svn commit: samba-docs r940 - in trunk: manpages-3 smbdotconf/winbind

gd at samba.org gd at samba.org
Fri Apr 28 08:18:57 GMT 2006


Author: gd
Date: 2006-04-28 08:18:56 +0000 (Fri, 28 Apr 2006)
New Revision: 940

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-docs&rev=940

Log:
Start documenting undocumented parameters.

Guenther

Added:
   trunk/smbdotconf/winbind/winbindofflinelogon.xml
   trunk/smbdotconf/winbind/winbindrefreshtickets.xml
Modified:
   trunk/manpages-3/pam_winbind.7.xml


Changeset:
Modified: trunk/manpages-3/pam_winbind.7.xml
===================================================================
--- trunk/manpages-3/pam_winbind.7.xml	2006-04-21 14:21:42 UTC (rev 939)
+++ trunk/manpages-3/pam_winbind.7.xml	2006-04-28 08:18:56 UTC (rev 940)
@@ -28,7 +28,14 @@
 <refsect1>
 	<title>OPTIONS</title>
 	<para>
-		pam_winbind supports several options:
+	
+		pam_winbind supports several options which can either be set in
+		the PAM configuration files or in the pam_winbind configuration
+		file situated at
+		<filename>/etc/security/pam_winbind.conf</filename>. Options
+		from the PAM configuration file take precedence to those from
+		the configuration file.
+
 		<variablelist>
 
 		<varlistentry>
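Review bot: In the added OPTIONS paragraph, the file /etc/security/pam_winbind.conf is named but nothing is said about its syntax, so a reader cannot tell how any of the options listed below would be written there. Suggest adding a sentence or short sample of the file's layout, and stating whether precedence is resolved per option when both places set a value, since one of the options in this list restricts who may log in. "take precedence to those" should read "take precedence over those", and the whitespace-only added line before the paragraph text can go.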
@@ -41,8 +48,8 @@
 		<listitem><para>
 		If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
 		can be either a group-SID, a alias-SID or even a user-SID. It is also possible to give a NAME instead of the
-		SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
-		<parameter>MYDOMAIN\myuser</parameter>.  pam_winbind will, in that case, lookup the SID internally. Note that
+		SID. That name must have the form: <parameter>MYDOMAIN\\mygroup</parameter> or
+		<parameter>MYDOMAIN\\myuser</parameter>.  pam_winbind will, in that case, lookup the SID internally. Note that
 		NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
 		user is a member of with <command>wbinfo --user-sids=SID</command>.
 		</para></listitem>
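Review bot: The doubled backslash in <parameter>MYDOMAIN\\mygroup</parameter> and <parameter>MYDOMAIN\\myuser</parameter> will be rendered literally, because a backslash has no special meaning in XML. If the aim is to fix how the generated man page prints the separator, that escaping belongs in the stylesheet and not in the source. If the user really has to type two backslashes in the PAM configuration, the sentence should say so explicitly, since this option gates who may log in and the text already warns about NAME handling.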
@@ -70,6 +77,48 @@
 		</para></listitem>
 		</varlistentry>
 
+		<varlistentry>
+		<term>krb5_auth</term>
+		<listitem><para>
+
+		pam_winbind can authenticate using Kerberos when winbindd is
+		talking to an Active Directory domain controller. Kerberos
+		authentication must be enabled with this parameter. When
+		Kerberos authentication can not succeed (e.g. due to clock
+		skew), winbindd will fallback to samlogon authentication over
+		MSRPC. When this parameter is used in conjunction with
+		<parameter>winbind refresh tickets</parameter>, winbind will
+		keep your Ticket Granting Ticket (TGT) uptodate by refreshing
+		it whenever necessary.
+
+		</para></listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>krb5_ccache_type=[type]</term>
+		<listitem><para>
+		
+		When pam_winbind is configured to try kerberos authentication
+		by enabling the <parameter>krb5_auth</parameter> option, it can
+		store the retrieved Ticket Granting Ticket (TGT) in a
+		credential cache. The type of credential cache can be set with
+		this option. Currently the only supported value is:
+		<parameter>FILE</parameter>. In that case a credential cache in
+		the form of /tmp/krb5cc_UID will be created, where UID is
+		replaced with the numeric user id.  Leave empty to just do
+		kerberos authentication without having a ticket cache after the
+		logon has succeeded.
+
+		</para></listitem>
+		</varlistentry>
+	
+		<varlistentry>
+		<term>cached_login</term>
+		<listitem><para>
+		Winbind allows to logon using cached credentials when <parameter>winbind offline logon</parameter> is enabled. To use this feature from the PAM module this option must be set.
+		</para></listitem>
+		</varlistentry>
+
 		</variablelist>
 
 
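Review bot: In the krb5_ccache_type entry, "Leave empty" is ambiguous next to the term krb5_ccache_type=[type]: it can mean omitting the option or writing krb5_ccache_type= with no value, and the text should say which. The entry should also state the owner and mode of /tmp/krb5cc_UID, since it holds the user's TGT at a predictable name in a shared directory. In the krb5_auth entry, the fallback to samlogon over MSRPC deserves a sentence on how an administrator can tell which method was actually used; "can not", "fallback" (as a verb) and "uptodate" should be "cannot", "fall back" and "up to date". In cached_login, "allows to logon" would read better as "allows logging on".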
@@ -83,7 +132,9 @@
 	<refentrytitle>wbinfo</refentrytitle>
 	<manvolnum>1</manvolnum></citerefentry>, <citerefentry>
 	<refentrytitle>winbindd</refentrytitle>
-	<manvolnum>8</manvolnum></citerefentry></para>
+	<manvolnum>8</manvolnum></citerefentry>, <citerefentry>
+	<refentrytitle>smb.conf</refentrytitle>
+	<manvolnum>5</manvolnum></citerefentry></para>
 </refsect1>
 
 <refsect1>

Added: trunk/smbdotconf/winbind/winbindofflinelogon.xml
===================================================================
--- trunk/smbdotconf/winbind/winbindofflinelogon.xml	2006-04-21 14:21:42 UTC (rev 939)
+++ trunk/smbdotconf/winbind/winbindofflinelogon.xml	2006-04-28 08:18:56 UTC (rev 940)
@@ -0,0 +1,18 @@
+<samba:parameter name="winbind offline logon"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>This parameter is designed to control whether Winbind should
+	allow to login with the <parameter moreinfo="none">pam_winbind</parameter> 
+	module using Cached Credentials. If enabled, winbindd will store user credentials
+	from successful logins encrypted in a local cache.
+	</para>
+
+</description>
+
+<value type="default">false</value>
+<value type="example">true</value>
+</samba:parameter>
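Review bot: The description says credentials are stored "encrypted in a local cache" but not where that cache lives, what exactly is stored, or how long an entry stays usable, which is what an administrator needs to know before enabling a parameter that keeps credentials on disk. It should also point to the cached_login option of pam_winbind, which the man page change in this commit says must be set to use the feature from PAM. "allow to login with" would read better as "allow logins through", and the type="boolean" line is indented with tabs while the neighbouring attribute lines use spaces.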

Added: trunk/smbdotconf/winbind/winbindrefreshtickets.xml
===================================================================
--- trunk/smbdotconf/winbind/winbindrefreshtickets.xml	2006-04-21 14:21:42 UTC (rev 939)
+++ trunk/smbdotconf/winbind/winbindrefreshtickets.xml	2006-04-28 08:18:56 UTC (rev 940)
@@ -0,0 +1,16 @@
+<samba:parameter name="winbind refresh tickets"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>This parameter is designed to control whether Winbind should refresh Kerberos Tickets
+	retrieved using the <parameter moreinfo="none">pam_winbind</parameter> module.
+
+</para>
+</description>
+
+<value type="default">false</value>
+<value type="example">true</value>
+</samba:parameter>
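Review bot: The description does not mention the krb5_auth option of pam_winbind, although the pam_winbind.7.xml text in this commit describes TGT refreshing as happening when krb5_auth is used "in conjunction with" this parameter; a cross-reference and a sentence on when a refresh is triggered would make the entry usable on its own. The closing </para> sits alone after a blank line, unlike winbindofflinelogon.xml, and the type="boolean" line mixes tabs with the spaces used for the other attributes.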


