* Active Directory Integration?
@ 2012-05-29 22:51 Ray Van Dolson
From: Ray Van Dolson @ 2012-05-29 22:51 UTC (permalink / raw)
To: ecryptfs
Hello;
I'm exploring using eCryptfs in tandem with Samba, winbindd and Active
Directory to automount eCryptfs-encrypted directories automatically
based on the AD user accessing it.
Is anyone out there doing something similar or am I barking up the
wrong tree here?
In addition, this conceptually makes sense to me from a 1:1 user to
directory or share perspective, but when multiple users are allowed
access to a file system it's not quite so clear how the implementation
would look (or even if it would be doable).
Thanks,
Ray
* Re: Active Directory Integration?
From: Tyler Hicks @ 2012-05-30 0:01 UTC (permalink / raw)
To: Ray Van Dolson; +Cc: ecryptfs
On 2012-05-29 15:51:04, Ray Van Dolson wrote:
> Hello;
>
> I'm exploring using eCryptfs in tandem with Samba, winbindd and Active
> Directory to automount eCryptfs-encrypted directories automatically
> based on the AD user accessing it.
>
> Is anyone out there doing something similar or am I barking up the
> wrong tree here?
You're not barking up the wrong tree. I recall this idea popping up in a
few different designs over the years. Unfortunately, no one has
committed the development resources to make it work.
I'm making the assumptions that you're wanting to mount eCryptfs on top
of a SMB client, that the client is the in-kernel CIFS code, and that
you'll pull the key material for the eCryptfs mount from the directory
store. Let me know if any of those assumptions are invalid.
I haven't tested it recently, but eCryptfs is not known to work on top
of the in-kernel CIFS client code. It is worth a shot trying. Please
report any bugs you discover. It may have benefited from some of the
bugs I fixed (about a year ago) when trying to use eCryptfs on top of
the in-kernel NFS client.
Additionally, I don't know of an off-the-shelf way to fetch an eCryptfs
mount passphrase from AD and insert it into the kernel keyring in
preparation for doing the eCryptfs mount. It should just be a matter of
some glue code but no one, that I'm aware of, has done it.
> In addition, this conceptually makes sense to me from a 1:1 user to
> directory or share perspective, but when multiple users are allowed
> access to a file system it's not quite so clear how the implementation
> would look (or even if it would be doable).
eCryptfs lacks the ability to do even slightly complex decision making
about what key should be used when encrypting a new file. Currently, it
is done with just a list of key signatures specified at mount time.
eCryptfs does have some basic support for allowing multiple keys to be
used to access a given file. However, it would be difficult to do if
users are accessing the shares from different client machines because
each client would need to have all of the keys loaded into the kernel
keyring. That is obviously not ideal. :/
Tyler
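The "glue code" Tyler describes, as an added example that is not part of the thread and not code from the eCryptfs project: a small POSIX shell script that takes a per-user passphrase, loads it into the session keyring with ecryptfs-add-passphrase, parses the key signature out of that tool's confirmation line, and builds the ecryptfs_sig= option list for the mount (one entry per key, which is the mount-time signature list the reply refers to for the multi-user case). The function fetch_passphrase_from_ad is a hypothetical hook, left undefined here, since the thread says no off-the-shelf AD fetcher exists; the sample confirmation line and signatures are constructed.

```shell
#!/bin/sh
# Added example: glue for a per-AD-user eCryptfs mount on a Samba/winbind
# host. fetch_passphrase_from_ad is a hypothetical hook the deployer must
# supply; everything else uses ecryptfs-utils and mount(8) as shipped.

# Extract the 16-hex-digit key signature from ecryptfs-add-passphrase's
# confirmation line, which looks like (constructed sample):
#   Inserted auth tok with sig [0123456789abcdef] into the user session keyring
# Prints nothing if the line does not match, so callers can detect failure.
extract_sig() {
    # $1: one line of ecryptfs-add-passphrase output
    printf '%s\n' "$1" | sed -n 's/.*with sig \[\([0-9a-f]\{16\}\)\].*/\1/p'
}

# Build the eCryptfs mount option string. Each signature in $3.. becomes its
# own ecryptfs_sig= entry, so a file system shared by several users carries
# every key that may open it. ecryptfs_passthrough=n refuses to serve
# unencrypted files found in the lower directory; filename encryption is
# left off here so no separate fnek signature is needed.
build_mount_opts() {
    # $1: cipher name, $2: key size in bytes, $3..: key signatures
    cipher=$1
    key_bytes=$2
    shift 2
    opts="ecryptfs_cipher=${cipher},ecryptfs_key_bytes=${key_bytes}"
    opts="${opts},ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n"
    for sig in "$@"; do
        opts="${opts},ecryptfs_sig=${sig}"
    done
    printf '%s\n' "$opts"
}

# Fetch one user's passphrase, load it into the session keyring, and mount
# that user's encrypted directory. Not run at load time; intended to be
# called as root from a login/session hook on the Samba host.
mount_user_share() {
    # $1: AD user (DOMAIN\user or user@REALM), $2: lower dir, $3: mount point
    user=$1
    lower=$2
    mnt=$3
    # Hypothetical hook: must print the passphrase on stdout and nothing else.
    pass=$(fetch_passphrase_from_ad "$user") || return 1
    # '-' makes ecryptfs-add-passphrase read stdin, so the passphrase never
    # shows up as a command-line argument in ps output.
    line=$(printf '%s\n' "$pass" | ecryptfs-add-passphrase -) || return 1
    unset pass
    sig=$(extract_sig "$line")
    if [ -z "$sig" ]; then
        echo "ecryptfs-add-passphrase did not return a key signature" >&2
        return 1
    fi
    # With every option supplied, the mount.ecryptfs helper runs without
    # prompting; anything omitted here would make it ask interactively.
    mount -t ecryptfs "$lower" "$mnt" -o "$(build_mount_opts aes 16 "$sig")"
}
```

The keyring step is per client machine: as the reply notes, a user's key has to be loaded on whichever host performs the mount, so this script is run on the Samba server that exports the decrypted view, not on each Windows client.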