[SCM] Samba Shared Repository - branch v4-0-test updated

Karolin Seeger kseeger at samba.org
Tue Oct 8 05:33:05 MDT 2013


The branch, v4-0-test has been updated
       via  acf4fe4 doc: Update documentation of pam_winbind krb5 support.
       via  11a4a64 s3-winbind: Add support for the kernel krb5 keyring buffer.
       via  f91b6c9 s3-winbind: Don't set a default directory for DIR.
      from  5b0caf4 VERSION: Bump version number up to 4.0.11...

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit acf4fe4084eb7e8715bc8ebc18ddf02b05b1ef57
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Sep 10 09:43:32 2013 +0200

    doc: Update documentation of pam_winbind krb5 support.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Tue Sep 10 15:35:20 CEST 2013 on sn-devel-104
    
    The last 3 patches address bug #10132 - pam_winbindd should support the KEYRING
    ccache type.
    
    Autobuild-User(v4-1-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-1-test): Mon Oct  7 12:21:29 CEST 2013 on sn-devel-104
    (cherry picked from commit 82d6a4354d3b4a6cc9e70ccfb21d7b604bed179b)
    
    Autobuild-User(v4-0-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-0-test): Tue Oct  8 13:32:27 CEST 2013 on sn-devel-104

commit 11a4a6474589fc5d3fccd8a645281323f7d252d1
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Sep 10 09:30:04 2013 +0200

    s3-winbind: Add support for the kernel krb5 keyring buffer.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 5a55cb636fa50e96000ea6a00960cc34e00e26a1)

commit f91b6c995e322da9d359437bd114b751ba73a67c
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Sep 10 09:28:50 2013 +0200

    s3-winbind: Don't set a default directory for DIR.
    
    There is no default, so you should always have to specify a directory in
    the config file.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    (cherry picked from commit 58038f6b26b5363f07d6e4a3fac6db461f9bca2c)

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/pam_winbind.conf.5.xml |   26 +++++++++++++++++---------
 source3/winbindd/winbindd_pam.c          |    4 ++--
 2 files changed, 19 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index be7f684..725e809 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,24 @@
 		<term>krb5_ccache_type = [type]</term>
 		<listitem><para>
 
-		When pam_winbind is configured to try kerberos authentication by
-		enabling the <parameter>krb5_auth</parameter> option, it can
-		store the retrieved Ticket Granting Ticket (TGT) in a credential
-		cache. The type of credential cache can be controlled with this
-		option.  The supported values are: <parameter>FILE</parameter>
-		and <parameter>DIR</parameter> (when the DIR type is supported
-		by the system's Kerberos library). In case of FILE a credential
+		When pam_winbind is configured to try kerberos authentication
+		by enabling the <parameter>krb5_auth</parameter> option, it can
+		store the retrieved Ticket Granting Ticket (TGT) in a
+		credential cache. The type of credential cache can be
+		controlled with this option.  The supported values are:
+		<parameter>KEYRING</parameter> (when supported by the system's
+		Kerberos library and Kernel), <parameter>FILE</parameter> and
+		<parameter>DIR</parameter> (when the DIR type is supported by
+		the system's Kerberos library). In case of FILE a credential
 		cache in the form of /tmp/krb5cc_UID will be created -  in case
-		of DIR it will be located under the /run/user/UID/krb5cc
-		directory.  UID is replaced with the numeric user id.</para>
+		of DIR you NEED to specify a directory. UID is replaced with
+		the numeric user id.</para>
+
+		<para>When using the KEYRING type, the supported mechanism is
+		<quote>KEYRING:persistent:UID</quote>, which uses the Linux
+		kernel keyring to store credentials on a per-UID basis. This is
+		the recommended choice on latest Linux distributions, as it is
+		the most secure and predictable method.</para>
 
 		<para>It is also possible to define custom filepaths and use the "%u"
 		pattern in order to substitue the numeric user id.
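Review bot: in the rewritten paragraph the sentence `UID is replaced with the numeric user id.` now directly follows `of DIR you NEED to specify a directory`, where no UID placeholder appears, so it reads as though it applies to the user-supplied DIR path; move it right after the FILE sentence (`/tmp/krb5cc_UID`) or into the new KEYRING paragraph, where `KEYRING:persistent:UID` actually uses the placeholder. The paragraph should also say what happens when `DIR` is given without a directory now that the previous default is gone (is the value rejected?), since that is the behaviour change an administrator upgrading a config needs to know about. Style: `NEED` should be plain `need`, `Kernel` lower-case, and `on latest Linux distributions` reads better as `on current Linux distributions`. The claim that KEYRING is `the most secure and predictable method` is left unjustified; either state the reason (the credentials are held in the kernel keyring rather than written to a file under /tmp) or drop the superlative. The unchanged context line two lines below, `substitue`, is a typo for `substitute` that could be fixed in passing.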
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 6fbad72..8f2facd 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -492,9 +492,9 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
 			gen_cc = talloc_asprintf(
 				mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
 		}
-		if (strequal(type, "DIR")) {
+		if (strequal(type, "KEYRING")) {
 			gen_cc = talloc_asprintf(
-				mem_ctx, "DIR:/run/user/%d/krb5cc", uid);
+				mem_ctx, "KEYRING:persistent:%d", uid);
 		}
 
 		if (strnequal(type, "FILE:/", 6) ||
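Review bot: replacing the `strequal(type, "DIR")` branch with the `KEYRING` branch leaves a bare `krb5_ccache_type = DIR` with no explicit handling in this function: it no longer produces `DIR:/run/user/%d/krb5cc` and instead falls through to the `strnequal(type, "FILE:/", 6) ||` prefix checks, so an existing configuration that relied on the old default changes behaviour silently. Since the manpage text now says a directory must be given, reject a bare `DIR` here (or in the config parser) with a logged error rather than letting it fall through. The new branch also emits `KEYRING:persistent:%d` unconditionally, while the documentation hunk makes KEYRING conditional on support in the system's Kerberos library and kernel; confirm that such a check exists on the caller's side or add one, so an unsupported ccache type fails at configuration time rather than at credential-cache initialisation during login.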


-- 
Samba Shared Repository


More information about the samba-cvs mailing list