** Changed in: adsys (Ubuntu Plucky)
Status: New => In Progress
** Changed in: adsys (Ubuntu Noble)
Status: New => In Progress
** Changed in: adsys (Ubuntu Jammy)
Status: New => In Progress
https://bugs.launchpad.net/bugs/2125134
Title:
Allow searching GPO list by userPrincipalName
Status in adsys package in Ubuntu:
Fix Released
Status in adsys source package in Jammy:
In Progress
Status in adsys source package in Noble:
In Progress
Status in adsys source package in Plucky:
In Progress
Status in adsys source package in Questing:
In Progress
Bug description:
[ Impact ]
The adsys user lookup assumes that a partial userPrincipalName (UPN) will equal
the sAMAccountName (SAM).
For example, if a user has the UPN "[email protected]" and the SAM "uone" in
Active Directory, the lookup will fail.
If the SAM were "userone", adsys would behave correctly.
Users normally log in using their UPN, and usually the SAM is the same as the UPN
without the '@' and the domain.
Currently the Group Policy Object (GPO) search (by adsys) is done by removing
the '@' and everything after it from the UPN and searching for that value as the SAM.
This fails for cases where the SAM does not match the part of the UPN before the
'@' (i.e., SAM="uone", UPN="[email protected]"). The patch adds a search using the
UPN if the search for the SAM fails, to support users that have the
aforementioned discrepancy between the SAM and UPN.
Link to the upstream patch: [1].
[ Test Plan ]
Test plan consists of setting up two VMs (Windows AD Domain Controller and
Ubuntu Desktop) on a KVM host, followed by configuring the Domain Controller
and the Ubuntu machine to connect to it, and authenticate users on Ubuntu
against AD. The low level procedure is as follows:
1. Install virt-manager on your host if you choose to create VMs with
virt-manager:
sudo apt update && sudo apt install virt-manager virt-viewer qemu-kvm libvirt-daemon-system libvirt-clients
2. Download the Windows Server 2022 ISO image:
https://www.microsoft.com/en-us/evalcenter/download-windows-server-2022
3. Configure the Windows VM:
virt-install --name winserver \
--virt-type kvm --memory 4096 --vcpus 4 \
--disk size=60 \
--cdrom /path/to/windows/iso/SERVER_EVAL_x64FRE_en-us.iso \
--network network:default \
--osinfo detect=on \
--noautoconsole \
--graphics spice
# use either virt-manager or remote-viewer to connect to the VM's console.
# The following is a sample command for remote-viewer. You can get the VM's
# spice port by running:
virsh dumpxml winserver | grep graphics
# connect to the VM's graphical interface (change the port if needed)
remote-viewer spice://127.0.0.1:5900
4. Follow the installation in the VM. I picked the Windows Server 2022
Standard Evaluation, then Custom Install. During the installation the VM
shuts down, so you will need to start it with 'virsh start winserver'.
Installation completes with Windows Core at the SConfig menu with
multiple options. Use the menu items to configure the computer name,
static IP, DNS server (remote server to forward requests to), default gateway,
and time/timezone.
5. Configure AD from the command line:
powershell
# install the spice-guest-tools to enable copy/paste between the Windows
# guest and host
Invoke-WebRequest -Uri https://www.spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-latest.exe -OutFile sgtl.exe
# install spice-guest-tools
.\sgtl.exe
# install and configure the Domain Controller
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
# the DSRM password is single-quoted on purpose: inside double quotes PowerShell
# would expand "$d" as a variable and silently set a different password
Install-ADDSForest `
    -DomainName "test.local" `
    -InstallDns `
    -DomainMode WinThreshold `
    -ForestMode WinThreshold `
    -SafeModeAdministratorPassword (ConvertTo-SecureString 'ao4Ahnuzah$d!eeg' -AsPlainText -Force) `
    -NoRebootOnCompletion:$false `
    -Force
# VM will restart to apply changes
# verification
Get-WindowsFeature -Name AD-Domain-Services
nslookup test.local
Install-WindowsFeature -Name RSAT-AD-PowerShell
Import-Module ActiveDirectory
# add test domain user
New-ADUser `
    -SamAccountName "uone" `
    -UserPrincipalName "[email protected]" `
    -Name "User One" `
    -GivenName "User1" `
    -Surname "One1" `
    -Enabled $true `
    -AccountPassword (ConvertTo-SecureString 'pAsswd&987!' -AsPlainText -Force) `
    -ChangePasswordAtLogon $true `
    -Path "CN=Users,DC=test,DC=local"
# verify
Get-ADUser -Identity "uone"
6. Download Ubuntu 24.04.3 Desktop from
https://ubuntu.com/download/desktop
7. Configure Ubuntu VM:
virt-install --name ubuntuone \
--virt-type kvm --memory 4096 --vcpus 4 \
--disk size=20 \
--cdrom /path/to/ubuntu/iso/ubuntu-24.04.3-desktop-amd64.iso \
--network network:default \
--osinfo ubuntu24.04 \
--noautoconsole \
--graphics spice
# use either virt-manager or remote-viewer to connect to the VM's console.
# The following is a sample command for remote-viewer. You can get the VM's
# spice port by running:
virsh dumpxml ubuntuone | grep graphics
# connect to the VM's graphical interface (change the port if needed)
remote-viewer spice://127.0.0.1:5900
8. Set the DNS server to the Windows machine's IP address (we want the .local domain
from the example to be resolved by the Windows DNS):
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
Make /etc/resolv.conf a static file and add 'nameserver <Windows machine IP>'.
9. Install required packages (ssh server may be helpful to interact with the
Ubuntu VM, but is optional)
sudo apt install sssd-ad sssd-tools realmd adcli openssh-server
# discover and join the realm. Supporting documentation [2]
sudo realm -v discover test.local
sudo realm join test.local
sudo pam-auth-update --enable mkhomedir
# verification - both commands look the user up in the passwd database. The output
# of both should be the same and similar to the following:
# [email protected]:*:1355801103:1355800513:User One:/home/[email protected]:/bin/bash
getent passwd [email protected]
getent passwd [email protected]
10. install adsys package and generate policy files. Supporting documentation
[3]
sudo apt install adsys
adsysctl policy admx lts-only
11. Install the policy files on the Windows machine
# Copy Ubuntu.adml and Ubuntu.admx to the Windows machine
# On Windows, add the policy files to the proper destination. $CentralStorePath is
# not set by the steps above; this is the standard Central Store location in SYSVOL
# (assumed here, adjust for your domain)
$CentralStorePath = "\\test.local\SYSVOL\test.local\Policies\PolicyDefinitions"
New-Item -Path $CentralStorePath -ItemType Directory -Force
# Change the -Path, if needed, to the location of your policy files
Copy-Item -Path C:\Users\Administrator\*.admx -Destination $CentralStorePath -Force -Verbose
# Language-specific .adml files go in the en-US subfolder of the Central Store
$AdmlDestination = Join-Path -Path $CentralStorePath -ChildPath "en-US"
New-Item -Path $AdmlDestination -ItemType Directory -Force
# Change the -Path, if needed, to the location of your policy files
Copy-Item -Path C:\Users\Administrator\*.adml -Destination $AdmlDestination -Force -Verbose
# verify
Get-ChildItem -Path $CentralStorePath -Filter *.admx
Get-ChildItem -Path "$CentralStorePath\en-US" -Filter *.adml
12. Restart Ubuntu VM
13. Test login from the command line
# Testing from the command line is only possible on Ubuntu Noble and older
due to this bug [4]
# this should fail without the patch (UPN is used for login)
sudo login [email protected]
# It will fail with the following error:
Applying user settings
ERROR Error from server: error while updating policy: can't get policies for
"[email protected]": failed to retrieve the list of GPO (exited with 1): exit
status 1
Searching for account failed with: Failed to find account userone
# this will work even without the fix (SAM is used for login)
# I had to change the password during the first log in.
sudo login [email protected]
# Testing from GUI (all Ubuntu releases)
# On the Ubuntu Desktop login screen, click 'Not listed?' at the bottom of
the user name that was provided during the Ubuntu installation
# In the 'username' field, provide the UPN: [email protected]
# The login will fail with the following message: 'Sorry, password
authentication didn't work. Please try again.'
# Go back by clicking the '<' icon on the left of the 'password' field, and
use SAM for login: [email protected]
# The login will succeed. Supporting documentation on the GUI login [5].
14. Apply the patch by installing the fixed adsys package and repeat
the tests with UPN and SAM logins. They both should work.
[ Where problems could occur ]
The patched code now differentiates between a lookup for the 'user' and for the
'computer' object class.
For the 'computer' object class, the code remains exactly the same as it was.
For the 'user' object class, the patch first executes the previous search, then adds
a fallback search if the previous one doesn't return any value. In the worst-case
regression scenario, the following bad things can happen:
- if a 'computer' object class search fails, the computer policies won't be applied
- if a 'user' object class search fails for the SAM, the user won't be able to log
in using her/his SAM, but may try the UPN instead
- if a 'user' object class search fails for the UPN, the user won't be able to log
in using her/his UPN; however, for the situations where the UPN doesn't contain the
SAM, this doesn't work without the patch either.
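The lookup order from [ Impact ] and the fallback behaviour weighed above, as an added example that is not adsys's own code: a Python model of the user search run against a constructed in-memory directory (the DNs and the second user are made up), with the login string escaped per RFC 4515 before it is placed in an LDAP filter.

```python
# Added example, not adsys's own code: the sAMAccountName-first, UPN-fallback user
# lookup described in the bug, run against a constructed in-memory directory.

def escape_filter_value(value):
    """RFC 4515 escaping so a login string cannot reshape the LDAP filter it lands in."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def ldap_filter(attribute, value):
    """Equality filter for a 'user' object on one attribute."""
    return "(&(objectClass=user)(%s=%s))" % (attribute, escape_filter_value(value))

def lookup_plan(login, fallback=True):
    """Ordered (attribute, value) searches for a login.
    Pre-patch: only the login with '@domain' stripped, searched as sAMAccountName.
    Patched: the same search first, then userPrincipalName when the login is a UPN."""
    plan = [("sAMAccountName", login.split("@", 1)[0])]
    if fallback and "@" in login:
        plan.append(("userPrincipalName", login))
    return plan

# Constructed sample directory: the first entry mirrors the test plan's user
# (SAM "uone", UPN userone@test.local); the second entry is made up.
DIRECTORY = [
    {"dn": "CN=User One,CN=Users,DC=test,DC=local",
     "sAMAccountName": "uone", "userPrincipalName": "userone@test.local"},
    {"dn": "CN=User Two,CN=Users,DC=test,DC=local",
     "sAMAccountName": "usertwo", "userPrincipalName": "usertwo@test.local"},
]

def search(directory, attribute, value):
    """Stand-in for an LDAP equality search; AD compares these attributes case-insensitively."""
    return [e for e in directory if e.get(attribute, "").lower() == value.lower()]

def find_user_dn(directory, login, fallback=True):
    """Return the DN the login resolves to, or None when every search in the plan fails."""
    for attribute, value in lookup_plan(login, fallback):
        hits = search(directory, attribute, value)
        if hits:
            return hits[0]["dn"]
    return None

if __name__ == "__main__":
    for login in ("userone@test.local", "uone@test.local", "usertwo@test.local"):
        print(login, "pre-patch:", find_user_dn(DIRECTORY, login, fallback=False),
              "patched:", find_user_dn(DIRECTORY, login))
```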
[ Other Info ]
This is a backport from Upstream [1].
[1] https://github.com/ubuntu/adsys/pull/1275/commits/4c2449c78bb7314a5342f237bdb0ce34543a04fd
[2] https://documentation.ubuntu.com/server/how-to/sssd/with-active-directory/
[3] https://documentation.ubuntu.com/adsys/stable/how-to/set-up-ad/
[4] https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/2125766
[5] https://documentation.ubuntu.com/server/how-to/sssd/with-active-directory/#ubuntu-desktop-authentication