Comment 37 for bug 2059756

Gabriel Nagy (gabuscus) wrote :

I have validated adsys in Mantic using the following steps:

1. Join Mantic client to AD test domain where GPOs are configured
2. Install adsys from proposed
3. Apply user and machine policies (assert non-Pro policy managers)
4. Attach Mantic client to Ubuntu Pro
5. Re-apply user and machine policies (assert Pro-only policy managers)

Below are the steps used:

Joined domain using the following command:

# realm join warthogs.biz -U localadmin -v --unattended <<<$AD_PASSWORD
     ...
  * Successfully enrolled machine in realm

Installed adsys using:
# apt install adsys/mantic-proposed --install-suggests
# apt-cache policy adsys
adsys:
  Installed: 0.14.1~23.10.1
  Candidate: 0.14.1~23.10.1
  Version table:
 *** 0.14.1~23.10.1 400
        400 http://archive.ubuntu.com/ubuntu mantic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     0.13.1ubuntu0.1 500
        500 http://azure.archive.ubuntu.com/ubuntu mantic-updates/main amd64 Packages
        500 http://azure.archive.ubuntu.com/ubuntu mantic-security/main amd64 Packages
     0.13.1 500
        500 http://azure.archive.ubuntu.com/ubuntu mantic/main amd64 Packages

Applied non-Pro policies:

# adsysctl update -m -v
INFO Assets directory is already up to date
INFO GPO "e2e-mantic-b093-computers-gpo" is already up to date
INFO Applying policies for mantic-b093 (machine: true)
WARNING Rules from the following policy types will be filtered out as the machine is not enrolled to Ubuntu Pro: privilege, scripts, mount, apparmor, proxy, certificate

mantic-b093-usr$ adsysctl update -v
INFO GPO "e2e-mantic-b093-users-gpo" is already up to date
INFO Assets directory is already up to date
INFO Applying policies for <email address hidden> (machine: false)
WARNING Rules from the following policy types will be filtered out as the machine is not enrolled to Ubuntu Pro: scripts, mount

Confirmed non-Pro policies have been applied (dconf/gdm):
# DCONF_PROFILE=gdm dconf read /org/gnome/login-screen/banner-message-text
'Sample banner text'

mantic-b093-usr$ dconf read /org/gnome/shell/favorite-apps
['rhythmbox.desktop']

Confirmed Pro-only policies (e.g. certificate, mount) are not applied:
# getcert list
Number of certificates and requests being tracked: 0.

mantic-b093-usr$ gio mount -l | grep warthogs.biz

Attached machine to Pro and re-applied user and machine policies:
# pro attach $UBUNTU_PRO_TOKEN --no-auto-enable
This machine is now attached to 'Ubuntu Pro - free personal subscription'

# adsysctl update -m -v
INFO GPO "e2e-mantic-b093-computers-gpo" is already up to date
INFO Assets directory is already up to date
INFO Applying policies for mantic-b093 (machine: true)
INFO Running machine startup scripts
INFO Certificate autoenrollment script ran successfully

mantic-b093-usr$ adsysctl update -v
INFO GPO "e2e-mantic-b093-users-gpo" is already up to date
INFO Assets directory is already up to date
INFO Applying policies for <email address hidden> (machine: false)

Confirmed Pro-only policies have now been applied:

# getcert list
Number of certificates and requests being tracked: 1.
Request ID 'warthogs-CA.Machine':
 status: MONITORING
 stuck: no
 key pair storage: type=FILE,location='/var/lib/adsys/private/certs/warthogs-CA.Machine.key'
 certificate: type=FILE,location='/var/lib/adsys/certs/warthogs-CA.Machine.crt'
 CA: warthogs-CA
 issuer: CN=warthogs-CA,DC=warthogs,DC=biz
 subject: CN=mantic-b093
    ...

mantic-b093-usr$ gio mount -l | grep warthogs.biz
Mount(0): user-mount-smb on warthogs.biz -> smb://warthogs.biz/user-mount-smb/
Mount(1): user-mount-nfs on warthogs.biz -> nfs://warthogs.biz/user-mount-nfs
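
The Pro gating checked by hand in the comment above can also be asserted from captured `adsysctl update -v` output. The script below is an added example, not part of the original comment and not adsys code: the function names and sample logs are constructed here, and the warning text is copied from the output quoted above, so matching other adsys versions is an assumption.

```bash
#!/bin/sh
# Added example: assert the Ubuntu Pro gating from captured adsysctl output.
# Sample logs are constructed from lines quoted in the comment above.
NON_PRO_LOG='INFO Applying policies for mantic-b093 (machine: true)
WARNING Rules from the following policy types will be filtered out as the machine is not enrolled to Ubuntu Pro: privilege, scripts, mount, apparmor, proxy, certificate'

PRO_LOG='INFO Applying policies for mantic-b093 (machine: true)
INFO Running machine startup scripts
INFO Certificate autoenrollment script ran successfully'

# Read a log on stdin; print each filtered policy type on its own line.
filtered_types() {
    sed -n 's/^WARNING Rules from the following policy types will be filtered out as the machine is not enrolled to Ubuntu Pro: //p' \
        | tr ',' '\n' \
        | sed -e 's/^ *//' -e 's/ *$//' -e '/^$/d'
}

# check_update_log <pro|non-pro> [type...]   (log on stdin)
#   non-pro: every listed type must be named in the filter warning
#   pro:     no filter warning may be present at all
check_update_log() {
    cul_state=$1
    shift
    cul_filtered=$(filtered_types)
    case $cul_state in
        pro)
            [ -z "$cul_filtered" ]
            ;;
        non-pro)
            for cul_type in "$@"; do
                # -x: whole-line match, so "script" does not pass for "scripts"
                printf '%s\n' "$cul_filtered" | grep -qxF -- "$cul_type" || return 1
            done
            ;;
        *)
            return 2
            ;;
    esac
}

printf '%s\n' "$NON_PRO_LOG" | check_update_log non-pro certificate mount \
    && echo "non-Pro log: certificate and mount rules were filtered"
printf '%s\n' "$PRO_LOG" | check_update_log pro \
    && echo "Pro log: no policy types were filtered"
```

On a real client, pipe the live command output into `check_update_log` in place of the sample variables.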