[context]
ADSys is a tool designed for administering and implementing Group Policy Objects (GPOs) from Active Directory on Linux systems. It includes a suite of services and commands that empower administrators to efficiently manage policy updates and maintain compliance with organizational business rules.
Given that ADSys directly interfaces with Active Directory and needs to align with new business requirements in LTS releases, it has been essential to keep the package consistently updated with the latest changes of ADSys upstream source. As ADSys is a key component of our commercial offerings, our customers anticipate the availability of recently implemented features in the 22.04 release.
Now that ADSys has a complete set of features, the request is to proceed with a one-off release of ADSys 0.14.1 to 22.04. Please note that any new features introduced in subsequent versions will be exclusively available in 24.04 and later releases.
This version includes a comprehensive end to end automated test suite that runs ADSys against a real Active directory environment.
Version 0.14.1 is available for 22.04 in a PPA (https://launchpad.net/~ubuntu-enterprise-desktop/+archive/ubuntu/adsys) and already used in production by customers.
At this time of writing the number of open issues is 1 in Launchpad and 16 in GitHub including 6 enhancements. None of them have a high or critical importance.
[references]
LP: https://launchpad.net/ubuntu/+source/adsys
LP Bugs: https://bugs.launchpad.net/ubuntu/+source/adsys
GitHub: https://github.com/ubuntu/adsys/
GH Bugs: https://github.com/ubuntu/adsys/issues
Documentation: https://canonical-adsys.readthedocs-hosted.com/en/stable/
Initial SRU discussion: https://lists.ubuntu.com/archives/ubuntu-release/2023-June/005650.html
[changes]
Full LP Changelog: https://launchpad.net/ubuntu/+source/adsys/+changelog
* New features
* New policies:
- Add mount / network shares policy manager
- Add AppArmor policy manager
- Support multiple AD backends and implement Winbind support
- Add system proxy policy manager
- Add certificate policy manager for machines
- Add adsysctl policy purge command to purge applied policies
- Full documentation
- Full end to end automated test suite.
* Enhancements
* Add a --machine / -m flag to adsysctl applied, indicating the policies applied to the current machine
* Expose Ubuntu Pro status in the "status" command
* Update scripts manager creation
* List Pro policy types in service status output
* Warn when Pro-only rules are configured
* Use systemd via D-Bus instead of systemctl commands
* Add placeholder notes for entry types
* Rework Kerberos ticket handling logic to satisfy the Heimdal implementation of Kerberos
* Rework policy application sync strategy
* Print logs when policies are up to date
* Update policy definitions to include dconf key for dark mode background
* Infer user KRB5CCNAME path via the libkrb5 API (LP: #2049061)
* Allow sssd backend to work without ad_domain being set (LP: #2054445)
* Update apport hook to include journal errors and package logs
* Bug fixes
* Fix policy update failing when GPT.INI contains no version key
* Fix object lookup for users having a FQDN as their hostname
* Support special characters in domains when parsing sssd configuration
* Fix DCONF_PROFILE not considering default_domain_suffix on sssd.conf
* Ensure empty state for dconf policy
* Handle case mismatches in GPT.INI file name
* Ensure GPO URLs contain the FQDN of the domain controller
* Add runtime dependency on nfs-common
* Other
* Updates to latest versions of Go (fixing known Go vulnerabilities)
* Updates to latest versions of the Go dependencies
* Updates and improvements to CI and QoL
* Migrate translation support to native approach using go-i18n + gotext and switch to upstream gotext version
Dependencies:
* Build-dep: golang-go (>= 2:1.22~)
* Dependencies to backport to 22.04:
* golang-go >= 2:1.22
* ubuntu-proxy-manager (suggest. Required for Proxy support - feature will be disabled otherwise)
* python3-cepces (suggest. Required for Certificates autoenrollment support - feature will be disabled otherwise)
* Note: Both are currently in the new queue of 22.04 : https://launchpad.net/ubuntu/jammy/+queue?queue_state=0&queue_text=
[test plan]
# Process
Adsys follows a robust continuous integration and testing process. It is covered by a comprehensive automated tests suite (https://github.com/ubuntu/adsys/actions/workflows/qa.yaml) and an automated end to end test suite that runs in a real active directory environment (https://github.com/ubuntu/adsys/actions/workflows/e2e-tests.yaml).
The team applied the following quality criteria:
* All changes are thoroughly reviewed and approved by core team members before integration.
* Each change is thoroughly tested at the unit, integration and system levels.
* All the tests pass in all supported architectures.
* All bugs fixed in this release must have a link to the pull request that fixes them.
* All bug fixes and new features are verified in a system by executing automated or manual tests. Most of these tests are automated and executed in the autopkgtest suite. Tests that are not automated are executed manually.
* New and existing features are tested in a real Active Directory environment.
* There are no unfixed bugs tagged "blocker" on the milestone.
# Packaging QA
To prepare the release to 22.04, the following procedures will be completed to ensure quality:
* All autopkgtests pass.
* The package does not break when upgrading.
* The binary is identical to the CI build, with only Debian packaging changes.
* The copyrights and changelog are up to date.
* An upgrade test from the previous package version has been performed using apt install/upgrade.
# Code sanity
Code sanity checks are performed automatically on each build. They verify:
* Code linting
* Go module files are up to date
* Generated files are up to date
* Any binary in the project builds
* Vulnerabilities
Example report: https://github.com/ubuntu/adsys/actions/runs/6955264244
# Code coverage
* Code coverage is computed on every build and a report generated.
* Codecov report: https://app.codecov.io/gh/ubuntu/adsys
* Coverage as of today: 90.78%
# Manual tests
1. Configure your machine with AD, with a correctly configured SSSD and KRB5. AD user should be able to log in (https://canonical-adsys.readthedocs-hosted.com/en/latest/how-to/set-up-adsys/)
2. Install admx and adml files on your AD controller (https://canonical-adsys.readthedocs-hosted.com/en/latest/how-to/set-up-ad/)
3. Configure some Group Policies in the AD server (https://canonical-adsys.readthedocs-hosted.com/en/latest/how-to/use-gpo/)
4. Install ADSys, reboot the machine and login in as an AD user.
5. Ensure that the configuration done in the AD server is reflected on the Ubuntu machine.
[where problems could occur]
For AD users:
* ADSys can prevent authentication of AD users if some policies can't be applied or fail to apply properly
* Note: The categories of bugs we've identified typically revolve around Active Directory setup or network configuration. Extensive and detailed logging of both SSSD and ADSys aids in resolving these issues promptly.
* For local users, no impact will occur.
Notes:
* Recommends python-cepces and python-requests-gssapi are referenced in https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2048514
* The other recommends ubuntu-proxy-manager is referenced in https://bugs.launchpad.net/ubuntu/+source/ubuntu-proxy-manager/+bug/2048232
The attachment "golang-
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]