Hey, Andreas! Thanks for looking into this (and sorry for the delayed answer)!

Answering your questions:

a) It does apply to the LTS releases. However, there are no changes to DCONF at all so, even though we could also test it in the LTS releases, it's not necessary. The reason I included the DCONF tests for the interim releases is that it's the only way interim releases can interact with adsys at all and, as such, it would be the only way to spot if something is broken by the update. In the LTS releases, we can properly test the changes that were made to the pro-related policy managers;

b) That would be steps 1, 6 and 7 from the LTS test plan;

c) Good one! Indeed, this was considered, and it is handled by the code changes. ADSys properly evaluates which Polkit version the client machine is running and handles the policy application accordingly, more details here: https://github.com/ubuntu/adsys/pull/1147

d) Those templates are not used in Ubuntu at all. Those are files that will be used in the Windows AD Server to configure the GPOs there. We need all builds of a given version of adsys to be able to generate the same templates for the AD server to avoid conflicts (e.g. an admin generates the policy definitions in Jammy and then it gets overridden by the ones generated by an admin that generated them in Noble). So, TLDR: this does not impact Ubuntu at all and the correctness of the 25.04 policy definitions was already tested when releasing adsys 0.16.3 in Plucky;

e) That's a great point! I'll update the test plan of the interim releases to also test the large policy files fix;

f) I'm not sure if I understand exactly what you meant by the question, but I'll answer it based on my understanding (let me know if it's not enough):
- All of the fixes that were released in older SRUs are part of adsys' codebase, so there's no risk of missing any of the previous fixes;
- The last adsys' SRUs did not completely update the package (updating vendored dependencies and so on), so that's why we decided against bumping the packaging version. The actual behavior was the same as the one in the last release;
- If you check the changelogs, you'll see that the main difference between what's released in Plucky and what's being released for the LTS'es is the dependency updates (there are quite some updates);

** Description changed: [Impact] Adsys 0.16.3 introduces dependency bumps, and updates to the privilege policy manager to support the newer Polkit versions (>= 124) and their new syntax for defining system admins. It also adds fixes and improvements for certificate autoenrollment, specifically for multiple domains AD environments (i.e. parent.com and child.parent.com). Those fixes involve the refinement of some LDAP queries that were targeting the wrong domain and allowing the default behavior of getting the templates for a specific certificate authority to be overridden through changes in the cepces configuration file. We also fixed an issue with the parsing of (very) large policies, so we can now support even bigger files. Since the behavior updates mentioned only impact policy managers locked under a Pro subscription, this should not impact interim releases. [Test Plan] - For interim releases: Requirements: - Windows Server VM with Active Directory services (AD DS) configured; 1) Configure DCONF policies in the AD controller; - 2) Enroll the Ubuntu machine on the domain; - 3) Install adsys 0.16.3; - 4) Ensure that a user from the enrolled domain can authenticate and that the - policies were applied correctly; + 2) Configure a (very) large GPO (around 400kb); + 3) Enroll the Ubuntu machine on the domain; + 4) Install adsys 0.16.3; + 5) Ensure that a user from the enrolled domain can authenticate and that + adsys was able to parse and apply the policies correctly. - For LTS releases: Requirements: - Multiple domains environment (i.e. root.com and child.root.com) - Windows Server VM with Active Directory services (AD DS), on root.com. 
- Windows Server VM with Active Directory services (AD DS), Active Directory Certificate Services (AD CS) and a CEPCES server configured, on child.root.com. 1) Configure privilege policies in the child AD controller; 2) Enable the certificate autoenrollment policy in the child AD controller; - 3) Configure a (very) large GPO (around 400kb). + 3) Configure a (very) large GPO (around 400kb); 4) Enroll the Ubuntu machine on the child domain; 5) Install adsys 0.16.3; 6) Ensure that adsys was able to parse all the relevant policies; 7) Ensure that a user from the enrolled domain can authenticate and that the privilege policy was applied correctly; 8) Ensure that the machine is enrolled to the correct certificate authority; [Where problems could occur] Since all of adsys external dependencies are vendored, there is no risk of incompatibility with other packages in the Ubuntu release. Unless an internal bug within one of them affects adsys (this would likely have been spotted in CI), bumping their version should not cause issues. If adsys fails to parse a large policy file, it won't be applied. If the policy was enforced on the domain controller, authentication will be denied. This is already the case in the current archive version, so there's no risk of regression here. The changes focused at the Privilege and Certificate managers are locked under a Pro subscription, so they have no impact on interim releases. As for LTS releases, there are two fail points: If adsys fails to apply the privilege escalation policy and the policy is enforced by the AD controller, then authentication will be prevented for users that require this GPO. If the policy is not enforced, then authentication will proceed as normal and polkit will use the system default values for system administrators. If adsys fails to fetch the certificate authorities or enroll the machine to a certificate template, authentication will still be allowed but the machine won't have access to the certificate benefits. 
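
Review bot: the new interim step 5 ("Ensure that a user from the enrolled domain can authenticate and that adsys was able to parse and apply the policies correctly.") folds the authentication check and the large-policy parsing check into one step, while the LTS plan keeps them apart as steps 6 and 7. Splitting step 5 the same way would let a tester record which of the two failed. Neither plan states how successful parsing of the (around 400kb) GPO is to be confirmed, so naming the observable result to look for would make the step repeatable across Jammy, Noble and Oracular.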
--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/2091940

Title:
  [SRU] Release adsys 0.16.3

Status in adsys package in Ubuntu:
  Fix Released
Status in adsys source package in Jammy:
  Incomplete
Status in adsys source package in Noble:
  Incomplete
Status in adsys source package in Oracular:
  Incomplete

Bug description:

  [Impact]

  Adsys 0.16.3 introduces dependency bumps, and updates to the privilege policy manager to support the newer Polkit versions (>= 124) and their new syntax for defining system admins.

  It also adds fixes and improvements for certificate autoenrollment, specifically for multiple domains AD environments (i.e. parent.com and child.parent.com). Those fixes involve the refinement of some LDAP queries that were targeting the wrong domain and allowing the default behavior of getting the templates for a specific certificate authority to be overridden through changes in the cepces configuration file.

  We also fixed an issue with the parsing of (very) large policies, so we can now support even bigger files.

  Since the behavior updates mentioned only impact policy managers locked under a Pro subscription, this should not impact interim releases.

  [Test Plan]

  - For interim releases:

  Requirements:
  - Windows Server VM with Active Directory services (AD DS) configured;

  1) Configure DCONF policies in the AD controller;
  2) Configure a (very) large GPO (around 400kb);
  3) Enroll the Ubuntu machine on the domain;
  4) Install adsys 0.16.3;
  5) Ensure that a user from the enrolled domain can authenticate and that adsys was able to parse and apply the policies correctly.

  - For LTS releases:

  Requirements:
  - Multiple domains environment (i.e. root.com and child.root.com)
  - Windows Server VM with Active Directory services (AD DS), on root.com.
  - Windows Server VM with Active Directory services (AD DS), Active Directory Certificate Services (AD CS) and a CEPCES server configured, on child.root.com.

  1) Configure privilege policies in the child AD controller;
  2) Enable the certificate autoenrollment policy in the child AD controller;
  3) Configure a (very) large GPO (around 400kb);
  4) Enroll the Ubuntu machine on the child domain;
  5) Install adsys 0.16.3;
  6) Ensure that adsys was able to parse all the relevant policies;
  7) Ensure that a user from the enrolled domain can authenticate and that the privilege policy was applied correctly;
  8) Ensure that the machine is enrolled to the correct certificate authority;

  [Where problems could occur]

  Since all of adsys external dependencies are vendored, there is no risk of incompatibility with other packages in the Ubuntu release. Unless an internal bug within one of them affects adsys (this would likely have been spotted in CI), bumping their version should not cause issues.

  If adsys fails to parse a large policy file, it won't be applied. If the policy was enforced on the domain controller, authentication will be denied. This is already the case in the current archive version, so there's no risk of regression here.

  The changes focused at the Privilege and Certificate managers are locked under a Pro subscription, so they have no impact on interim releases. As for LTS releases, there are two fail points:

  If adsys fails to apply the privilege escalation policy and the policy is enforced by the AD controller, then authentication will be prevented for users that require this GPO. If the policy is not enforced, then authentication will proceed as normal and polkit will use the system default values for system administrators.

  If adsys fails to fetch the certificate authorities or enroll the machine to a certificate template, authentication will still be allowed but the machine won't have access to the certificate benefits.