[Bug 2059756] Re: [SRU] adsys 0.14.1

Launchpad Bug Tracker 2059756 at bugs.launchpad.net
Tue Jul 9 18:11:25 UTC 2024


This bug was fixed in the package adsys - 0.14.1~22.04

---------------
adsys (0.14.1~22.04) jammy; urgency=medium

  * Backport 0.14.1 to jammy (LP: #2059756)
    - Build with Go 1.22
    - Disable dh_dwz on account of go >= 1.19 compressing symbols itself
      (fixed in newer dh_golang)
    - Revert incorrect prerm purge stanza

adsys (0.14.1build1) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

adsys (0.14.1) noble; urgency=medium

  * Pin Go toolchain to 1.22.1 to fix the following security vulnerabilities:
    - GO-2024-2598
    - GO-2024-2599
  * Update apport hook to include journal errors and package logs
  * CI and quality of life changes not impacting package functionality:
    - Enable end-to-end tests in GitHub Actions
    - Remove stale AD resources on test finish
    - Add developer documentation for running end-to-end tests
    - Collect and upload end-to-end test logs on failure
    - Report test coverage in Cobertura XML format
    - Silence gosec warnings using nolint and remove deprecated ifshort linter
    - Use an environment variable to update golden files
    - Bump github actions to latest:
      - azure/login
      - softprops/action-gh-release
  * Update dependencies to latest:
    - github.com/charmbracelet/lipgloss
    - github.com/golangci/golangci-lint
    - github.com/golang/protobuf
    - github.com/stretchr/testify
    - golang.org/x/crypto
    - golang.org/x/net
    - google.golang.org/grpc
    - google.golang.org/protobuf

adsys (0.14.0) noble; urgency=medium

  * Infer user KRB5CCNAME path via the libkrb5 API (LP: #2049061)
    - This functionality is opt-in and activated if the detect_cached_ticket
      setting is set to true
    - If the AD backend (e.g. sssd) doesn't export the KRB5CCNAME variable, adsys
      will now determine the path to the default ticket cache and use it during
      authentication (when adsys is executed through the PAM module) and runs of
      adsysctl update for the current user.
  * Allow sssd backend to work without ad_domain being set (LP: #2054445)
  * Upgrade to Go 1.22
  * CI and quality of life changes not impacting package functionality:
    - Pass token explicitly to Codecov action
    - Fix require outside of main goroutine
    - Mark function arguments as unused where applicable
      Thanks to Edu Gómez Escandell
    - End to end test VM template creation updates
    - Bump github actions to latest:
      - codecov/codecov-action
      - peter-evans/create-pull-request
  * Update dependencies to latest:
    - github.com/charmbracelet/bubbles
    - github.com/golangci/golangci-lint
    - golang.org/x/crypto
    - golang.org/x/net
    - google.golang.org/grpc

adsys (0.13.3) noble; urgency=medium

  * Fix cert auto-enroll without NDES (LP: #2051363)
  * Refresh policy definition files (remove Lunar support)
  * CI and quality of life changes not impacting package functionality:
    - Bump github actions to latest:
      - actions/download-artifact
      - actions/setup-go
      - actions/upload-artifact
  * Update dependencies to latest:
    - github.com/charmbracelet/bubbles
    - github.com/charmbracelet/bubbletea
    - github.com/google/uuid
    - github.com/spf13/viper
    - golang.org/x/crypto
    - golang.org/x/net
    - golang.org/x/sync
    - golang.org/x/sys
    - google.golang.org/grpc
    - google.golang.org/protobuf

adsys (0.13.2) noble; urgency=medium

  [ Denison Barbosa ]
  [ Didier Roche ]
  [ Gabriel Nagy ]
  [ Jean-Baptiste Lallement ]
  * Ensure GPO URLs contain the FQDN of the domain controller (LP: #2024377)
  * Add runtime dependency on nfs-common (LP: #2044112)
  * Documentation changes:
    - Switch to Read the Docs for project documentation
    - Generate documentation from policy definitions
    - Fix installation path of adwatchd
  * CI and quality of life changes not impacting package functionality:
    - Bump go version to 1.21.4
    - Fix docker stop behavior on integration tests
    - Add e2e tests provisioning workflow
    - Reduce the amount of workflows to be run
    - Remove scopes from dependabot config
  * Update dependencies to latest:
    - github.com/charmbracelet/lipgloss
    - github.com/fatih/color
    - github.com/fsnotify/fsnotify
    - github.com/golangci/golangci-lint
    - github.com/google/uuid
    - github.com/maruel/natural
    - github.com/pkg/sftp
    - github.com/spf13/cobra
    - github.com/spf13/viper
    - golang.org/x/crypto
    - golang.org/x/net
    - golang.org/x/sync
    - golang.org/x/sys
    - golang.org/x/text
    - google.golang.org/grpc

adsys (0.13.1) mantic; urgency=medium

  [ Denison Barbosa ]
  [ Didier Roche ]
  [ Gabriel Nagy ]
  * Fix pam_adsys build (LP: #2037270)
  * Switch to upstream gotext version and align go-i18n (LP: #2037271)
  * Add documentation for certificate policy manager
  * CI and quality of life changes not impacting package functionality:
    - Workflow to auto-patch vendored Samba code
    - Fix typo on build command for the admxgen package
    - Switch to reusable code quality action in CI
    - Apply issue template changes
    - Open issue when ADMX/L builds fail
  * Update dependencies to latest:
    - github.com/charmbracelet/lipgloss
    - github.com/golangci/golangci-lint
    - github.com/gomarkdown/markdown
    - golang.org/x/net
    - golang.org/x/sys
    - golang.org/x/text
    - google.golang.org/grpc

adsys (0.13.0) mantic; urgency=medium

  [ Denison Barbosa ]
  [ Didier Roche ]
  [ Gabriel Nagy ]
  * Add certificate policy manager for machines
    - a new Pro-only policy manager that leverages Samba functionality in order
      to enroll the machine for certificates from AD Certificate Services
  * Migrate translation support to native approach using go-i18n + gotext
  * Update policy definitions to include dconf key for dark mode background
  * Update dependencies to latest:
    - github.com/charmbracelet/bubbles
    - github.com/charmbracelet/bubbletea
    - github.com/golangci/golangci-lint
    - github.com/muesli/termenv
    - github.com/sirupsen/logrus
    - golang.org/x/net
    - golang.org/x/sync
    - golang.org/x/sys
    - golang.org/x/text
    - google.golang.org/grpc
    - google.golang.org/protobuf
  * CI and quality of life changes not impacting package functionality:
    - Address a few issues in smbsafe_test.go
    - Fix typo on build command for the admxgen package
    - Switch to reusable code quality action in CI
    - Apply issue template changes
    - Open issue when ADMX/L builds fail

adsys (0.12.0) mantic; urgency=medium

  [ Denison Barbosa ]
  [ Didier Roche ]
  [ Gabriel Nagy ]
  [ Jean-Baptiste Lallement ]
  * Release 0.12.0 (LP: #2020682)
    - Fix DCONF_PROFILE not considering default_domain_suffix on sssd.conf
    - Go implementation for the user mount handler
    - Remove Rust source code from adsys
    - Rework Kerberos ticket handling logic:
      - to satisfy the Heimdal implementation of Kerberos, we now store and use
        a root-owned copy of the cached ticket
      - the ticket lifetime is still handled via a symlink, and the copy is
        kept up to date based on the original ticket timestamp
    - Ensure empty state for dconf policy
    - Handle case mismatches in GPT.INI file name
    - Refactor ListActiveUsers gRPC function
    - Add adsysctl policy purge command to purge applied policies
    - Rework policy application sync strategy
    - Print logs when policies are up to date
    - Bump Go version to 1.20
    - Update dependencies to latest:
      - github.com/charmbracelet/bubbles
      - github.com/charmbracelet/bubbletea
      - github.com/sirupsen/logrus
      - github.com/spf13/cobra
      - github.com/stretchr/testify
      - golang.org/x/net
      - golang.org/x/sync
      - golang.org/x/sys
      - google.golang.org/grpc
    - CI and quality of life changes not affecting package functionality:
      - peter-evans/create-pull-request
      - Apply clang-format to C source files
      - Remove Rust related code from CI and tests
      - Improve test consistency
      - Fix documentation example images

adsys (0.11.0) lunar; urgency=medium

  [ Denison Barbosa ]
  [ Gabriel Nagy ]
  * List Pro policy types in service status output
  * Warn when Pro-only rules are configured
  * Use systemd via D-Bus instead of systemctl commands
  * Add placeholder notes for entry types
  * Add guideline docs to the policy managers
  * Change Ubuntu Advantage to Ubuntu Pro in docs
  * Add system proxy policy manager (LP: #2012371)
  * Update dependencies to latest:
    - github.com/charmbracelet/lipgloss
    - github.com/coreos/go-systemd/v22
    - github.com/fatih/color
    - github.com/golangci/golangci-lint
    - github.com/golang/protobuf
    - golang.org/x/net
    - google.golang.org/grpc
    - google.golang.org/grpc/cmd/protoc-gen-go-grpc
    - google.golang.org/protobuf
  * CI and quality of life changes not impacting package functionality:
    - Bump github actions to latest:
      - actions/setup-go
    - Update Rust related auto update jobs
    - Replace testutils.Setenv with t.Setenv
    - Set up more tests to run in parallel
    - Various test refactors and improvements

adsys (0.10.1) lunar; urgency=medium

  [ Denison Barbosa ]
  [ Jean-Baptiste Lallement ]
  [ Gabriel Nagy ]
  [ Didier Roche ]
  * Fix erroneous non alternative dependency on package krb5-user
  * Fix a bug in internal/config tests that was causing the autopkgtests to fail
  * Update internal/config to also trigger a reload when config file is
    overwritten
  * Update dependencies to latest:
    - github.com/golangci/golangci-lint
    - github.com/stretchr/testify
  * CI and quality of life changes not impacting package functionality:
    - Bump github actions to latest:
      - peter-evans/create-pull-request
      - actions/download-artifact
    - Addressing some linter issues pointed out by new golangci-lint version

adsys (0.10.0) lunar; urgency=medium

  [ Denison Barbosa ]
  [ Jean-Baptiste Lallement ]
  [ Gabriel Nagy ]
  [ Didier Roche ]
  * Add mount / network shares policy manager
    - this is an Ubuntu Pro feature that allows mounting network shares at a
      user or machine level
    - supported mount types: smb, nfs, and ftp (after installing curlftpfs)
    - supported authentication: anonymous (default), krb5
    - user mounts are handled at login by a Rust binary now shipped with adsys
      Thanks to schopin for the packaging guidance and contributions
    - computer mounts are handled by systemd mount units requiring root
      privileges
  * Add AppArmor policy manager
    - this is an Ubuntu Pro feature that allows enforcing application
      confinement at a user or machine level using AppArmor
    - user policies rely on the libpam-apparmor package which must be
      installed manually
  * Support multiple AD backends and implement Winbind support
    - sssd is still the default backend, but winbind can be opted into through
      the adsys.yaml configuration file
  * Add a --machine / -m flag to adsysctl applied, indicating the policies
    applied to the current machine
  * Expose Ubuntu Pro status in the "status" command
    - status is now fetched dynamically instead of relying on a possibly
      outdated state when updating policies
  * Update scripts manager creation
    - scripts manager now creates both a users and machine directory on
      initialization
  * Fix policy update failing when GPT.INI contains no version key
  * Fix object lookup for users having a FQDN as their hostname
  * Support special characters in domains when parsing sssd configuration
  * Reduce dependencies by excluding CI tools from go.mod
    - tooling-related packages are now vendored in a separate go.mod file,
      allowing for a smaller source package
  * Replace gopkg.in/yaml.v2 with gopkg.in/yaml.v3
    Thanks to Juneezee for the contribution
  * Clean-up packaging scripts related to the user mount handler
    Thanks to liushuyu for the contribution
  * CI and quality of life changes not impacting package functionality:
    - Add golden functionality to testutils
    - Switch to new fsnotify event check syntax
    - Move adsysgpotests to golden generated by testutils
    - Fix test helper permission when making directory RO
    - Rework skipping integration tests
    - Compare golden tree executable permissions
    - Allow running mount_handler tests as part of go test
    - Fix python coverage in integration tests
    - Factorize some coverage testutils functions
    - Refactor tracking and generating coverage files
    - Implement session dbus mock
    - Stabilize integration test coverage
    - Fix set-output GitHub Actions deprecation warning
    - Reuse our utility function for comparing trees
    - Install missing packages for auto-updates workflow
    - Update d/copyright to account for the new Rust dependencies
    - Fix FTBFS on Launchpad introduced by the latest unreleased work
    - Standardize on test case naming and use the previously added testutils
      functions for golden file comparison
  * Update dependencies to latest:
    - github.com/charmbracelet/bubbles
    - github.com/charmbracelet/bubbletea
    - github.com/charmbracelet/glamour
    - github.com/charmbracelet/lipgloss
    - github.com/fatih/color
    - github.com/fsnotify/fsnotify
    - github.com/golangci/golangci-lint
    - github.com/kardianos/service
    - github.com/muesli/termenv
    - github.com/spf13/cobra
    - github.com/spf13/viper
    - github.com/stretchr/testify
    - golang.org/x/net
    - golang.org/x/sys
    - golang.org/x/text
    - google.golang.org/grpc
    - gopkg.in/ini.v1

adsys (0.9.2) kinetic; urgency=medium

  * Update generators to fix FTBFS
    - shell out to mkdir instead of go's os.Mkdir which can bypass fakeroot's
      filesystem hijacking and cause unexpected behavior
  * Update dependencies to latest:
    - github.com/golangci/golangci-lint
    - google.golang.org/protobuf

 -- Gabriel Nagy <gabriel.nagy at canonical.com>  Wed, 26 Jun 2024 12:34:21 +0300

** Changed in: adsys (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-3094

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to golang-1.22 in Ubuntu.
https://bugs.launchpad.net/bugs/2059756

Title:
  [SRU] adsys 0.14.1

Status in adsys package in Ubuntu:
  Fix Released
Status in golang-1.22 package in Ubuntu:
  Fix Released
Status in adsys source package in Jammy:
  Fix Released
Status in golang-1.22 source package in Jammy:
  Fix Released
Status in adsys source package in Mantic:
  Fix Committed
Status in golang-1.22 source package in Mantic:
  Fix Released

Bug description:
  [context]
  ADSys is a tool designed for administering and implementing Group Policy Objects (GPOs) from Active Directory on Linux systems. It includes a suite of services and commands that empower administrators to efficiently manage policy updates and maintain compliance with organizational business rules.

  Given that ADSys directly interfaces with Active Directory and needs
  to align with new business requirements in LTS releases, it has been
  essential to keep the package consistently updated with the latest
  changes of ADSys upstream source. As ADSys is a key component of our
  commercial offerings, our customers anticipate the availability of
  recently implemented features in the 22.04 release.

  Now that ADSys has a complete set of features, the request is to
  proceed with a one-off release of ADSys 0.14.1 to 22.04. Please note
  that any new features introduced in subsequent versions will be
  exclusively available in 24.04 and later releases.

  This version includes a comprehensive end to end automated test suite
  that runs ADSys against a real Active Directory environment.

  Version 0.14.1 is available for 22.04 in a PPA
  (https://launchpad.net/~ubuntu-enterprise-desktop/+archive/ubuntu/adsys)
  and already used in production by customers.

  At the time of writing, the number of open issues is 1 in Launchpad
  and 16 in GitHub, including 6 enhancements. None of them have a high or
  critical importance.

  [references]
  LP: https://launchpad.net/ubuntu/+source/adsys
  LP Bugs: https://bugs.launchpad.net/ubuntu/+source/adsys
  GitHub: https://github.com/ubuntu/adsys/
  GH Bugs: https://github.com/ubuntu/adsys/issues
  Documentation: https://canonical-adsys.readthedocs-hosted.com/en/stable/
  Initial SRU discussion: https://lists.ubuntu.com/archives/ubuntu-release/2023-June/005650.html

  [changes]
  Full LP Changelog: https://launchpad.net/ubuntu/+source/adsys/+changelog
   * New features
     * New policies:
       - Add mount / network shares policy manager
       - Add AppArmor policy manager
       - Support multiple AD backends and implement Winbind support
       - Add system proxy policy manager
       - Add certificate policy manager for machines
       - Add adsysctl policy purge command to purge applied policies
       - Full documentation
       - Full end to end automated test suite.

   * Enhancements
    * Add a --machine / -m flag to adsysctl applied, indicating the policies applied to the current machine
    * Expose Ubuntu Pro status in the "status" command
    * Update scripts manager creation
    * List Pro policy types in service status output
    * Warn when Pro-only rules are configured
    * Use systemd via D-Bus instead of systemctl commands
    * Add placeholder notes for entry types
    * Rework Kerberos ticket handling logic to satisfy the Heimdal implementation of Kerberos
    * Rework policy application sync strategy
    * Print logs when policies are up to date
    * Update policy definitions to include dconf key for dark mode background
    * Infer user KRB5CCNAME path via the libkrb5 API (LP: #2049061)
    * Allow sssd backend to work without ad_domain being set (LP: #2054445)
    * Update apport hook to include journal errors and package logs

   * Bug fixes
    * Fix policy update failing when GPT.INI contains no version key
    * Fix object lookup for users having a FQDN as their hostname
    * Support special characters in domains when parsing sssd configuration
    * Fix DCONF_PROFILE not considering default_domain_suffix on sssd.conf
    * Ensure empty state for dconf policy
    * Handle case mismatches in GPT.INI file name
    * Ensure GPO URLs contain the FQDN of the domain controller
    * Add runtime dependency on nfs-common

   * Other
    * Updates to latest versions of Go (fixing known Go vulnerabilities)
    * Updates to latest versions of the Go dependencies
    * Updates and improvements to CI and QoL
    * Migrate translation support to native approach using go-i18n + gotext and switch to upstream gotext version

  Dependencies:
  * Build-dep: golang-go (>= 2:1.22~)

  * Dependencies to backport to 22.04:
    * golang-go >= 2:1.22
    * ubuntu-proxy-manager (suggest. Required for Proxy support - feature will be disabled otherwise)
    * python3-cepces (suggest. Required for Certificates autoenrollment support - feature will be disabled otherwise)
    * Note: Both are currently in the new queue of 22.04: https://launchpad.net/ubuntu/jammy/+queue?queue_state=0&queue_text=

  [test plan]
  # Process
  ADSys follows a robust continuous integration and testing process. It is covered by a comprehensive automated test suite (https://github.com/ubuntu/adsys/actions/workflows/qa.yaml) and an automated end to end test suite that runs in a real Active Directory environment (https://github.com/ubuntu/adsys/actions/workflows/e2e-tests.yaml).

  The team applied the following quality criteria:
   * All changes are thoroughly reviewed and approved by core team members before integration.
   * Each change is thoroughly tested at the unit, integration and system levels.
   * All the tests pass in all supported architectures.
   * All bugs fixed in this release must have a link to the pull request that fixes them.
   * All bug fixes and new features are verified in a system by executing automated or manual tests. Most of these tests are automated and executed in the autopkgtest suite. Tests that are not automated are executed manually.
   * New and existing features are tested in a real Active Directory environment.
   * There are no unfixed bugs tagged "blocker" on the milestone.

  # Packaging QA
  To prepare the release to 22.04, the following procedures will be completed to ensure quality:
   * All autopkgtests pass.
   * The package does not break when upgrading.
   * The binary is identical to the CI build, with only Debian packaging changes.
   * The copyrights and changelog are up to date.
   * An upgrade test from the previous package version has been performed using apt install/upgrade.

  # Code sanity
  Code sanity checks are performed automatically on each build. They verify:
   * Code linting
   * Go module files are up to date
   * Generated files are up to date
   * Any binary in the project builds
   * Vulnerabilities
  Example report: https://github.com/ubuntu/adsys/actions/runs/6955264244

  # Code coverage
   * Code coverage is computed on every build and a report generated.
   * Codecov report:  https://app.codecov.io/gh/ubuntu/adsys
   * Coverage as of today: 90.78%

  # Manual tests
   1. Configure your machine with AD, with a correctly configured SSSD and KRB5. AD user should be able to log in (https://canonical-adsys.readthedocs-hosted.com/en/latest/how-to/set-up-adsys/)
   2. Install admx and adml files on your AD controller (https://canonical-adsys.readthedocs-hosted.com/en/latest/how-to/set-up-ad/)
   3. Configure some Group Policies in the AD server (https://canonical-adsys.readthedocs-hosted.com/en/latest/how-to/use-gpo/)
   4. Install ADSys, reboot the machine and log in as an AD user.
   5. Ensure that the configuration done in the AD server is reflected on the Ubuntu machine.

  [where problems could occur]
  For AD users:
   * ADSys can prevent authentication of AD users if some policies can't be applied or fail to apply properly
   * Note: The categories of bugs we've identified typically revolve around Active Directory setup or network configuration. Extensive and detailed logging of both SSSD and ADSys aids in resolving these issues promptly.

   * For local users, no impact will occur.

  Notes:
  * Recommends python-cepces and python-requests-gssapi are referenced in https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2048514
  * The other recommends ubuntu-proxy-manager is referenced in https://bugs.launchpad.net/ubuntu/+source/ubuntu-proxy-manager/+bug/2048232
