default SSSD pam config breaks ecryptfs

Bug #826643 reported by Coops on 2011-08-15
Affects: sssd (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

The PAM configuration provided by the SSSD package breaks auto-mounting of encrypted home/Private directories.

This is because by default pam_sss.so doesn't place the entered passphrase onto the PAM stack so it can be used by other modules (i.e. pam_ecryptfs.so). The pam_ecryptfs.so module requires the user's passphrase in order to unlock the encryption key.

This can be resolved by adding "forward_pass" to the end of the pam_sss.so line in the PAM common-auth file.

Can "forward_pass" be added to the default PAM configuration for SSSD in Ubuntu?

(I've detailed my research of the problem here http://askubuntu.com/questions/56972/sssd-encrypted-home-no-longer-automounts-at-login)

Timo Aaltonen (tjaalton) wrote :

Confirmed, though for me it just asks the password again if ldap is not used. The other option to fix this appears to be to lower the priority in /usr/share/pam-configs/sss to 128 for instance, then pam_sss.so is put after pam_unix.so (which is what upstream suggests as well). Then I get just one password prompt and the private share is mounted correctly.

Changed in sssd (Ubuntu):
status: New → Triaged

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.5.13-0ubuntu1

---------------
sssd (1.5.13-0ubuntu1) oneiric; urgency=low

  * FFE: New upstream release. (LP: #860297)
    - control: Add libunistring-dev to build-depends.
    - sssd.install: Include libipa_hbac.so*.
  * Rebuild against current libldb1, and use the multiarch path
    for libldb modules. (LP: #746981)
  * sssd.default:
    - Move the option to run as daemon here.
    - Add option that makes the daemon to use logfiles. (LP: #859602)
  * sssd.upstart:
    - Don't start before net-device-up. (LP: #812943)
    - Source /etc/default/sssd. (LP: #812943)
  * rules: Install the Python API files to /usr/share/sssd, as discussed
    with upstream. (LP: #859611)
  * fix-python-api-path.dpatch: Use the new location for the API files.
    (LP: #859611)
  * libpam-sss.pam-auth-update:
    - Add 'forward_pass' to auth stack to fix ecryptfs mounts. (LP: #826643)
    - Add pam_localuser.so to account stack to allow local users to log in.
      (LP: #860488)
  * control: sssd now Recommends libpam-sss and libnss-sss, since sssd is
    mostly useless without them. (LP: #767337)
 -- Timo Aaltonen <email address hidden> Tue, 27 Sep 2011 06:03:41 +0300

Changed in sssd (Ubuntu):
status: Triaged → Fix Released
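
As an added example (not part of this report or of the sssd package), a small checker for the two fixes discussed in the thread: "forward_pass" on the pam_sss.so line, or pam_sss.so ordered after pam_unix.so. The sample stacks are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample auth stacks, modelled on the situation in this report.
BROKEN = """\
auth  [success=2 default=ignore]  pam_sss.so
auth  [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
auth  optional                    pam_ecryptfs.so unwrap
"""
FIXED_FORWARD = BROKEN.replace("pam_sss.so", "pam_sss.so forward_pass")
FIXED_ORDER = """\
auth  [success=2 default=ignore]  pam_unix.so nullok_secure
auth  [success=1 default=ignore]  pam_sss.so use_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
auth  optional                    pam_ecryptfs.so unwrap
"""

# Fields: type, control (simple word or [bracketed list]), module path, options
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def auth_stack(text):
    """Return [(module, [options])] for the auth lines, in stack order."""
    stack = []
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())  # drop comments
        if m and m.group(1).lstrip("-") == "auth":
            stack.append((m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return stack


def check_ecryptfs_passphrase(text):
    """Classify a stack against the two fixes named in the report."""
    stack = auth_stack(text)
    names = [module for module, _ in stack]
    if "pam_sss.so" not in names or "pam_ecryptfs.so" not in names:
        return "not-applicable"
    sss = names.index("pam_sss.so")
    if "pam_unix.so" in names[:sss]:
        return "ok: pam_unix.so runs before pam_sss.so"
    if "forward_pass" in stack[sss][1]:
        return "ok: pam_sss.so has forward_pass"
    return "broken: pam_sss.so is first and lacks forward_pass"


if __name__ == "__main__":
    for label, sample in [("broken", BROKEN), ("forward_pass", FIXED_FORWARD),
                          ("reordered", FIXED_ORDER)]:
        print(label, "->", check_ecryptfs_passphrase(sample))
```

To check a real system, pass the contents of the PAM common-auth file to check_ecryptfs_passphrase().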