default SSSD pam config breaks ecryptfs

Bug #826643 reported by Coops on 2011-08-15
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sssd (Ubuntu)

Bug Description

The PAM configuration provided by the SSSD package breaks auto-mounting of encrypted home/Private directories.

This is because by default doesn't place the entered passphrase onto the PAM stack so it can be used by other modules (i.e. The module requires the user's passphrase in order to unlock the encryption key.

This can be resolved by adding "forward_pass" to the end of the line in the PAM common-auth file.

Can "forward_pass" be added to the default PAM configuration for SSSD in Ubuntu?

(I've detailed my research of the problem here

Timo Aaltonen (tjaalton) wrote :

Confirmed, though for me it just asks the password again if ldap is not used. The other option to fix this appears to be to lower the priority in /usr/share/pam-configs/sss to 128 for instance, then is put after (which is what upstream suggests as well). Then I get just one password prompt and the private share is mounted correctly.

Changed in sssd (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.5.13-0ubuntu1

sssd (1.5.13-0ubuntu1) oneiric; urgency=low

  * FFE: New upstream release. (LP: #860297)
    - control: Add libunistring-dev to build-depends.
    - sssd.install: Include*.
  * Rebuild against current libldb1, and use the multiarch path
    for libldb modules. (LP: #746981)
  * sssd.default:
    - Move the option to run as daemon here.
    - Add option that makes the daemon to use logfiles. (LP: #859602)
  * sssd.upstart:
    - Don't start before net-device-up. (LP: #812943)
    - Source /etc/default/sssd. (LP: #812943)
  * rules: Install the Python API files to /usr/share/sssd, as discussed
    with upstream. (LP: #859611)
  * fix-python-api-path.dpatch: Use the new location for the API files.
    (LP: #859611)
  * libpam-sss.pam-auth-update:
    - Add 'forward_pass' to auth stack to fix ecryptfs mounts. (LP: #826643)
    - Add to account stack to allow local users to log in.
      (LP: #860488)
  * control: sssd now Recommends libpam-sss and libnss-sss, since sssd is
    mostly useless without them. (LP: #767337)
 -- Timo Aaltonen <email address hidden> Tue, 27 Sep 2011 06:03:41 +0300

Changed in sssd (Ubuntu):
status: Triaged → Fix Released
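
A way to check an auth stack for the condition this bug describes, as an added example that is not part of the original report or the sssd package. The module file names pam_sss.so and pam_ecryptfs.so and the sample stack are assumptions; it checks only the "forward_pass" fix, not the priority reordering mentioned in the comment above.

```python
import os
import re

# One PAM rule: optional "-", type, control (word or [bracketed]), module, args.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_auth_stack(text):
    """Return [(module_basename, [args])] for the auth rules, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("@include"):
            continue
        m = RULE.match(line)
        if m and m.group(1) == "auth":
            stack.append((os.path.basename(m.group(3)), m.group(4).split()))
    return stack


def check_forward_pass(text):
    """Report whether pam_sss hands the passphrase on to pam_ecryptfs."""
    stack = parse_auth_stack(text)
    names = [name for name, _ in stack]
    if "pam_sss.so" not in names or "pam_ecryptfs.so" not in names:
        return "not_applicable"
    sss = names.index("pam_sss.so")
    if sss > names.index("pam_ecryptfs.so"):
        return "not_applicable"  # different ordering, outside this check
    return "ok" if "forward_pass" in stack[sss][1] else "missing_forward_pass"


# Constructed sample of a common-auth stack without the fix (assumed layout).
BROKEN = """\
# constructed sample, not taken from the bug report
auth  [success=2 default=ignore]  pam_sss.so
auth  [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
auth  optional                    pam_ecryptfs.so unwrap
"""
# The same stack with the option this bug asks for.
FIXED = BROKEN.replace("pam_sss.so", "pam_sss.so forward_pass")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_forward_pass(text))
```
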