[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Tue Sep 10 15:36:02 CEST 2013
The branch, master has been updated
via f942d01 doc: Update documentation of pam_winbind krb5 support.
via eae5373 s3-winbind: Add support for the kernel krb5 keyring buffer.
via 13094dc s3-winbind: Don't set a default directory for DIR.
from 0af09f0 ldb: Do not build libldb-cmdline when using system ldb.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit f942d019d183f2f6acb7c9a93f0128d22ba93b7a
Author: Andreas Schneider <asn at samba.org>
Date: Tue Sep 10 09:43:32 2013 +0200
doc: Update documentation of pam_winbind krb5 support.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Tue Sep 10 15:35:20 CEST 2013 on sn-devel-104
commit eae5373cfbe51a444d6381e6f7aeeb9f945902e9
Author: Andreas Schneider <asn at samba.org>
Date: Tue Sep 10 09:30:04 2013 +0200
s3-winbind: Add support for the kernel krb5 keyring buffer.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
commit 13094dc8f6777e6d3d17cfd30fa6adf670702949
Author: Andreas Schneider <asn at samba.org>
Date: Tue Sep 10 09:28:50 2013 +0200
s3-winbind: Don't set a default directory for DIR.
There is no default so you should always have to specify a directory in
the config file.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/pam_winbind.conf.5.xml | 26 +++++++++++++++++---------
source3/winbindd/winbindd_pam.c | 4 ++--
2 files changed, 19 insertions(+), 11 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 020cb67..b318a3b 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,24 @@
<term>krb5_ccache_type = [type]</term>
<listitem><para>
- When pam_winbind is configured to try kerberos authentication by
- enabling the <parameter>krb5_auth</parameter> option, it can
- store the retrieved Ticket Granting Ticket (TGT) in a credential
- cache. The type of credential cache can be controlled with this
- option. The supported values are: <parameter>FILE</parameter>
- and <parameter>DIR</parameter> (when the DIR type is supported
- by the system's Kerberos library). In case of FILE a credential
+ When pam_winbind is configured to try kerberos authentication
+ by enabling the <parameter>krb5_auth</parameter> option, it can
+ store the retrieved Ticket Granting Ticket (TGT) in a
+ credential cache. The type of credential cache can be
+ controlled with this option. The supported values are:
+ <parameter>KEYRING</parameter> (when supported by the system's
+ Kerberos library and Kernel), <parameter>FILE</parameter> and
+ <parameter>DIR</parameter> (when the DIR type is supported by
+ the system's Kerberos library). In case of FILE a credential
cache in the form of /tmp/krb5cc_UID will be created - in case
- of DIR it will be located under the /run/user/UID/krb5cc
- directory. UID is replaced with the numeric user id.</para>
+ of DIR you NEED to specify a directory. UID is replaced with
+ the numeric user id.</para>
+
+ <para>When using the KEYRING type, the supported mechanism is
+ <quote>KEYRING:persistent:UID</quote>, which uses the Linux
+ kernel keyring to store credentials on a per-UID basis. This is
+ the recommended choice on latest Linux distributions, as it is
+ the most secure and predictable method.</para>
<para>It is also possible to define custom filepaths and use the "%u"
pattern in order to substitue the numeric user id.
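Review bot: In the rewritten krb5_ccache_type paragraph, the DIR case now says only "you NEED to specify a directory" and does not show what form the value takes, and the sentence "UID is replaced with the numeric user id" is left with only /tmp/krb5cc_UID to refer to. Suggest giving an example DIR value the way the new KEYRING paragraph gives "KEYRING:persistent:UID", and stating what pam_winbind does when DIR is set without a directory. In the KEYRING paragraph, "latest Linux distributions" would age better if tied to the condition already named above (support in the Kerberos library and kernel), and "Kernel" should be lowercase.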
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 7b67154..c356686 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -492,9 +492,9 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
gen_cc = talloc_asprintf(
mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
}
- if (strequal(type, "DIR")) {
+ if (strequal(type, "KEYRING")) {
gen_cc = talloc_asprintf(
- mem_ctx, "DIR:/run/user/%d/krb5cc", uid);
+ mem_ctx, "KEYRING:persistent:%d", uid);
}
if (strnequal(type, "FILE:/", 6) ||
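Review bot: With the strequal(type, "DIR") branch replaced by the KEYRING one, a plain "krb5_ccache_type = DIR" no longer matches any branch visible in this hunk, and the hunk does not show what gen_cc ends up as in that case. Since the documentation change says a directory must be specified for DIR, suggest handling a bare DIR explicitly here with a log message that names the misconfiguration, rather than relying on the fall-through, so an admin upgrading from the old default gets a clear error instead of a credential cache in an unexpected place or none at all. Separately, both the existing WRFILE line and the new KEYRING line format uid with %d; if uid is a uid_t, %u with a cast to unsigned would avoid a negative number in the cache name for large ids.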
--
Samba Shared Repository