** Project changed: cyrus-sasl2 => ubuntu-translations
** Changed in: ubuntu-translations
Importance: Unknown => Undecided
** Changed in: ubuntu-translations
Status: Unknown => New
** Changed in: ubuntu-translations
Remote watch: github.com/cyrusimap/cyrus-sasl/issues #600 => None
** Tags removed: verification-needed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703
Title:
Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
To manage notifications about this
This bug was fixed in the package sssd - 1.16.1-1ubuntu1.7
---
sssd (1.16.1-1ubuntu1.7) bionic; urgency=medium
* Enable support for "ad_use_ldaps" for new Active Directory
requirement ADV190023 (LP: #1868703):
-
This bug was fixed in the package sssd - 2.2.3-3ubuntu0.1
---
sssd (2.2.3-3ubuntu0.1) focal; urgency=medium
* Enable support for "ad_use_ldaps" for new Active Directory
requirement ADV190023 (LP: #1868703):
-
Łukasz? From what I understand reading these bugs the regression found
was not in sssd, so it should be releasable back to -updates (and
-security), but I'd like to check!
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Can we get the sssd package moved again please? I've got over 200 VMs
depending on this.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703
Title:
Support "ad_use_ldaps" flag for new AD
Thanks Tobias for the testing. Good to hear it functions as intended.
Performing verification for Bionic
I installed adcli 0.8.2-1ubuntu1.2 from -proposed, and joined a domain
without using the --use-ldaps flag.
https://paste.ubuntu.com/p/RByVZRPhCK/
Next, I added the firewall rules from the
Target server was Windows 2012R2 with 2019 AD schema.
The servicePrincipalName error in the output is unrelated (the reason I
still use #net ads join).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
verification-done-bionic
adcli 0.8.2-1ubuntu1.2
libsasl2-2 2.1.27~101-g0780600+dfsg-3ubuntu2.1
I did all from the testcase with and without --use-ldaps
# adcli join --verbose -U admin-karnat -O
ou=Dummy,ou=IT,dc=REMONDIS-DE,dc=LOCAL --os-name=Ubuntu --os-version=18
Hi Tobias,
If you have a moment, could you please help test the new adcli package
in -proposed? Mainly focusing on testing Bionic, to ensure the
regression has been fixed.
Can you run through some tests with and without the --use-ldaps flag?
You can install the new adcli package in -proposed
** Tags removed: sts-sponsor sts-sponsor-slashd verification-done-bionic
** Tags added: verification-failed-bionic
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703
Title:
Support
For what it's worth, we have gotten a report about adcli as well.
Lukasz will pull adcli from -upgrades/-security as well. We're
investigating the failures.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
It is most likely the adcli package and not sssd as the reported bug
happens on the domain join
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703
Title:
Support "ad_use_ldaps" flag for new AD
For now, I have pulled the sssd update from -upgrades/-security into
-proposed.
** Changed in: sssd (Ubuntu Focal)
Status: Fix Released => Fix Committed
** Changed in: sssd (Ubuntu Bionic)
Status: Fix Released => Fix Committed
--
You received this bug notification because you are
@Mattew - FYI a new bug report indicates that this update might have broken
some users.
Might I ask you - as the Author - to please investigate bug 1906673
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
As per discussion, and since the packages have been built with -security
in mind, I'll proceed with releasing those to the security pockets as
well.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
This bug was fixed in the package sssd - 1.16.1-1ubuntu1.7
---
sssd (1.16.1-1ubuntu1.7) bionic; urgency=medium
* Enable support for "ad_use_ldaps" for new Active Directory
requirement ADV190023 (LP: #1868703):
-
This bug was fixed in the package adcli - 0.8.2-1ubuntu1
---
adcli (0.8.2-1ubuntu1) bionic; urgency=medium
* Enable support for "use-ldaps" for new Active Directory
requirement ADV190023 (LP: #1868703):
- d/p/lp-1868703-01-Use-GSS-SPNEGO-if-available.patch
-
This bug was fixed in the package sssd - 2.2.3-3ubuntu0.1
---
sssd (2.2.3-3ubuntu0.1) focal; urgency=medium
* Enable support for "ad_use_ldaps" for new Active Directory
requirement ADV190023 (LP: #1868703):
-
This bug was fixed in the package adcli - 0.9.0-1ubuntu0.20.04.1
---
adcli (0.9.0-1ubuntu0.20.04.1) focal; urgency=medium
* Enable support for "use-ldaps" for new Active Directory
requirement ADV190023 (LP: #1868703):
- d/p/lp-1868703-01-Use-GSS-SPNEGO-if-available.patch
This bug was fixed in the package adcli - 0.9.0-1ubuntu1.2
---
adcli (0.9.0-1ubuntu1.2) groovy; urgency=medium
* Fixup "use-ldaps" option to add missing subcommands, as a part of
enabling support for new active directory requirement ADV190023
(LP: #1868703):
-
** Tags added: verification-done
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703
Title:
Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
To manage notifications about this bug
Verification for sssd on Bionic:
The customer tested sssd from -updates, version 1.16.1-1ubuntu1.6 and
the package from -proposed, version 1.16.1-1ubuntu1.7.
Begins:
Before applying the patch [package from -proposed] I confirmed open
ports to our domain controllers using ss and grepping for the
Verification for sssd on Focal:
The customer tested sssd from -updates, version 2.2.3-3 and the package
from -proposed, version 2.2.3-3ubuntu0.1.
Begins:
I have successfully tested the [package from -proposed] on Ubuntu
20.04.1.
Before applying the patch [package from -proposed] I confirmed
Performing verification of adcli on Bionic
The patches for Bionic are a bit more involved, as it adds the whole
--use-ldaps ecosystem.
Firstly, I installed adcli 0.8.2-1 from -updates. The manpage did not
have any mention of --use-ldaps, and if I ran a command with --use-
ldaps, it would
Performing verification of adcli on Focal
The patches for Focal are a bit more involved, as it adds the whole
--use-ldaps ecosystem.
Firstly, I installed adcli 0.9.0-1 from -updates. The manpage did not
have any mention of --use-ldaps, and if I ran a command with --use-
ldaps, it would complain
Performing verification of adcli on Groovy.
Groovy only required one patch, which fixed a missed enablement of
--use-ldaps for the testjoin and update commands.
So, just testing those two.
I installed adcli 0.9.0-1ubuntu1 from -updates, and I set everything up
by issuing a join command. After
Hi Tobias, thanks for testing and verifying! I really appreciate it, and
it's good to hear that everything works.
I'll just add some of my own test output below, and we should be good to
go for a release to -updates in about a week's time.
--
You received this bug notification because you are a
Thanks for the testing Tobias !
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703
Title:
Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
To manage notifications about this bug
Yes, I did all from the testcase.
Additionally I did a AD-Join with LDAPS:
# adcli join --use-ldaps -U admin-karnat -O
ou=Dummy,ou=IT,dc=REMONDIS-DE,dc=LOCAL
And a login with an AD-User with public key saved as attribute
# grep ldap_user_ssh_public_key /etc/sssd/sssd.conf
@tobias, thanks for your comment.
Could you elaborate on the reproducer you took to test ?
Was it the one from the [test case] ?
SRU team will want the general steps taken to verify that package.
- Eric
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
verification-done-focal
adcli 0.9.0-1ubuntu0.20.04.1
sssd 2.2.3-3ubuntu0.1
verification-done-groovy
adcli 0.9.0-1ubuntu1.2
** Tags removed: verification-needed-focal verification-needed-groovy
** Tags added: verification-done-focal verification-done-groovy
--
You received this bug notification
verification-done-bionic
adcli 0.8.2-1ubuntu1
sssd 1.16.1-1ubuntu1.7
For focal I can't find the new package in proposed and 2.2.3-3ubuntu1 points to
a different fix?!
https://launchpad.net/ubuntu/+source/sssd/2.2.3-3ubuntu1
sssd
Hello Tobias, or anyone else affected,
Accepted sssd into focal-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/sssd/2.2.3-3ubuntu1 in
a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
So it seems Brian approved the earlier source upload instead. Let me
bump the version number, rebuild, sync and re-accept.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703
Title:
Support
[STS-SPONSOR] [ADCLI]
[BIONIC]
lgtm.
[FOCAL]
lgtm.
Please don't forget to ping security team to sponsor it in the -security pocket
once landed in -updates for both adcli and sssd.
- Eric
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
[STS-SPONSOR] [SSSD]
[BIONIC]
lgtm.
[FOCAL]
lgtm.
Please don't forget to ping security team to sponsor it in the -security
pocket once landed in -updates for both adcli and sssd.
- Eric
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
** Description changed:
+ ***
+ [NOTE FOR SRU VERIFICATION TEAM]
+
+ From security team :
+ "
+ Since this is more of a hardening measure and does not directly fix a
+ security vulnerability it is not really appropriate to go to just
+ -security - and so the SRU process should be followed as
[STS-SPONSOR] [ADCLI]
Sponsored in both Focal and Bionic.
[FOCAL]
* Changed the version in d/changelog in Focal from "0.9.0-1ubuntu1" to
"0.9.0-1ubuntu0.20.04.1".
Groovy has already that version "0.9.0-1ubuntu1".
[BIONIC]
lgtm.
Thanks for your contribution Matthew.
--
You received this bug
Hello Tobias, or anyone else affected,
Accepted adcli into groovy-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/adcli/0.9.0-1ubuntu1.1
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
Thanks Lukasz !
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703
Title:
Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
To manage notifications about this bug go to:
Hello! I did a quick review of the adcli changes and those seem to be
fine, but I agree this might be something that could go to -security. I
would like to at least get the security team to decide. If they say it
should go to the -security pocket as well, I have uploaded the groovy
package to a
I think it might be something we might like to have in -security pocket.
I'll talk to sil2100 to see what he thinks about it, while approving the
upload in Groovy for adcli.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
I'll continue the sponsoring first thing first next week for
Focal/Bionic.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703
Title:
Support "ad_use_ldaps" flag for new AD requirements
[STS-SPONSOR][GROOVY][ADCLI]
Sponsored in Groovy.
Minor nitpicks:
* Rename the quilt patch from
"lp-1868703-01-tools-add-missing-use-ldaps-option-to-update-and-testjoin.patch"
to "lp1868703-tools-add-missing-use-ldaps-option-to-update-and-testjoin.patch"
Versioning the patch w/ "01" in this
[STS-SPONSOR]
Sponsored in active development release (hirsute). Once it is landed in
hirsute-releases, I'll go ahead with the SRU sponsoring.
- Eric
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Changed in: adcli (Ubuntu Groovy)
Status: Fix Released => In Progress
** Changed in: adcli (Ubuntu Groovy)
Assignee: (unassigned) => Matthew Ruffell (mruffell)
** Changed in: adcli (Ubuntu Groovy)
Importance: Undecided => Medium
--
You received this bug notification because
** Description changed:
[Impact]
Microsoft has released a new security advisory for Active Directory (AD)
which outlines that man-in-the-middle attacks can be performed on a LDAP
server, such as AD DS, that works by an attacker forwarding an
authentication request to a Windows LDAP
Attached is a revised debdiff for adcli for Focal.
** Patch added: "adcli debdiff for Focal v2"
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432871/+files/lp1868703_adcli_focal_v2.debdiff
--
You received this bug notification because you are a member of Ubuntu
Attached is a revised debdiff for adcli in Bionic.
** Patch added: "adcli debdiff for Bionic v2"
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432874/+files/lp1868703_adcli_bionic_v2.debdiff
--
You received this bug notification because you are a member of Ubuntu
Attached is a debdiff for adcli in Groovy.
** Patch added: "adcli debdiff for groovy"
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432870/+files/lp1868703_adcli_groovy.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Attached is a debdiff for adcli for Hirsute.
** Patch added: "adcli debdiff for hirsute"
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432869/+files/lp1868703_adcli_hirsute.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs,
Attached is a revised debdiff for sssd for Bionic.
** Patch added: "sssd debdiff for Bionic v2"
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432867/+files/lp1868703_sssd_bionic_v2.debdiff
--
You received this bug notification because you are a member of Ubuntu
Attached is a revised debdiff for sssd for Focal.
** Patch added: "sssd debdiff for Focal v2"
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432866/+files/lp1868703_sssd_focal_v2.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs,
** Patch removed: "adcli debdiff for Focal"
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432450/+files/lp1868703_adcli_focal.debdiff
** Patch removed: "sssd debdiff for Focal"
** Description changed:
[Impact]
Microsoft has released a new security advisory for Active Directory (AD)
which outlines that man-in-the-middle attacks can be performed on a LDAP
server, such as AD DS, that works by an attacker forwarding an
authentication request to a Windows LDAP
[STS-SPONSOR]
* Remove the link "https://portal.msrc.microsoft.com/en-us/security-
guidance/advisory/ADV190023" from d/changelog and please add it in the
patches DEP3 header as follows:
Bug: https://portal.msrc.microsoft.com/en-us/security-
guidance/advisory/ADV190023
NOTE: Please do keep a
[STS-SPONSOR]
* Was it intentional to add the patchset at the bottom of the quilt
stack in the SSSD src package ?
If not, could you please correct it and add them at the top of the stack
? At first glance, they should still apply cleanly after that chane.
* I came accross this change in adcli:
[STS-SPONSOR]
* Was it intentional to add the patchset at the bottom of the quilt
stack in the SSSD src package ?
If not, could you please correct it and add them at the top of the stack
? At first glance, they should still apply cleanly after that chane.
* I came accross this change in adcli:
** Tags added: sts-sponsor-slashd
** Also affects: sssd (Ubuntu Hirsute)
Importance: High
Status: Fix Released
** Changed in: sssd (Ubuntu Hirsute)
Importance: High => Undecided
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
** Tags added: sts-sponsor
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703
Title:
Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
To manage notifications about this bug go
Attached is a sssd debdiff for Focal
** Patch added: "sssd debdiff for Focal"
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432451/+files/lp1868703_sssd_focal.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Attached is a sssd debdiff for Bionic
** Patch added: "sssd debdiff for Bionic"
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432453/+files/lp1868703_sssd_bionic.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Attached is a debdiff for adcli on Focal.
** Patch added: "adcli debdiff for Focal"
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432450/+files/lp1868703_adcli_focal.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Attached is a adcli debdiff for Bionic
** Patch added: "adcli debdiff for Bionic"
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+attachment/5432452/+files/lp1868703_adcli_bionic.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
** Summary changed:
- Support new AD requirements (ADV190023)
+ Support "ad_use_ldaps" flag for new AD requirements (ADV190023)
** Description changed:
- Please backport the following patch to add the option ad_use_ldaps.
+ [Impact]
- With this new boolean option the AD provider should only
66 matches
Mail list logo
