Problems with AD nested groups
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Fix Released
|
Medium
|
David Wilde | ||
| Ubuntu Cloud Archive |
New
|
Undecided
|
Unassigned | ||
| Antelope |
New
|
Undecided
|
Unassigned | ||
| Bobcat |
New
|
Undecided
|
Unassigned | ||
| Caracal |
In Progress
|
Undecided
|
Unassigned | ||
| Dalmatian |
In Progress
|
Undecided
|
Unassigned | ||
| Epoxy |
In Progress
|
Undecided
|
Unassigned | ||
| keystone (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Focal |
New
|
Undecided
|
Unassigned | ||
| Jammy |
New
|
Undecided
|
Unassigned | ||
| Noble |
Fix Committed
|
Undecided
|
Jorge Merlino | ||
| Plucky |
Won't Fix
|
Undecided
|
Jorge Merlino | ||
Bug Description
[Impact]
There are some issues with the implementation of AD nested groups from LP #1638603
It works fine when listing the groups a user belongs to, but fails when listing all members of a group. This function of listing all members is also used to check if a user belongs to a group which also fails.
[Test Plan]
Test plan consists of setting up two VMs (Windows AD Domain Controller and Ubuntu server) on a KVM host. We need a functional keystone installation on the ubuntu server and we will use regress-stack for that. The ubuntu server version and installed packages have to be adjusted to test each affected keystone version.
The low level procedure is as follows:
1. Install virt-manager on your host
sudo apt update && sudo apt install virt-manager virt-viewer qemu-kvm libvirt-
2. Download Windows Server 2022 iso image: https:/
3. Start the Windows VM:
virt-install --name winserver \
--virt-type kvm --memory 4096 --vcpus 4 \
--disk size=60 \
--cdrom /path/to/
--network network:default \
--osinfo detect=
--noautoconsole \
--graphics spice
4. Use either the virt-manager or the remote-viewer to connect to the VMs console. The following is a sample command for the remote-viewer. You can get the VMs spice port by running:
virsh dumpxml winserver | grep graphics
Connect to VMs graphical interface (change port if needed)
remote-viewer spice:/
5. Follow the installation in the VM. I picked the Windows Server 2022 Standard Evaluation, then Custom Install. During the installation the VM will shutdown so you will need to start it with:
virsh start winserver
Installation completes with the SConfig menu with multiple options. Use the menu items to configure the computer name, IP address, default gateway, and time/timezone. Remember the Administrator user password.
6. Install the spice-guest-tools to enable copy/paste between the Windows guest and host
Invoke-WebRequest -Uri https:/
.\sgtl.exe
An then reboot the server (run SConfig and then option 13)
7. Install and configure the Domain Controller
Install-
Install-ADDSForest `
-DomainName "test.local" `
-InstallDns `
-DomainMode WinThreshold `
-ForestMode WinThreshold `
-SafeModeAdmi
-NoRebootOnCo
-Force
VM will restart to apply changes
8. Verification
Get-WindowsFeature -Name AD-Domain-Services
nslookup test.local
9. Add groups for testing
New-ADOrganizat
-Name "groups" `
-Path "DC=test,DC=local"
New-ADGroup `
-Name "GroupA" `
-SamAccountName GroupA `
-GroupCategory Security `
-GroupScope Global `
-Path "OU=Groups,
-Description "Group A"
New-ADGroup `
-Name "GroupB" `
-SamAccountName GroupB `
-GroupCategory Security `
-GroupScope Global `
-Path "OU=Groups,
-Description "Group B"
10. Add users for testing
New-ADUser `
-SamAccountName "user1" `
-UserPrincipa
-Name "User1" `
-GivenName "User" `
-Surname "One" `
-Enabled $true `
-AccountPassword (ConvertTo-
-ChangePasswo
-Path "CN=Users,
New-ADUser `
-SamAccountName "user2" `
-UserPrincipa
-Name "User2" `
-GivenName "User" `
-Surname "Two" `
-Enabled $true `
-AccountPassword (ConvertTo-
-ChangePasswo
-Path "CN=Users,
11. Add users to groups, and nest groups
Add-ADGroupMember `
-Identity GroupA `
-Members user1, GroupB
Add-ADGroupMember `
-Identity GroupB `
-Members user2
12. Verify
Get-ADUser -Identity "user1"
Get-ADUser -Identity "user2"
Get-ADGroup -Identity "groupA"
Get-ADGroup -Identity "groupB"
13. Download the appropriate ubuntu server version from https:/
14. Configure Ubuntu VM:
virt-install --name ubuntu \
--virt-type kvm --memory 4096 --vcpus 4 \
--disk size=50 \
--cdrom /path/to/
--network network:default \
--osinfo ubuntu<version>
Use default values and enable the SSH server.
Login via ssh to the server after installation.
15. Install packages and regress-stack
If testing UCA packages that repo should be enabled first:
sudo add-apt-repository cloud-archive:
sudo snap install openstackclients
git clone https:/
cd regress-stack
sudo snap install astral-uv --classic
uvx pre-commit install
sudo apt install -y dpkg-dev python3-dev python-apt-dev python3-
uv sync
sudo uv run regress-stack setup
sudo cp /root/auth.rc ~
sudo chown $(id -u):$(id -g) ~/auth.rc
sudo crudini --set /etc/keystone/
16. Create file keystone.
[ldap]
url = ldap://
user = CN=Administrato
password = <windows_
suffix = DC=test,DC=local
user_allow_create = False
user_allow_update = False
user_allow_delete = False
group_allow_create = False
group_allow_update = False
group_allow_delete = False
query_scope = sub
user_tree_dn = CN=Users,
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_enabled_
user_enabled_invert = False
user_enabled_mask = 2
user_enabled_
group_tree_dn = OU=groups,
group_objectclass = group
group_id_attribute = cn
group_name_
group_member_
group_members_
group_ad_nesting = True
[identity]
driver = ldap
17. Finish configuration
openstack domain create windows.lan
sudo systemctl restart apache2
18. Test before patch:
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupA user1
user1 not in group groupA
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupA user2
user2 not in group groupA
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupB user1
user1 in group groupB
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupB user2
user2 not in group groupB
19. Apply patch and retest:
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupA user1
user1 in group groupA
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupA user2
user2 in group groupA
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupB user1
user1 not in group groupB
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupB user2
user2 in group groupB
[Where problems could occur]
Applications relying on the previous erroneous behavior could experience errors as the users permissions might change reflecting the actual user assigned groups.
Moreover, the nested groups being functional now could add new permissions to users as they are considered to belong to the parent groups. This can be disabled by setting group_ad_nesting to false in the keystone-ldap charm config.
[Other Info]
Packages in Questing and Resolute already have the patch. Same for flamingo in UCA
| description: | updated |
| description: | updated |
| David Wilde (dave-wilde) wrote | #1 |
| Changed in keystone: | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| assignee: | nobody → David Wilde (dave-wilde) |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to keystone (master) | #2 |
| Changed in keystone: | |
| status: | Triaged → In Progress |
| OpenStack Infra (hudson-openstack) wrote Fix merged to keystone (master) | #3 |
| Changed in keystone: | |
| status: | In Progress → Fix Released |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to keystone (stable/2025.1) | #4 |
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/keystone 28.0.0.0rc1 | #5 |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to keystone (stable/2024.2) | #6 |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to keystone (stable/2024.1) | #7 |
| OpenStack Infra (hudson-openstack) wrote Change abandoned on keystone (stable/2024.1) | #8 |
| OpenStack Infra (hudson-openstack) wrote Fix merged to keystone (stable/2025.1) | #9 |
| description: | updated |
| description: | updated |
| Jorge Merlino (jorge-merlino) wrote | #10 |
| Jorge Merlino (jorge-merlino) wrote | #11 |
| Jorge Merlino (jorge-merlino) wrote | #12 |
| Jorge Merlino (jorge-merlino) wrote | #13 |
| Jorge Merlino (jorge-merlino) wrote | #14 |
| Jorge Merlino (jorge-merlino) wrote | #15 |
| Jorge Merlino (jorge-merlino) wrote | #16 |
| Changed in keystone (Ubuntu): | |
| milestone: | none → plucky-updates |
| milestone: | plucky-updates → none |
| Changed in keystone (Ubuntu Resolute): | |
| status: | New → In Progress |
| Changed in keystone (Ubuntu Questing): | |
| status: | New → In Progress |
| Changed in keystone (Ubuntu Plucky): | |
| status: | New → In Progress |
| no longer affects: | keystone (Ubuntu Questing) |
| no longer affects: | keystone (Ubuntu Resolute) |
| Changed in keystone (Ubuntu Noble): | |
| status: | New → In Progress |
| Changed in keystone (Ubuntu Plucky): | |
| assignee: | nobody → Jorge Merlino (jorge-merlino) |
| Changed in keystone (Ubuntu Noble): | |
| assignee: | nobody → Jorge Merlino (jorge-merlino) |
| Changed in keystone (Ubuntu Plucky): | |
| status: | In Progress → Won't Fix |
| Dariusz Gadomski (dgadomski) wrote | #17 |
| Timo Aaltonen (tjaalton) wrote | #18 |
| Changed in keystone (Ubuntu): | |
| status: | In Progress → Fix Released |
| Changed in keystone (Ubuntu Noble): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed verification-needed-noble |
| Timo Aaltonen (tjaalton) wrote Please test proposed package | #19 |
We're going to be working with AD and LDAP and will attempt to reproduce this bug at that point. Should we find an issue we will dedicate engineering time to fix it.
/Dave