Regression in sssd backend configuration

Bug #2054445 reported by Gabriel Nagy
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| adsys (Ubuntu) | Fix Released | Undecided | Unassigned | |

Bug Description

This is a regression from when we added support for multiple AD backends (see https://github.com/ubuntu/adsys/pull/467)

Previously adsys would use the first domain from `sssd.conf` and potentially override it if `ad_domain` is explicitly set for the domain, see: https://github.com/ubuntu/adsys/blob/32a830f2a8204cc8b896094bad512ed619fbf6b7/internal/adsysservice/adsysservice.go#L279-L280

The current implementation raises an error if we are not able to find an `ad_domain` setting in the domain section, even if we already have a domain (`sssdDomain`): https://github.com/ubuntu/adsys/blob/c68d2cc999d25b1cb408a9e31775a76d2af4c8c7/internal/ad/backends/sss/sss.go#L62-L65

Ideally we should set `domain` to `sssdDomain` if we cannot find a value for `ad_domain`, which will mimic the behavior previous to the refactor.

While by default joining a domain with `realm join` will set the appropriate configuration values in `sssd.conf` so this doesn't happen, this is a regression we should aim to fix.

### Steps to reproduce it

1. Join an AD domain with sssd (e.g. using `realm join`)
2. Install the latest version of adsys, run `adsysctl update -m -vv`, everything should work
3. Comment out the `ad_domain` line from `/etc/sssd/sssd.conf`
4. `adsysctl update -m -vv` now fails, and the adsysd service does not start anymore
5. (Optional) To confirm the functionality prior to the regression, re-attempt the steps above on Ubuntu 22.04 using the adsys version currently in the archive (0.9.2) -- adsys is able to correctly determine the domain even without the `ad_domain` setting.

GitHub issue: https://github.com/ubuntu/adsys/issues/910
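The fallback proposed in the description, as an added Go sketch that is not adsys's own code: it reads the first entry of `domains` in `[sssd]`, prefers `ad_domain` from the matching `[domain/...]` section, and falls back to the sssd domain name instead of returning an error. The function name `resolveADDomain`, the minimal INI parsing and the sample configuration are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// resolveADDomain is a hypothetical helper, not adsys code. It returns the first
// sssd domain and the AD domain: ad_domain if set, else the sssd domain name.
func resolveADDomain(conf string) (sssdDomain, adDomain string, err error) {
	values := map[string]string{} // "section\x00key" -> value
	section := ""
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
			continue // blank line or commented-out setting
		case line[0] == '[' && strings.HasSuffix(line, "]"):
			section = strings.TrimSpace(line[1 : len(line)-1])
		default:
			if k, v, ok := strings.Cut(line, "="); ok {
				values[section+"\x00"+strings.TrimSpace(k)] = strings.TrimSpace(v)
			}
		}
	}
	first, _, _ := strings.Cut(values["sssd\x00domains"], ",")
	if sssdDomain = strings.TrimSpace(first); sssdDomain == "" {
		return "", "", errors.New("no domains listed in [sssd] section")
	}
	adDomain = values["domain/"+sssdDomain+"\x00ad_domain"]
	if adDomain == "" {
		adDomain = sssdDomain // fallback proposed in the report
	}
	return sssdDomain, adDomain, nil
}

// Constructed sample sssd.conf with the ad_domain line commented out.
const sampleConf = `[sssd]
domains = example.com, other.test
[domain/example.com]
id_provider = ad
# ad_domain = ad.example.com
`

func main() {
	fmt.Println(resolveADDomain(sampleConf))
}
```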

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package adsys - 0.14.1

---------------
adsys (0.14.1) noble; urgency=medium

  * Pin Go toolchain to 1.22.1 to fix the following security vulnerabilities:
    - GO-2024-2598
    - GO-2024-2599
  * Update apport hook to include journal errors and package logs
  * CI and quality of life changes not impacting package functionality:
    - Enable end-to-end tests in GitHub Actions
    - Remove stale AD resources on test finish
    - Add developer documentation for running end-to-end tests
    - Collect and upload end-to-end test logs on failure
    - Report test coverage in Cobertura XML format
    - Silence gosec warnings using nolint and remove deprecated ifshort linter
    - Use an environment variable to update golden files
    - Bump github actions to latest:
      - azure/login
      - softprops/action-gh-release
  * Update dependencies to latest:
    - github.com/charmbracelet/lipgloss
    - github.com/golangci/golangci-lint
    - github.com/golang/protobuf
    - github.com/stretchr/testify
    - golang.org/x/crypto
    - golang.org/x/net
    - google.golang.org/grpc
    - google.golang.org/protobuf

adsys (0.14.0) noble; urgency=medium

  * Infer user KRB5CCNAME path via the libkrb5 API (LP: #2049061)
    - This functionality is opt-in and activated if the detect_cached_ticket
      setting is set to true
    - If the AD backend (e.g. sssd) doesn't export the KRB5CCNAME variable, adsys
      will now determine the path to the default ticket cache and use it during
      authentication (when adsys is executed through the PAM module) and runs of
      adsysctl update for the current user.
  * Allow sssd backend to work without ad_domain being set (LP: #2054445)
  * Upgrade to Go 1.22
  * CI and quality of life changes not impacting package functionality:
    - Pass token explicitly to Codecov action
    - Fix require outside of main goroutine
    - Mark function arguments as unused where applicable
      Thanks to Edu Gómez Escandell
    - End to end test VM template creation updates
    - Bump github actions to latest:
      - codecov/codecov-action
      - peter-evans/create-pull-request
  * Update dependencies to latest:
    - github.com/charmbracelet/bubbles
    - github.com/golangci/golangci-lint
    - golang.org/x/crypto
    - golang.org/x/net
    - google.golang.org/grpc

 -- Gabriel Nagy <email address hidden> Thu, 21 Mar 2024 12:27:01 +0200

Changed in adsys (Ubuntu):
status: Fix Committed → Fix Released
Timo Aaltonen (tjaalton) wrote :

SRU information missing from the description
