[SRU] Backport to 22.04 LTS

Bug #2048514 reported by Gabriel Nagy
This bug affects 1 person
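| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| python-cepces (Ubuntu) | Fix Released | Undecided | Unassigned | |
| python-cepces (Ubuntu Jammy) | Fix Committed | Undecided | Unassigned | |
| python-requests-gssapi (Ubuntu) | Fix Released | Undecided | Unassigned | |
| python-requests-gssapi (Ubuntu Jammy) | Fix Committed | Undecided | Unassigned | |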

Bug Description

As part of our enterprise desktop offering, there is the request to backport python-cepces and its dependency (python-requests-gssapi) to 22.04 LTS. The packages are in universe for now.

cepces is an application for enrolling certificates through CEP and CES. It requires certmonger to operate. In Ubuntu it is used by ADSys to aid in the certificate auto-enrollment process. ADSys has been available starting Ubuntu 21.04, and cepces / the certificate auto-enrollment feature was first released in Ubuntu 23.10 in adsys package version 0.13.0.

[Impact]

 * python-cepces and python-requests-gssapi are new packages. Impact is thus only for people installing.
 * To leverage the functionality of the package, a recent enough ADSys version must be used (at least 0.13.0, not currently in Jammy but there are approved plans to backport ADSys 0.13.2).
 * In addition to the ADSys requirement above, the machine must be Pro-enabled and the certificate auto-enrollment GPO must be configured on the Windows AD controller.
 * No impact is expected if the conditions above are not met.
 * This is an enterprise feature requested by desktop customers running LTS.

[Test Plan]

 1. Configure your machine with AD, with a correctly configured SSSD and KRB5 (AD user should be able to log in). Instructions can be found on https://canonical-adsys.readthedocs-hosted.com/en/stable/how-to/#linux-client-machine
 2. Install, configure and enable Active Directory Certificate Services (steps outlined in https://www.virtuallyboring.com/setup-microsoft-active-directory-certificate-services-ad-cs/)
 3. Join machine to Ubuntu Pro to enable certificate policy application
 4. Configure certificate auto-enrollment in AD (https://canonical-adsys.readthedocs-hosted.com/en/stable/explanation/certificates/)
 5. Install ADSys (at least version 0.13.0) and python-cepces, then run `adsysctl update -m` to force a refresh of the policies
 6. Ensure certificates were properly enrolled -- adsys should have exited with 0 and `getcert list` should return at least 1 certificate (e.g. 'warthogs-CA.Machine' and status should be MONITORING).
 7. Run `adsysctl policy purge -m` to purge all policies.
 8. Run `getcert list` to confirm the previously enrolled certificate is now gone.

[Where problems could occur]

 * ADSys policy application will fail and the program will exit with a non-zero exit code if the Windows Active Directory Certificate Services component is not properly configured, or if errors are encountered in the enrollment process.

[Other Info]

 * The current version of ADSys in Jammy does not interact with this package whatsoever, but there are plans to backport the latest version.
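
An added example (not part of the original report and not code from ADSys or cepces) that scripts the checks in steps 5 to 8 of the test plan. It assumes `getcert list` prints a `Request ID '<id>':` header followed by an indented `status:` line for each tracked request; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: automated checks for steps 5-8 of the test plan.

# Print the request IDs whose status is MONITORING, one per line,
# reading `getcert list` output on stdin (output layout is assumed).
monitoring_ids() {
    awk -F"'" '
        /^Request ID /   { id = $2 }
        /^[ \t]*status:/ { sub(/^[ \t]*status:[ \t]*/, "")
                           if ($0 == "MONITORING") print id }'
}

# Succeed if the request ID in $1 is still tracked (input on stdin).
has_request() { grep -qxF "Request ID '$1':"; }

# Constructed sample output, not captured from a real host.
sample_enrolled() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID 'warthogs-CA.Machine':
    status: MONITORING
    stuck: no
Request ID 'example-CA.Pending':
    status: CA_UNREACHABLE
    stuck: no
EOF
}
sample_purged() {
    echo 'Number of certificates and requests being tracked: 0.'
}

# Steps 5-8 on a machine prepared as in steps 1-4.
run_test_plan() {
    adsysctl update -m || { echo "FAIL: adsysctl update exited $?" >&2; return 1; }
    ids=$(getcert list | monitoring_ids)
    [ -n "$ids" ] || { echo "FAIL: no certificate in MONITORING" >&2; return 1; }
    adsysctl policy purge -m || { echo "FAIL: purge exited $?" >&2; return 1; }
    after=$(getcert list)
    echo "$ids" | while IFS= read -r id; do
        if echo "$after" | has_request "$id"; then
            echo "FAIL: $id still tracked after purge" >&2; exit 1
        fi
    done || return 1
    echo "PASS: enrolled then purged: $ids"
}

# Offline demonstration on the constructed sample.
sample_enrolled | monitoring_ids
```

Only requests that reached MONITORING are counted as enrolled, so a request stuck in another state fails step 6, and the purge check looks for those same IDs rather than requiring an empty list, since certmonger may track unrelated certificates.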

Gabriel Nagy (gabuscus) wrote :
Changed in python-cepces (Ubuntu):
status: New → In Progress
Changed in python-requests-gssapi (Ubuntu):
status: New → In Progress
Changed in python-cepces (Ubuntu):
status: In Progress → New
Changed in python-requests-gssapi (Ubuntu):
status: In Progress → New
Changed in python-cepces (Ubuntu):
status: New → Fix Released
Changed in python-requests-gssapi (Ubuntu):
status: New → Fix Released
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Gabriel, or anyone else affected,

Accepted python-cepces into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-cepces/0.3.7-0ubuntu1~22.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in python-cepces (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
Łukasz Zemczak (sil2100) wrote :

Hello Gabriel, or anyone else affected,

Accepted python-requests-gssapi into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-requests-gssapi/1.2.3-0ubuntu1~22.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in python-requests-gssapi (Ubuntu Jammy):
status: New → Fix Committed