** Description changed: [ Impact ] Adsys user lookup assumes that a partial UserPrincipalName (UPN) will equal to SAMaccountName (SAM). For example, if a user has UPN as "[email protected]" and a SAM as "uone" in Active Directory, the lookup will fail. If SAM was "userone" then adsys would behave correctly. Users normally login using their UPN and also usually the SAM is the same UPN without the '@' and the domain. Currently the Group Policy Object (GPO) search (by Adsys) is done by removing the @ and the rest from the UPN and searching that value as SAM. This fails for cases where SAM is not a suffix of the UPN (ie., SAM="uone", UPN="[email protected]"). The patch adds a search using the UPN if the search for SAM fails to support users with that have the aforementioned discrapency between the SAM and UPN. Link to the upstream patch: [1]. [ Test Plan ] Test plan consists of setting up two VMs (Windows AD Domain Controller and Ubuntu Desktop) on a KVM host, followed by configuring the Domain Controller and the Ubuntu machine to connect to it, and authenticate users on Ubuntu against AD. The low level procedure is as follows: 1. Install virt-manager on your host if you choose to create VMs with virt-manager sudo apt update && sudo apt install virt-manager virt-viewer qemu-kvm libvirt-daemon-system libvirt-clients 2. download Windows Server 2022 iso image: https://www.microsoft.com/en- us/evalcenter/download-windows-server-2022 3. Configure the Windows VM: virt-install --name winserver \ --virt-type kvm --memory 4096 --vcpus 4 \ --disk size=60 \ --cdrom /path/to/windows/iso/SERVER_EVAL_x64FRE_en-us.iso \ --network network:default \ --osinfo detect=on \ --noautoconsole \ --graphics spice # use either the virt-manager or the remote-viewer to connect to the VMs console. The following is a sample command for the remote-viewer. 
You can get the VMs spice port by running: virsh dumpxml ubuntuone | grep graphics winserver # connect to VMs graphical interface (change port if needed) remote-viewer spice://127.0.0.1:5900 4. Follow the installation in the VM. I picked the Windows Server 2022 Standard Evaluation, then Custom Install. During the installation VM shutdown so you will need to start it by 'virsh start winserver'. Installation completes with the Windows Core on the SConfig menu with multiple options. Use the menu items to configure the computer name, static IP, DNS server(remote to forward requests to), default gateway, and time/timezone. 5. configure AD from the command line: powershell # install the spice-guest-tools to enable copy/paste between the Windows guest and host Invoke-WebRequest -Uri https://www.spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-latest.exe -OutFile sgtl.exe # install spice-guest-tools .\sgtl.exe # install and configure the Domain Controller Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools Install-ADDSForest ` -DomainName "test.local" ` -InstallDns ` -DomainMode WinThreshold ` -ForestMode WinThreshold ` -SafeModeAdministratorPassword (ConvertTo-SecureString "ao4Ahnuzah$d!eeg" -AsPlainText -Force) ` -NoRebootOnCompletion:$false ` -Force # VM will restart to apply changes # verification Get-WindowsFeature -Name AD-Domain-Services nslookup test.local Install-WindowsFeature -Name RSAT-AD-PowerShell Import-Module ActiveDirectory # add test domain user New-ADUser ` -SamAccountName "uone" ` -UserPrincipalName "[email protected]" ` -Name "User One" ` -GivenName "User1" ` -Surname "One1" ` -Enabled $true ` -AccountPassword (ConvertTo-SecureString "pAsswd&987!" -AsPlainText -Force) ` -ChangePasswordAtLogon $true ` -Path "CN=Users,DC=test,DC=local" # verify Get-ADUser -Identity "uone" 6. Download Ubuntu 24.04.3 Desktop from https://ubuntu.com/download/desktop 7. 
Configure Ubuntu VM: virt-install --name ubuntuone \ --virt-type kvm --memory 4096 --vcpus 4 \ --disk size=20 \ --cdrom /path/to/ubuntu/iso/ubuntu-24.04.3-desktop-amd64.iso \ --network network:default \ --osinfo ubuntu24.04 \ --noautoconsole \ --graphics spice # use either the virt-manager or the remote-viewer to connect to the VMs console. The following is a sample command for the remote-viewer. You can get the VMs spice port by running: virsh dumpxml ubuntuone | grep graphics ubuntuone # connect to VMs graphical interface (change port if needed) remote-viewer spice://127.0.0.1:5900 8. Set DNS server to Windows machine IP address (we want the .local domain from the example to be resolved by the Windows DNS) sudo systemctl disable systemd-resolved sudo systemctl stop systemd-resolved Make /etc/resolv.conf a static file and add 'nameserver <windos machine IP> 9. Install required packages (ssh server may be helpful to interact with the Ubuntu VM, but is optional) sudo apt install sssd-ad sssd-tools realmd adcli openssh-server # discover and join the realm. Supporting documentation [2] sudo realm -v discover test.local sudo realm join test.local sudo pam-auth-update --enable mkhomedir # verification - it will dump data from the passwd database. The output from both commands should be the same and similar to the following: # [email protected]:*:1355801103:1355800513:User One:/home/[email protected]:/bin/bash getent passwd [email protected] getent passwd [email protected] 10. install adsys package and generate policy files. Supporting documentation [3] sudo apt install adsys adsysctl policy admx lts-only 11. 
Install policy files on the Windows machine # Copy Ubuntu.adml and Ubuntu.admx to the Windows machine # On windows, add policy files to the proper destination New-Item -Path $CentralStorePath -ItemType Directory -Force # Change the -Path, if needed, to the location of your policy files Copy-Item -Path C:\Users\Administrator\*.admx -Destination $CentralStorePath -Force -Verbose # Define source path for .adml files (adjust to your source location) $AdmlDestination = Join-Path -Path $CentralStorePath -ChildPath "en-US" New-Item -Path $AdmlDestination -ItemType Directory -Force # Change the -Path, if needed, to the location of your policy files Copy-Item -Path C:\Users\Administrator\*.adml -Destination $AdmlDestination -Force -Verbose # verify Get-ChildItem -Path $CentralStorePath -Filter *.admx Get-ChildItem -Path "$CentralStorePath\en-US" -Filter *.adml 12. Restart Ubuntu VM 13. Test login from the command line + # Testing from the command line is only possible on Ubuntu Noble and older due to this bug [4] # this should fail without the patch (UPN is used for login) sudo login [email protected] # It will fail with the following error: Applying user settings ERROR Error from server: error while updating policy: can't get policies for "[email protected]": failed to retrieve the list of GPO (exited with 1): exit status 1 Searching for account failed with: Failed to find account userone # this will work even without the fix (SAM is used for login) # I had to change the password during the first log in. sudo login [email protected] - 14. Apply the patch by installig fixed adsys package and repeat the + # Testing from GUI (all Ubuntu releases) + # On the Ubuntu Desktop login screen, click 'Not listed?' at the bottom of the user name that was provided during the Ubuntu installation + # In the 'username' field, provide the UPN: [email protected] + # The login will fail with the following message: 'Sorry, password authentication didn't work. Please try again.' 
+ # Go back by clicking the '<' icon on the left of the 'password' field, and use SAM for login: [email protected] + # The login will succeed. Supporting documentation on the GUI login [5]. + + 14. Apply the patch by installing the fixed adsys package and repeat the tests with UPN and SAM logins. They both should work. + [ Where problems could occur ] The patch code now differentiates a lookup for the 'user' and a 'computer' object class. - For the 'computer' object class the code remains exactly the same as it was. For the + For the 'computer' object class, the code remains exactly the same as it was. For the 'user' object class, the patch first executes the previous search, next adds a fallback search if the one that was used before - doesn't return any value. In the worst case regression scenario, the following bad + doesn't return any value. In the worst-case regression scenario, the following bad things can happen: - if a 'compute' object class is used and fails, the computer policies won't be applied - - if a 'user' object class serach fails for SAM, the user won't be able to log in using her/his SAM, but may try the UPN instead - - if a 'user' object class serach fails for UPN, the user won't be able to log in using het/his UPN, however, for the situations where UPN doesn't contain SAM, this doesn't work without the patch. + - if a 'user' object class search fails for SAM, the user won't be able to log in using her/his SAM, but may try the UPN instead + - if a 'user' object class search fails for UPN, the user won't be able to log in using het/his UPN, however, for the situations where UPN doesn't contain SAM, this doesn't work without the patch. [ Other Info ] - This is backport from upsteream [1]. + This is a backport from Upstream [1]. 
[1] https://github.com/ubuntu/adsys/pull/1275/commits/4c2449c78bb7314a5342f237bdb0ce34543a04fd [2] https://documentation.ubuntu.com/server/how-to/sssd/with-active-directory/ [3] https://documentation.ubuntu.com/adsys/stable/how-to/set-up-ad/ + [4] https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/2125766 + [5] https://documentation.ubuntu.com/server/how-to/sssd/with-active-directory/#ubuntu-desktop-authentication
-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to adsys in Ubuntu.
https://bugs.launchpad.net/bugs/2125134

Title:
  Allow searching GPO list by userPrincipalName

Status in adsys package in Ubuntu:
  In Progress
Status in adsys source package in Jammy:
  New
Status in adsys source package in Noble:
  New
Status in adsys source package in Plucky:
  New
Status in adsys source package in Questing:
  In Progress

Bug description:
  [ Impact ]

  Adsys user lookup assumes that a partial UserPrincipalName (UPN) will equal the sAMAccountName (SAM). For example, if a user has the UPN "[email protected]" and the SAM "uone" in Active Directory, the lookup will fail. If the SAM were "userone", adsys would behave correctly. Users normally log in using their UPN, and usually the SAM is the same as the UPN without the '@' and the domain.

  Currently the Group Policy Object (GPO) search (by Adsys) is done by removing the '@' and everything after it from the UPN and searching for that value as the SAM. This fails whenever the SAM is not the part of the UPN before the '@' (i.e., SAM="uone", UPN="[email protected]"). The patch adds a search using the UPN if the search for the SAM fails, to support users that have the aforementioned discrepancy between the SAM and the UPN. Link to the upstream patch: [1].

  [ Test Plan ]

  The test plan consists of setting up two VMs (a Windows AD Domain Controller and an Ubuntu Desktop) on a KVM host, configuring the Domain Controller and the Ubuntu machine to connect to it, and authenticating users on Ubuntu against AD. The low-level procedure is as follows:

  1. Install virt-manager on your host if you choose to create the VMs with virt-manager:

     sudo apt update && sudo apt install virt-manager virt-viewer qemu-kvm libvirt-daemon-system libvirt-clients

  2. Download the Windows Server 2022 ISO image: https://www.microsoft.com/en-us/evalcenter/download-windows-server-2022

  3. Configure the Windows VM:

     virt-install --name winserver \
       --virt-type kvm --memory 4096 --vcpus 4 \
       --disk size=60 \
       --cdrom /path/to/windows/iso/SERVER_EVAL_x64FRE_en-us.iso \
       --network network:default \
       --osinfo detect=on \
       --noautoconsole \
       --graphics spice

     # Use either virt-manager or remote-viewer to connect to the VM's console. The following is a sample command for remote-viewer.
     # You can get the VM's spice port by running:
     virsh dumpxml winserver | grep graphics
     # Connect to the VM's graphical interface (change the port if needed)
     remote-viewer spice://127.0.0.1:5900

  4. Follow the installation in the VM. I picked the Windows Server 2022 Standard Evaluation, then Custom Install. During the installation the VM shuts down, so you will need to start it again with 'virsh start winserver'. The installation completes with Windows Core on the SConfig menu, which has multiple options. Use the menu items to configure the computer name, static IP, DNS server (remote server to forward requests to), default gateway, and time/timezone.

  5. Configure AD from the command line:

     powershell
     # Install the spice-guest-tools to enable copy/paste between the Windows guest and the host
     Invoke-WebRequest -Uri https://www.spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-latest.exe -OutFile sgtl.exe
     .\sgtl.exe
     # Install and configure the Domain Controller
     Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
     # The DSRM password is single-quoted on purpose: inside double quotes PowerShell expands "$d" and silently changes the password
     Install-ADDSForest `
       -DomainName "test.local" `
       -InstallDns `
       -DomainMode WinThreshold `
       -ForestMode WinThreshold `
       -SafeModeAdministratorPassword (ConvertTo-SecureString 'ao4Ahnuzah$d!eeg' -AsPlainText -Force) `
       -NoRebootOnCompletion:$false `
       -Force
     # The VM will restart to apply the changes
     # Verification
     Get-WindowsFeature -Name AD-Domain-Services
     nslookup test.local
     Install-WindowsFeature -Name RSAT-AD-PowerShell
     Import-Module ActiveDirectory
     # Add the test domain user
     New-ADUser `
       -SamAccountName "uone" `
       -UserPrincipalName "[email protected]" `
       -Name "User One" `
       -GivenName "User1" `
       -Surname "One1" `
       -Enabled $true `
       -AccountPassword (ConvertTo-SecureString "pAsswd&987!" -AsPlainText -Force) `
       -ChangePasswordAtLogon $true `
       -Path "CN=Users,DC=test,DC=local"
     # Verify
     Get-ADUser -Identity "uone"

  6. Download Ubuntu 24.04.3 Desktop from https://ubuntu.com/download/desktop

  7. Configure the Ubuntu VM:

     virt-install --name ubuntuone \
       --virt-type kvm --memory 4096 --vcpus 4 \
       --disk size=20 \
       --cdrom /path/to/ubuntu/iso/ubuntu-24.04.3-desktop-amd64.iso \
       --network network:default \
       --osinfo ubuntu24.04 \
       --noautoconsole \
       --graphics spice

     # Use either virt-manager or remote-viewer to connect to the VM's console. The following is a sample command for remote-viewer.
     # You can get the VM's spice port by running:
     virsh dumpxml ubuntuone | grep graphics
     # Connect to the VM's graphical interface (change the port if needed)
     remote-viewer spice://127.0.0.1:5900

  8. Set the DNS server to the Windows machine's IP address (we want the .local domain from the example to be resolved by the Windows DNS):

     sudo systemctl disable systemd-resolved
     sudo systemctl stop systemd-resolved

     Make /etc/resolv.conf a static file (by default it is a symlink to the systemd-resolved stub; replace the link with a regular file) and add 'nameserver <Windows machine IP>'.

  9. Install the required packages (an SSH server may be helpful to interact with the Ubuntu VM, but is optional):

     sudo apt install sssd-ad sssd-tools realmd adcli openssh-server
     # Discover and join the realm. Supporting documentation: [2]
     sudo realm -v discover test.local
     sudo realm join test.local
     sudo pam-auth-update --enable mkhomedir
     # Verification: both commands dump the user's entry from the passwd database. Their output should be the same and look like the following:
     # [email protected]:*:1355801103:1355800513:User One:/home/[email protected]:/bin/bash
     getent passwd [email protected]
     getent passwd [email protected]

  10. Install the adsys package and generate the policy files. Supporting documentation: [3]

      sudo apt install adsys
      adsysctl policy admx lts-only

  11. Install the policy files on the Windows machine:

      # Copy Ubuntu.adml and Ubuntu.admx to the Windows machine
      # On Windows, add the policy files to the Central Store. $CentralStorePath is not set anywhere in the original steps;
      # for the test.local domain the Central Store lives at the path below (adjust the domain to yours)
      $CentralStorePath = "\\test.local\SYSVOL\test.local\Policies\PolicyDefinitions"
      New-Item -Path $CentralStorePath -ItemType Directory -Force
      # Change the -Path, if needed, to the location of your policy files
      Copy-Item -Path C:\Users\Administrator\*.admx -Destination $CentralStorePath -Force -Verbose
      # Language subfolder of the Central Store for the .adml files
      $AdmlDestination = Join-Path -Path $CentralStorePath -ChildPath "en-US"
      New-Item -Path $AdmlDestination -ItemType Directory -Force
      # Change the -Path, if needed, to the location of your policy files
      Copy-Item -Path C:\Users\Administrator\*.adml -Destination $AdmlDestination -Force -Verbose
      # Verify
      Get-ChildItem -Path $CentralStorePath -Filter *.admx
      Get-ChildItem -Path "$CentralStorePath\en-US" -Filter *.adml

  12. Restart the Ubuntu VM.

  13. Test the login from the command line:

      # Testing from the command line is only possible on Ubuntu Noble and older due to this bug: [4]
      # This should fail without the patch (the UPN is used for login)
      sudo login [email protected]
      # It will fail with the following error:
      #   Applying user settings
      #   ERROR Error from server: error while updating policy: can't get policies for "[email protected]": failed to retrieve the list of GPO (exited with 1): exit status 1
      #   Searching for account failed with: Failed to find account userone
      # This will work even without the fix (the SAM is used for login)
      # I had to change the password during the first login.
      sudo login [email protected]

      Testing from the GUI (all Ubuntu releases):
      - On the Ubuntu Desktop login screen, click 'Not listed?' below the user name that was provided during the Ubuntu installation.
      - In the 'username' field, provide the UPN: [email protected]
      - The login will fail with the following message: 'Sorry, password authentication didn't work. Please try again.'
      - Go back by clicking the '<' icon on the left of the 'password' field, and use the SAM for login: [email protected]
      - The login will succeed. Supporting documentation on the GUI login: [5].

  14. Apply the patch by installing the fixed adsys package and repeat the tests with UPN and SAM logins. They both should work.

  [ Where problems could occur ]

  The patched code now differentiates a lookup for the 'user' and the 'computer' object class. For the 'computer' object class, the code remains exactly the same as it was. For the 'user' object class, the patch first executes the previous search, then adds a fallback search if the one that was used before doesn't return any value. In the worst-case regression scenario, the following bad things can happen:

  - if a 'computer' object class search is used and fails, the computer policies won't be applied
  - if a 'user' object class search fails for the SAM, the user won't be able to log in using her/his SAM, but may try the UPN instead
  - if a 'user' object class search fails for the UPN, the user won't be able to log in using her/his UPN; however, for the situations where the UPN doesn't contain the SAM, this doesn't work without the patch either.

  [ Other Info ]

  This is a backport from upstream [1].

  [1] https://github.com/ubuntu/adsys/pull/1275/commits/4c2449c78bb7314a5342f237bdb0ce34543a04fd
  [2] https://documentation.ubuntu.com/server/how-to/sssd/with-active-directory/
  [3] https://documentation.ubuntu.com/adsys/stable/how-to/set-up-ad/
  [4] https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/2125766
  [5] https://documentation.ubuntu.com/server/how-to/sssd/with-active-directory/#ubuntu-desktop-authentication
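The SAM-then-UPN lookup described under [ Impact ], as an added Go example that is neither adsys's code nor the upstream patch: it models the pre-patch lookup (strip "@domain", search as sAMAccountName) and the patched lookup (same search, then a userPrincipalName fallback) against a constructed in-memory directory standing in for the domain controller, and escapes the login name before it is placed in the LDAP filter. The escaping and the "only fall back when the login has a domain part" rule are assumptions about how such a fallback should be built, not a description of what adsys does.

```go
package main

import (
	"fmt"
	"strings"
)

// account is a constructed stand-in for the AD attributes the lookup needs.
type account struct {
	sAMAccountName, userPrincipalName string
	gpos                              []string // constructed GPO names applying to the account
}

// directory stands in for the DC; the first entry mirrors the bug's test user.
var directory = []account{
	{"uone", "userone@test.local", []string{"Default Domain Policy", "Ubuntu-Users"}},
	{"utwo", "utwo@test.local", []string{"Default Domain Policy"}},
}

// ldapEscape escapes per RFC 4515 so '(', ')', '*', '\' or NUL in a login name cannot alter a filter.
var ldapEscape = strings.NewReplacer(`\`, `\5c`, "(", `\28`, ")", `\29`, "*", `\2a`, "\x00", `\00`)

// search builds the user-object filter a real lookup would send to the DC and evaluates
// it against directory; AD matches both attributes case-insensitively, hence EqualFold.
func search(attr, value string) (filter string, hit *account) {
	filter = fmt.Sprintf("(&(objectClass=user)(%s=%s))", attr, ldapEscape.Replace(value))
	for i, a := range directory {
		v := map[string]string{"sAMAccountName": a.sAMAccountName, "userPrincipalName": a.userPrincipalName}[attr]
		if v != "" && strings.EqualFold(v, value) {
			return filter, &directory[i]
		}
	}
	return filter, nil
}

// lookupOld is the pre-patch behaviour: strip "@domain" and search the rest as the SAM.
func lookupOld(login string) ([]string, error) {
	sam, _, _ := strings.Cut(login, "@")
	if _, a := search("sAMAccountName", sam); a != nil {
		return a.gpos, nil
	}
	return nil, fmt.Errorf("failed to find account %s", sam)
}

// lookupNew runs the old search first and falls back to userPrincipalName only when the
// login carries a domain part, so a bare SAM never triggers a UPN search.
func lookupNew(login string) ([]string, error) {
	if gpos, err := lookupOld(login); err == nil {
		return gpos, nil
	}
	if _, _, hasDomain := strings.Cut(login, "@"); hasDomain {
		if _, a := search("userPrincipalName", login); a != nil {
			return a.gpos, nil
		}
	}
	return nil, fmt.Errorf("failed to find account %q by sAMAccountName or userPrincipalName", login)
}

func main() { fmt.Println(lookupOld("userone@test.local")); fmt.Println(lookupNew("userone@test.local")) }
```

Running it shows the old lookup failing for "userone@test.local" exactly as in step 13, and the new lookup resolving the same login through the UPN fallback.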

