** Description changed:

[Impact]

There are some issues with the implementation of AD nested groups from LP #1638603. It works fine when listing the groups a user belongs to, but fails when listing all members of a group. The function that lists all members is also used to check whether a user belongs to a group, so that check fails as well.

[Test Plan]

The test plan consists of setting up two VMs (a Windows AD Domain Controller and an Ubuntu server) on a KVM host. We need a functional keystone installation on the Ubuntu server and will use regress-stack for that. The Ubuntu server version and the installed packages have to be adjusted to test each affected keystone version.

The low level procedure is as follows:

1. Install virt-manager on your host

   sudo apt update && sudo apt install virt-manager virt-viewer qemu-kvm libvirt-daemon-system libvirt-clients

2. Download the Windows Server 2022 ISO image:
   https://www.microsoft.com/en-us/evalcenter/download-windows-server-2022

3. Start the Windows VM:

   virt-install --name winserver \
     --virt-type kvm --memory 4096 --vcpus 4 \
     --disk size=60 \
     --cdrom /path/to/windows/iso/SERVER_EVAL_x64FRE_en-us.iso \
     --network network:default \
     --osinfo detect=on,require=off \
     --noautoconsole \
     --graphics spice

4. Use either virt-manager or remote-viewer to connect to the VM's console. The following is a sample command for remote-viewer. You can get the VM's spice port by running:

   virsh dumpxml winserver | grep graphics

   Connect to the VM's graphical interface (change the port if needed):

   remote-viewer spice://127.0.0.1:5900

5. Follow the installation in the VM. I picked the Windows Server 2022 Standard Evaluation, then Custom Install. During the installation the VM will shut down, so you will need to start it again with:

   virsh start winserver

   The installation completes with the SConfig menu, which has multiple options. Use the menu items to configure the computer name, IP address, default gateway, and time/timezone. Remember the Administrator user password.

6. Install the spice-guest-tools to enable copy/paste between the Windows guest and the host

   Invoke-WebRequest -Uri https://www.spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-latest.exe -OutFile sgtl.exe
   .\sgtl.exe

   And then reboot the server (run SConfig and then option 13).

7. Install and configure the Domain Controller

   Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

   # The password is single-quoted: inside double quotes PowerShell would expand "$d" as a variable
   Install-ADDSForest `
     -DomainName "test.local" `
     -InstallDns `
     -DomainMode WinThreshold `
     -ForestMode WinThreshold `
     -SafeModeAdministratorPassword (ConvertTo-SecureString 'ao4Ahnuzah$d!eeg' -AsPlainText -Force) `
     -NoRebootOnCompletion:$false `
     -Force

   The VM will restart to apply the changes.

8. Verification

   Get-WindowsFeature -Name AD-Domain-Services
   nslookup test.local

9. Add groups for testing

   New-ADOrganizationalUnit `
     -Name "groups" `
     -Path "DC=test,DC=local"

   New-ADGroup `
     -Name "GroupA" `
     -SamAccountName GroupA `
     -GroupCategory Security `
     -GroupScope Global `
     -Path "OU=Groups,DC=test,DC=local" `
     -Description "Group A"

   New-ADGroup `
     -Name "GroupB" `
     -SamAccountName GroupB `
     -GroupCategory Security `
     -GroupScope Global `
     -Path "OU=Groups,DC=test,DC=local" `
     -Description "Group B"

10. Add users for testing

   New-ADUser `
     -SamAccountName "user1" `
     -UserPrincipalName "[email protected]" `
     -Name "User1" `
     -GivenName "User" `
     -Surname "One" `
     -Enabled $true `
     -AccountPassword (ConvertTo-SecureString "pAsswd&987!" -AsPlainText -Force) `
     -ChangePasswordAtLogon $true `
     -Path "CN=Users,DC=test,DC=local"

   New-ADUser `
     -SamAccountName "user2" `
     -UserPrincipalName "[email protected]" `
     -Name "User2" `
     -GivenName "User" `
     -Surname "Two" `
     -Enabled $true `
     -AccountPassword (ConvertTo-SecureString "pAsswd&987!" -AsPlainText -Force) `
     -ChangePasswordAtLogon $true `
     -Path "CN=Users,DC=test,DC=local"

11. Add users to groups, and nest groups

   Add-ADGroupMember `
     -Identity GroupA `
     -Members user1, GroupB

   Add-ADGroupMember `
     -Identity GroupB `
     -Members user2

12. Verify

   Get-ADUser -Identity "user1"
   Get-ADUser -Identity "user2"
   Get-ADGroup -Identity "groupA"
   Get-ADGroup -Identity "groupB"

13. Download the appropriate Ubuntu server version from https://ubuntu.com/download/server

14. Configure the Ubuntu VM:

   virt-install --name ubuntu \
     --virt-type kvm --memory 4096 --vcpus 4 \
     --disk size=50 \
     --cdrom /path/to/ubuntu/iso/ubuntu<version>.iso \
     --network network:default \
     --osinfo ubuntu<version>

   Use the default values and enable the SSH server. Log in to the server via ssh after the installation.

15. Install packages and regress-stack. If testing UCA packages, that repo should be enabled first:

   sudo add-apt-repository cloud-archive:<version>

   Then:

   sudo snap install openstackclients
   git clone https://github.com/canonical/regress-stack.git
   cd regress-stack
   sudo snap install astral-uv --classic
   uvx pre-commit install
   sudo apt install -y dpkg-dev python3-dev python-apt-dev python3-openstackclient keystone apache2 libapache2-mod-wsgi-py3 mysql-server crudini python3-ldappool
   uv sync
   sudo uv run regress-stack setup
   sudo cp /root/auth.rc ~
   sudo chown $(id -u):$(id -g) ~/auth.rc
   sudo crudini --set /etc/keystone/keystone.conf identity domain_specific_drivers_enabled true

16. Create the file keystone.windows.lan.conf in /etc/keystone/domains with the following contents, setting the Windows server IP address and the Administrator password:

   [ldap]
   url = ldap://<windows_server_ip>
   user = CN=Administrator,CN=Users,DC=test,DC=local
   password = <windows_admin_password>
   suffix = DC=test,DC=local
   user_allow_create = False
   user_allow_update = False
   user_allow_delete = False
   group_allow_create = False
   group_allow_update = False
   group_allow_delete = False
   query_scope = sub
   user_tree_dn = CN=Users,DC=test,DC=local
   user_objectclass = person
   user_id_attribute = cn
   user_name_attribute = sAMAccountName
   user_enabled_attribute = userAccountcontrol
   user_enabled_invert = False
   user_enabled_mask = 2
   user_enabled_default = 512
   group_tree_dn = OU=groups,DC=test,DC=local
   group_objectclass = group
   group_id_attribute = cn
   group_name_attribute = sAMAccountName
   group_member_attribute = member
   group_members_are_ids = False
   group_ad_nesting = True

   [identity]
   driver = ldap

17. Finish the configuration

   source ~/auth.rc
   openstack domain create windows.lan
   sudo systemctl restart apache2

18. Test before the patch:

   $ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupA user1
   user1 not in group groupA
   $ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupA user2
   user2 not in group groupA
   $ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupB user1
   user1 in group groupB
   $ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupB user2
   user2 not in group groupB

19. Apply the patch and retest:

   $ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupA user1
   user1 in group groupA
   $ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupA user2
   user2 in group groupA
   $ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupB user1
   user1 not in group groupB
   $ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupB user2
   user2 in group groupB

[Where problems could occur]

Applications relying on the previous erroneous behaviour could experience errors, as the users' permissions might change to reflect the groups the users are actually assigned to. Moreover, with nested groups now functional, users could gain new permissions because they are considered to belong to the parent groups. This can be disabled by setting group_ad_nesting to false in the keystone-ldap charm config.

[Other Info]

Packages in Questing and Resolute already have the patch. The same applies to Flamingo in the UCA.
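As an added illustration (this is not keystone's code and not the patch attached to this bug), the following Python models the directory built in steps 9 to 11 (GroupA holds user1 and GroupB; GroupB holds user2) as an in-memory map and resolves nested membership in both directions: the groups a user belongs to, and the users a group contains. The second direction is the one the "group contains user" check depends on, and the results match the post-patch output in step 19. The DNs, the in-memory map and the helper names are assumptions; the OID 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, which a real AD server evaluates for transitive membership queries, and the two filter builders only show what such a query looks like.

```python
"""Nested (transitive) AD group membership resolved in both directions.

Added example, not keystone's code. The directory below is a constructed
model of the test-plan data: group DN -> list of member DNs.
"""
from collections import deque

# Constructed sample directory mirroring steps 9-11 of the test plan.
DIRECTORY = {
    "CN=GroupA,OU=groups,DC=test,DC=local": [
        "CN=User1,CN=Users,DC=test,DC=local",
        "CN=GroupB,OU=groups,DC=test,DC=local",   # nested group
    ],
    "CN=GroupB,OU=groups,DC=test,DC=local": [
        "CN=User2,CN=Users,DC=test,DC=local",
    ],
}

# AD's LDAP_MATCHING_RULE_IN_CHAIN: the server walks the nesting chain itself.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """RFC 4515 escaping so a DN or name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def groups_filter(user_dn):
    """Server-side query for every group a user belongs to, directly or nested."""
    return "(member:%s:=%s)" % (IN_CHAIN, escape_filter_value(user_dn))


def members_filter(group_dn):
    """Server-side query for every user that is a transitive member of a group."""
    return "(memberOf:%s:=%s)" % (IN_CHAIN, escape_filter_value(group_dn))


def direct_members(group_dn, directory=DIRECTORY):
    """Only the 'member' attribute, with nested groups left unexpanded (what a
    non-nesting listing sees)."""
    return {m for m in directory.get(group_dn, []) if m not in directory}


def transitive_members(group_dn, directory=DIRECTORY):
    """Expand nested groups breadth-first; 'seen' guards against group cycles."""
    seen, users = set(), set()
    queue = deque([group_dn])
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        for member in directory.get(dn, []):
            if member in directory:      # a group: keep expanding
                queue.append(member)
            else:                        # a user entry
                users.add(member)
    return users


def transitive_groups(user_dn, directory=DIRECTORY):
    """All groups containing the user directly or through nesting (fixed point)."""
    result = set()
    changed = True
    while changed:
        changed = False
        for group_dn, members in directory.items():
            if group_dn in result:
                continue
            if user_dn in members or any(m in result for m in members):
                result.add(group_dn)
                changed = True
    return result


def user_in_group(user_dn, group_dn, directory=DIRECTORY):
    """Semantics of 'openstack group contains user' with nesting honoured."""
    return user_dn in transitive_members(group_dn, directory)


if __name__ == "__main__":
    # Reproduce the four checks of the test plan (constructed DNs).
    for group in ("GroupA", "GroupB"):
        for user in ("User1", "User2"):
            gdn = "CN=%s,OU=groups,DC=test,DC=local" % group
            udn = "CN=%s,CN=Users,DC=test,DC=local" % user
            verdict = "in" if user_in_group(udn, gdn) else "not in"
            print("%s %s group %s" % (user.lower(), verdict, group.lower()))
    print(members_filter("CN=GroupA,OU=groups,DC=test,DC=local"))
```

Running the block prints the same four verdicts as step 19. The `direct_members` helper is there for contrast: for GroupA it yields only user1, which is the kind of result a listing that ignores nesting produces, while `transitive_members` also finds user2 through GroupB. Any value interpolated into a filter goes through `escape_filter_value`, so a crafted DN or name cannot alter the query.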
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2112477

Title:
  Problems with AD nested groups

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2112477/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
