Ubuntu
adsys package

Discovery of KRB5 ticket fails even if ticket is discoverable

Bug #2078473 reported by Denison Barbosa
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
adsys (Ubuntu)
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Unassigned
Noble
Fix Released
Undecided
Unassigned

Bug Description

tracking bug https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2078245

[ Impact ]

Even if the krb5 ticket is discoverable, the discovery fails (but actually succeeded) So we cannot retrieve the policies or do any action with the controller.

[ Test Plan ]

This is not something that can be easily reproduced in a real environment, so the best approach to reproduce this issue is:

1. Get adsys codebase before the fix. You can do this by getting the available version in the archive with the command:
  apt source adsys
2. Run the TestTicketPath test located in internal/ad/krb5_test.go as many times as needed to get the failure. To run the test, open a terminal and, inside the mentioned directory, runs the test X times with the command:
  go test -run TestTicketPatch -count X
3. The test can fail due to krb5_init_context changing the errno without returning any error.

Without the patched version the test will fail after a number of runs.
With the patch, it will not fail.

[ Where problems could occur ]

We now reset errno to 0, because krb5_init_context() can alter it, even if it succeeds. So the discovery always returns success when it succeeds.

Worst case would be that discovery failed but errno is set to 0 but this is handled earlier in the code.

See original description
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package adsys - 0.15.1

---------------
adsys (0.15.1) oracular; urgency=medium

  * Fix version based tests on released version

adsys (0.15) oracular; urgency=medium

  * Fix DCONF policy manager removing user DB on empty policy (LP: #2078245)
  * Ignore casing in domain/ section of sssd.conf (LP: #2078246)
  * Fix parsing of slash usernames (i.e. domain\user) (LP: #2078247)
  * Fix errno in get_ticket_path(LP: #2078473)
  * Remove XML declaration from glib schemas
  * Bump Go version to 1.23
  * CI and quality of life changes not impacting package functionality:
    - Integrate repo with TiCS quality assessment
    - Switch documentation spellchecking to en-GB
    - Add text version of certificates tutorial
    - Additional code coverage through more testing
    - Improvements to the e2e test environment
  * Bump dependencies to latest:
    - jidicula/clang-format-action
    - github.com/charmbracelet/bubbles
    - github.com/charmbracelet/bubbletea
    - github.com/charmbracelet/glamour
    - github.com/charmbracelet/lipgloss
    - github.com/fatih/color
    - github.com/leonelquinteros/gotext
    - github.com/spf13/cobra
    - github.com/spf13/viper
    - golang.org/x/crypto
    - golang.org/x/net
    - golang.org/x/sync
    - golang.org/x/sys
    - golang.org/x/text
    - google.golang.org/grpc/cmd/protoc-gen-go-grpc
    - google.golang.org/grpc
    - google.golang.org/protobuf
    - github.com/golangci/golangci-lint

 -- Didier Roche-Tolomelli <email address hidden> Mon, 02 Sep 2024 14:05:22 +0200

Changed in adsys (Ubuntu):
status: New → Fix Released
Jean-Baptiste Lallement (jibel)
description: updated
Jean-Baptiste Lallement (jibel)
description: updated
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

the test plan is missing?

Denison Barbosa (justdenis)
description: updated
Denison Barbosa (justdenis)
description: updated
Jean-Baptiste Lallement (jibel)
description: updated
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Denison, or anyone else affected,

Accepted adsys into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/adsys/0.14.2~24.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in adsys (Ubuntu Noble):
status: New → Fix Committed
tags: added: verification-needed verification-needed-noble
Changed in adsys (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed-jammy
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Denison, or anyone else affected,

Accepted adsys into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/adsys/0.14.2~22.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Denison Barbosa (justdenis)
tags: added: verification-done verification-done-jammy verification-done-noble
removed: verification-needed verification-needed-jammy verification-needed-noble
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Please follow the instructions from comments #3 and #4 and only change the verification tags to done after successfully completing the test plan with the package in proposed for the affected ubuntu releases.

tags: added: verification-needed-jammy verification-needed-noble
removed: verification-done-jammy verification-done-noble
Revision history for this message
Denison Barbosa (justdenis) wrote (last edit ):

I'm sorry for not commenting about the executed test plan. Let's fix this!

The test plan was executed for Jammy (22.04) and I confirm it was successful. The package version used for the tests is the one proposed, as can be seen by the output of apt-cache policy:
adsys:
  Installed: 0.14.2~22.04
  Candidate: 0.14.2~22.04
  Version table:
 *** 0.14.2~22.04 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages

The following steps were executed:

1) Create a fresh VM with Ubuntu 22.04;
2) Get the source code of the proposed package;
3) Install the test dependencies: Go (snap version, as it's the most recent one), pkg-config, libkrb5-dev, libsmbclient-dev, libglib2.0-dev, samba;
4) Go into the {where the source was downloaded}/adsys-0.14.2~22.04/internal/ad directory;
5) Run the "TestTicketPath" 1000 times;

After step 5, all test runs were successful.

Revision history for this message
Denison Barbosa (justdenis) wrote (last edit ):

The test plan was executed for Noble (24.04) and I confirm it was successful. The package version used for the tests is the one proposed, as can be seen by the output of apt-cache policy:
adsys:
  Installed: 0.14.2~24.04
  Candidate: 0.14.2~24.04
  Version table:
 *** 0.14.2~24.04 500
        500 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages

The following steps were executed:

1) Create a fresh VM with Ubuntu 24.04;
2) Get the source code of the proposed package;
3) Install the test dependencies: Go (snap version, as it's the most recent one), pkg-config, libkrb5-dev, libsmbclient-dev, libglib2.0-dev, samba;
4) Go into the {where the source was downloaded}/adsys-0.14.2~22.04/internal/ad directory;
5) Run the "TestTicketPath" 1000 times;

After step 5, all test runs were successful.

tags: added: verification-done-jammy verification-done-noble
removed: verification-needed-jammy verification-needed-noble
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package adsys - 0.14.2~24.04

---------------
adsys (0.14.2~24.04) noble; urgency=medium

  * Fix DCONF policy manager removing user DB on empty policy (LP: #2078245)
  * Ignore casing in domain/ section of sssd.conf (LP: #2078246)
  * Fix parsing of slash usernames (i.e. domain\user) (LP: #2078247)
  * Fix errno in get_ticket_path() (LP: #2078473)

 -- Denison Barbosa <email address hidden> Fri, 30 Aug 2024 10:28:07 -0400

Changed in adsys (Ubuntu Noble):
status: Fix Committed → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote : Update Released

The verification of the Stable Release Update for adsys has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package adsys - 0.14.2~22.04

---------------
adsys (0.14.2~22.04) jammy; urgency=medium

  * Fix DCONF policy manager removing user DB on empty policy (LP: #2078245)
  * Ignore casing in domain/ section of sssd.conf (LP: #2078246)
  * Fix parsing of slash usernames (i.e. domain\user) (LP: #2078247)
  * Fix errno in get_ticket_path() (LP: #2078473)

 -- Denison Barbosa <email address hidden> Fri, 30 Aug 2024 10:33:56 -0400

Changed in adsys (Ubuntu Jammy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.