[SRU] Backport to 22.04 LTS
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
python-cepces (Ubuntu) | Fix Released | Undecided | Unassigned | |
Jammy | Fix Released | Undecided | Unassigned | |
python-requests-gssapi (Ubuntu) | Fix Released | Undecided | Unassigned | |
Jammy | Fix Released | Undecided | Unassigned | |
Bug Description
As part of our enterprise desktop offering, there is the request to backport python-cepces and its dependency (python-
cepces is an application for enrolling certificates through CEP and CES. It requires certmonger to operate. In Ubuntu it is used by ADSys to aid in the certificate auto-enrollment process. ADSys has been available starting Ubuntu 21.04, and cepces / the certificate auto-enrollment feature was first released in Ubuntu 23.10 in adsys package version 0.13.0.
[Impact]
* python-cepces and python-
* To leverage the functionality of the package, a recent enough ADSys version must be used (at least 0.13.0, not currently in Jammy but there are approved plans to backport ADSys 0.13.2).
* In addition to the ADSys requirement above, the machine must be Pro-enabled and the certificate auto-enrollment GPO must be configured on the Windows AD controller.
* No impact is expected if the conditions above are not met.
* This is an enterprise feature requested by desktop customers running LTS.
[Test Plan]
1. Configure your machine with AD, with a correctly configured SSSD and KRB5 (AD user should be able to log in). Instructions can be found on https:/
2. Install, configure and enable Active Directory Certificate Services (steps outlined in https:/
3. Join machine to Ubuntu Pro to enable certificate policy application
4. Configure certificate auto-enrollment in AD (https:/
5. Install ADSys (at least version 0.13.0) and python-cepces, then run `adsysctl update -m` to force a refresh of the policies
6. Ensure certificates were properly enrolled -- adsys should have exited with 0 and `getcert list` should return at least 1 certificate (e.g. 'warthogs-
7. Run `adsysctl policy purge -m` to purge all policies.
8. Run `getcert list` to confirm the previously enrolled certificate is now gone.
[Where problems could occur]
* ADSys policy application will fail and the program will exit with a non-zero exit code if the Windows Active Directory Certificate Services component is not properly configured, or if errors are encountered in the enrollment process.
[Other Info]
* The current version of ADSys in Jammy does not interact with this package whatsoever, but there are plans to backport the latest version.
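The pass/fail checks of test-plan steps 5 to 8, as an added example that is not part of the original bug report or of ADSys or certmonger. The function names and the sample `getcert list` output are constructed for illustration; only `adsysctl update -m`, `adsysctl policy purge -m` and `getcert list` come from the test plan.

```shell
#!/bin/sh
# Added example: pass/fail checks for test-plan steps 5-8.
# Function names and the SAMPLE_* outputs are constructed for illustration.

# Count the requests certmonger tracks, reading `getcert list` output on stdin.
count_tracked() {
    grep -c '^Request ID ' || true   # grep -c prints 0 but exits 1 on no match
}

# Print "<request id> <status>" for every tracked request on stdin.
list_status() {
    awk -F"'" '/^Request ID /{id=$2}
               /^[ \t]*status:/{sub(/^[ \t]*status:[ \t]*/, ""); print id, $0}'
}

# Step 6: at least one certificate must be tracked after the policy refresh.
check_enrolled() { [ "$(count_tracked)" -ge 1 ]; }

# Step 8: nothing may be tracked once the policies are purged.
check_purged() { [ "$(count_tracked)" -eq 0 ]; }

# Constructed output modelled on what `getcert list` prints (not from a real host).
SAMPLE_ENROLLED="Number of certificates and requests being tracked: 1.
Request ID 'example-Machine':
    status: MONITORING
    stuck: no
    CA: example-CA"
SAMPLE_PURGED="Number of certificates and requests being tracked: 0."

fail() { echo "FAIL: $1" >&2; exit 1; }

# Run against a real, AD-joined machine only when called with "live".
if [ "${1:-}" = "live" ]; then
    adsysctl update -m            || fail "adsysctl update exited non-zero"
    getcert list | check_enrolled || fail "no certificate enrolled"
    getcert list | list_status
    adsysctl policy purge -m      || fail "adsysctl policy purge exited non-zero"
    getcert list | check_purged   || fail "certificate still tracked after purge"
    echo "PASS"
fi
```

Without the `live` argument the script only defines the helpers, so they can be exercised against saved `getcert list` output.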
Changed in python-cepces (Ubuntu): | |
status: | In Progress → New |
Changed in python-requests-gssapi (Ubuntu): | |
status: | In Progress → New |
Changed in python-cepces (Ubuntu): | |
status: | New → Fix Released |
Changed in python-requests-gssapi (Ubuntu): | |
status: | New → Fix Released |
The new packages were uploaded and are in NEW: https://launchpad.net/ubuntu/jammy/+queue?queue_state=0&queue_text=python-