sssd hbac rule applicaton for AD users is inconsistent

Thanks for filing this bug in Ubuntu.

It looks like you are familiar with Ubuntu/Debian development. Do you think you would be able to make a merge proposal against this git branch for xenial?

https://code.launchpad.net/~usd-import-team/ubuntu/+source/sssd/+git/sssd/+ref/ubuntu/xenial-devel

If you are familiar with git and Ubuntu development, you can use our git workflow and the git-ubuntu helper tool.

Something like this, on a fresh xenial VM to show the setup steps:

$ sudo snap install git-ubuntu --classic
$ mkdir -p git/packages
$ cd git/packages
$ git ubuntu clone sssd
$ cd sssd
$ git checkout -b xenial-sssd-hbac-rule-1722936 pkg/ubuntu/xenial-devel

code away

$ git ubuntu submit

More information about this tool can be found in this blog post:
https://naccblog.wordpress.com/2017/08/01/git-ubuntu-clone/

I just started to try to do this - but it looks like the pkg/ubuntu/xenial-devel branch is at 1.13.4-1ubuntu1.8, but 1.13.4-1ubuntu1.9 has been released. Can that branch be updated?

Hm, you are right, something must have happened with the importer. I'll email ubuntu-server@ requesting for that branch to be updated and the importer checked.

Thanks

we restarted the importer and it's catching up. Should be up-to-date soon, later today.

I beg your pardon as it is great to see people participate.
Of course in that cases all kind of usual teething troubles hit :-/

I took the importer from beta and ran it test-wise - it imported it just fine.
So I ran it again including a push to the repo.
A subsequent git ubuntu clone had the most recent version as it should have had.

I hope this unblocks you.

Proposed merge - https://code.launchpad.net/~orion-cora/ubuntu/+source/sssd/+git/sssd/+merge/334317 hope I got that right.

Your freeipa server, is that on ubuntu or redhat/centos/fedora?

I deployed ubuntu's latest freeipa package (in bionic), but ran into some issues that I think come from some rh'isms that do not apply to debian systems and couldn't add a trust relationship to my test AD server. My next step would be to use a fedora vm and deploy freeipa there.

Server is EL 7.4.

please file bugs for RH'isms you find in freeipa, I have no AD to test against

that said, 4.6.2 will soon hit bionic

Thanks Timo, will do.

On Wed, Jan 3, 2018 at 6:50 AM, Timo Aaltonen <email address hidden> wrote:

> please file bugs for RH'isms you find in freeipa, I have no AD to test
> against
>
> that said, 4.6.2 will soon hit bionic
>
> --
> You received this bug notification because you are subscribed to sssd in
> Ubuntu.
> https://bugs.launchpad.net/bugs/1722936
>
> Title:
> sssd hbac rule applicaton for AD users is inconsistent
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1722936/+subscriptions
>

I've tried again: https://code.launchpad.net/~orion-cora/ubuntu/+source/sssd/+git/sssd/+merge/362837

Thank you. This fell through last time, apologies for that. I'm taking a look today.

Thank you. I'll probably have another one after this to deal with issues with sssh key lookup fixed by https://pagure.io/SSSD/sssd/c/cf89f552f06b95bd69d8c61aaa55a330a5d9f6e6?branch=master

I also chose to bring in the DEP8 tests we added to the package in later ubuntu releases, to give more confidence in this and upcoming SRUs.

should be fixed bionic and up

Hello Orion-cora, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.13 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

This update will soon be removed from proposed if there is no testing done.

@orion-cora, I know you submitted this mp a long time ago, we lost it, then you submitted again, and we thank you for that. Do you think you could try out the packages from -proposed?

I've installed the version from -proposed now. So far so good.

Actually, there seems to be a conflict with freeaip-client (+python-ipaclient python-ipalib python-libipa-hba) and this version of sssd.

Sorry - freeipa-client

What kind of conflict?

Are all your packages from ubuntu xenial?

Hmm, perhaps I was just missing all the different -proposed repositories - as after adding universe and multiverse I don't seem to have the problem any more

Hi @orion-cora, if everything is still fine, would you mind adjusting the tags in this bug according to comment #16? Thanks

This bug was fixed in the package sssd - 1.13.4-1ubuntu1.13

---------------
sssd (1.13.4-1ubuntu1.13) xenial; urgency=medium

  [Orion Poplawski]
  * Add upstream HBAC patch. Closes LP: #1722936.

  [Andreas Hasenack]
  * d/t/{common-tests,control,ldap-user-group-*-auth,login.exp,util}: add DEP8
    tests from later releases of Ubuntu (LP: #1793882)

 -- Andreas Hasenack <email address hidden> Fri, 08 Feb 2019 15:08:44 -0200

The verification of the Stable Release Update for sssd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.