Ubuntu
likewise-open package

likewise-open users with migrated home directory won’t decrypt automatically

Bug #920609 reported by Alex Mauer
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
ecryptfs-utils (Ubuntu)
Invalid
Low
Unassigned
likewise-open (Ubuntu)
Triaged
Low
Unassigned

Bug Description

I am using likewise-open for authentication against Active Directory.

I log in as a domain user to create their home dir, and then run 'ecryptfs-migrate-home -u USER' to encrypt the user’s home directory. This seems to work as expected.

However, when I try to log in, the user’s home directory is not automatically decrypted. (and so of course I cannot log in to the GUI). If I log in at the console and run 'ecryptfs-mount-private', it works fine and I can then log in to the display manager.

Revision history for this message
Dustin Kirkland  (kirkland) wrote :

This has to do with the pam stack. It could either be an incompatibility with pam_ecryptfs and whatever pam module likewise-open uses, or perhaps just a missing bit of pam configuration in the /etc/pam.d stack.

Subscribing Steve Langasek... Any ideas, Steve?

Changed in ecryptfs-utils (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Revision history for this message
Steve Langasek (vorlon) wrote :

I agree it probably has to do with the pam stack. What do /etc/pam.d/common-auth and /etc/pam.d/common-session look like on the affected system?

Changed in ecryptfs-utils (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Alex Mauer (hawke) wrote :

Just a stock, default config with those modules installed.

common-auth:
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_lsass.so try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
# end of pam-auth-update config

common-session:

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session sufficient pam_lsass.so
session optional pam_ecryptfs.so unwrap
session optional pam_ck_connector.so nox11
# end of pam-auth-update config

Revision history for this message
Alex Mauer (hawke) wrote :

And now I see the problem, even. It’s in common-session:

session sufficient pam_lsass.so
session optional pam_ecryptfs.so unwrap

…it never gets to the pam_ecryptfs.so because pam_lsass is sufficient.

Revision history for this message
Alex Mauer (hawke) wrote :

This also partly explains why consolekit stuff doesn’t work properly for these users.

Revision history for this message
Steve Langasek (vorlon) wrote :

ok, looks like a bug in the likewise-open package then. reassigning.

affects: ecryptfs-utils (Ubuntu) → likewise-open (Ubuntu)
Changed in likewise-open (Ubuntu):
status: Incomplete → Triaged
Revision history for this message
Dustin Kirkland  (kirkland) wrote : Re: [Bug 920609] Re: likewise-open users with migrated home directory won’t decrypt automatically

Thanks, all! I'm actually going to re-add the ecryptfs-utils task and
mark it invalid there, as this question has come up more than once.
Hopefully that will make this more discoverable.

Changed in ecryptfs-utils (Ubuntu):
status: New → Invalid
importance: Undecided → Low
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.