
Remove NDES requirement. #883

Closed
2 tasks done
gustavstrandberg opened this issue Dec 22, 2023 · 2 comments · Fixed by #892
Labels
jira Import to Jira

Comments

@gustavstrandberg

gustavstrandberg commented Dec 22, 2023

Is there an existing request for this feature?

  • I have searched the existing issues and found none that matched mine

Describe the feature

Hi!

I have been discussing the setup of Certificate Auto Enrollment with my customer's PKI team and they had some reservations regarding using NDES. According to my PKI colleague, NDES is no longer considered secure and they will not allow it to be used.

NDES is listed as a requirement on the Windows Server side in the ADSys documentation.

Samba's implementation of Certificate Auto Enrollment has removed NDES as a requirement and instead parses the certs from SYSVOL and LDAP.

Are you still using NDES in your implementation?
If you are, please remove that requirement since it makes the ADSys implementation less secure than going "the Samba way", and that's one of your main selling points going with Ubuntu Pro.
If you are no longer using NDES it's all good but update the documentation accordingly.

Happy Holidays!

Thanks,
Gustav

Describe the ideal solution

Parse the certs from SYSVOL and LDAP the way Samba now does.

Alternatives and current workarounds

No response

Ubuntu users: System information

ProblemType: Bug
ApportVersion: 2.27.0-0ubuntu5
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri Dec 22 11:14:56 2023
DistroRelease: Ubuntu 23.10
InstallationDate: Installed on 2023-11-17 (35 days ago)
InstallationMedia: Ubuntu-Server 23.10 "Mantic Minotaur" - Release amd64 (20231011)
Package: adsys 0.13.1
PackageArchitecture: amd64
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=
ProcVersionSignature: Ubuntu 6.5.0-14.14-generic 6.5.3
RelatedPackageVersions:
sssd 2.9.1-2ubuntu2
python3-samba 2:4.18.6+dfsg-1ubuntu2.1
SourcePackage: adsys
Tags: mantic wayland-session
Uname: Linux 6.5.0-14-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
_MarkForUpload: True
modified.conffile..etc.polkit-1.localauthority.conf.d.99-adsys-privilege-enforcement.conf: [deleted]
modified.conffile..etc.sudoers.d.99-adsys-privilege-enforcement: [deleted]

Non Ubuntu users: System information

No response

Additional information

No response

Double check your logs

  • I have redacted any sensitive information from the logs
@didrocks didrocks added the jira Import to Jira label Jan 2, 2024
@didrocks
Member

didrocks commented Jan 2, 2024

Thanks for your report! Adding it to our board for investigation.

@GabrielNagy
Contributor

Hey @gustavstrandberg,

Thanks for the report. I've taken a detailed look and you're right, NDES should not be mandatory in this case.

Samba/ADSys is able to take advantage of the NDES endpoint to install the root certificate chain, but indeed is able to infer the certificate information from LDAP as you mentioned.

However, while investigating this I've discovered a possible bug in Samba where the root cert is not parsed properly if the NDES component is not installed -- so in the current state attempting auto-enrollment without NDES installed will result in an error like the following:

2024-01-08 16:11:07.809|[W26775]| Failed to fetch the root certificate chain. | {}
2024-01-08 16:11:07.809|[W05621]| The Network Device Enrollment Service is either not installed or not configured. | {}
2024-01-08 16:11:07.809|[W11946]| Installing the server certificate only. | {}
Traceback (most recent call last):
  File "<string>", line 142, in <module>
  File "<string>", line 89, in main
  File "<string>", line 20, in enroll
  File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 502, in __enroll
    self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
  File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 369, in apply
    data = applier_func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 274, in cert_enroll
    root_certs = getca(ca, url, trust_dir)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/share/adsys/python/vendor_samba/gp/gp_cert_auto_enroll_ext.py", line 221, in getca
    cert = load_der_x509_certificate(ca['cACertificate'],
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cryptography/x509/base.py", line 528, in load_der_x509_certificate
    return rust_x509.load_der_x509_certificate(data)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: argument 'data': 'str' object cannot be converted to 'PyBytes'

This is probably why we wrongly assumed that the NDES feature was mandatory to ensure proper functionality of certificate auto-enrollment.

I'll prepare a fix for this in ADSys and try to submit an upstream patch as well. Thanks again for reporting this.
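
A defensive normalisation step for the failure mode in the traceback above, as an added example that is not Samba's or ADSys's code: it turns whatever the LDAP cACertificate lookup returns into DER bytes, or fails with a precise error, before the value reaches load_der_x509_certificate and before anything is written to the trust directory. The handling of a str value as PEM or bare base64 is an assumption, and SAMPLE_DER is a constructed stand-in blob, not a real certificate.

```python
import base64
import ssl

# Constructed stand-in for a DER blob (SEQUENCE { INTEGER 5 }), not a real cert.
SAMPLE_DER = bytes.fromhex("3003020105")
PEM_HEADER = "-----BEGIN CERTIFICATE-----"

def der_length(buf: bytes) -> int:
    """Total encoded size of the outer DER SEQUENCE in buf (header + content)."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected tag 0x30)")
    first = buf[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def normalise_ca_certificate(value) -> bytes:
    """Coerce an LDAP cACertificate value to DER bytes or fail with a clear error."""
    if isinstance(value, (bytes, bytearray)):
        der = bytes(value)
    elif isinstance(value, str):
        # Assumption: a text form of the attribute is PEM or bare base64.
        if value.startswith(("b'", 'b"')):   # str(some_bytes): a repr, not content
            raise ValueError("cACertificate is the repr() of bytes, not the DER data")
        text = value.strip()
        if text.startswith(PEM_HEADER):
            der = ssl.PEM_cert_to_DER_cert(text)
        else:
            try:   # binascii.Error is a ValueError subclass
                der = base64.b64decode("".join(text.split()), validate=True)
            except ValueError as exc:
                raise ValueError("cACertificate str is neither PEM nor base64") from exc
    else:
        raise TypeError(f"unsupported cACertificate type {type(value).__name__}")
    # Reject truncated or padded blobs before handing them to an X.509 parser.
    if der_length(der) != len(der):
        raise ValueError("DER length does not match the value size")
    return der

def rejects(value) -> bool:
    """True if normalise_ca_certificate refuses value (helper for the checks)."""
    try:
        normalise_ca_certificate(value)
    except (TypeError, ValueError):
        return True
    return False
```

With this in front of the parser, the str case from the traceback surfaces as a ValueError naming the attribute and its encoding instead of a PyBytes conversion error deep inside cryptography.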

GabrielNagy added a commit that referenced this issue Jan 23, 2024
To pick up the NDES fixes from upstream, specifically
https://gitlab.com/samba-team/samba/-/merge_requests/3496

This allows certificate auto-enrollment to function without NDES being
present on the Windows Server.

Fixes #883 / UDENG-1984
GabrielNagy added a commit that referenced this issue Jan 26, 2024
Update the vendored samba bits to latest in order to pick up the NDES
fixes from upstream, specifically
https://gitlab.com/samba-team/samba/-/merge_requests/3496.

This allows certificate auto-enrollment to function without NDES being
present on the Windows Server.

Fixes #883 / UDENG-1984