache_name = FILE:/tmp/krb5cc_%{uid}" and you don't have the KRB5CCNAME variable set, running "adsysctl update" with an AD domain user will fail.

  If you either export the variable with the path to the Kerberos ticket OR run the command "adsysctl update " it works.

  The adsysctl command should fall back to the default location when KRB5CCNAME is not defined or have a mechanism to query klist and find the Kerberos tickets location.

  Given that adsys can't find Kerberos tickets when `klist` does, it seems like a feature parity issue, granted, an edge case.

  Here is an example of a reproducer:
  https://pastebin.ubuntu.com/p/FjyTWQChjM/

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: adsys 0.9.2~22.04.2
  ProcVersionSignature: Ubuntu 6.2.0-1014.14~22.04.1-aws 6.2.16
  Uname: Linux 6.2.0-1014-aws x86_64
  ApportVersion: 2.20.11-0ubuntu82.5
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CloudArchitecture: x86_64
  CloudID: aws
  CloudName: aws
  CloudPlatform: ec2
  CloudRegion: us-west-2
  CloudSubPlatform: metadata (http://169.254.169.254)
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Jan 11 11:39:06 2024
  Ec2AMI: ami-00094f7041bb1b79d
  Ec2AMIManifest: (unknown)
  Ec2Architecture: x86_64
  Ec2AvailabilityZone: us-west-2b
  Ec2Imageid: ami-00094f7041bb1b79d
  Ec2InstanceType: t3.large
  Ec2Instancetype: t3.large
  Ec2Kernel: unavailable
  Ec2Ramdisk: unavailable
  Ec2Region: us-west-2
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   LANG=en_US.utf8
   SHELL=/bin/bash
  RebootRequiredPkgs: Error: path contained symlinks.
  RelatedPackageVersions:
   sssd 2.6.3-1ubuntu3.2
   python3-samba 2:4.15.13+dfsg-0ubuntu1.5
  SourcePackage: adsys
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.polkit-1.localauthority.conf.d.99-adsys-privilege-enforcement.conf: [deleted]
  modified.conffile..etc.sudoers.d.99-adsys-privilege-enforcement: [deleted]

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2049061/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 2049061] Re: adsysctl update with a domain user fails if KRB5CCNAME is not set
SRU information missing from the description
[Desktop-packages] [Bug 2049061] Re: adsysctl update with a domain user fails if KRB5CCNAME is not set
This bug was fixed in the package adsys - 0.14.1

---------------
adsys (0.14.1) noble; urgency=medium

  * Pin Go toolchain to 1.22.1 to fix the following security vulnerabilities:
    - GO-2024-2598
    - GO-2024-2599
  * Update apport hook to include journal errors and package logs
  * CI and quality of life changes not impacting package functionality:
    - Enable end-to-end tests in GitHub Actions
    - Remove stale AD resources on test finish
    - Add developer documentation for running end-to-end tests
    - Collect and upload end-to-end test logs on failure
    - Report test coverage in Cobertura XML format
    - Silence gosec warnings using nolint and remove deprecated ifshort linter
    - Use an environment variable to update golden files
    - Bump github actions to latest:
      - azure/login
      - softprops/action-gh-release
  * Update dependencies to latest:
    - github.com/charmbracelet/lipgloss
    - github.com/golangci/golangci-lint
    - github.com/golang/protobuf
    - github.com/stretchr/testify
    - golang.org/x/crypto
    - golang.org/x/net
    - google.golang.org/grpc
    - google.golang.org/protobuf

adsys (0.14.0) noble; urgency=medium

  * Infer user KRB5CCNAME path via the libkrb5 API (LP: #2049061)
    - This functionality is opt-in and activated if the detect_cached_ticket
      setting is set to true
    - If the AD backend (e.g. sssd) doesn't export the KRB5CCNAME variable,
      adsys will now determine the path to the default ticket cache and use it
      during authentication (when adsys is executed through the PAM module)
      and runs of adsysctl update for the current user.
  * Allow sssd backend to work without ad_domain being set (LP: #2054445)
  * Upgrade to Go 1.22
  * CI and quality of life changes not impacting package functionality:
    - Pass token explicitly to Codecov action
    - Fix require outside of main goroutine
    - Mark function arguments as unused where applicable
      Thanks to Edu Gómez Escandell
    - End to end test VM template creation updates
    - Bump github actions to latest:
      - codecov/codecov-action
      - peter-evans/create-pull-request
  * Update dependencies to latest:
    - github.com/charmbracelet/bubbles
    - github.com/golangci/golangci-lint
    - golang.org/x/crypto
    - golang.org/x/net
    - google.golang.org/grpc

 -- Gabriel Nagy  Thu, 21 Mar 2024 12:27:01 +0200

** Changed in: adsys (Ubuntu)
       Status: Triaged => Fix Released
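The lookup order the report asks for (KRB5CCNAME first, then default_ccache_name from krb5.conf), as an added example that is not part of the original thread and is not adsys code: per the changelog adsys resolves the default cache through the libkrb5 API, whereas this sketch reads the setting from text and expands only the %{uid} token. The function names, the built-in fallback value and the ownership check on the resulting FILE: cache (relevant because the path sits in a shared /tmp) are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"syscall"
)

// Assumed fallback when krb5.conf has no default_ccache_name (not from the thread).
const builtinDefault = "FILE:/tmp/krb5cc_%{uid}"

// ccacheName prefers KRB5CCNAME, then default_ccache_name from the krb5.conf
// text, expanding only %{uid}. Sections and include directives are ignored.
func ccacheName(envValue, krb5Conf string, uid int) string {
	if envValue != "" {
		return envValue
	}
	name := builtinDefault
	for _, line := range strings.Split(krb5Conf, "\n") {
		k, v, ok := strings.Cut(line, "=")
		if ok && strings.TrimSpace(k) == "default_ccache_name" {
			name = strings.TrimSpace(v)
		}
	}
	return strings.ReplaceAll(name, "%{uid}", fmt.Sprint(uid))
}

// checkFileCCache accepts a FILE: cache only if it is a regular file (not a
// symlink), owned by uid, and carries no group/other permission bits.
func checkFileCCache(name string, uid int) (string, error) {
	if !strings.HasPrefix(name, "FILE:") {
		return "", fmt.Errorf("unsupported cache type: %s", name)
	}
	path := strings.TrimPrefix(name, "FILE:")
	fi, err := os.Lstat(path) // Lstat: do not follow a symlink planted in /tmp
	if err != nil {
		return "", err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !fi.Mode().IsRegular() || !ok || int(st.Uid) != uid || fi.Mode().Perm()&0o077 != 0 {
		return "", fmt.Errorf("refusing %s: not a private regular file owned by uid %d", path, uid)
	}
	return path, nil
}

func main() {
	// Constructed krb5.conf fragment using the setting quoted in the bug description.
	conf := "[libdefaults]\n  default_ccache_name = FILE:/tmp/krb5cc_%{uid}\n"
	fmt.Println(checkFileCCache(ccacheName(os.Getenv("KRB5CCNAME"), conf, os.Getuid()), os.Getuid()))
}
```
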
[Desktop-packages] [Bug 2049061] Re: adsysctl update with a domain user fails if KRB5CCNAME is not set
** Changed in: adsys (Ubuntu)
   Importance: Undecided => Critical

** Changed in: adsys (Ubuntu)
       Status: Confirmed => Triaged

** Changed in: adsys (Ubuntu)
     Assignee: (unassigned) => Gabriel Nagy (gabuscus)
[Desktop-packages] [Bug 2049061] Re: adsysctl update with a domain user fails if KRB5CCNAME is not set
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: adsys (Ubuntu)
       Status: New => Confirmed