[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-06-30 Thread Launchpad Bug Tracker
This bug was fixed in the package adsys - 0.16.3~22.04.1

---
adsys (0.16.3~22.04.1) jammy; urgency=medium

  * debian/tests: Use the correct Go binary to run the autopkgtests
    (LP: #2091940)

adsys (0.16.3~22.04) jammy; urgency=medium

  * Backport adsys 0.16.3 to jammy (LP: #2091940)
  * Bump Go version to 1.23
  * Bump Go toolchain version to 1.23.6
  * Fixes and improvements to certificate autoenrollment
    - Improve log messages to help understand issues and failures
    - Fix LDAP queries on multiple domains environments
    - Allow default behavior to get supported certificate templates
      to be overridden through cepces configuration
    - Fix URL for NDES enrollment
  * Resize buffer to parse very large GPOs
  * Add corpus to fuzz tests to increase their precision
  * Documentation improvements
    - Add architecture diagrams to documentation
    - Add ref glossary
    - Change spelling to US
    - Home and landing pages refresh
  * Run certificates auto enroll script with debug enabled based on daemon
    verbosity
  * Add support for Polkit >= 124
  * Refresh policy definition files to support latest Ubuntu releases
  * CI and quality of life changes not impacting package functionality:
    - Enable CI to run on pull requests from adsys forks
    - Update links to new server documentation
  * Bump dependencies to latest:
    - golang.org/x/crypto (0.31.0)
    - golang.org/x/net (0.37.0)
      + Fixes CVE-2024-45338
    - golang.org/x/sys (0.29.0)
    - golang.org/x/text (0.22.0)
    - google.golang.org/grpc (1.71.0)
    - google.golang.org/protobuf (1.36.6)
    - github.com/charmbracelet/bubbles (0.20.0)
    - github.com/charmbracelet/bubbletea (1.3.4)
    - github.com/charmbracelet/glamour (0.9.1)
    - github.com/charmbracelet/lipgloss (1.1.0)
    - github.com/fatih/color (1.18.0)
    - github.com/leonelquinteros/gotext (1.7.0)
    - github.com/pkg/sftp (1.13.9)
    - github.com/spf13/cobra (1.9.1)
    - github.com/stretchr/testify (1.10.0)
    - github.com/golangci/golangci-lint (1.64.8)
  * CI dependencies not impacting package functionality:
    - canonical/has-signed-canonical-cla (2)
    - codecov/codecov-action (5)
    - jidicula/clang-format-action (4.15.0)
    - peter-evans/create-pull-request (7)

 -- Denison Barbosa  Mon, 02 Jun 2025 08:27:55 -0400

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2091940

Title:
  [SRU] Release adsys 0.16.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2091940/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-06-30 Thread Launchpad Bug Tracker
This bug was fixed in the package adsys - 0.16.3~24.04.1

---
adsys (0.16.3~24.04.1) noble; urgency=medium

  * debian/tests: Use the correct Go binary to run the autopkgtests
    (LP: #2091940)

adsys (0.16.3~24.04) noble; urgency=medium

  * Backport adsys 0.16.3 to noble (LP: #2091940)
  * Bump Go version to 1.23
  * Bump Go toolchain version to 1.23.6
  * Fixes and improvements to certificate autoenrollment
    - Improve log messages to help understand issues and failures
    - Fix LDAP queries on multiple domains environments
    - Allow default behavior to get supported certificate templates
      to be overridden through cepces configuration
    - Fix URL for NDES enrollment
  * Resize buffer to parse very large GPOs
  * Add corpus to fuzz tests to increase their precision
  * Remove d/.prerm purge stanza
  * Documentation improvements
    - Add architecture diagrams to documentation
    - Add ref glossary
    - Change spelling to US
    - Home and landing pages refresh
  * Run certificates auto enroll script with debug enabled based on daemon
    verbosity
  * Add support for Polkit >= 124
  * Refresh policy definition files to support latest Ubuntu releases
  * CI and quality of life changes not impacting package functionality:
    - Enable CI to run on pull requests from adsys forks
    - Update links to new server documentation
  * Bump dependencies to latest:
    - golang.org/x/crypto (0.31.0)
    - golang.org/x/net (0.37.0)
      + Fixes CVE-2024-45338
    - golang.org/x/sys (0.29.0)
    - golang.org/x/text (0.22.0)
    - google.golang.org/grpc (1.71.0)
    - google.golang.org/protobuf (1.36.6)
    - github.com/charmbracelet/bubbles (0.20.0)
    - github.com/charmbracelet/bubbletea (1.3.4)
    - github.com/charmbracelet/glamour (0.9.1)
    - github.com/charmbracelet/lipgloss (1.1.0)
    - github.com/fatih/color (1.18.0)
    - github.com/leonelquinteros/gotext (1.7.0)
    - github.com/pkg/sftp (1.13.9)
    - github.com/spf13/cobra (1.9.1)
    - github.com/stretchr/testify (1.10.0)
    - github.com/golangci/golangci-lint (1.64.8)
  * CI dependencies not impacting package functionality:
    - canonical/has-signed-canonical-cla (2)
    - codecov/codecov-action (5)
    - jidicula/clang-format-action (4.15.0)
    - peter-evans/create-pull-request (7)

 -- Denison Barbosa  Mon, 02 Jun 2025 08:32:11 -0400

** Changed in: adsys (Ubuntu Noble)
   Status: Fix Committed => Fix Released

** Changed in: adsys (Ubuntu Jammy)
   Status: Fix Committed => Fix Released


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-06-30 Thread Launchpad Bug Tracker
This bug was fixed in the package adsys - 0.16.3~24.10

---
adsys (0.16.3~24.10) oracular; urgency=medium

  * Backport adsys 0.16.3 to oracular (LP: #2091940)
  * Bump Go version to 1.23
  * Bump Go toolchain version to 1.23.6
  * Fixes and improvements to certificate autoenrollment
    - Improve log messages to help understand issues and failures
    - Fix LDAP queries on multiple domains environments
    - Allow default behavior to get supported certificate templates
      to be overridden through cepces configuration
    - Fix URL for NDES enrollment
  * Resize buffer to parse very large GPOs
  * Add corpus to fuzz tests to increase their precision
  * Documentation improvements
    - Add architecture diagrams to documentation
    - Add ref glossary
    - Change spelling to US
    - Home and landing pages refresh
  * Run certificates auto enroll script with debug enabled based on daemon
    verbosity
  * Add support for Polkit >= 124
  * Refresh policy definition files to support latest Ubuntu releases
  * CI and quality of life changes not impacting package functionality:
    - Enable CI to run on pull requests from adsys forks
    - Update links to new server documentation
  * Bump dependencies to latest:
    - golang.org/x/crypto (0.31.0)
    - golang.org/x/net (0.37.0)
      + Fixes CVE-2024-45338
    - golang.org/x/sys (0.29.0)
    - golang.org/x/text (0.22.0)
    - google.golang.org/grpc (1.71.0)
    - google.golang.org/protobuf (1.36.6)
    - github.com/charmbracelet/bubbles (0.20.0)
    - github.com/charmbracelet/bubbletea (1.3.4)
    - github.com/charmbracelet/glamour (0.9.1)
    - github.com/charmbracelet/lipgloss (1.1.0)
    - github.com/fatih/color (1.18.0)
    - github.com/leonelquinteros/gotext (1.7.0)
    - github.com/pkg/sftp (1.13.9)
    - github.com/spf13/cobra (1.9.1)
    - github.com/stretchr/testify (1.10.0)
    - github.com/golangci/golangci-lint (1.64.8)
  * CI dependencies not impacting package functionality:
    - canonical/has-signed-canonical-cla (2)
    - codecov/codecov-action (5)
    - jidicula/clang-format-action (4.15.0)
    - peter-evans/create-pull-request (7)

 -- Denison Barbosa  Mon, 31 Mar 2025 06:49:09 -0400

** Changed in: adsys (Ubuntu Oracular)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-45338


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-06-30 Thread Julian Andres Klode
+1 for release

I have reviewed this SRU as part of my SRU training and it looks ok to release:
- Aging is good
- The autopkgtests regressions that got reported earlier have cleared up
- The verification has been done (thanks for the detailed verification)


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-06-25 Thread Denison Barbosa
The test plan was executed for Jammy (22.04), and I confirm it was successful. 
The package version used for the tests is the one proposed, as can be seen by 
the output of apt-cache policy:
adsys:
  Installed: 0.16.3~22.04.1
  Candidate: 0.16.3~22.04.1
  Version table:
 *** 0.16.3~22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status


The following steps were executed:

1) Created a fresh VM with Ubuntu 22.04;
2) Joined an active directory domain (created for test purposes);
3) On the AD server, configured group policies for privilege enforcement, 
certificate enrollment, and a large text policy (around 400kb);
4) Installed adsys;
5) Authenticated as an AD user;
6) Made sure the policies were applied as they were supposed to be:
  6a) Ensured that /etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
      exists and is properly written (Jammy has polkit < 124, so it still uses the old syntax);
  6b) Ensured that the certificates were downloaded and applied;
  6c) Ensured that the large GPO was parsed and applied;

** Tags removed: verification-needed-jammy verification-needed-noble
** Tags added: verification-done-jammy verification-done-noble


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-06-25 Thread Denison Barbosa
The test plan was executed for Oracular (24.10), and I confirm it was 
successful. The package version used for the tests is the one proposed, as can 
be seen by the output of apt-cache policy:
adsys:
  Installed: 0.16.3~24.10
  Candidate: 0.16.3~24.10
  Version table:
 *** 0.16.3~24.10 100
        100 http://archive.ubuntu.com/ubuntu oracular-proposed/main amd64 Packages
        100 /var/lib/dpkg/status

The following steps were executed:

1) Created a fresh VM with Ubuntu 24.10;
2) Joined an active directory domain (created for test purposes);
3) On the AD server, configured group policies for DCONF rules and a large text 
policy (around 400kb);
4) Installed adsys;
5) Authenticated as an AD user;
6) Made sure the policies were applied as they were supposed to be:
  6a) Ensured that the DCONF rules defined in the policy were applied;
  6b) Ensured that the large GPO was parsed and applied;

** Tags removed: verification-needed verification-needed-oracular
** Tags added: verification-done verification-done-oracular


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-06-24 Thread Denison Barbosa
The test plan was executed for Noble (24.04), and I confirm it was successful. 
The package version used for the tests is the one proposed, as can be seen by 
the output of apt-cache policy:
adsys:
  Installed: 0.16.3~24.04.1
  Candidate: 0.16.3~24.04.1
  Version table:
 *** 0.16.3~24.04.1 100
        100 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status


The following steps were executed:

1) Created a fresh VM with Ubuntu 24.04;
2) Joined an active directory domain (created for test purposes);
3) On the AD server, configured group policies for privilege enforcement, 
certificate enrollment, and a large text policy (around 400kb);
4) Installed adsys;
5) Authenticated as an AD user;
6) Made sure the policies were applied as they were supposed to be:
  6a) Ensured that /etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
      exists and is properly written (Noble has polkit >= 124, so it uses the new syntax);
  6b) Ensured that the certificates were downloaded and applied;
  6c) Ensured that the large GPO was parsed and applied;

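The file check from step 6a of the Jammy and Noble verification comments, as an added shell example (not part of the original thread and not adsys code): it picks the expected privilege-enforcement path for a polkit version and checks that file under a given root. The function names, status words, the permission check and the treatment of legacy "0.NNN" polkit versions are assumptions of this example.

```shell
#!/bin/sh
# Added example, not adsys code. The two paths are the ones quoted in this
# thread, written relative to a root so the check can run on a test directory.
OLD_SYNTAX_FILE="etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf"
NEW_SYNTAX_FILE="etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules"

# polkit_uses_rules VERSION
# Exit 0 if VERSION >= 124 (new syntax), 1 if older, 2 if unparseable.
# Assumption: legacy releases are numbered "0.NNN" (0.105 on Jammy, per the
# thread) and all of them predate the plain-integer releases such as 124.
polkit_uses_rules() {
    case "$1" in
        ''|.*|*[!0-9.]*) return 2 ;;
        0.*) return 1 ;;
    esac
    [ "${1%%.*}" -ge 124 ]
}

# expected_privilege_file VERSION
# Prints the relative path adsys is expected to write for that polkit version.
expected_privilege_file() {
    polkit_uses_rules "$1" && rc=0 || rc=$?
    case "$rc" in
        0) printf '%s\n' "$NEW_SYNTAX_FILE" ;;
        1) printf '%s\n' "$OLD_SYNTAX_FILE" ;;
        *) return 2 ;;
    esac
}

# check_privilege_file ROOT VERSION
# Prints one status word: ok | missing | empty | writable | bad-version.
# "writable" (group- or world-writable file) is a check added by this example;
# the thread only asks that the file exists and is properly written.
check_privilege_file() {
    rel=$(expected_privilege_file "$2") || { echo bad-version; return 2; }
    path="${1%/}/$rel"
    [ -f "$path" ] || { echo missing; return 1; }
    [ -s "$path" ] || { echo empty; return 1; }
    if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo writable
        return 3
    fi
    echo ok
}

# Typical call on a live machine (assumes "pkaction --version" prints the
# version as its last field):
#   check_privilege_file / "$(pkaction --version | awk '{print $NF}')"
```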

[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-06-11 Thread Jeremy Bícha
All triggered autopkgtests are passing now


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-06-09 Thread Andreas Hasenack
The upload for jammy was rejected because the changes file missed the
previous upload in jammy-proposed. It needs to be reuploaded with the
correct -v argument when building the source package.


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-06-09 Thread Denison Barbosa
The autopkgtests failures for Jammy and Noble were due to not properly
adjusting the Go binary that should be used to run the tests. They are
now fixed with the new uploads 0.16.3~22.04.1 and 0.16.3~24.04.1, for
Jammy and Noble respectively, which are now waiting in the ~unapproved
queue.


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-05-29 Thread Andreas Hasenack
Hello Denison, or anyone else affected,

Accepted adsys into oracular-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/adsys/0.16.3~24.10 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
oracular to verification-done-oracular. If it does not fix the bug for
you, please add a comment stating that, and change the tag to
verification-failed-oracular. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: adsys (Ubuntu Oracular)
   Status: Incomplete => Fix Committed

** Tags added: verification-needed verification-needed-oracular

** Changed in: adsys (Ubuntu Noble)
   Status: Incomplete => Fix Committed

** Tags added: verification-needed-noble


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-05-29 Thread Andreas Hasenack
Thanks, that's a good point!


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-05-29 Thread Denison Barbosa
> Do you have a bug about this change?

No, we didn't open any bug regarding this change. The detailed
explanation for this change can be seen in this commit message:
https://github.com/ubuntu/adsys/commit/fb9ab42e6320e3904aa229ad859d67d7aa1b12ba

> Is this change in the policy purge upon package removal something that
noble users would notice?

AFAIK, this hook was never documented, and it never worked (as mentioned
in the commit message: "dpkg NEVER calls a prerm script with an argument
of 'purge'"), so Noble users won't see any difference or be impacted by
it.


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-05-28 Thread Andreas Hasenack
Do you have a bug about this change? Is this change in the policy purge
upon package removal something that noble users would notice? How can
this impact them?


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-05-26 Thread Denison Barbosa
We had introduced the "purge" stanza for adsys in a previous update, but
it had some issues managing the DCONF databases, so we decided to
disable it entirely. AFAIK, it was only available on Noble and Mantic
(we removed it before the Oracular release), so it's not present on
Jammy and Oracular.


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-05-22 Thread Andreas Hasenack
What's the reason for this change in noble? I see that oracular and
jammy already don't have this prerm stanza, so at least now it's
consistent:

-if [ "$1" = purge ] && [ "${DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT:-1}" = 1 ]; then
-adsysctl policy purge -a
-rm -rf /var/cache/adsys
-# Remove adsys-managed machine dconf database
-rm -f /etc/dconf/db/machine
-rm -rf /etc/dconf/db/machine.d
-fi
-
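Review bot: The guard on the first removed line tests "$1" = purge inside a prerm script, so the whole block was dead code: as the commit message quoted elsewhere in this thread puts it, dpkg never calls a prerm script with an argument of 'purge'. Removing it changes nothing at runtime, but it also means the cleanup the block was written for ("adsysctl policy purge -a", /var/cache/adsys, /etc/dconf/db/machine and /etc/dconf/db/machine.d) still has no purge-time hook after this change. The changelog entry should say so explicitly, and if that cleanup is still wanted it belongs in postrm, which is the script dpkg does run with "purge".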


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-05-12 Thread Denison Barbosa
Hey, Andreas! Thanks for looking into this (and sorry for the delayed
answer)!

Answering your questions:

a) It does apply to the LTS releases. However, there are no changes to
DCONF at all so, even though we could also test it in the LTS releases,
it's not necessary. The reason I included the DCONF tests for the
interim releases is that it's the only way interim releases can interact
with adsys at all and, as such, it would be the only way to spot if
something is broken by the update. In the LTS releases, we can properly
test the changes that were made to the pro-related policy managers;

b) That would be steps 1, 6 and 7 from the LTS test plan;

c) Good one! Indeed, this was considered, and it is handled by the code
changes. ADSys properly evaluates which Polkit version the client
machine is running and handles the policy application accordingly, more
details here: https://github.com/ubuntu/adsys/pull/1147

dX) Those templates are not used in Ubuntu at all. Those are files that
will be used in the Windows AD Server to configure the GPOs there. We
need all builds of a given version of adsys to be able to generate the
same templates for the AD server to avoid conflicts (e.g. an admin
generates the policy definitions in Jammy and then it gets overridden by
the ones generated by an admin that generated them in Noble). So, TLDR:
this does not impact Ubuntu at all and the correctness of the 25.04
policy definitions was already tested when releasing adsys 0.16.3 in
Plucky;

e) That's a great point! I'll update the test plan of the interim
releases to also test the large policy files fix;

f) I'm not sure if I understand exactly what you meant by the question, but 
I'll answer it based on my understanding (let me know if it's not enough):
   - All of the fixes that were released in older SRUs are part of adsys' 
codebase, so there's no risk of missing any of the previous fixes;
   - The last adsys' SRUs did not completely update the package (updating 
vendored dependencies and so on), so that's why we decided against bumping the 
packaging version. The actual behavior was the same as the one in the last 
release;
   - If you check the changelogs, you'll see that the main difference between 
what's released in Plucky and what's being released for the LTS'es is the 
dependency updates (there are quite some updates);  

** Description changed:

  [Impact]
  
  Adsys 0.16.3 introduces dependency bumps, and updates to the privilege
  policy manager to support the newer Polkit versions (>= 124) and their
  new syntax for defining system admins.
  
  It also adds fixes and improvements for certificate autoenrollment,
  specifically for multiple domains AD environments (i.e. parent.com and
  child.parent.com). Those fixes involve the refinement of some LDAP
  queries that were targeting the wrong domain and allowing the default
  behavior of getting the templates for a specific certificate authority
  to be overridden through changes in the cepces configuration file.
  
  We also fixed an issue with the parsing of (very) large policies, so we
  can now support even bigger files.
  
  Since the behavior updates mentioned only impact policy managers locked
  under a Pro subscription, this should not impact interim releases.
  
  [Test Plan]
  
  - For interim releases:
  Requirements:
    - Windows Server VM with Active Directory services (AD DS) configured;
  
  1) Configure DCONF policies in the AD controller;
- 2) Enroll the Ubuntu machine on the domain;
- 3) Install adsys 0.16.3;
- 4) Ensure that a user from the enrolled domain can authenticate and that 
the
-    policies were applied correctly;
+ 2) Configure a (very) large GPO (around 400kb);
+ 3) Enroll the Ubuntu machine on the domain;
+ 4) Install adsys 0.16.3;
+ 5) Ensure that a user from the enrolled domain can authenticate and that 
+adsys was able to parse and apply the policies correctly.
  
  - For LTS releases:
  Requirements:
    - Multiple domains environment (i.e. root.com and child.root.com)
    - Windows Server VM with Active Directory services (AD DS), on root.com.
    - Windows Server VM with Active Directory services (AD DS), Active
  Directory Certificate Services (AD CS) and a CEPCES server configured,
  on child.root.com.
  
  1) Configure privilege policies in the child AD controller;
  2) Enable the certificate autoenrollment policy in the child AD 
controller;
- 3) Configure a (very) large GPO (around 400kb).
+ 3) Configure a (very) large GPO (around 400kb);
  4) Enroll the Ubuntu machine on the child domain;
  5) Install adsys 0.16.3;
  6) Ensure that adsys was able to parse all the relevant policies;
  7) Ensure that a user from the enrolled domain can authenticate and that 
the
     privilege policy was applied correctly;
  8) Ensure that the machine is enrolled to the correct certificate 
authority;
  
  [Where prob
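Review bot: The new interim step 5 folds two checks into one ("can authenticate" and "adsys was able to parse and apply the policies correctly"), while the LTS plan keeps them apart as steps 6 and 7. Split the interim step the same way so a failed run shows whether parsing or authentication broke. The unchanged Impact paragraph also still says the update "should not impact interim releases", which now reads oddly next to an interim step that exercises the large-GPO fix; reword it to name which changes are Pro-only.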

[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-05-02 Thread Andreas Hasenack
Hi, some questions:

a) It sounds like the dconf test for interim releases also applies to
the LTS releases, right? If yes, could it be included in the test plan
for LTS releases as well?

b) updates to the privilege policy manager to support the newer Polkit versions 
(>= 124)
Which part of the test plan explicitly tests this change?

c) updates to the privilege policy manager to support the newer Polkit versions 
(>= 124)
From the list of affected releases in this SRU, only jammy has an older 
policykit-1 package (0.105). How is this backwards compatibility being changed? 
I mean, adsys 0.16.3 needs to support both policykit-1 >= 124, and <124, right?

d) I see a template file (policies/Ubuntu/all/Ubuntu.admx) getting updated 
entries for Ubuntu 25.04 (plucky), which is not part of this SRU (plucky 
already has adsys 0.16.3).
d1) What is the reason to include this change in this SRU?
d2) What is the benefit of including this change in this SRU?
d3) What is the risk of including this change in this SRU?
d4) How is this change going to be tested?

e) Assuming adsys will process policies even on interim releases, but
perhaps a restricted set, shouldn't the interim release also test the
large policies fix?

f) Jammy and Noble currently have 0.14.3. There are many launchpad bugs listed 
in d/changelog between 0.15 and 0.16.3.
I know that jammy and noble had SRUs in the past which DID NOT update the 
version number, but applied patches. Can you confirm that this version 0.16.3 
is not fixing anything else in noble and jammy that is already addressed by 
their latest SRUs?


** Changed in: adsys (Ubuntu Oracular)
   Status: New => Incomplete

** Changed in: adsys (Ubuntu Noble)
   Status: New => Incomplete

** Changed in: adsys (Ubuntu Jammy)
   Status: New => Incomplete


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-04-30 Thread Andreas Hasenack
I'm processing this SRU, and will continue outside my shift.


[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-04-01 Thread Denison Barbosa
** Description changed:

  [Impact]
  
- Adsys 0.16.2 introduces dependency bumps, and updates to the privilege
+ Adsys 0.16.3 introduces dependency bumps, and updates to the privilege
  policy manager to support the newer Polkit versions (>= 124) and their
  new syntax for defining system admins.
  
  It also adds fixes and improvements for certificate autoenrollment,
  specifically for multiple domains AD environments (i.e. parent.com and
  child.parent.com). Those fixes involve the refinement of some LDAP
  queries that were targeting the wrong domain and allowing the default
  behavior of getting the templates for a specific certificate authority
  to be overridden through changes in the cepces configuration file.
  
+ We also fixed an issue with the parsing of (very) large policies, so we
+ can now support even bigger files.
+ 
  Since the behavior updates mentioned only impact policy managers locked
  under a Pro subscription, this should not impact interim releases.
  
  [Test Plan]
  
  - For interim releases:
- Requirements:
-   - Windows Server VM with Active Directory services (AD DS) configured;
+ Requirements:
+   - Windows Server VM with Active Directory services (AD DS) configured;
  
- 1) Configure DCONF policies in the AD controller;
- 2) Enroll the Ubuntu machine on the domain;
- 3) Install adsys 0.16.2;
- 4) Ensure that a user from the enrolled domain can authenticate and that 
the 
-policies were applied correctly;
+ 1) Configure DCONF policies in the AD controller;
+ 2) Enroll the Ubuntu machine on the domain;
+ 3) Install adsys 0.16.3;
+ 4) Ensure that a user from the enrolled domain can authenticate and that 
the
+    policies were applied correctly;
  
  - For LTS releases:
- Requirements:
-   - Multiple domains environment (i.e. root.com and child.root.com)
-   - Windows Server VM with Active Directory services (AD DS), on root.com.
-   - Windows Server VM with Active Directory services (AD DS), Active 
- Directory Certificate Services (AD CS) and a CEPCES server 
configured, 
- on child.root.com.
- 
- 1) Configure privilege policies in the child AD controller;
- 2) Enable the certificate autoenrollment policy in the child AD 
controller;
- 3) Enroll the Ubuntu machine on the child domain;
- 4) Install adsys 0.16.2;
- 5) Ensure that a user from the enrolled domain can authenticate and that 
the 
-privilege policy was applied correctly;
- 6) Ensure that the machine is enrolled to the correct certificate 
authority;
+ Requirements:
+   - Multiple domains environment (i.e. root.com and child.root.com)
+   - Windows Server VM with Active Directory services (AD DS), on root.com.
+   - Windows Server VM with Active Directory services (AD DS), Active
+ Directory Certificate Services (AD CS) and a CEPCES server configured,
+ on child.root.com.
+ 
+ 1) Configure privilege policies in the child AD controller;
+ 2) Enable the certificate autoenrollment policy in the child AD 
controller;
+ 3) Configure a (very) large GPO (around 400kb).
+ 4) Enroll the Ubuntu machine on the child domain;
+ 5) Install adsys 0.16.3;
+ 6) Ensure that adsys was able to parse all the relevant policies;
+ 7) Ensure that a user from the enrolled domain can authenticate and that 
the
+    privilege policy was applied correctly;
+ 8) Ensure that the machine is enrolled to the correct certificate 
authority;
  
  [Where problems could occur]
  
  Since all of adsys external dependencies are vendored, there is no risk
  of incompatibility with other packages in the Ubuntu release. Unless an
  internal bug within one of them affects adsys (this would likely have
  been spotted in CI), bumping their version should not cause issues.
  
- As mentioned, the changes are targeted at policy managers locked under a
- Pro subscription, so they have no impact on interim releases.
+ If adsys fails to parse a large policy file, it won't be applied. If the
+ policy was enforced on the domain controller, authentication will be
+ denied.
+ 
+ As mentioned, the changes at the Privilege and Certificate managers are
+ locked under a Pro subscription, so they have no impact on interim
+ releases.
  
  As for LTS releases, there are two fail points:
  
  If adsys fails to apply the privilege escalation policy and the policy
  is enforced by the AD controller, then authentication will be prevented
  for users that require this GPO. If the policy is not enforced, then
  authentication will proceed as normal and polkit will use the system
  default values for system administrators.
  
  If adsys fails to fetch the certificate authorities or enroll the
  machine to a certificate template, authentication will still be allowed
  but the machine won't have access to the certificate benefits.
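Review bot: The interim-release plan (steps 1 to 4) has no large-GPO step, although this revision adds the large-policy parsing fix to [Impact] and adds steps 3 and 6 for it to the LTS plan only. The rewritten "Where problems could occur" text scopes the Pro restriction to the Privilege and Certificate managers and says a parse failure on an enforced policy denies authentication, so the parsing fix should be covered on interim releases too: add a "Configure a (very) large GPO (around 400kb)" step there. LTS step 3 also ends in a period where its neighbours end in semicolons.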

** Description changed:

  [Impact]
  
  Adsys 0.16.3 introduce

[Bug 2091940] Re: [SRU] Release adsys 0.16.3

2025-03-31 Thread Denison Barbosa
** Summary changed:

- [SRU] Release adsys 0.16.2
+ [SRU] Release adsys 0.16.3
