[Bug 2112477] [NEW] Problems with AD nested groups

Launchpad Bug Tracker 2112477 at bugs.launchpad.net
Tue Dec 2 11:53:58 UTC 2025 

You have been subscribed to a public bug by Jorge Merlino (jorge-merlino):

[Impact]
There are some issues with the implementation of AD nested groups from LP #1638603

It works fine when listing the groups a user belongs to, but fails when
listing all members of a group. This function of listing all members is
also used to check if a user belongs to a group which also fails.

[Test Plan]
Test plan consists of setting up two VMs (Windows AD Domain Controller and Ubuntu server) on a KVM host. We need a functional keystone installation on the ubuntu server and we will use regress-stack for that. The ubuntu server version and installed packages have to be adjusted to test each affected keystone version.

The low level procedure is as follows:

1. Install virt-manager on your host

sudo apt update && sudo apt install virt-manager virt-viewer qemu-kvm
libvirt-daemon-system libvirt-clients

2. Download Windows Server 2022 iso image: https://www.microsoft.com/en-
us/evalcenter/download-windows-server-2022

3. Start the Windows VM:

virt-install --name winserver \
  --virt-type kvm --memory 4096 --vcpus 4 \
  --disk size=60 \
  --cdrom /path/to/windows/iso/SERVER_EVAL_x64FRE_en-us.iso \
  --network network:default \
  --osinfo detect=on,require=off \
  --noautoconsole \
  --graphics spice

4. Use either the virt-manager or the remote-viewer to connect to the
VMs console. The following is a sample command for the remote-viewer.
You can get the VMs spice port by running:

virsh dumpxml winserver | grep graphics

Connect to VMs graphical interface (change port if needed)

remote-viewer spice://127.0.0.1:5900

5. Follow the installation in the VM. I picked the Windows Server 2022
Standard Evaluation, then Custom Install. During the installation the VM
will shutdown so you will need to start it with:

virsh start winserver

Installation completes with the SConfig menu with multiple options. Use
the menu items to configure the computer name, IP address, default
gateway, and time/timezone. Remember the Administrator user password.

6. Install the spice-guest-tools to enable copy/paste between the
Windows guest and host

Invoke-WebRequest -Uri https://www.spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-latest.exe -OutFile sgtl.exe
.\sgtl.exe

An then reboot the server (run SConfig and then option 13)

7. Install and configure the Domain Controller

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSForest `
  -DomainName "test.local" `
  -InstallDns `
  -DomainMode WinThreshold `
  -ForestMode WinThreshold `
  -SafeModeAdministratorPassword (ConvertTo-SecureString "ao4Ahnuzah$d!eeg" -AsPlainText -Force) `
  -NoRebootOnCompletion:$false `
  -Force

VM will restart to apply changes

8. Verification

Get-WindowsFeature -Name AD-Domain-Services
nslookup test.local

9. Add groups for testing

New-ADOrganizationalUnit `
  -Name "groups" `
  -Path "DC=test,DC=local"
New-ADGroup `
  -Name "GroupA" `
  -SamAccountName GroupA `
  -GroupCategory Security `
  -GroupScope Global `
  -Path "OU=Groups,DC=test,DC=local" `
  -Description "Group A"
New-ADGroup `
  -Name "GroupB" `
  -SamAccountName GroupB `
  -GroupCategory Security `
  -GroupScope Global `
  -Path "OU=Groups,DC=test,DC=local" `
  -Description "Group B"

10. Add users for testing

New-ADUser `
  -SamAccountName "user1" `
  -UserPrincipalName "user1 at test.local" `
  -Name "User1" `
  -GivenName "User" `
  -Surname "One" `
  -Enabled $true `
  -AccountPassword (ConvertTo-SecureString "pAsswd&987!" -AsPlainText -Force) `
  -ChangePasswordAtLogon $true `
  -Path "CN=Users,DC=test,DC=local"
New-ADUser `
  -SamAccountName "user2" `
  -UserPrincipalName "user2 at test.local" `
  -Name "User2" `
  -GivenName "User" `
  -Surname "Two" `
  -Enabled $true `
  -AccountPassword (ConvertTo-SecureString "pAsswd&987!" -AsPlainText -Force) `
  -ChangePasswordAtLogon $true `
  -Path "CN=Users,DC=test,DC=local"

11. Add users to groups, and nest groups

Add-ADGroupMember `
  -Identity GroupA `
  -Members user1, GroupB
Add-ADGroupMember `
  -Identity GroupB `
  -Members user2

12. Verify

Get-ADUser -Identity "user1"
Get-ADUser -Identity "user2"
Get-ADGroup -Identity "groupA"
Get-ADGroup -Identity "groupB"

13. Download the appropriate ubuntu server version from
https://ubuntu.com/download/server

14. Configure Ubuntu VM:

virt-install --name ubuntu \
  --virt-type kvm --memory 4096 --vcpus 4 \
  --disk size=50 \
  --cdrom /path/to/ubuntu/iso/ubuntu<version>.iso \
  --network network:default \
  --osinfo ubuntu<version>

Use default values and enable the SSH server.
Login via ssh to the server after installation.

15. Install packages and regress-stack

If testing UCA packages that repo should be enabled first:

sudo add-apt-repository cloud-archive:<version>

sudo snap install openstackclients
git clone https://github.com/canonical/regress-stack.git
cd regress-stack
sudo snap install astral-uv --classic
uvx pre-commit install
sudo apt install -y dpkg-dev python3-dev python-apt-dev python3-openstackclient keystone apache2 libapache2-mod-wsgi-py3 mysql-server crudini python3-ldappool
uv sync
sudo uv run regress-stack setup
sudo cp /root/auth.rc ~
sudo chown $(id -u):$(id -g) ~/auth.rc
sudo crudini --set /etc/keystone/keystone.conf identity domain_specific_drivers_enabled true

16. Create file keystone.windows.lan.conf in /etc/keystone/domains with
these contents and set the windows server IP address and Administrator
password

[ldap]
url = ldap://<windows_server_ip>
user = CN=Administrator,CN=Users,DC=test,DC=local
password = <windows_admin_password>
suffix = DC=test,DC=local

user_allow_create = False
user_allow_update = False
user_allow_delete = False

group_allow_create = False
group_allow_update = False
group_allow_delete = False

query_scope = sub
user_tree_dn = CN=Users,DC=test,DC=local
user_objectclass = person
user_id_attribute = cn
user_name_attribute = sAMAccountName
user_enabled_attribute = userAccountcontrol
user_enabled_invert = False
user_enabled_mask = 2
user_enabled_default = 512
group_tree_dn = OU=groups,DC=test,DC=local
group_objectclass = group
group_id_attribute = cn
group_name_attribute = sAMAccountName
group_member_attribute = member
group_members_are_ids = False

group_ad_nesting = True
[identity]
driver = ldap

17. Finish configuration
openstack domain create windows.lan
sudo systemctl restart apache2

18. Test before patch:
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupA user1
user1 not in group groupA
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupA user2
user2 not in group groupA
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupB user1
user1 in group groupB
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupB user2
user2 not in group groupB

19. Apply patch and retest:
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupA user1
user1 in group groupA
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupA user2
user2 in group groupA
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupB user1
user1 not in group groupB
$ openstack group contains user --group-domain windows.lan --user-domain windows.lan groupB user2
user2 in group groupB

[Where problems could occur]
Applications relying on the previous erroneous behavior could experience errors as the users permissions might change reflecting the actual user assigned groups.
Moreover, the nested groups being functional now could add new permissions to users as they are considered to belong to the parent groups. This can be disabled by setting group_ad_nesting to false in the keystone-ldap charm config.

[Other Info]
Packages in Questing and Resolute already have the patch. Same for flamingo in UCA

** Affects: keystone
     Importance: Medium
     Assignee: David Wilde (dave-wilde)
         Status: Fix Released

-- 
Problems with AD nested groups
https://bugs.launchpad.net/bugs/2112477
You received this bug notification because you are a member of Ubuntu Sponsors, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list