ecryptfs does not work for domain users (AD, likewise/powerbroker)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ecryptfs-utils (Ubuntu) | | Low | Unassigned | |
Bug Description
Ecryptfs encryption does not work for domain users in an active directory domain, integrated with likewise open / powerbroker for the following reasons:
- domain user names contain backslashes (DOMAIN\user.name). Ecryptfs checks for valid usernames, which mustn't contain backslashes
- There is no pam hook which automatically activates encryption of the home directory of new domain users
Steps to reproduce:
- Set up AD controller, e.g. via samba4
- Set up ecryptfs-utils on an ubuntu machine
- Add ubuntu machine to domain with likewise open / powerbroker
- Log in with a domain user
Result:
- Home directory is unencrypted
Additional steps:
- Manually encrypt home directory of domain user
Additional result:
- On login decryption fails with message: "Username has unsupported characters"
Expected result:
Home directories of domain users can easily be encrypted and decrypted with ecryptfs
Possible patch for ecryptfs-utils package
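The description above turns on one check: ecryptfs-utils rejects login names containing a backslash, so the `DOMAIN\user.name` form produced by AD integration fails with "Username has unsupported characters". The snippet below is an added illustration (not ecryptfs-utils' own validation routine, and not the attached patch) of a username check that accepts a single `DOMAIN\user` separator while still enforcing the property that actually matters when the name becomes a directory under the home tree: no `/`, no NUL byte, not `.` or `..`, and within the kernel's NAME_MAX. The allowed character sets for the domain and user parts are assumptions chosen for the example; the trailing `$` allowance reflects the AD machine-account naming convention.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Added example: a username validator that tolerates the DOMAIN\user form.
# It is NOT the check inside ecryptfs-utils; the character classes below
# are assumptions made for this illustration.

# Linux limits a single path component to NAME_MAX (255) bytes.
NAME_MAX = 255

# Domain part: NetBIOS or DNS style name; no backslash, slash or NUL.
_DOMAIN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")

# User part: must start with a letter, digit or underscore (so "." and ".."
# can never match), may contain dots, dashes and underscores, and may end
# with a single "$" (the naming convention for AD machine accounts).
_USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*\$?")

REJECT_MSG = "Username has unsupported characters"  # message quoted in the report


def is_safe_path_component(name: str) -> bool:
    """True if *name* can be used as one directory name without altering the
    path it is joined into. On Linux a backslash is an ordinary filename byte,
    so it is allowed here; '/' and NUL are the characters that matter."""
    if name in ("", ".", ".."):
        return False
    if "/" in name or "\x00" in name:
        return False
    return len(name.encode("utf-8")) <= NAME_MAX


def validate_username(name: str) -> Tuple[str, Optional[str]]:
    """Split and validate a login name.

    Returns (user, domain); domain is None for a local account.
    Raises ValueError when the name is rejected.
    """
    if not is_safe_path_component(name):
        raise ValueError(REJECT_MSG)
    domain, sep, user = name.partition("\\")
    if not sep:
        # No backslash at all: a plain local account.
        user, domain = name, None
    elif "\\" in user or not _DOMAIN_RE.fullmatch(domain):
        # Exactly one backslash is allowed, and the domain part must be non-empty.
        raise ValueError(REJECT_MSG)
    if not _USER_RE.fullmatch(user):
        raise ValueError(REJECT_MSG)
    return user, domain


def check_names(names: Iterable[str]) -> Dict[str, Optional[Tuple[str, Optional[str]]]]:
    """Map each candidate name to its (user, domain) tuple, or None if rejected."""
    result: Dict[str, Optional[Tuple[str, Optional[str]]]] = {}
    for n in names:
        try:
            result[n] = validate_username(n)
        except ValueError:
            result[n] = None
    return result


if __name__ == "__main__":
    # Constructed sample input: two domain accounts, a machine account and
    # several names that must be refused.
    samples = ["alice", "EXAMPLE\\john.doe", "EXAMPLE\\host01$", "a\\b\\c",
               "../etc", "EXAMPLE\\", "\\user", "user/name", "..", "x\x00y"]
    for n, r in check_names(samples).items():
        print(f"{n!r:22} -> {r if r else 'rejected'}")
```

The point of separating `is_safe_path_component` from the character-class check is that the backslash itself is harmless on a Linux filesystem; what a home-directory helper must refuse are names that would resolve to a different path (`/`, `..`, embedded NUL), which this validator rejects regardless of whether a domain prefix is present.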
The attachment "45_44.diff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]
tags: added: patch
For the record: The ppa was updated to vivid.
#5 Iain Lane (laney) wrote:
Dustin, can you review please?
#6 Dustin Kirkland (kirkland) wrote:
Hmm, looking at this patch and I'm quite nervous. Backslashes and dollar signs in user names -- that sounds fraught with peril.
@tyhicks, @slangesek, @pitti: could you guys review the pam portions of this patch for security and safety?
Changed in ecryptfs-utils (Ubuntu):
- importance: Undecided → Wishlist
- importance: Wishlist → Low
- status: New → Triaged
#7 Steve Langasek (vorlon) wrote:
nack for the pam changes.
- Dynamic home directory creation is not specific to ecryptfs and should not be part of an ecryptfs-specific pam config; there is an existing mkhomedir profile to use for this.
- The /etc/security/
#8 Sebastien Bacher (seb128) wrote:
(unsubscribing sponsors for now, the changes need more work before being up for review again)

Patched version of ecryptfs-utils is available here:
bzr branch lp:~dominik-gierlach/+junk/ecryptfs-enterprise
ppa:dominik-gierlach/enterprise
Changes:
- Allow backslashes in usernames
- Add pam hook and scripts (see http://askubuntu.com/questions/111803/enable-ecryptfs-for-all-new-users-even-those-authenticating-through-kerberos-an)