Adsys can't fetch GPOs

Bug #2024377 reported by Juarez Prates
This bug affects 6 people
Affects: adsys (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Gabriel Nagy | Milestone: -

Bug Description

Bad, maybe not understandable English ahead.

Can't find anything related to this on Github, Canonical Forums, Reddit or StackOverflow.

On Ubuntu 22.04, I've followed the Wiki tutorial and verified all steps in the Ubuntu Desktop integration whitepaper. Currently using the SSSD backend, I can log in with Active Directory users; however, when adsys is installed I can't fetch GPOs. In this version the error is:

ERROR Error from server: error while updating policy: can't get policies for "ubuntu": can't download all gpos and assets: one or more error while fetching GPOs and assets: can't download "ubuntuRoot": can't check if ubuntuRoot needs refreshing: no GPT.INI file: cannot open smb://addc01.domain.com.br/SysVol/domain.com.br/Policies/{DF072E7E-6F2F-46D1-A90F-699415F72F2E}/GPT.INI: invalid argument

It happens when using "adsysctl update -m" or "adsysctl update <email address hidden> /tmp/krb5c_getentId_randomdnumber" and just "adsysctl update" too.

I've upgraded the machine to 22.10 and the error changed to:

ERROR Error from server: error while updating policy: can't get policies for "ubuntu": failed to retrieve the list of GPO (exited with 1): exit status 1
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://addc01.domain.com.br' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to open session: (1, 'LDAP client internal error: NT_STATUS_INVALID_PARAMETER').

After upgrading to 23.04 the error persists, the same as above.

Full info 22.04 (-vvvv verbose):

INFO No configuration file: Config File "adsys" Not Found in "[/home/jzprates /root /etc /usr/sbin]".
We will only use the defaults, env variables or flags.
DEBUG Connecting as [[2504:109556]]
DEBUG New request /service/UpdatePolicy
DEBUG Requesting with parameters: IsComputer: true, All: false, Target: ubuntu, Krb5Cc:
DEBUG NormalizeTargetName for "ubuntu", type "computer"
DEBUG Check if grpc request peer is authorized
DEBUG Authorized as being administrator
DEBUG GetPolicies for "ubuntu", type "computer"
DEBUG Getting gpo list with arguments: "--objectclass computer ldap://addc01.domain.com.br ubuntu"
DEBUG GPO "ubuntuRoot" for "ubuntu" available at "smb://addc01.domain.com.br/SysVol/domain.com.br/Policies/{DF072E7E-6F2F-46D1-A90F-699415F72F2E}"
DEBUG Analyzing "assets"
DEBUG Analyzing "ubuntuRoot"
INFO No assets directory with GPT.INI file found on AD, skipping assets download
ERROR Error from server: error while updating policy: can't get policies for "ubuntu": can't download all gpos and assets: one or more error while fetching GPOs and assets: can't download "ubuntuRoot": can't check if ubuntuRoot needs refreshing: no GPT.INI file: cannot open smb://addc01.domain.com.br/SysVol/domain.com.br/Policies/{DF072E7E-6F2F-46D1-A90F-699415F72F2E}/GPT.INI: invalid argument

Full info 23.04 (-vvvv verbose):

INFO No configuration file: Config File "adsys" Not Found in "[/home/jzprates /root /etc /usr/sbin]".
DEBUG Connecting as [[58811:006019]]
DEBUG New request /service/UpdatePolicy
DEBUG Requesting with parameters: IsComputer: true, All: false, Target: ubuntu, Krb5Cc:
DEBUG NormalizeTargetName for "ubuntu", type "computer"
DEBUG Check if grpc request peer is authorized
DEBUG Authorized as being administrator
DEBUG GetPolicies for "ubuntu", type "computer"
DEBUG Getting gpo list with arguments: "--objectclass computer ldap://addc01.domain.com.br ubuntu"
ERROR Error from server: error while updating policy: can't get policies for "ubuntu": failed to retrieve the list of GPO (exited with 1): exit status 1
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://addc01.domain.com.br' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to open session: (1, 'LDAP client internal error: NT_STATUS_INVALID_PARAMETER')

Additional info:

Domain Controller and machine are on the same subnet, without a firewall at any level;
Domain Controller is a Windows Server 2019 with the latest security updates;
Both machine and user are in the same OU with "no heritage" enabled and just one policy added to permit <email address hidden> to become root;
The info header directory is "/home/jzprates" in both logs because I collected them using the local account with "sudo adsysctl update -m -vvvv";
If I disable adsys login in pam-auth-update, Ubuntu creates a homedir and domain users log in correctly.

ProblemType: Bug
DistroRelease: Ubuntu 23.04
Package: adsys 0.11.0
ProcVersionSignature: Ubuntu 6.2.0-23.23-generic 6.2.12
Uname: Linux 6.2.0-23-generic x86_64
ApportVersion: 2.26.1-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Mon Jun 19 11:22:10 2023
InstallationDate: Installed on 2023-06-13 (5 days ago)
InstallationMedia: Ubuntu 22.04.2 LTS "Jammy Jellyfish" - Release amd64 (20230223)
RelatedPackageVersions:
 sssd 2.8.1-1ubuntu1
 python3-samba 2:4.17.7+dfsg-1ubuntu1
SourcePackage: adsys
UpgradeStatus: Upgraded to lunar on 2023-06-16 (2 days ago)
modified.conffile..etc.polkit-1.localauthority.conf.d.99-adsys-privilege-enforcement.conf: [deleted]
modified.conffile..etc.sudoers.d.99-adsys-privilege-enforcement: [deleted]

Juarez Prates (jzprates)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in adsys (Ubuntu):
status: New → Confirmed
Revision history for this message
Gabriel Nagy (gabuscus) wrote :

Hello,

The issues described for 22.10 and 23.04 were fixed by https://github.com/ubuntu/adsys/pull/699 and are available since adsys v0.12.0. However this is only available in Mantic which is not yet released.

For the "invalid argument" issue encountered in 22.04, could you confirm the version of the installed libsmbclient library in 22.04?

Thanks

Revision history for this message
James Martin (jmarti4203) wrote : Re: [Bug 2024377] Re: Adsys can't fetch GPOs

I am on LOA for work until 9/18. I'll check when I return to work that day
and follow up with you.

On Wed, Sep 13, 2023, 9:51 AM Gabriel Nagy <email address hidden>
wrote:

Revision history for this message
James Martin (jmarti4203) wrote :

Libsmbclient version 2:4.15.13+dfsg-0ubuntu1.3

On Wed, Sep 13, 2023, 9:51 AM Gabriel Nagy <email address hidden>
wrote:

Revision history for this message
Gabriel Nagy (gabuscus) wrote :

Thanks for reaching back. Unfortunately we haven't been able to reproduce this issue and we suspect it's somehow related to the Windows environment or libsmbclient itself.

Could you try the following?

In a root console, execute the following:

export KRB5CCNAME=/var/run/adsys/krb5cc/$(hostname)
adsysctl policy debug gpolist-script
chmod +x adsys-gpolist
./adsys-gpolist --objectclass computer ldap://<ad-url> $(hostname)
<paste output>

smbclient --option='log level=10' //<ad-url>/SYSVOL/ -k -c 'get <ad-url>/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI /dev/fd/1' | cat
<paste output>

You might need to install the smbclient package as well if it's not already installed.

Revision history for this message
James Martin (jm76432) wrote :

export KRB5CCNAME=/var/run/adsys/krb5cc/$hostname
adsysctl policy debug gpolist-script
chmod +x adsys-gpolist
./adsys-gpolist --objectclass computer ldap://domaincontroller.domain.com <hostname>
DEBUG Connecting as [[12227:085002]]
DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:27 StreamServerInterceptor.func1() New request /service/GPOListScript
DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:60 loggedServerStream.RecvMsg() Requesting with parameters:
DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:111 Authorizer.IsAllowedFromContext() Check if grpc request peer is authorized
DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:153 Authorizer.isAllowed() Any user always authorized
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://domaincontroller.domain.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to open session: (1, 'LDAP client internal error: NT_STATUS_INVALID_PARAMETER')

sudo smbclient --option='log level=10' //Domaincontroller.domain.com/SYSVOL/ -k -c 'get Domaincontroller.domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}/GPT.INI /dev/fd/1' | cat
INFO: Current debug levels:
WARNING: The option -k|--kerberos is deprecated!
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter workgroup = domain
doing parameter security = ADS
doing parameter realm = domain.COM
doing parameter encrypt passwords = yes
lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
doing parameter idmap config *:range = 16777216-33554431
doing parameter winbind use default domain = yes
doing parameter kerberos method = secrets and keytab
doing parameter winbind refresh tickets ...


Revision history for this message
Gabriel Nagy (gabuscus) wrote :

Thanks for getting back. Noticing a couple of things about your pasted output:
- Did you run the first set of commands in a root session? This is necessary because the user needs to be able to read the `/var/run/adsys/krb5cc/$(hostname)` file. You can confirm this by trying to `cat` the file - it shouldn't give you a Permission denied error.

- The export command looks a bit wrong, we need `KRB5CCNAME=/var/run/adsys/krb5cc/$(hostname)` since `hostname` is a shell command. You can confirm that the variable is set correctly by running klist (provided by the krb5-user package). See an example below:

root@jammy-337515ec:~# export KRB5CCNAME=/var/run/adsys/krb5cc/jammy-337515ec
root@jammy-337515ec:~# klist
Ticket cache: FILE:/var/run/adsys/krb5cc/jammy-337515ec
Default principal: JAMMY-337515EC$@DOMAIN.COM

- You ran `smbclient` with sudo - unfortunately sudo does not preserve environment variables which is why the KRB5CCNAME value defaults to `FILE:/tmp/krb5cc_0` (as seen from the second command logs). This is why I suggested running everything as root. Or, pass the -E flag to sudo in order to preserve environment variables.

If there's no file at `/var/run/adsys/krb5cc/$(hostname)`, please run `adsysctl update -m` as root and it should be created (even if the command fails).

Thanks for your patience, and let me know how this goes

Revision history for this message
James Martin (jm76432) wrote :

root@LCXVDU22NPE4030:~# export KRB5CCNAME=/var/run/adsys/krb5cc/LCXVDU22NPE4030
adsysctl policy debug gpolist-script
chmod +x adsys-gpolist
./adsys-gpolist --objectclass computer ldap://N060ADKCDC109.domain.com LCXVDU22NPE4030
0000000000cEntCTX-Ubuntu-Edge smb://domain.com/SysVol/domain.com/Policies/{F7E97A8D-7DB1-4571-956A-005D1658DC35}
0000000000cEntCtx-Ubuntu-Test smb://domain.com/SysVol/domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}

root@LCXVDU22NPE4030:~# smbclient --option='log level=10' //N060ADKCDC109.domain.com/SYSVOL/ -k -c 'get domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}/GPT.INI /dev/fd/1' | cat
INFO: Current debug levels:
WARNING: The option -k|--kerberos is deprecated!
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter workgroup = domain
doing parameter security = ADS
doing parameter realm = domain.COM
doing parameter encrypt passwords = yes
lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
doing parameter idmap config *:range = 16777216-33554431
doing parameter winbind use default domain = yes
doing parameter kerberos method = secrets and keytab
doing parameter winbind refresh tickets = yes
doing parameter template shell = /bin/bash
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=10.34.204.247 bcast=10.34.207.255 netmask=255.255.252.0
Client started (version 4.15.13-Ubuntu).
Opening cache file at /run/samba/gencache.tdb
sitename_fetch: Returning sitename for realm 'domain.COM': "703-XX001"
internal_resolve_name: looking up N060ADKCDC109.domain.com#20 (sitename 703-XX001)
namecache_fetch: name N060ADKCDC109.domain.com#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 10.254.163.93 at port 445
convert_string_handle: E2BIG: convert_string(...


Revision history for this message
Gabriel Nagy (gabuscus) wrote :

Interesting - so we are able to get the list of GPOs, _and_ smbclient is able to print the contents of the GPT.INI file, but adsys still fails. At this point I'm out of ideas, I would suggest the following:

- upgrade the system to make sure you are running the latest available versions of adsys (0.9.2~22.04.2) and libsmbclient (2:4.15.13+dfsg-0ubuntu1.5) for your OS version
- confirm
- paste the output of running `sudo adsysctl update -m -vv` again

I noticed you're not the originator of the ticket and you haven't yet shared actual logs of running adsysctl - so this would be helpful in our investigation.

Thanks!

Revision history for this message
James Martin (jm76432) wrote :

regularuser@LCXVDU22NPE4030:~$ apt list --installed | grep adsys

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

adsys/jammy-updates,now 0.9.2~22.04.2 amd64 [installed]
regularuser@LCXVDU22NPE4030:~$ apt list --installed | grep libsmbclient

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libsmbclient/jammy-security,now 2:4.15.13+dfsg-0ubuntu1.5 amd64 [installed,automatic]

regularuser@LCXVDU22NPE4030:~$ sudo adsysctl update -m -vvv
INFO github.com/ubuntu/adsys/internal/config/config.go:78 Init() Using configuration file: /etc/adsys.yaml
DEBUG Connecting as [[4492:009622]]
DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:27 StreamServerInterceptor.func1() New request /service/UpdatePolicy
DEBUG github.com/ubuntu/adsys/internal/grpc/logconnections/logconnections.go:60 loggedServerStream.RecvMsg() Requesting with parameters: IsComputer: true, All: false, Target: LCXVDU22NPE4030, Krb5Cc:
DEBUG github.com/ubuntu/adsys/internal/ad/ad.go:571 (*AD).NormalizeTargetName() NormalizeTargetName for "LCXVDU22NPE4030", type "computer"
DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:111 Authorizer.IsAllowedFromContext() Check if grpc request peer is authorized
DEBUG github.com/ubuntu/adsys/internal/authorizer/authorizer.go:150 Authorizer.isAllowed() Authorized as being administrator
DEBUG github.com/ubuntu/adsys/internal/ad/ad.go:225 (*AD).GetPolicies() GetPolicies for "LCXVDU22NPE4030", type "computer"
DEBUG github.com/ubuntu/adsys/internal/ad/ad.go:293 (*AD).GetPolicies() Getting gpo list with arguments: "--objectclass computer ldap://n060adkhdc121.domain.com LCXVDU22NPE4030"
DEBUG github.com/ubuntu/adsys/internal/ad/ad.go:315 (*AD).GetPolicies() GPO "0000000000cEntCTX-Ubuntu-Edge" for "LCXVDU22NPE4030" available at "smb://domain.com/SysVol/domain.com/Policies/{F7E97A8D-7DB1-4571-956A-005D1658DC35}"
DEBUG github.com/ubuntu/adsys/internal/ad/ad.go:315 (*AD).GetPolicies() GPO "0000000000cEntCtx-Ubuntu-Test" for "LCXVDU22NPE4030" available at "smb://domain.com/SysVol/domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}"
DEBUG github.com/ubuntu/adsys/internal/ad/download.go:113 (*AD).fetch.func2() Analyzing "0000000000cEntCtx-Ubuntu-Test"
DEBUG github.com/ubuntu/adsys/internal/ad/download.go:113 (*AD).fetch.func2() Analyzing "0000000000cEntCTX-Ubuntu-Edge"
DEBUG github.com/ubuntu/adsys/internal/ad/download.go:113 (*AD).fetch.func2() Analyzing "assets"
INFO github.com/ubuntu/adsys/internal/ad/download.go:124 (*AD).fetch.func2() No assets directory with GPT.INI file found on AD, skipping assets download
ERRORgithub.com/ubuntu/adsys/cmd/adsysd/main.go:50 main.run() Error from server: error while updating policy: can't get policies for "LCXVDU22NPE4030": can't download all gpos and assets: one or more error while fetching GPOs and assets: can't download "0000000000cEntCtx-Ubuntu-Test": can't check if 0000000000cEntCtx-Ubuntu-Test needs refreshing: no GPT.INI file: cannot open smb://domain.com/SysVol/domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}/GPT.INI: invalid argument

Let me know if you want any addit...


Revision history for this message
Gabriel Nagy (gabuscus) wrote :

Hi,

I've prepared a version of adsys with debug logs enabled for libsmbclient, this way we can pinpoint exactly what causes the libsmbclient call inside adsys to fail.

You can install the package using the following commands:

sudo add-apt-repository ppa:gabuscus/adsys-smbclient-debug
sudo apt update
sudo apt install -y adsys

After this, please run adsys once, then dump the journalctl logs to a file and attach it here (remember to redact any sensitive information):

sudo adsysctl update -m -vv
sudo journalctl -u adsysd -S yesterday > adsys_log.txt

Hopefully this will get us closer to the root of the issue. Also, could you please tell me what Windows Server version you are running?

Thanks!

Revision history for this message
James Martin (jm76432) wrote (last edit ):

See attached. I think I see a problem in there with Kerberos and going through some settings as there are no files being generated here `/var/run/adsys/krb5cc/$(hostname)`

Domain controllers run WS2016

Revision history for this message
Gabriel Nagy (gabuscus) wrote :

Hey,

Unfortunately with Samba logs there's a lot of noise to filter out. I compared one of your runs with my (successful) run and I noticed something interesting.

We do a LDAP search to get the list of GPOs using the domain controller exposed by SSSD via D-Bus. For you the DC is autoselected as "n060adkhdc121". The list of GPOs is a list of URLs reported as "smb://domain.com/SysVol/domain.com/Policies..." which doesn't contain the DC name, only the domain name.

When we download the GPOs, libsmbclient will try to resolve a DC from the domain, in your case it appears there are a lot of DCs advertised (looking at the "Connecting to ... at port ..." prints). For some reason, the DC selected by libsmbclient is "N060ADKAZ103" instead of the DC reported by SSSD. Hence we end up with this error:

SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.

I've pushed another build to the PPA mentioned above, where the GPO URLs are rewritten to contain the hostname of the DC in addition to the domain which will bypass the autoselect/discovery logic of libsmbclient and reuse the server exposed by SSSD when downloading the GPO data. You can install the package using the same steps from my previous comment. Please let me know if it works for you.
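As an added illustration of the rewrite described in this comment (example code, not adsys's own implementation and not the PR or PPA build referenced here): the DC host that was already used for the LDAP GPO search is substituted for the bare domain in each smb:// GPO URL, so libsmbclient has no reason to discover a different DC. The function names, the gpolist line parser and the strict "host must be the DC's own domain" check are assumptions of this example; the sample lines are the two GPOs from the reporter's gpolist output.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// GPO pairs a policy name with its SYSVOL location, as printed by the
// gpolist script: "<name> smb://<host>/SysVol/<domain>/Policies/{GUID}".
type GPO struct {
	Name string
	URL  string
}

// sampleGPOList is constructed from the two lines the reporter's
// adsys-gpolist run printed (names and GUIDs as on the page).
var sampleGPOList = []string{
	"0000000000cEntCTX-Ubuntu-Edge smb://domain.com/SysVol/domain.com/Policies/{F7E97A8D-7DB1-4571-956A-005D1658DC35}",
	"0000000000cEntCtx-Ubuntu-Test smb://domain.com/SysVol/domain.com/Policies/{5B925A10-9572-4FB8-B9A0-DB2DFF9EF34B}",
}

// dcHostFromLDAPURL strips the scheme (and any port or path) from the LDAP
// URL adsys already uses for the GPO search and returns the lower-cased DC FQDN.
func dcHostFromLDAPURL(ldapURL string) (string, error) {
	const scheme = "ldap://"
	if !strings.HasPrefix(strings.ToLower(ldapURL), scheme) {
		return "", fmt.Errorf("not an ldap:// URL: %q", ldapURL)
	}
	host := ldapURL[len(scheme):]
	if i := strings.IndexAny(host, "/:"); i >= 0 {
		host = host[:i]
	}
	if host == "" {
		return "", errors.New("empty host in ldap URL")
	}
	return strings.ToLower(host), nil
}

// domainOf returns the part of an FQDN after its first label ("dc.domain.com" -> "domain.com").
func domainOf(fqdn string) string {
	if i := strings.Index(fqdn, "."); i > 0 {
		return fqdn[i+1:]
	}
	return ""
}

// rewriteGPOURL replaces the bare domain in an smb:// GPO URL with the DC FQDN
// so libsmbclient connects to that DC instead of auto-selecting one.
// The URL is handled as a plain string on purpose: net/url would
// percent-encode the braces around the GPO GUID when re-serialising the path.
func rewriteGPOURL(gpoURL, dcHost string) (string, error) {
	const scheme = "smb://"
	if !strings.HasPrefix(strings.ToLower(gpoURL), scheme) {
		return "", fmt.Errorf("not an smb:// URL: %q", gpoURL)
	}
	rest := gpoURL[len(scheme):]
	slash := strings.Index(rest, "/")
	if slash < 0 {
		return "", fmt.Errorf("no share path in %q", gpoURL)
	}
	host, path := strings.ToLower(rest[:slash]), rest[slash:]
	dcHost = strings.ToLower(dcHost)
	switch {
	case host == dcHost:
		return gpoURL, nil // already points at the DC; leave untouched
	case domainOf(dcHost) == host:
		return scheme + dcHost + path, nil // bare domain: substitute the DC FQDN
	default:
		// Refuse to redirect a share on an unrelated host to this DC.
		return "", fmt.Errorf("host %q is not the domain of DC %q", host, dcHost)
	}
}

// parseGPOLine splits one gpolist line into name and URL (the URL is the last field).
func parseGPOLine(line string) (GPO, error) {
	line = strings.TrimSpace(line)
	i := strings.LastIndexAny(line, " \t")
	if i < 0 {
		return GPO{}, fmt.Errorf("unexpected gpolist line: %q", line)
	}
	return GPO{Name: strings.TrimSpace(line[:i]), URL: line[i+1:]}, nil
}

// rewriteGPOList parses gpolist output and rewrites every URL to use the DC
// named in ldapURL; blank lines are skipped, any malformed line is an error.
func rewriteGPOList(lines []string, ldapURL string) ([]GPO, error) {
	dcHost, err := dcHostFromLDAPURL(ldapURL)
	if err != nil {
		return nil, err
	}
	var out []GPO
	for _, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		g, err := parseGPOLine(line)
		if err != nil {
			return nil, err
		}
		if g.URL, err = rewriteGPOURL(g.URL, dcHost); err != nil {
			return nil, err
		}
		out = append(out, g)
	}
	return out, nil
}

func main() {
	gpos, err := rewriteGPOList(sampleGPOList, "ldap://n060adkhdc121.domain.com")
	if err != nil {
		panic(err)
	}
	for _, g := range gpos {
		fmt.Printf("%s -> %s\n", g.Name, g.URL)
	}
}
```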

Revision history for this message
James Martin (jm76432) wrote :

I think we are getting closer.

Revision history for this message
Gabriel Nagy (gabuscus) wrote :

This looks alright to me, GPOs are fetched and applied. Are you experiencing any other issues? If not I'll move forward with the fix from the PPA.

Changed in adsys (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
assignee: nobody → Gabriel Nagy (gabuscus)
Revision history for this message
James Martin (jm76432) wrote :

I think you can move forward with the fix!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package adsys - 0.13.2

---------------
adsys (0.13.2) noble; urgency=medium

  [ Denison Barbosa ]
  [ Didier Roche ]
  [ Gabriel Nagy ]
  [ Jean-Baptiste Lallement ]
  * Ensure GPO URLs contain the FQDN of the domain controller (LP: #2024377)
  * Add runtime dependency on nfs-common (LP: #2044112)
  * Documentation changes:
    - Switch to Read the Docs for project documentation
    - Generate documentation from policy definitions
    - Fix installation path of adwatchd
  * CI and quality of life changes not impacting package functionality:
    - Bump go version to 1.21.4
    - Fix docker stop behavior on integration tests
    - Add e2e tests provisioning workflow
    - Reduce the amount of workflows to be run
    - Remove scopes from dependabot config
  * Update dependencies to latest:
    - github.com/charmbracelet/lipgloss
    - github.com/fatih/color
    - github.com/fsnotify/fsnotify
    - github.com/golangci/golangci-lint
    - github.com/google/uuid
    - github.com/maruel/natural
    - github.com/pkg/sftp
    - github.com/spf13/cobra
    - github.com/spf13/viper
    - golang.org/x/crypto
    - golang.org/x/net
    - golang.org/x/sync
    - golang.org/x/sys
    - golang.org/x/text
    - google.golang.org/grpc

 -- Gabriel Nagy <email address hidden> Tue, 21 Nov 2023 12:53:10 +0200

Changed in adsys (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
James Martin (jmarti4203) wrote :

Is this going to also be fixed in Jammy Jellyfish where it was actually
reported? It does no good to fix in Noble when I'm bound to 22.04

On Wed, Nov 22, 2023, 7:15 PM Launchpad Bug Tracker <
<email address hidden>> wrote:


Revision history for this message
Jean-Baptiste Lallement (jibel) wrote :

Yes, it is going to be fixed. We are currently in the process of backporting 0.13.2 with the latest fixes and features from noble to 22.04.

Sorry for the time it is taking.

Revision history for this message
Tony Galyan (tonygalyan) wrote :

Hi all, is there any update on the fix being backported to 22.04? I'm also having this issue and am locked into 22.04.

Thanks!

Revision history for this message
James Martin (jmarti4203) wrote :

Do we have any updates on this being backported?

Revision history for this message
bhstechadminat (bhstechadminat) wrote :

Do we have any updates on the backporting timeline to 22.04?

Thanks!

Revision history for this message
Eric Reiss (ereiss-athena) wrote :

All, I am also interested in this. I have the same problems. The sssd install worked and Active Directory user login to Ubuntu 22.04.06 LTS worked fine. But then adsys broke it and I had to disable it with pam-auth-update. We would like to be able to use the extended GPOs from adsys. Wondering when it might be released.

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

SRU information missing from the description
