Regression in sssd backend configuration
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
adsys (Ubuntu) | Fix Released | Undecided | Unassigned | |
Jammy | Fix Released | Undecided | Unassigned | |
Mantic | Won't Fix | Undecided | Unassigned | |
Bug Description
This bug is not being verified individually because of the use of the SRU exception process (LP: #2059756)
-----
This is a regression from when we added support for multiple AD backends (see https:/
Previously adsys would use the first domain from `sssd.conf` and potentially override it if `ad_domain` is explicitly set for the domain, see: https:/
The current implementation raises an error if we are not able to find an `ad_domain` setting in the domain section, even if we already have a domain (`sssdDomain`): https:/
Ideally we should set `domain` to `sssdDomain` if we cannot find a value for `ad_domain`, which will mimic the behavior previous to the refactor.
While by default joining a domain with `realm join` will set the appropriate configuration values in `sssd.conf` so this doesn't happen, this is a regression we should aim to fix.
### Steps to reproduce it
1. Join an AD domain with sssd (e.g. using `realm join`)
2. Install the latest version of adsys, run `adsysctl update -m -vv`, everything should work
3. Comment out the `ad_domain` line from `/etc/sssd/
4. `adsysctl update -m -vv` now fails, and the adsysd service does not start anymore
5. (Optional) To confirm the functionality prior to the regression, re-attempt the steps above on Ubuntu 22.04 using the adsys version currently in the archive (0.9.2) -- adsys is able to correctly determine the domain even without the `ad_domain` setting.
GitHub issue: https:/
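The fallback proposed in the description, as an added example (not adsys's own code): take the first domain listed in `sssd.conf` as `sssdDomain`, use `ad_domain` when the domain section sets it, and otherwise fall back to `sssdDomain` instead of returning an error. The helper names `parseINI` and `resolveDomain` and the sample configuration are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"errors"
	"strings"
)

// parseINI reads sssd.conf-style text into section -> key -> value; '#' and ';' lines are comments.
func parseINI(conf string) map[string]map[string]string {
	out, section := map[string]map[string]string{}, ""
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
			// blank or commented-out line (e.g. "# ad_domain = ..."): ignored
		case line[0] == '[' && line[len(line)-1] == ']':
			section = line[1 : len(line)-1]
			out[section] = map[string]string{}
		default:
			if k, v, ok := strings.Cut(line, "="); ok && section != "" {
				out[section][strings.TrimSpace(k)] = strings.TrimSpace(v)
			}
		}
	}
	return out
}

// resolveDomain returns the sssd domain (first entry of "domains") and the AD
// domain: ad_domain when set, otherwise the sssd domain name itself.
func resolveDomain(conf string) (sssdDomain, adDomain string, err error) {
	cfg := parseINI(conf)
	sssdDomain = strings.TrimSpace(strings.Split(cfg["sssd"]["domains"], ",")[0])
	if sssdDomain == "" {
		return "", "", errors.New("no domain listed in [sssd] domains")
	}
	adDomain = cfg["domain/"+sssdDomain]["ad_domain"]
	if adDomain == "" {
		adDomain = sssdDomain // fallback from the report, instead of an error
	}
	return sssdDomain, adDomain, nil
}

func main() {
	// Constructed sample: ad_domain commented out, as in step 3 of the report.
	conf := "[sssd]\ndomains = example.com\n\n[domain/example.com]\n# ad_domain = example.com\nid_provider = ad\n"
	fmt.Println(resolveDomain(conf))
}
```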
tags: added: verification-done verification-done-jammy; removed: verification-needed verification-needed-jammy
tags: added: verification-done verification-done-mantic; removed: verification-needed verification-needed-mantic
This bug was fixed in the package adsys - 0.14.1
---------------
adsys (0.14.1) noble; urgency=medium
* Pin Go toolchain to 1.22.1 to fix the following security vulnerabilities:
  - GO-2024-2598
  - GO-2024-2599
* Update apport hook to include journal errors and package logs
* CI and quality of life changes not impacting package functionality:
  - Enable end-to-end tests in GitHub Actions
  - Remove stale AD resources on test finish
  - Add developer documentation for running end-to-end tests
  - Collect and upload end-to-end test logs on failure
  - Report test coverage in Cobertura XML format
  - Silence gosec warnings using nolint and remove deprecated ifshort linter
  - Use an environment variable to update golden files
  - Bump github actions to latest:
    - azure/login
    - softprops/action-gh-release
* Update dependencies to latest:
  - github.com/charmbracelet/lipgloss
  - github.com/golangci/golangci-lint
  - github.com/golang/protobuf
  - github.com/stretchr/testify
  - golang.org/x/crypto
  - golang.org/x/net
  - google.golang.org/grpc
  - google.golang.org/protobuf
adsys (0.14.0) noble; urgency=medium
* Infer user KRB5CCNAME path via the libkrb5 API (LP: #2049061)
  - This functionality is opt-in and activated if the detect_cached_ticket
    setting is set to true
  - If the AD backend (e.g. sssd) doesn't export the KRB5CCNAME variable, adsys
    will now determine the path to the default ticket cache and use it during
    authentication (when adsys is executed through the PAM module) and runs of
    adsysctl update for the current user.
* Allow sssd backend to work without ad_domain being set (LP: #2054445)
* Upgrade to Go 1.22
* CI and quality of life changes not impacting package functionality:
  - Pass token explicitly to Codecov action
  - Fix require outside of main goroutine
  - Mark function arguments as unused where applicable
    Thanks to Edu Gómez Escandell
  - End to end test VM template creation updates
  - Bump github actions to latest:
    - codecov/codecov-action
    - peter-evans/create-pull-request
* Update dependencies to latest:
  - github.com/charmbracelet/bubbles
  - github.com/golangci/golangci-lint
  - golang.org/x/crypto
  - golang.org/x/net
  - google.golang.org/grpc
-- Gabriel Nagy <email address hidden> Thu, 21 Mar 2024 12:27:01 +0200