This bug was fixed in the package adsys - 0.16.3~24.04.1
---------------
adsys (0.16.3~24.04.1) noble; urgency=medium
* debian/tests: Use the correct Go binary to run the autopkgtests
(LP: #2091940)
adsys (0.16.3~24.04) noble; urgency=medium
* Backport adsys 0.16.3 to noble (LP: #2091940)
* Bump Go version to 1.23
* Bump Go toolchain version to 1.23.6
* Fixes and improvements to certificate autoenrollment
- Improve log messages to help understand issues and failures
- Fix LDAP queries on multiple domains environments
- Allow default behavior to get supported certificate templates
to be overriden through cepces configuration
- Fix URL for NDES enrollment
* Resize buffer to parse very large GPOs
* Add corpus to fuzz tests to increase their precision
* Remove d/.prerm purge stanza
* Documentation improvements
- Add architecture diagrams to documentation
- Add ref glossary
- Change spelling to US
- Home and landing pages refresh
* Run certificates auto enroll script with debug enabled based on daemon
verbosity
* Add support for Polkit >= 124
* Refresh policy definition files to support latest Ubuntu releases
* CI and quality of life changes not impacting package functionality:
- Enable CI to run on pull requests from adsys forks
- Update links to new server documentation
* Bump dependencies to latest:
- golang.org/x/crypto (0.31.0)
- golang.org/x/net (0.37.0)
+ Fixes CVE-2024-45338
- golang.org/x/sys (0.29.0)
- golang.org/x/text (0.22.0)
- google.golang.org/grpc (1.71.0)
- google.golang.org/protobuf (1.36.6)
- github.com/charmbracelet/bubbles (0.20.0)
- github.com/charmbracelet/bubbletea (1.3.4)
- github.com/charmbracelet/glamour (0.9.1)
- github.com/charmbracelet/lipgloss (1.1.0)
- github.com/fatih/color (1.18.0)
- github.com/leonelquinteros/gotext (1.7.0)
- github.com/pkg/sftp (1.13.9)
- github.com/spf13/cobra (1.9.1)
- github.com/stretchr/testify (1.10.0)
- github.com/golangci/golangci-lint (1.64.8)
* CI dependencies not impacting package functionality:
- canonical/has-signed-canonical-cla (2)
- codecov/codecov-action (5)
- jidicula/clang-format-action (4.15.0)
- peter-evans/create-pull-request (7)
-- Denison Barbosa <denison.barb...@canonical.com> Mon, 02 Jun 2025
08:32:11 -0400
** Changed in: adsys (Ubuntu Noble)
Status: Fix Committed => Fix Released
** Changed in: adsys (Ubuntu Jammy)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/2091940
Title:
[SRU] Release adsys 0.16.3
Status in adsys package in Ubuntu:
Fix Released
Status in adsys source package in Jammy:
Fix Released
Status in adsys source package in Noble:
Fix Released
Status in adsys source package in Oracular:
Fix Released
Bug description:
[Impact]
Adsys 0.16.3 introduces dependency bumps, and updates to the privilege
policy manager to support the newer Polkit versions (>= 124) and their
new syntax for defining system admins.
It also adds fixes and improvements for certificate autoenrollment,
specifically for multiple domains AD environments (i.e. parent.com and
child.parent.com). Those fixes involve the refinement of some LDAP
queries that were targeting the wrong domain and allowing the default
behavior of getting the templates for a specific certificate authority
to be overridden through changes in the cepces configuration file.
We also fixed an issue with the parsing of (very) large policies, so
we can now support even bigger files.
Since the behavior updates mentioned only impact policy managers
locked under a Pro subscription, this should not impact interim
releases.
[Test Plan]
- For interim releases:
Requirements:
- Windows Server VM with Active Directory services (AD DS) configured;
1) Configure DCONF policies in the AD controller;
2) Configure a (very) large GPO (around 400kb);
3) Enroll the Ubuntu machine on the domain;
4) Install adsys 0.16.3;
5) Ensure that a user from the enrolled domain can authenticate and that
adsys was able to parse and apply the policies correctly.
- For LTS releases:
Requirements:
- Multiple domains environment (i.e. root.com and child.root.com)
- Windows Server VM with Active Directory services (AD DS), on root.com.
- Windows Server VM with Active Directory services (AD DS), Active
Directory Certificate Services (AD CS) and a CEPCES server configured,
on child.root.com.
1) Configure privilege policies in the child AD controller;
2) Enable the certificate autoenrollment policy in the child AD
controller;
3) Configure a (very) large GPO (around 400kb);
4) Enroll the Ubuntu machine on the child domain;
5) Install adsys 0.16.3;
6) Ensure that adsys was able to parse all the relevant policies;
7) Ensure that a user from the enrolled domain can authenticate and that
the
privilege policy was applied correctly;
8) Ensure that the machine is enrolled to the correct certificate
authority;
[Where problems could occur]
Since all of adsys external dependencies are vendored, there is no
risk of incompatibility with other packages in the Ubuntu release.
Unless an internal bug within one of them affects adsys (this would
likely have been spotted in CI), bumping their version should not
cause issues.
If adsys fails to parse a large policy file, it won't be applied. If
the policy was enforced on the domain controller, authentication will
be denied. This is already the case in the current archive version, so
there's no risk of regression here.
The changes focused at the Privilege and Certificate managers are
locked under a Pro subscription, so they have no impact on interim
releases.
As for LTS releases, there are two fail points:
If adsys fails to apply the privilege escalation policy and the policy
is enforced by the AD controller, then authentication will be
prevented for users that require this GPO. If the policy is not
enforced, then authentication will proceed as normal and polkit will
use the system default values for system administrators.
If adsys fails to fetch the certificate authorities or enroll the
machine to a certificate template, authentication will still be
allowed but the machine won't have access to the certificate benefits.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/adsys/+bug/2091940/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
