Ubuntu
ecryptfs-utils package

ecryptfs does not work for domain users (AD, likewise/powerbroker)

Bug #1406940 reported by Dominik Gierlach on 2015-01-01

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

ecryptfs-utils (Ubuntu)

Triaged

Low

Unassigned

You need to log in to change this bug's status.

Affecting:	ecryptfs-utils (Ubuntu)
Filed here by:	Dominik Gierlach
When:	2015-01-01
Confirmed:	2015-08-13

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance
	Low

Assigned to

	Nobody
	Me

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

Ecryptfs encryption does not work for domain users in an active directory domain, integrated with likewise open / powerbroker for the following reasons:

- domain user names contain backslashes (DOMAIN\user.name). Ecryptfs checks for valid usernames, which mustn't contain backslashes
- There is no pam hook which automatically activates encryption of the home directory of new domain users

Steps to reproduce:
- Set up AD controller, e.g. via samba4
- Set up ecryptfs-utils on an ubuntu machine
- Add ubuntu machine to domain with likewise open / powerbroker
- Login with domain user

Result:
- Home directory is unencrypted

Additional steps:
- Manually encrypt home directory of domain user

Additional result:
- On login decryption fails with message: "Username has unsupported characters"

Expected result:
Home directories of domain users can easily be encrypted and decrypted with ecryptfs

Tags: Edit Tag help

Dominik Gierlach (dominik-gierlach) wrote on 2015-01-01:

Patched version of ecryptfs-utils is available here:

bzr branch lp:~dominik-gierlach/+junk/ecryptfs-enterprise
ppa:dominik-gierlach/enterprise

Changes:
- Allow backslashes in usernames
- Add pam hook and scripts (see http://askubuntu.com/questions/111803/enable-ecryptfs-for-all-new-users-even-those-authenticating-through-kerberos-an)

Dominik Gierlach (dominik-gierlach) wrote on 2015-01-01:

45_44.diff Edit (4.1 KiB, text/plain)

Possible patch for ecryptfs-utils package

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2015-01-01:

The attachment "45_44.diff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags:

added: patch

Dominik Gierlach (dominik-gierlach) wrote on 2015-04-27:

For the record: The ppa was updated to vivid.

Iain Lane (laney) wrote on 2015-05-05:

Dustin, can you review please?

Dustin Kirkland  (kirkland) wrote on 2015-08-13:

Hmm, looking at this patch and I'm quite nervous. Backslashes and dollar signs in user names -- that sounds fraught with peril.

@tyhicks, @slangesek, @pitti: could you guys review the pam portions of this patch for security and safety?

Changed in ecryptfs-utils (Ubuntu):
importance:	Undecided → Wishlist
importance:	Wishlist → Low
status:	New → Triaged

Steve Langasek (vorlon) wrote on 2015-08-13:

nack for the pam changes.

- Dynamic home directory creation is not specific to ecryptfs and should not be part of an encryptfs-specific pam config; there is an existing mkhomedir profile to use for this.
- The /etc/security/ecryptfs script is not very reusable, it encodes your local policy preference to enable ecryptfs for all users logging in. It's also insecure, at a minimum because you are passing passwords to a program as commandline arguments, which are visible to all other users on the system.

Sebastien Bacher (seb128) wrote on 2015-08-14:

(unsubscribing sponsors for now, the changes need more work before being up for review again)