default SSSD pam config breaks ecryptfs

Bug #826643 reported by Coops
This bug affects 1 person
Affects: sssd (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

The PAM configuration provided by the SSSD package breaks auto-mounting of encrypted home/Private directories.

This is because by default pam_sss.so doesn't place the entered passphrase onto the PAM stack so it can be used by other modules (i.e. pam_ecryptfs.so). The pam_ecryptfs.so module requires the user's passphrase in order to unlock the encryption key.

This can be resolved by adding "forward_pass" to the end of the pam_sss.so line in the PAM common-auth file.

Can "forward_pass" be added to the default PAM configuration for SSSD in Ubuntu?

(I've detailed my research of the problem here http://askubuntu.com/questions/56972/sssd-encrypted-home-no-longer-automounts-at-login)

Timo Aaltonen (tjaalton) wrote:

Confirmed, though for me it just asks the password again if ldap is not used. The other option to fix this appears to be to lower the priority in /usr/share/pam-configs/sss to 128 for instance, then pam_sss.so is put after pam_unix.so (which is what upstream suggests as well). Then I get just one password prompt and the private share is mounted correctly.

Changed in sssd (Ubuntu):
status: New → Triaged

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package sssd - 1.5.13-0ubuntu1

---------------
sssd (1.5.13-0ubuntu1) oneiric; urgency=low

  * FFE: New upstream release. (LP: #860297)
    - control: Add libunistring-dev to build-depends.
    - sssd.install: Include libipa_hbac.so*.
  * Rebuild against current libldb1, and use the multiarch path
    for libldb modules. (LP: #746981)
  * sssd.default:
    - Move the option to run as daemon here.
    - Add option that makes the daemon to use logfiles. (LP: #859602)
  * sssd.upstart:
    - Don't start before net-device-up. (LP: #812943)
    - Source /etc/default/sssd. (LP: #812943)
  * rules: Install the Python API files to /usr/share/sssd, as discussed
    with upstream. (LP: #859611)
  * fix-python-api-path.dpatch: Use the new location for the API files.
    (LP: #859611)
  * libpam-sss.pam-auth-update:
    - Add 'forward_pass' to auth stack to fix ecryptfs mounts. (LP: #826643)
    - Add pam_localuser.so to account stack to allow local users to log in.
      (LP: #860488)
  * control: sssd now Recommends libpam-sss and libnss-sss, since sssd is
    mostly useless without them. (LP: #767337)
 -- Timo Aaltonen <email address hidden> Tue, 27 Sep 2011 06:03:41 +0300

Changed in sssd (Ubuntu):
status: Triaged → Fix Released
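
An added example (not part of the bug report or the sssd package): a Python check for the condition this report describes, an auth stack in which pam_sss.so runs before pam_ecryptfs.so without forward_pass. It also accepts the ordering from the comment above, with pam_unix.so ahead of pam_sss.so; the function names and the sample stacks are constructed for illustration.

```python
import re

# PAM line: type, control (one word or a [bracketed list]), module, arguments.
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_stack(text):
    """Return [(module file name, [arguments])] for each auth line, in order."""
    stack = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuation lines
        line = raw.split("#", 1)[0].strip()             # drop comments
        m = PAM_LINE.match(line)
        if m and m.group(1) == "auth":
            stack.append((m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return stack

def ecryptfs_findings(text):
    """List pam_sss.so auth entries that leave pam_ecryptfs.so without a passphrase."""
    stack = auth_stack(text)
    names = [name for name, _ in stack]
    if "pam_ecryptfs.so" not in names:
        return []
    findings = []
    for i, (name, args) in enumerate(stack[:names.index("pam_ecryptfs.so")]):
        if name != "pam_sss.so" or "forward_pass" in args:
            continue
        if "pam_unix.so" in names[:i]:
            continue  # assumption from the comment on this page: pam_unix.so first also works
        findings.append(f"auth entry {i + 1}: pam_sss.so lacks forward_pass")
    return findings

# Constructed sample stacks (not copied from a real system).
BROKEN = """\
auth [success=2 default=ignore] pam_sss.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required  pam_permit.so
auth optional  pam_ecryptfs.so unwrap
"""
FIXED = BROKEN.replace("pam_sss.so", "pam_sss.so forward_pass")
REORDERED = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required  pam_permit.so
auth optional  pam_ecryptfs.so unwrap
"""

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED), ("reordered", REORDERED)):
        print(label, ecryptfs_findings(sample) or "ok")
```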