sts-sponsors team mailing list archive

[Lukasz Zemczak <lukasz.zemczak@xxxxxxxxxxxxx>]

Ok, thanks for the clarification!

So, if I understand correctly, we should reinstate the reverted sssd
for all the series, and adcli for focal and groovy? Then for bionic
accept the cyrus-sasl2 upload + possibly an adcli with the changes
that were reverted? I suppose adcli would need a breaks statement in
that case.

Anyway, I'm around if any SRU reviews or package copying is needed.
Let me reach out to Eric.

Cheers,

On Wed, 9 Dec 2020 at 05:13, Matthew Ruffell
<matthew.ruffell@xxxxxxxxxxxxx> wrote:
>
> > Ok, so there was a LOT happening in this thread, so I'd use some quick summary.
> > Since what I'd like to know:
>
> > 1) Does this cyrus-sasl2 fix both the adcli and sssd regressions?
> > Since we reverted both as people were reporting regressions first for sssd
> > and then for adcli - not sure which one was the actual cause of it though
>
> The cyrus-sasl2 fix fixes the adcli regression, due to adcli changing to using
> GSS-SPNEGO by default, which was broken.
>
> sssd never had a regression in the first place, due to the changes having
> nothing to do with GSS-SPNEGO.
>
> The confusion with sssd came from confused users who did not know that adcli
> is the program under the hood of realm, and thought that sssd had broken, when
> in reality, it was adcli.
>
> > 2) Does it need fixing for all the stable series where we updated adcli and
> > (additionally) sssd?
>
> cyrus-sasl2 is only broken in Bionic. Focal onward already have the patch and
> work fine.
>
> Let me know if you have any more questions, happy to answer.
>
> Thanks,
> Matthew
>
> On Tue, Dec 8, 2020 at 4:57 PM Matthew Ruffell
> <matthew.ruffell@xxxxxxxxxxxxx> wrote:
> >
> > Hello Eric and Lukasz,
> >
> > I have created new debdiffs for adcli. Please review and also sponsor one
> > of them to -proposed.
> >
> > Since there are multiple versions of adcli floating around I made two debdiffs.
> >
> > Please choose the one most convenient / cleanest to apply.
> >
> > The first simply builds ontop of 0.8.2-1ubuntu1 currently in -proposed, and is
> > the version pull-lp-source pulls down. It simply adds the dependency
> > to the fixed
> > libsasl2-modules-gssapi-mit package with a greater than or equal to
> > relationship.
> >
> > Use of this debdiff requires 0.8.2-1ubuntu2 to be deleted from the upload queue,
> > and treated as 0.8.2-1ubuntu2 never existed.
> >
> > https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441872/+files/lp1906627_adcli_option_one.debdiff
> >
> > Option two builds upon 0.8.2-1ubuntu2, and re-applies all of the --use-ldaps
> > patches from the previous SRU which 0.8.2-1ubuntu2 reverts. It also adds the
> > dependency to the fixed libsasl2-modules-gssapi-mit package with a
> > greater than
> > or equal to relationship.
> >
> > https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441873/+files/lp1906627_adcli_option_two.debdiff
> >
> > My preference is for option one, but use whatever is required. I only made both
> > of these to lower round trip time due to timezones if you don't like the option
> > one idea.
> >
> > Thanks,
> > Matthew
> >
> > On Mon, Dec 7, 2020 at 3:25 PM Matthew Ruffell
> > <matthew.ruffell@xxxxxxxxxxxxx> wrote:
> > >
> > > Hi Eric, Lukasz,
> > >
> > > Please review and potentially sponsor the cyrus-sasl2 debdff attached
> > > to LP1906627.
> > >
> > > [1] https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627
> > >
> > > It fixes the root cause of the GSS-SPNEGO implementation being incompatible with
> > > Microsoft's implementation in Active Directory.
> > >
> > > If you are still planning to re-release adcli and sssd to -security, then you
> > > should also build cyrus-sasl2 in the same way:
> > >
> > > https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4336/+packages
> > >
> > > Again, I am sorry for causing the regression and these patches should fix the
> > > underlying cause.
> > >
> > > Thanks,
> > > Matthew



-- 
Łukasz 'sil2100' Zemczak
 Foundations Team
 lukasz.zemczak@xxxxxxxxxxxxx
 www.canonical.com