adsysctl update with a domain user fails if KRB5CCNAME is not set

Bug #2049061 reported by Fabio Augusto Miranda Martins
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
adsys (Ubuntu) | Fix Released | Critical | Gabriel Nagy |
Jammy | Fix Committed | Undecided | Unassigned |
Mantic | Fix Committed | Undecided | Unassigned |

Bug Description

This bug is not being verified individually because of the use of the SRU exception process (LP: #2059756)

-----

In an environment where /etc/krb5.conf sets "default_ccache_name = FILE:/tmp/krb5cc_%{uid}" and you don't have the KRB5CCNAME variable set, running "adsysctl update" with an AD domain user will fail.

If you either export the variable with the path to the Kerberos ticket OR run the command "adsysctl update <user@domain> <path_to_kerberos_ticket>", it works.

The adsysctl command should fall back to the default location when KRB5CCNAME is not defined, or have a mechanism to query klist and find the Kerberos ticket's location.

Given that adsys can't find Kerberos tickets when `klist` does, it seems like a feature parity issue, granted, an edge case.

Here is an example of a reproducer:

https://pastebin.ubuntu.com/p/FjyTWQChjM/

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: adsys 0.9.2~22.04.2
ProcVersionSignature: Ubuntu 6.2.0-1014.14~22.04.1-aws 6.2.16
Uname: Linux 6.2.0-1014-aws x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: aws
CloudName: aws
CloudPlatform: ec2
CloudRegion: us-west-2
CloudSubPlatform: metadata (http://169.254.169.254)
CurrentDesktop: ubuntu:GNOME
Date: Thu Jan 11 11:39:06 2024
Ec2AMI: ami-00094f7041bb1b79d
Ec2AMIManifest: (unknown)
Ec2Architecture: x86_64
Ec2AvailabilityZone: us-west-2b
Ec2Imageid: ami-00094f7041bb1b79d
Ec2InstanceType: t3.large
Ec2Instancetype: t3.large
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
Ec2Region: us-west-2
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.utf8
 SHELL=/bin/bash
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions:
 sssd 2.6.3-1ubuntu3.2
 python3-samba 2:4.15.13+dfsg-0ubuntu1.5
SourcePackage: adsys
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.polkit-1.localauthority.conf.d.99-adsys-privilege-enforcement.conf: [deleted]
modified.conffile..etc.sudoers.d.99-adsys-privilege-enforcement: [deleted]

Fabio Augusto Miranda Martins (fabio.martins) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in adsys (Ubuntu):
status: New → Confirmed
Changed in adsys (Ubuntu):
importance: Undecided → Critical
status: Confirmed → Triaged
assignee: nobody → Gabriel Nagy (gabuscus)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package adsys - 0.14.1

---------------
adsys (0.14.1) noble; urgency=medium

  * Pin Go toolchain to 1.22.1 to fix the following security vulnerabilities:
    - GO-2024-2598
    - GO-2024-2599
  * Update apport hook to include journal errors and package logs
  * CI and quality of life changes not impacting package functionality:
    - Enable end-to-end tests in GitHub Actions
    - Remove stale AD resources on test finish
    - Add developer documentation for running end-to-end tests
    - Collect and upload end-to-end test logs on failure
    - Report test coverage in Cobertura XML format
    - Silence gosec warnings using nolint and remove deprecated ifshort linter
    - Use an environment variable to update golden files
    - Bump github actions to latest:
      - azure/login
      - softprops/action-gh-release
  * Update dependencies to latest:
    - github.com/charmbracelet/lipgloss
    - github.com/golangci/golangci-lint
    - github.com/golang/protobuf
    - github.com/stretchr/testify
    - golang.org/x/crypto
    - golang.org/x/net
    - google.golang.org/grpc
    - google.golang.org/protobuf

adsys (0.14.0) noble; urgency=medium

  * Infer user KRB5CCNAME path via the libkrb5 API (LP: #2049061)
    - This functionality is opt-in and activated if the detect_cached_ticket
      setting is set to true
    - If the AD backend (e.g. sssd) doesn't export the KRB5CCNAME variable, adsys
      will now determine the path to the default ticket cache and use it during
      authentication (when adsys is executed through the PAM module) and runs of
      adsysctl update for the current user.
  * Allow sssd backend to work without ad_domain being set (LP: #2054445)
  * Upgrade to Go 1.22
  * CI and quality of life changes not impacting package functionality:
    - Pass token explicitly to Codecov action
    - Fix require outside of main goroutine
    - Mark function arguments as unused where applicable
      Thanks to Edu Gómez Escandell
    - End to end test VM template creation updates
    - Bump github actions to latest:
      - codecov/codecov-action
      - peter-evans/create-pull-request
  * Update dependencies to latest:
    - github.com/charmbracelet/bubbles
    - github.com/golangci/golangci-lint
    - golang.org/x/crypto
    - golang.org/x/net
    - google.golang.org/grpc

 -- Gabriel Nagy <email address hidden> Thu, 21 Mar 2024 12:27:01 +0200

Changed in adsys (Ubuntu):
status: Triaged → Fix Released
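
The fallback order the report asks for, as an added example that is not adsys code (per the changelog above, adsys infers the path through the libkrb5 API): an explicit KRB5CCNAME wins, otherwise default_ccache_name is read from [libdefaults] and expanded. The function names are hypothetical, only the %{uid} and %{username} tokens are handled, the compiled-in default is assumed to be the usual MIT krb5 value, and the ownership check on the predictable /tmp path is an added precaution the page does not describe.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"syscall"
)

// ccacheTemplate returns default_ccache_name from [libdefaults] in a krb5.conf body.
func ccacheTemplate(conf string) string {
	section := ""
	for _, line := range strings.Split(conf, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") {
			section = strings.Trim(line, "[]")
		}
		k, v, ok := strings.Cut(line, "=")
		if ok && section == "libdefaults" && strings.TrimSpace(k) == "default_ccache_name" {
			return strings.TrimSpace(v)
		}
	}
	return "FILE:/tmp/krb5cc_%{uid}" // assumed: MIT krb5's usual compiled-in default
}

// resolveCCache: an explicit KRB5CCNAME wins; otherwise expand the template.
func resolveCCache(env, conf string, uid int, user string) string {
	if env != "" {
		return env
	}
	r := strings.NewReplacer("%{uid}", fmt.Sprint(uid), "%{username}", user)
	return r.Replace(ccacheTemplate(conf))
}

// ownedFileCache reports whether a FILE: cache is a regular file owned by uid;
// Lstat rejects a symlink planted at the predictable /tmp path.
func ownedFileCache(name string, uid int) bool {
	fi, err := os.Lstat(strings.TrimPrefix(name, "FILE:"))
	if err != nil || !fi.Mode().IsRegular() || !strings.HasPrefix(name, "FILE:") {
		return false
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	return ok && int(st.Uid) == uid
}

func main() {
	conf := "[libdefaults]\ndefault_ccache_name = FILE:/tmp/krb5cc_%{uid}\n" // constructed sample
	name := resolveCCache(os.Getenv("KRB5CCNAME"), conf, os.Getuid(), os.Getenv("USER"))
	fmt.Println(name, "usable:", ownedFileCache(name, os.Getuid()))
}
```
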
Timo Aaltonen (tjaalton) wrote :

SRU information missing from the description

Jean-Baptiste Lallement (jibel) wrote :

Hi Timo,

We plan to do a release of ADSys from 24.04 to 22.04 which contains much more than this bug and we'll cover the testing of the entirety of the package.
Master SRU bug https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2059756
We'll send the exception request in the coming days.

Gabriel Nagy (gabuscus)
description: updated
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Fabio, or anyone else affected,

Accepted adsys into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/adsys/0.14.1~22.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in adsys (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
Gabriel Nagy (gabuscus)
tags: added: verification-done verification-done-jammy
removed: verification-needed verification-needed-jammy
Andreas Hasenack (ahasenack) wrote :

Hello Fabio, or anyone else affected,

Accepted adsys into mantic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/adsys/0.14.1~23.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-mantic to verification-done-mantic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-mantic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in adsys (Ubuntu Mantic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-mantic
removed: verification-done
Gabriel Nagy (gabuscus)
tags: added: verification-done verification-done-mantic
removed: verification-needed verification-needed-mantic