adsysctl update with a domain user fails if KRB5CCNAME is not set

Bug #2049061 reported by Fabio Augusto Miranda Martins
This bug affects 2 people
Affects: adsys (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: Gabriel Nagy

Bug Description

In an environment where /etc/krb5.conf sets "default_ccache_name = FILE:/tmp/krb5cc_%{uid}" and you don't have the KRB5CCNAME variable set, running "adsysctl update" with an AD domain user will fail.

If you either export the variable with the path to the kerberos ticket OR run the command "adsysctl update <user@domain> <path_to_kerberos_ticket>" it works.

The adsysctl command should fall back to the default location when KRB5CCNAME is not defined or have a mechanism to query klist and find the Kerberos tickets location.

Given that adsys can't find Kerberos tickets when `klist` does, it seems like a feature parity issue, granted, an edge case.

Here is an example of a reproducer:

https://pastebin.ubuntu.com/p/FjyTWQChjM/

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: adsys 0.9.2~22.04.2
ProcVersionSignature: Ubuntu 6.2.0-1014.14~22.04.1-aws 6.2.16
Uname: Linux 6.2.0-1014-aws x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckResult: unknown
CloudArchitecture: x86_64
CloudID: aws
CloudName: aws
CloudPlatform: ec2
CloudRegion: us-west-2
CloudSubPlatform: metadata (http://169.254.169.254)
CurrentDesktop: ubuntu:GNOME
Date: Thu Jan 11 11:39:06 2024
Ec2AMI: ami-00094f7041bb1b79d
Ec2AMIManifest: (unknown)
Ec2Architecture: x86_64
Ec2AvailabilityZone: us-west-2b
Ec2Imageid: ami-00094f7041bb1b79d
Ec2InstanceType: t3.large
Ec2Instancetype: t3.large
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
Ec2Region: us-west-2
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.utf8
 SHELL=/bin/bash
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions:
 sssd 2.6.3-1ubuntu3.2
 python3-samba 2:4.15.13+dfsg-0ubuntu1.5
SourcePackage: adsys
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.polkit-1.localauthority.conf.d.99-adsys-privilege-enforcement.conf: [deleted]
modified.conffile..etc.sudoers.d.99-adsys-privilege-enforcement: [deleted]

Fabio Augusto Miranda Martins (fabio.martins) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in adsys (Ubuntu):
status: New → Confirmed
Changed in adsys (Ubuntu):
importance: Undecided → Critical
status: Confirmed → Triaged
assignee: nobody → Gabriel Nagy (gabuscus)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package adsys - 0.14.1

---------------
adsys (0.14.1) noble; urgency=medium

  * Pin Go toolchain to 1.22.1 to fix the following security vulnerabilities:
    - GO-2024-2598
    - GO-2024-2599
  * Update apport hook to include journal errors and package logs
  * CI and quality of life changes not impacting package functionality:
    - Enable end-to-end tests in GitHub Actions
    - Remove stale AD resources on test finish
    - Add developer documentation for running end-to-end tests
    - Collect and upload end-to-end test logs on failure
    - Report test coverage in Cobertura XML format
    - Silence gosec warnings using nolint and remove deprecated ifshort linter
    - Use an environment variable to update golden files
    - Bump github actions to latest:
      - azure/login
      - softprops/action-gh-release
  * Update dependencies to latest:
    - github.com/charmbracelet/lipgloss
    - github.com/golangci/golangci-lint
    - github.com/golang/protobuf
    - github.com/stretchr/testify
    - golang.org/x/crypto
    - golang.org/x/net
    - google.golang.org/grpc
    - google.golang.org/protobuf

adsys (0.14.0) noble; urgency=medium

  * Infer user KRB5CCNAME path via the libkrb5 API (LP: #2049061)
    - This functionality is opt-in and activated if the detect_cached_ticket
      setting is set to true
    - If the AD backend (e.g. sssd) doesn't export the KRB5CCNAME variable, adsys
      will now determine the path to the default ticket cache and use it during
      authentication (when adsys is executed through the PAM module) and runs of
      adsysctl update for the current user.
  * Allow sssd backend to work without ad_domain being set (LP: #2054445)
  * Upgrade to Go 1.22
  * CI and quality of life changes not impacting package functionality:
    - Pass token explicitly to Codecov action
    - Fix require outside of main goroutine
    - Mark function arguments as unused where applicable
      Thanks to Edu Gómez Escandell
    - End to end test VM template creation updates
    - Bump github actions to latest:
      - codecov/codecov-action
      - peter-evans/create-pull-request
  * Update dependencies to latest:
    - github.com/charmbracelet/bubbles
    - github.com/golangci/golangci-lint
    - golang.org/x/crypto
    - golang.org/x/net
    - google.golang.org/grpc

 -- Gabriel Nagy <email address hidden> Thu, 21 Mar 2024 12:27:01 +0200

Changed in adsys (Ubuntu):
status: Triaged → Fix Released
Timo Aaltonen (tjaalton) wrote :

SRU information missing from the description

Jean-Baptiste Lallement (jibel) wrote :

Hi Timo,

We plan to do a release of ADSys from 24.04 to 22.04 which contains much more than this bug and we'll cover the testing of the entirety of the package.
Master SRU bug https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2059756
We'll send the exception request in the coming days.
