Description of problem:
Changing user with "su" does not result, even if properly set up, in ~/Private being mounted, as it does for other login cases.
Version-Release number of selected component (if applicable):
coreutils-8.10-2.fc15.i686
How reproducible:
Always
Steps to Reproduce:
1. Login using ssh, see bug #718807
2. Use "su - user" in order to re-login
Actual results:
~/Private is not mounted
Expected results:
~/Private should be mounted
Additional info:
As mentioned in bug #718807, it seems the pam configuration is not correct since "postlogin" is not included in "/etc/pam.d/su" and maybe others.
Fixed in Rawhide - coreutils-8.12-2.fc16 - http://lists.fedoraproject.org/pipermail/scm-commits/2011-July/628365.html ... Could you please check that the changes are sufficient?
Nope... I get:
$ su - atest
Password:
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'
Of course, the interactive works fine. This might be related to bug #722445 comment #1.
Argh, I pressed return... Nothing, just added CC Michal Hlavinka to this issue, maybe he can confirm it's the same as the ssh one. Thanks, bye, pg
Hi again, I tried ecryptfs-utils-90-1.fc16.i686 with the same results.
dmesg reports:
ecryptfs_parse_options: eCryptfs: unrecognized option [ecryptfs_check_dev_ruid]
and in /var/log/messages there is:
... kernel: [ 1879.520439] ecryptfs_parse_options: eCryptfs: unrecognized option [ecryptfs_check_dev_ruid]
... su: ecryptfs: fill_keyring: Unable to get ecryptfs pam data : No module specific data is present
Hope this helps, bye, pg
Adding Tomas Mraz - pam maintainer - to CC as well.
According to https://bugzilla.redhat.com/show_bug.cgi?id=487088#c44 (which was likely a blocker for this one) there should be ecryptfs-utils-90-2.fc15 in updates testing. Could you please check if this updated ecryptfs-utils package makes some change?
(In reply to comment #6)
> According to https://bugzilla.redhat.com/show_bug.cgi?id=487088#c44 (which was
> likely a blocker for this one) there should be ecryptfs-utils-90-2.fc15 in
> updates testing. Could you please if this updated ecryptfs-utils package makes
> some change?
Uhm, nope. Same error about key not available. The kernel module was anyway loaded, since the user from which the "su" was done had already the "Private" folder mounted (encrypted, of course).
Hope this helps, bye, pg
For some reason, pam_ecryptfs module is not called. You can check this by looking at /var/log/{messages,secure}. Look for something like:
Sep 20 15:37:16 krles sshd[4579]: ecryptfs: pam_sm_authenticate: pam auth stack calls pam_ecryptfs module
(this is first thing in pam_ecryptfs, so there's no way pam_ecryptfs being called & message in log missing)
Reason for this:
> $ su - atest
> Password:
> keyctl_search: Required key not available
> Perhaps try the interactive 'ecryptfs-mount-private'
is that it calls pam_ecryptfs module in session stack (it should be called in both)
I've verified this:
# authconfig --enableecryptfs --updateall
# useradd -G ecryptfs etest
# passwd etest
# ssh etest@localhost
$ ecryptfs-setup-private
$ keyctl clear @u
$ logout
$ su - etest #not from root account!
log contains only:
Sep 20 15:36:57 krles su: ecryptfs: fill_keyring: Unable to get ecryptfs pam data : No module specific data is present
which is expected result for case where pam_ecryptfs is called in session stack and not in the auth stack too
/etc/pam.d/su on my system contains
auth include postlogin
I have no idea, why pam does not call it in this case...
Cleanup - since F15 is close to EOL and I think this should be solved in F16 coreutils, setting needinfo on reporter. Is this still an issue for you?
Hi Ondrej, I'm actually on F17 and it does not work either (F16 was not working too). Basically, login or user change or ssh localhost do work, the "Private" folder is mounted. "su - ..." does not work. The following error is shown:
keyctl_search: Required key not available
Perhaps try the interactive 'ecryptfs-mount-private'
So I updated the release to F17, since the problem is there too.
bye, pg
su moved to util-linux...
I see that (at least on Fedora 16) there is
auth include system-auth
in /etc/pam.d/su which is incorrect. There should be
auth substack system-auth
instead. Otherwise the postlogin include is not being processed if there is f.e. sufficient module in the system-auth include.
(In reply to comment #11)
> su moved to util-linux...
yes, in f19... reassigning back to coreutils. I guess the bug should be fixed in f17 and f18 too.
Hi all, in my system, F17, the ecryptfs stuff seems to be in "postlogin".
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth optional pam_ecryptfs.so unwrap
password optional pam_ecryptfs.so unwrap
session optional pam_ecryptfs.so unwrap
"postlogin" is _include-d_ (not "substack-ed") in all relevant pam configuration files, but "passwd".
Has "system-auth" anything to do with "ecryptfs"?
If it must be "substack-ed", why all others use "include"?
Thanks, bye, pg
(In reply to comment #14)
> "postlogin" is _include-d_ (not "substack-ed") in all relevant pam
> configuration files, but "passwd".
In case of postlogin and also other module types (account, session) it does not matter whether they are included or substacked.
> Has "system-auth" anything to do with "ecryptfs"?
> If it must be "substack-ed", why all others use "include"?
Because modules in auth in the system-auth file use sufficient to end the authentication stack on success and if it is just included it will end the whole authentication. If it is substacked only the substack will finish.
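The include versus substack behaviour described in the comment above, as an added example that is not part of the original bug thread and is not Linux-PAM code. It is a simplified model that only tracks which auth modules get called; the system-auth contents are a constructed sample, the postlogin line is the one quoted in the thread, and the rule that a "sufficient" success only ends the stack when no earlier "required" module failed is left out.

```python
# Simplified model of PAM auth-stack traversal (added example, not Linux-PAM code).
# It tracks only which modules get called, not the final authentication result.

# Constructed sample: a system-auth with a "sufficient" module, as the thread describes.
SYSTEM_AUTH = """
auth required   pam_env.so
auth sufficient pam_unix.so
auth required   pam_deny.so
"""
# The auth line of "postlogin" as quoted in the thread.
POSTLOGIN = "auth optional pam_ecryptfs.so unwrap"

SU_WITH_INCLUDE = "auth include system-auth\nauth include postlogin"
SU_WITH_SUBSTACK = "auth substack system-auth\nauth include postlogin"


def walk(configs, service, succeeds, called):
    """Walk one file; return True if the stack it belongs to was ended early."""
    for line in configs[service].strip().splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, target = fields[1], fields[2]
        if control in ("include", "substack"):
            ended = walk(configs, target, succeeds, called)
            # An included file is part of the caller's stack, so an early end
            # propagates; a substack absorbs it and the caller continues.
            if ended and control == "include":
                return True
            continue
        called.append(target)
        ok = target in succeeds
        if (control == "sufficient" and ok) or (control == "requisite" and not ok):
            return True
    return False


def modules_called(su_config, succeeds=("pam_env.so", "pam_unix.so")):
    """Return the auth modules invoked for 'su', given which modules succeed."""
    configs = {"su": su_config, "system-auth": SYSTEM_AUTH, "postlogin": POSTLOGIN}
    called = []
    walk(configs, "su", set(succeeds), called)
    return called


if __name__ == "__main__":
    print("include :", modules_called(SU_WITH_INCLUDE))
    print("substack:", modules_called(SU_WITH_SUBSTACK))
```

With a correct password the include variant stops after pam_unix.so, so pam_ecryptfs.so never runs in the auth stack; the substack variant reaches it.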
coreutils-8.17-6.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/coreutils-8.17-6.fc18
coreutils-8.15-8.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/coreutils-8.15-8.fc17
coreutils-8.12-8.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/coreutils-8.12-8.fc16
Package coreutils-8.17-6.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing coreutils-8.17-6.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17694/coreutils-8.17-6.fc18
then log in and leave karma (feedback).
coreutils-8.15-8.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
coreutils-8.12-8.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.