ecryptfs does not work with libnss3/libnss3-1d Version 2:3.23-0ubuntu0.12.04.1

Bug #1602680 reported by Grek-336
This bug affects 2 people
Affects       Status   Importance  Assigned to  Milestone
nss (Ubuntu)  Invalid  Undecided   Unassigned

Bug Description

After updating libnss3 and libnss3-1d from 2:3.21-0ubuntu0.12.04.3 to 2:3.23-0ubuntu0.12.04.1 last night, it is no longer possible to mount my home directory encrypted with ecryptfs.

Mounting automatically at login, with ecryptfs-recover-private, or by any other means does not work.

After downgrading to version 2:3.21-0ubuntu0.12.04.3 it works fine.

syslog:

Jul 13 01:29:36 Michael-Thinkpad-X121e-SSD ecryptfs-insert-wrapped-passphrase-into-keyring: do_hash: PK11_HashBuf() error; SECFailure = [-1]; PORT_GetError() = [-8128]
Jul 13 01:29:36 Michael-Thinkpad-X121e-SSD ecryptfs-insert-wrapped-passphrase-into-keyring: Error generating passphrase signature; rc = [-22]
Jul 13 01:29:36 Michael-Thinkpad-X121e-SSD ecryptfs-insert-wrapped-passphrase-into-keyring: Error attempting to unwrap passphrase from file [/home/michael/.ecryptfs/wrapped-passphrase]; rc = [-22]

-----------------------------------------------------------------------------------------------------

lsb_release -rd

Description: Ubuntu 12.04.5 LTS
Release: 12.04

apt-cache policy libnss3 libnss3-1d after downgrade to previous version

libnss3:
  Installiert: 2:3.21-0ubuntu0.12.04.3
  Kandidat: 2:3.23-0ubuntu0.12.04.1
  Versionstabelle:
     2:3.23-0ubuntu0.12.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
 *** 2:3.21-0ubuntu0.12.04.3 0
        100 /var/lib/dpkg/status
     3.13.1.with.ckbi.1.88-1ubuntu6 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
libnss3-1d:
  Installiert: 2:3.21-0ubuntu0.12.04.3
  Kandidat: 2:3.23-0ubuntu0.12.04.1
  Versionstabelle:
     2:3.23-0ubuntu0.12.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
 *** 2:3.21-0ubuntu0.12.04.3 0
        100 /var/lib/dpkg/status
     3.13.1.with.ckbi.1.88-1ubuntu6 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

I have marked the bug as a security vulnerability because I must use the older version, which is more unsafe than the new one, to work with my laptop.

Unfortunately I go on holiday tomorrow. I'll be back next Monday, 18 July 2016.

Grek-336 (kult01) wrote :

apt-cache policy ecryptfs-utils libecryptfs0
ecryptfs-utils:
  Installiert: 96-0ubuntu3.5
  Kandidat: 96-0ubuntu3.5
  Versionstabelle:
 *** 96-0ubuntu3.5 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     96-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
libecryptfs0:
  Installiert: 96-0ubuntu3.5
  Kandidat: 96-0ubuntu3.5
  Versionstabelle:
 *** 96-0ubuntu3.5 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     96-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

uname -a
Linux Michael-Thinkpad-X121e-SSD 3.2.0-105-generic #146-Ubuntu SMP Fri Jun 10 20:10:44 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Grek-336 (kult01) wrote :

apt-cache policy lightdm
lightdm:
  Installiert: 1.2.3-0ubuntu2.8
  Kandidat: 1.2.3-0ubuntu2.8
  Versionstabelle:
 *** 1.2.3-0ubuntu2.8 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.2.1-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

Tyler Hicks (tyhicks) wrote :

Hello - Sorry for the trouble you're having.

I've downgraded a clean, up to date 12.04 amd64 VM to libnss3 and libnss3-1d version 2:3.21-0ubuntu0.12.04.3. Then I set up a new user with encrypted home (`adduser --encrypt-home foo`). I verified that I can log in and access the encrypted home directory and then upgraded libnss3 and libnss3-1d to version 2:3.23-0ubuntu0.12.04.1. I could still successfully log in and access the encrypted home after upgrading.

In addition, I locally rebuilt ecryptfs-utils in Precise as there are some test cases which get run as part of the build process which exercise the same code that you're having trouble with. They all still pass with the newer NSS version.

Did anything else change on your system around that time? Do you have any other information which may be helpful in reproducing the bug so that we can work towards getting you a fix?

I'm going to make this a public, non-security bug since there's no vulnerability. It will be helpful for other affected users to comment on the report.

information type: Private Security → Public

Marc Deslauriers (mdeslaur) wrote :

FYI, I couldn't reproduce this earlier either.

I installed a new Ubuntu 12.04.5 VM with encrypted home, and was able to successfully upgrade to the newer nss without any issues.

Tyler Hicks (tyhicks) wrote :

What is the output of `ulimit -a` on your system?

You may be hitting the maximum amount of locked memory for the process handling the login.

Changed in nss (Ubuntu):
status: New → Incomplete

Grek-336 (kult01) wrote :

ulimit -a with the old 2:3.21-0ubuntu0.12.04.3 version after login:
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 28223
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 28223
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

My laptop (Lenovo X121e, AMD E300 processor) was bought 12/04.

The installed Ubuntu version is the first 12.04. No upgrade to a newer kernel.

The AMD E-Series has no AES-NI extension.

The encryption of the home directory was done at installation 4 years ago and has never changed.

Grek-336 (kult01) wrote :

I have upgraded libnss3 and libnss3-1d from 2:3.21-0ubuntu0.12.04.3 to 2:3.23-0ubuntu0.12.04.1

Same problem with my home directory.

I have added a new user "test" with encrypted home.

Login for "test" is not possible, and ecryptfs-mount-private is not possible either, but with a different failure message: "ERROR: Encrypted private directory is not setup properly"

Only auto-mount and auto-umount are in /home/test/.ecryptfs. There is no Private.mnt, Private.sig, wrapped-passphrase or .wrapped-passphrase.recorded.

syslog:

Jul 14 09:45:02 Michael-Thinkpad-X121e-SSD ecryptfs-add-passphrase: do_hash: PK11_HashBuf() error; SECFailure = [-1]; PORT_GetError() = [-8128]
Jul 14 09:45:02 Michael-Thinkpad-X121e-SSD ecryptfs-add-passphrase: Error generating passphrase signature; rc = [-22]
Jul 14 09:45:02 Michael-Thinkpad-X121e-SSD ecryptfs-add-passphrase: ecryptfs_add_passphrase_key_to_keyring: Error attempting to generate the passphrase auth tok payload; rc = [-22]

Unfortunately, I am going to the Baltic Sea today and will come back Sunday night. I can only answer further questions.

Grek-336 (kult01) wrote :

When I downgrade to the previous version of libnss3 and libnss3-1d, I can log in to my home directory without a restart.

Tyler Hicks (tyhicks) wrote :

Could you do the following steps and report the results?

1) Set higher locked memory limit
  $ echo "* - memlock 128" | sudo tee /etc/security/limits.d/lp1602680.conf

2) Reboot

3) Verify that the higher limit is in place
  $ ulimit -l
  128

4) Upgrade to the new NSS and see if you can log in.

If you still can't log in, feel free to delete /etc/security/limits.d/lp1602680.conf

Sander (svl-launchpad) wrote :

I'm also suffering from this exact bug, and setting the higher memory limit does not allow me to log in.

auth.log shows:
PAM unable to dlopen(pam_ecryptfs.so): /usr/lib/i386-linux-gnu/libnssutil3.so: undefined symbol: PR_GetEnvSecure
PAM adding faulty module: pam_ecryptfs.so

Tyler Hicks (tyhicks) wrote :

Thanks, Sander. That allowed me to figure out the problem.

The new libnspr4 added a new exported function, PR_GetEnvSecure():

  $ nm -D /usr/lib/x86_64-linux-gnu/libnspr4.so | grep PR_GetEnvSecure
  000000000001a3a0 T PR_GetEnvSecure

The new libnss3 depends on that new function:

  $ nm -D /usr/lib/x86_64-linux-gnu/libnssutil3.so.1d | grep GetEnvSecure
                   U PR_GetEnvSecure

If you upgrade libnspr4 to the versions specified in this USN, you won't experience this bug any longer:

  http://www.ubuntu.com/usn/usn-3028-1/

I'm not sure how you kept the old libnspr4 but it looks like the new libnss3 correctly depends on the new libnspr4:

  $ apt-cache show libnss3=2:3.23-0ubuntu0.12.04.1 | grep ^Depends:
  Depends: libc6 (>= 2.4), libnspr4 (>= 4.12), libsqlite3-0 (>= 3.5.9), zlib1g (>= 1:1.1.4)

Changed in nss (Ubuntu):
status: Incomplete → Invalid
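
The symbol check from the comment above, generalized as an added example (not part of the original report or of any Ubuntu tooling): it compares two saved `nm -D` listings and reports imports with a given prefix that the provider library does not define. The function names, the `PR_` prefix filter and the sample listings are assumptions made for illustration; only the PR_GetEnvSecure line is taken from the report.

```shell
#!/bin/sh
# Added example, not from the bug report. All function names are hypothetical.

# missing_imports CONSUMER_NM PROVIDER_NM PREFIX
# Both files hold `nm -D` output. Prints symbols starting with PREFIX that the
# consumer imports (type "U") but the provider does not define. Weak imports
# (types "w"/"v") are skipped: the loader tolerates their absence.
missing_imports() {
    LC_ALL=C awk -v pfx="$3" '
        { name = $NF; sub(/@.*/, "", name) }   # drop any @VERSION suffix
        FILENAME == ARGV[1] {                  # first operand: provider listing
            if (NF == 3) defined[name] = 1     # "ADDR TYPE NAME" is a definition
            next
        }
        NF == 2 && $1 == "U" && index(name, pfx) == 1 && !(name in defined) {
            print name
        }
    ' "$2" "$1" | LC_ALL=C sort -u
}

# Constructed listings; only the PR_GetEnvSecure address comes from the report.
sample_consumer() { cat <<'EOF'
                 U PR_Free
                 U PR_GetEnvSecure
                 U memcpy
0000000000012340 T NSSUTIL_GetVersion
EOF
}
sample_old_nspr() { cat <<'EOF'
0000000000019e00 T PR_GetEnv
0000000000019f00 T PR_Free
EOF
}
sample_new_nspr() { sample_old_nspr; echo '000000000001a3a0 T PR_GetEnvSecure'; }

# demo old|new: run the check against the constructed listings.
demo() {
    d=$(mktemp -d) || return 2
    sample_consumer > "$d/c"; "sample_${1}_nspr" > "$d/p"
    missing_imports "$d/c" "$d/p" PR_
    rm -rf "$d"
}

demo old   # prints PR_GetEnvSecure
demo new   # prints nothing
```

On a real system, create the two listings with `nm -D <library> > file`. `ldd -r` on the consumer library reports unresolved symbols across all of its dependencies at once.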
Sander (svl-launchpad) wrote :

Thanks for your help!
FWIW, as it took me a bit to figure out how my libnspr4 version could be outdated:
I have 0ad installed from the wfg ppa, which depends on libmozjs-31-0, which depends on libnspr4, and has this version in the ppa: libnspr4_4.10.10-0ubuntu0.14.04.1~12.04~wfg1_i386.deb - and that's apparently seen as an upgrade of libnspr4_4.12-0ubuntu0.12.04.1_i386.deb

Grek-336 (kult01) wrote :

Thanks too.

It is the same for me. I use the wfg 0ad PPA too.

Sorry for the work I have caused you.
