default SSSD pam config breaks ecryptfs
Bug #826643 reported by Coops
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sssd (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
The PAM configuration provided by the SSSD package breaks auto-mounting of encrypted home/Private directories.
This is because by default pam_sss.so doesn't place the entered passphrase onto the PAM stack so it can be used by other modules (i.e. pam_ecryptfs.so). The pam_ecryptfs.so module requires the user's passphrase in order to unlock the encryption key.
This can be resolved by adding "forward_pass" to the end of the pam_sss.so line in the PAM common-auth file.
Can "forward_pass" be added to the default PAM configuration for SSSD in Ubuntu?
(I've detailed my research of the problem here http://
Confirmed, though for me it just asks the password again if ldap is not used. The other option to fix this appears to be to lower the priority in /usr/share/pam-configs/sss to 128 for instance, then pam_sss.so is put after pam_unix.so (which is what upstream suggests as well). Then I get just one password prompt and the private share is mounted correctly.
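
An added example, not part of the bug report or its comments: a Python check that reads a common-auth stack and reports whether pam_ecryptfs.so would receive the password of an SSSD login, covering both fixes discussed above (forward_pass, or pam_sss.so placed after pam_unix.so). The sample stacks are constructed, and the rule for which module leaves the password on the PAM stack is a simplifying assumption stated in the code.

```python
import re

# One PAM rule: type, control (plain word or [bracketed list]), module, arguments.
RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth_stack(text):
    """Return [(module_name, [args])] for the auth rules of a PAM file, in order."""
    stack = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1).lstrip("-") == "auth":
            stack.append((m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return stack

def sssd_login_feeds_ecryptfs(text):
    """True if pam_ecryptfs.so gets the password of an SSSD login, False if not,
    None if pam_ecryptfs.so is absent from the auth stack.
    Simplified model (assumption): pam_unix.so always leaves the password it
    prompted for on the stack; pam_sss.so does so only with forward_pass."""
    token = False      # an earlier module left the password on the stack
    sss_blind = False  # pam_sss.so prompted itself and did not forward it
    for module, args in parse_auth_stack(text):
        if module == "pam_ecryptfs.so":
            return token and not sss_blind
        if module == "pam_unix.so":
            token = True
        elif module == "pam_sss.so":
            if "forward_pass" in args:
                token = True
            elif not token:
                sss_blind = True
    return None

# Constructed common-auth samples (not copied from any real system).
TAIL = """auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
"""
SSS_FIRST = ("auth [success=2 default=ignore] pam_sss.so\n"
             "auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass\n" + TAIL)
SSS_FORWARD = SSS_FIRST.replace("pam_sss.so", "pam_sss.so forward_pass")
UNIX_FIRST = ("auth [success=2 default=ignore] pam_unix.so nullok_secure\n"
              "auth [success=1 default=ignore] pam_sss.so use_first_pass\n" + TAIL)

if __name__ == "__main__":
    for name in ("SSS_FIRST", "SSS_FORWARD", "UNIX_FIRST"):
        print(name, sssd_login_feeds_ecryptfs(globals()[name]))
```

To check a real system, pass the contents of the PAM common-auth file to `sssd_login_feeds_ecryptfs`.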