Fix issues after switch to GB spelling
- Changes US spellings to GB
- Does not change spellings if they refer to keywords, paths or GUIs
- Encloses elements (such as paths) in backticks to include US spelling
where necessary without triggering spellchecker
edibotopic committed Jul 18, 2024
1 parent 910bee7 commit a0f92f6
Showing 111 changed files with 557 additions and 284 deletions.
2 changes: 1 addition & 1 deletion docs/explanation/apparmor.md
@@ -146,7 +146,7 @@ It is also recommended to define a `DEFAULT` subprofile as part of the system-wi
}
```

## Profile parsing behaviors
## Profile parsing behaviours

### Troubleshooting misbehaving user profiles

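Review bot: the heading rename on the changed line (`## Profile parsing behaviors` to `## Profile parsing behaviours`) also changes the generated anchor, so any cross-reference or external bookmark pointing at `#profile-parsing-behaviors` stops resolving. Check the other docs pages for links to the old slug before merging, or add an explicit MyST target above the heading (the `{toctree}` directive used in index.md suggests the docs are built with MyST) so the anchor stays stable across spelling changes.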
32 changes: 16 additions & 16 deletions docs/explanation/certificates.md
@@ -1,18 +1,18 @@
# Certificate auto-enrollment
# Certificate auto-enrolment

The certificate policy manager allows clients to enroll for certificates from **Active Directory Certificate Services**. Certificates are then continuously monitored and refreshed by the [`certmonger`](https://www.freeipa.org/page/Certmonger) daemon. Currently, only machine certificates are supported.
The certificate policy manager allows clients to enrol for certificates from **Active Directory Certificate Services**. Certificates are then continuously monitored and refreshed by the [`certmonger`](https://www.freeipa.org/page/Certmonger) daemon. Currently, only machine certificates are supported.

Unlike the other ADSys policy managers which are configured in the special Ubuntu section provided by the ADMX files (Administrative Templates), settings for certificate auto-enrollment are configured in the Microsoft GPO tree:
Unlike the other ADSys policy managers which are configured in the special Ubuntu section provided by the ADMX files (Administrative Templates), settings for certificate auto-enrolment are configured in the Microsoft GPO tree:

* Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment
* `Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment`

![Certificate GPO tree view](../images/explanation/certificates/certificate-settings.png)

## Feature availability

This feature is available only for subscribers of **Ubuntu Pro** and has been tested and known to work on all Ubuntu versions starting with 22.04 (Jammy).

Additionally, the following packages must be installed on the client in order for auto-enrollment to work:
Additionally, the following packages must be installed on the client in order for auto-enrolment to work:

* [`certmonger`](https://www.freeipa.org/page/Certmonger) - daemon that monitors and updates certificates
* [`cepces`](https://github.com/openSUSE/cepces) - `certmonger` extension that can communicate with **Active Directory Certificate Services**
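Review bot: the title change from `# Certificate auto-enrollment` to `# Certificate auto-enrolment` changes the page anchor and the toctree entry text, so inbound links need checking. The GPO path line is handled correctly: the Windows console label really is spelled `Auto-Enrollment`, and wrapping the whole path in backticks keeps it verbatim for the admin who has to find it in the GPO editor. One readability nit: the line now mixes `auto-enrolment` in prose with `Auto-Enrollment` in the path, and a short parenthetical noting that the console uses the US spelling would stop readers reporting it as a typo.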
@@ -25,17 +25,17 @@ sudo apt install certmonger python3-cepces

On the Windows side, the following roles must be installed and configured:

* Certification Authority
* Certificate Enrollment Policy Web Service
* Certificate Enrollment Web Service
* `Certification Authority`
* `Certificate Enrollment Policy Web Service`
* `Certificate Enrollment Web Service`

## Rules precedence

Auto-enrollment configuration will override any settings referenced higher in the GPO hierarchy.
Auto-enrolment configuration will override any settings referenced higher in the GPO hierarchy.

## Policy configuration

Certificate auto-enrollment is configured by setting the **Configuration Model** to **Enabled** and ticking the following checkbox: **Update certificates that use certificate templates**.
Certificate auto-enrolment is configured by setting the **Configuration Model** to **Enabled** and ticking the following checkbox: **Update certificates that use certificate templates**.

![Certificate GPO properties](../images/explanation/certificates/certificate-gpo.png)

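Review bot: the three Windows role names are now in backticks, but this file marks GUI elements in bold elsewhere (`**Active Directory Certificate Services**`, `**Configuration Model**`, `**Enabled**` in this same hunk) and reserves backticks for paths, commands and package names such as `certmonger`. Backticks here imply the role names are literal identifiers to be typed somewhere. If the spellchecker is the only motivation, consider adding `Enrollment` to the project's spellcheck exception list and keeping the bold convention the rest of the page uses for console labels.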
@@ -48,13 +48,13 @@ The other settings in this GPO entry do not affect ADSys in any way.

For more advanced configuration, a list of policy servers can be specified in the following GPO entry:

* Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Certificate Enrollment Policy
* `Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Certificate Enrollment Policy`

![Certificate advanced configuration](../images/explanation/certificates/advanced-configuration.png)

## Applying the policy

On the client system, a successful auto-enrollment will place certificate data in the following paths:
On the client system, a successful auto-enrolment will place certificate data in the following paths:

* `/var/lib/adsys/certs` - certificate data
* `/var/lib/adsys/private/certs` - private key data
@@ -97,7 +97,7 @@ CA 'galacticcafe-CA':

## Policy implementation

With the exception of policy parsing, ADSys leverages the Samba implementation of certificate auto-enrollment. As this feature is only available in newer versions of Samba, we have taken the liberty of vendoring the required Samba files to allow this policy to work on Ubuntu versions that ship an older Samba version. These files are shipped in `/usr/share/adsys/python/vendor_samba`.
With the exception of policy parsing, ADSys leverages the Samba implementation of certificate auto-enrolment. As this feature is only available in newer versions of Samba, we have taken the liberty of vendoring the required Samba files to allow this policy to work on Ubuntu versions that ship an older Samba version. These files are shipped in `/usr/share/adsys/python/vendor_samba`.

To ensure idempotency when applying the policy, we set up a Samba [TDB cache file](https://wiki.samba.org/index.php/TDB) at `/var/lib/adsys/samba/cert_gpo_state_$(hostname).tdb` which contains various information pertaining to the enrolled certificate(s).

@@ -134,9 +134,9 @@ CA "galacticcafe-CA" removed.

Note that tampering with certificate data outside of ADSys (e.g. manually unmonitoring using `getcert`) will render the GPO cache obsolete as it will cause a drift between the actual state and the "known" cached state. In this case, it's best to remove the cache file at `/var/lib/adsys/samba/*.tdb` together with any enrolled certificates and CAs to ensure a clean slate.

### Debugging auto-enroll script
### Debugging `auto-enroll` script

While certificate parsing happens in ADSys itself, enrollment is done via an embedded Python helper script. For debugging purposes, it can be dumped to the current directory and made executable by executing the following commands:
While certificate parsing happens in ADSys itself, enrolment is done via an embedded Python helper script. For debugging purposes, it can be dumped to the current directory and made executable by executing the following commands:

```output
> adsysctl policy debug cert-autoenroll-script
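Review bot: `auto-enroll` in the new heading is not a literal identifier anywhere on the page; the actual subcommand shown two lines below is `adsysctl policy debug cert-autoenroll-script`. Putting backticks around an invented token just to bypass the spellchecker sends readers looking for something called `auto-enroll` that does not exist. Suggest "### Debugging the auto-enrolment script" (plain GB spelling, consistent with the body text that follows), or name the real helper, `cert-autoenroll-script`, in the heading if a literal is wanted.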
@@ -172,4 +172,4 @@ While configuring Active Directory Certificate Services is outside the scope of

## Acknowledgements

We would like to thank the Samba team for making great strides in the research and implementation of certificate auto-enrollment via Active Directory Certificate Services.
We would like to thank the Samba team for making great strides in the research and implementation of certificate auto-enrolment via Active Directory Certificate Services.
2 changes: 1 addition & 1 deletion docs/explanation/dconf.md
@@ -6,7 +6,7 @@ Some settings are globally enforced on the machine while other are per-user spec

## Example of settings

- Change the login screen layout and background color.
- Change the login screen layout and background colour.
- Set and lock the default applications in the launcher.
- Set and lock the user wallpaper.
- Set the date and time format of the clock.
4 changes: 2 additions & 2 deletions docs/explanation/network-shares.md
@@ -12,7 +12,7 @@ The mount process for these mounts is triggered at the moment a client logs in.

All protocols supported by the [mount command](https://manpages.ubuntu.com/manpages/jammy/en/man8/mount.8.html) should work out of the box. However, the only tested ones are `smb`, `ftp` and `nfs`.

The backends for the protocols `smb` and `nfs` are automatically enabled when installing the adsys package. In order to enable the backend for `ftp` mounts, the user must install the recommended `curlftpfs` package. This behavior is tested on Ubuntu and might differ on other Linux distributions.
The backends for the protocols `smb` and `nfs` are automatically enabled when installing the adsys package. In order to enable the backend for `ftp` mounts, the user must install the recommended `curlftpfs` package. This behaviour is tested on Ubuntu and might differ on other Linux distributions.

Access control and file permissions should be configured on the shared location.

@@ -24,7 +24,7 @@ User mount policies are located under `Computer Configuration > Policies > Admin

The form is a list of shared drives that should be mounted for the client machine. They must follow the structure `{protocol}://{host name or ip address}/{shared location}`.

The default mount behavior is to mount the listed shares anonymously. In order to require kerberos authentication for the mount process, the tag `[krb5]` can be added as a prefix to the listed share, i.e. `[krb5]{protocol}://{host name or ip address}/{shared location}`.
The default mount behaviour is to mount the listed shares anonymously. In order to require kerberos authentication for the mount process, the tag `[krb5]` can be added as a prefix to the listed share, i.e. `[krb5]{protocol}://{host name or ip address}/{shared location}`.

Additional mount options are not supported yet.

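Review bot: while this line is being edited for spelling, `kerberos` should be capitalised as the proper noun `Kerberos`, which is how set-up-adsys.md in this same commit spells it ("a valid Kerberos ticket cache"), and `ip address` inside the `{host name or ip address}` placeholder would read better as `IP address`. Both are one-word fixes on a line already in the diff.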
2 changes: 1 addition & 1 deletion docs/explanation/proxy.md
@@ -35,7 +35,7 @@ The `System proxy configuration` category provides a list of configurable proxy

![HTTP proxy setting in GPO editor](../images/explanation/proxy/system-proxy-settings-focus.png)

Configured settings will then be forwarded to `ubuntu-proxy-manager` which will apply them on all supported backends (e.g. environment variables, APT, GSettings). For an up-to-date list of supported backends, proxy formats and behaviors, refer to the ubuntu-proxy-manager [documentation](https://github.com/ubuntu/ubuntu-proxy-manager/blob/main/README.md).
Configured settings will then be forwarded to `ubuntu-proxy-manager` which will apply them on all supported backends (e.g. environment variables, APT, GSettings). For an up-to-date list of supported backends, proxy formats and behaviours, refer to the ubuntu-proxy-manager [documentation](https://github.com/ubuntu/ubuntu-proxy-manager/blob/main/README.md).

### Disabling proxy settings

2 changes: 1 addition & 1 deletion docs/explanation/scripts.md
@@ -55,7 +55,7 @@ The form is a list of scripts path, relative to the `scripts/` subdirectory of y

This GPO won’t refer any scripts for execution.

## Scripts behaviors
## Scripts behaviours

### Scripts erroring out

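Review bot: the context line directly above the changed heading reads "This GPO won’t refer any scripts for execution.", which is missing "to" ("won’t refer to any scripts"); worth fixing while in this file. The rename to `## Scripts behaviours` also changes the anchor slug, so grep the docs for links to `#scripts-behaviors`.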
2 changes: 1 addition & 1 deletion docs/how-to/join-ad-manually.md
@@ -2,7 +2,7 @@

ADSys supports two Active Directory backends:

1. [SSSD](https://sssd.io/), or System Security Services Daemon, provides access to centralized identity management systems like Microsoft Active Directory, OpenLDAP, and various other directory servers. This client component retrieves and caches data from remote directory servers, delivering identity, authentication, and authorization services to the host machine.
1. [SSSD](https://sssd.io/), or System Security Services Daemon, provides access to centralised identity management systems like Microsoft Active Directory, OpenLDAP, and various other directory servers. This client component retrieves and caches data from remote directory servers, delivering identity, authentication, and authorisation services to the host machine.
2. [Winbind](https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC) is a component of the Samba suite that provides seamless integration and authentication services between UNIX or Linux systems and Windows-based networks, allowing the former to appear as members in a Windows Active Directory domain.

## Join manually using SSSD
4 changes: 2 additions & 2 deletions docs/how-to/set-up-adsys.md
@@ -39,11 +39,11 @@ Options such as the home directory path template, shell and others can be tweake

ADSys relies on the configured AD backend (e.g. SSSD) to export the `KRB5CCNAME` environment variable pointing to a valid Kerberos ticket cache when a domain user performs authentication.

If for any reason the backend doesn't export the variable but _does_ initialize a ticket cache in the [default path](https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html#default-ccache-name), ADSys can be configured to infer the path to the ticket cache (via the libkrb5 API) and export it as the `KRB5CCNAME` variable during both authentication and runs of `adsysctl update` for the current domain user.
If for any reason the backend doesn't export the variable but _does_ initialise a ticket cache in the [default path](https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html#default-ccache-name), ADSys can be configured to infer the path to the ticket cache (via the libkrb5 API) and export it as the `KRB5CCNAME` variable during both authentication and runs of `adsysctl update` for the current domain user.

To opt into this functionality, the following must be added to `/etc/adsys.yaml`:
```yaml
detect_cached_ticket: true
```
With this setting active, ADSys attempts to determine and export the path to the ticket cache. To avoid unexpected behaviors like rejecting authentication for non-domain users, no action is taken if the path returned by the libkrb5 API does not exist on disk.
With this setting active, ADSys attempts to determine and export the path to the ticket cache. To avoid unexpected behaviours like rejecting authentication for non-domain users, no action is taken if the path returned by the libkrb5 API does not exist on disk.
4 changes: 2 additions & 2 deletions docs/how-to/set-up-adwatchd.md
@@ -6,7 +6,7 @@ At its core, the program can be simplified to the following steps:

- watch a list of user-configured directories for changes -- subdirectories are also watched, but only the root directory will have a `GPT.ini` file
- when a change is detected, attempt to locate a `GPT.ini` file at the root of the watched directory, or create one if absent
- if a `GPT.ini` file is found, increment the version stanza of the file by 1, thus signaling clients that a new version of the assets (including scripts) are available to download during the next client refresh
- if a `GPT.ini` file is found, increment the version stanza of the file by 1, thus signalling clients that a new version of the assets (including scripts) are available to download during the next client refresh

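Review bot: the changed bullet still has a subject-verb mismatch that the spelling pass did not touch: "a new version of the assets (including scripts) are available" should be "is available", since the subject is "a new version". Suggested line: "... thus signalling to clients that a new version of the assets (including scripts) is available to download during the next client refresh".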
## Installation

@@ -43,7 +43,7 @@ For a better understanding on what directories should be configured for watching

Note that the interactive configuration tool can only be run if the `adwatchd` service is not already installed on the machine. Please refer to the [CLI usage](#CLI usage) section for instructions on how to finely manage the service.

We recommend making use of the interactive configuration tool to install the application, as it provides a level of error handling, taking care of path normalization and the creation of the configuration file.
We recommend making use of the interactive configuration tool to install the application, as it provides a level of error handling, taking care of path normalisation and the creation of the configuration file.

The configuration file is stored as a YAML file, and can be freely edited after the application has been installed. The following keys are configurable:

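Review bot: the context line two above the change links to `[CLI usage](#CLI usage)`; a fragment containing a literal space will not match the slug the docs build generates for that heading (typically `#cli-usage`), so the link is almost certainly broken. Not introduced by this commit, but it sits in the visible hunk and is a one-token fix.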
6 changes: 3 additions & 3 deletions docs/how-to/use-gpo.md
@@ -37,7 +37,7 @@ The change is now visible on the greeter.
### Modifying an user setting

1. Let's create another GPO in `warthogs.biz > IT Dept > RnD`.
1. Select the list of favorite desktop applications setting in `User Configuration > Policies > Administrative Templates > Ubuntu > Desktop > Shell > List of desktop file IDs for favorite applications`.
1. Select the list of favourite desktop applications setting in `User Configuration > Policies > Administrative Templates > Ubuntu > Desktop > Shell > List of desktop file IDs for favorite applications`.
1. Enter a list of valid .desktop file IDs, one per line, like the following:

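Review bot: the split on the changed line is the right call: `favourite` in the prose, while the GPO path keeps `favorite applications` because that is the literal ADMX label the admin must locate in the editor. One nit in the context line above it: the sub-heading `### Modifying an user setting` should read "a user setting".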
```
@@ -46,7 +46,7 @@ snap-store_ubuntu-software.desktop
yelp.desktop
```

![Favorite applications settings](../images/how-to/use-gpo/gpo_setting_enabled_list_of_apps.png)
![Favourite applications settings](../images/how-to/use-gpo/gpo_setting_enabled_list_of_apps.png)

4. Refresh the GPO rule applied to the user by logging in or running `adsysctl update` as your current user or `adsysctl update --all` to refresh the computer and all active users.

@@ -103,7 +103,7 @@ The **right pane** of the GPO Management editor contains the general information

#### Text entry

The type `Text` represents a single line of text. If you don’t enclose a string with single quotes `'` and the value is not a decimal, it will be done automatically and the entry will be sanitized (e.g. space, `'`…). If you want to force a decimal to be treated as a string, enclose the value with single quotes.
The type `Text` represents a single line of text. If you don’t enclose a string with single quotes `'` and the value is not a decimal, it will be done automatically and the entry will be sanitised (e.g. space, `'`…). If you want to force a decimal to be treated as a string, enclose the value with single quotes.

The default value will be already set.

2 changes: 1 addition & 1 deletion docs/index.md
@@ -6,7 +6,7 @@ ADSys enables system administrators to manage Ubuntu Desktop clients centrally v

It simplifies the task of configuring Ubuntu systems in a Microsoft Active Directory environment. However, it doesn't handle user authentication or initial security policy, which are managed by SSSD/Winbind and PAM.

ADSys is valuable for system administrators who wish to manage Ubuntu Desktop clients in a centralized manner through Microsoft Active Directory.
ADSys is valuable for system administrators who wish to manage Ubuntu Desktop clients in a centralised manner through Microsoft Active Directory.

```{toctree}
:hidden:
6 changes: 3 additions & 3 deletions docs/reference/adsys-daemon.md
@@ -89,7 +89,7 @@ The ADSys daemon is started on demand by systemd’s socket activation and only

## Configuration

`ADSys` doesn’t ship a configuration file by default. However, such a file can be created to modify the behavior of the daemon and the client.
`ADSys` doesn’t ship a configuration file by default. However, such a file can be created to modify the behaviour of the daemon and the client.

The configuration file can be system-wide in `/etc/adsys.yaml`. This will thus apply to both daemon and client. You can have per-user configuration by creating `$HOME/adsys.yaml`. It will then affect only the client for this user.

@@ -190,9 +190,9 @@ Only privileged users have access to this information. As with any other command

More information is available in the [next chapter](adsysctl.md) covering adsysctl cat command.

## Authorizations
## Authorisations

**ADSys** uses a privilege mechanism based on polkit to manage authorizations. Many commands require elevated privileges to be executed. If the adsys client is executed with insufficient privileges to execute a command, the user will be prompted to enter its password. If allowed then the command will be executed and denied otherwise.
**ADSys** uses a privilege mechanism based on polkit to manage authorisations. Many commands require elevated privileges to be executed. If the adsys client is executed with insufficient privileges to execute a command, the user will be prompted to enter its password. If allowed then the command will be executed and denied otherwise.

![Polkit authentication dialog](../images/reference/adsys-daemon/daemon-polkit.png)

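Review bot: the changed paragraph has wording worth tightening while it is being edited: "prompted to enter its password" should be "their password" (the user is a person), and "If allowed then the command will be executed and denied otherwise" reads awkwardly; suggest "If authorisation is granted the command runs; otherwise it is denied." On the heading, polkit's own documentation spells it "authorization", but since `## Authorisations` is prose rather than a polkit identifier the GB spelling is consistent with the commit's rule; just note that the anchor `#authorizations` changes.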
2 changes: 1 addition & 1 deletion docs/reference/adsysctl.md
@@ -2,7 +2,7 @@

`adsysctl` is a command line utility to request actions from the daemon and query its current status. You can get more verbose output with the `-v` accumulative flags, which will stream all logs from the service corresponding to your specific request.

As a general rule, favor shell completion and the help command for discovering various parts of the adsysctl user interface. It will help you by completing subcommands, flags, users and even chapters of the offline documentation!
As a general rule, favour shell completion and the help command for discovering various parts of the adsysctl user interface. It will help you by completing subcommands, flags, users and even chapters of the offline documentation!

## Which policies are applied

@@ -0,0 +1,8 @@
# Computer Scripts

```{toctree}
:maxdepth: 99
shutdown
startup
```
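Review bot: a brand-new toctree index page is out of scope for a commit described as "Fix issues after switch to GB spelling"; either mention the new page in the commit message or split it into its own commit so the history stays searchable. Also, `:maxdepth: 99` is an unusually deep setting for a toctree that lists two leaf pages (`shutdown`, `startup`); if it mirrors the neighbouring index pages that is fine, otherwise `:maxdepth: 1` is sufficient here.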