ecryptfs-setup-private breaks with ldap user accounts

Bug #317307 reported by Tessa
Affects                    Status        Importance  Assigned to       Milestone
eCryptfs                   Fix Released  Wishlist    Dustin Kirkland   -
ecryptfs-utils (Ubuntu)    Fix Released  Medium      Dustin Kirkland   -

Bug Description

Binary package hint: ecryptfs-utils

On my intrepid amd64 system (ecryptfs-utils-53-1ubuntu12), running ecryptfs-setup-private from an LDAP-provided user account breaks:

$ ecryptfs-setup-private
ERROR: User [ldapusername] does not exist
$ ecryptfs-setup-private --username ldapusername
ERROR: User [ldapusername] does not exist

All other programs see the user account fine, including "getent passwd".

Revision history for this message
Lee Maguire (leemaguire) wrote :

Finding references to /etc/passwd and replacing them with getent calls helps (see attached diff).

However the use of /sbin/unix_chkpwd for password verification will apparently fail for LDAP due to the ordering in /etc/pam.d/common-password (pam_unix first, then pam_ldap). You can use --loginpass to bypass this issue.

http://osdir.com/ml/linux.pam/2007-04/msg00008.html

Revision history for this message
Brian Murray (brian-murray) wrote :

Looking at the attachments in this bug report, I noticed that "Replace references to /etc/passwd" was not flagged as a patch. A patch contains changes to an Ubuntu package that will resolve a bug and this attachment is one! Subsequently, I've checked the patch flag for it. In the future when submitting patches please use the patch checkbox as there are some Launchpad searches that use this feature. Thanks for your contribution Lee Maguire!

Changed in ecryptfs-utils:
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Dustin Kirkland  (kirkland) wrote :

Thanks for the bug report!

The current code upstream and in Jaunty use getent rather than grepping passwd, so at least part of this bug is fixed.

I'll try to solve the rest of it with --loginpass...

:-Dustin

Changed in ecryptfs-utils:
assignee: nobody → kirkland
Revision history for this message
Dustin Kirkland  (kirkland) wrote : Re: [Bug 317307] Re: ecryptfs-setup-private breaks with ldap user accounts

On Fri, Jan 30, 2009 at 12:49 PM, Lee Maguire <email address hidden> wrote:
> However the use of  /sbin/unix_chkpwd for password verification will
> apparently fail for LDAP due to the ordering in /etc/pam.d/common-
> password (pam_unix first, then pam_ldap).  You can use --loginpass to
> bypass this issue.

Hi Lee-

About "--loginpass" ... What is this an option to?

It's not valid against unix_chkpwd, or getent.

I'd like to try and solve the password checking portion of this problem.

:-Dustin

Revision history for this message
Dustin Kirkland  (kirkland) wrote :

Okay, I have something of a solution for this problem.

I have already committed the getent changes. Those are fixed now.

For the password checking portion, I'm adding a new option to ecryptfs-setup-private: --nopwcheck.

This will bypass the /sbin/unix_chkpwd checking.

I'll also update the usage statement and the manpage to inform users that this option is useful if the user's password is not stored in /etc/shadow (such as LDAP, perhaps).

Thanks for the bug report!

:-Dustin
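
An added example (my own code, not from ecryptfs-utils or from anyone in this report) that puts the two fixes discussed above side by side: the getent-based user lookup Lee proposed in place of reading /etc/passwd, and the decision Dustin's --nopwcheck option hands to the user, namely whether /sbin/unix_chkpwd can verify the password at all. It is POSIX sh and assumes glibc's getent is installed. The "before" grep pattern is a stand-in for the old lookup, not the script's actual line, and the strategy names returned by pwcheck_strategy are my own labels.

```shell
#!/bin/sh
# Added example, not ecryptfs-utils code.  Shows why account lookups belong
# behind NSS (getent) and how to tell whether unix_chkpwd is even applicable.

# Pre-fix style lookup (assumed shape, not the script's real line): it only
# sees users listed in the local file, and the name is spliced unescaped into
# a regex, so "ro.t" matches "root".
user_in_passwd_file_grep() {
    grep -q "^$1:" /etc/passwd
}

# Post-fix lookup: getent walks every source in /etc/nsswitch.conf
# (files, ldap, sss, ...) and matches the key exactly, so an LDAP user
# resolves and "ro.t" does not.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# unix_chkpwd can only verify hashes stored in /etc/shadow.  A user who
# resolves through NSS but has no entry in the local files has the password
# somewhere else (LDAP here), which is exactly the case --nopwcheck exists for.
# Exact field match with awk, deliberately not a regex.
is_local_user() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' /etc/passwd
}

# Which verification path a setup script should take for a given account.
# Labels are this example's own:
#   no-such-user        -> refuse, as ecryptfs-setup-private does
#   unix_chkpwd         -> local /etc/shadow user, the helper works
#   pam-or-nopwcheck    -> non-local user; needs a PAM-backed check or --nopwcheck
pwcheck_strategy() {
    if ! user_exists "$1"; then
        echo "no-such-user"
    elif is_local_user "$1"; then
        echo "unix_chkpwd"
    else
        echo "pam-or-nopwcheck"
    fi
}

# Stand-alone demonstration against the local account database.
if [ -z "$ECRYPTFS_EXAMPLE_NO_MAIN" ]; then
    for name in root 'ro.t' no_such_user_xyz; do
        grep_says=no; user_in_passwd_file_grep "$name" && grep_says=yes
        nss_says=no;  user_exists "$name" && nss_says=yes
        printf '%-18s grep:%-3s getent:%-3s -> %s\n' \
            "$name" "$grep_says" "$nss_says" "$(pwcheck_strategy "$name")"
    done
fi
```

Running it as a non-LDAP user shows the second reason to prefer getent: the grep lookup reports "ro.t" as an existing account, getent does not. On a host with pam_ldap or sssd configured, an LDAP account comes back as pam-or-nopwcheck, which is the situation the original report hit once the user lookup itself was fixed.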

Changed in ecryptfs:
assignee: nobody → kirkland
importance: Undecided → Wishlist
status: New → Triaged
Revision history for this message
Dustin Kirkland  (kirkland) wrote :

Fix committed to upstream project. Will be released in ecryptfs-utils-72.

:-Dustin

Changed in ecryptfs:
status: Triaged → Fix Committed
Changed in ecryptfs-utils (Ubuntu):
status: Triaged → In Progress
Changed in ecryptfs-utils (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ecryptfs-utils - 72-0ubuntu1

---------------
ecryptfs-utils (72-0ubuntu1) jaunty; urgency=low

  [ Dustin Kirkland ]
  * src/utils/ecryptfs-[u]mount-private: print message about cd $PWD,
    LP: #332331
  * doc/manpage/*: manpage updates
  * debian/ecryptfs-utils.prerm: prevent removal of ecryptfs-utils
    package, if in use, LP: #331085
  * src/utils/ecryptfs-setup-private:
    - allow for LDAP-based logins, LP: #317307
    - add --noautomount, --noautoumount options, LP: #301759

  [ Tyler Hicks ]
  * src/libecryptfs/cipher_list.c: ignore unknown ciphers, LP: #335632
  * doc/manpage/ecryptfs.7: add key sig mount options info, LP: #329491
  * src/utils/mount.ecryptfs.c: scrub unknown option

  [ James Dupin ]
  * doc/manpage/fr/*: initial cut at french manpages

  [ Michal Hlavinka ]
  * src/libecryptfs/module_mgr.c: fix mount parameter handling on
    interactive mounting, LP: #331948

 -- Dustin Kirkland <email address hidden> Wed, 18 Mar 2009 18:53:11 -0500

Changed in ecryptfs-utils:
status: Fix Committed → Fix Released
Changed in ecryptfs:
status: Fix Committed → Fix Released
Revision history for this message
Rolf Fokkens (rolf-f) wrote :

The use of unix-chkpwd implies limitations on ecryptfs-migrate-home: there's no LDAP support. The attached patch adds an ecryptfs-chkpwd utility, and uses this one instead of unix-chkpwd.

The net result is that LDAP password validation now works too. That is: on Fedora/CentOS. I haven't been able to test on Ubuntu, but it just relies on PAM and I assume it'll build and run on Ubuntu too.
