[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Mon Jul 1 19:23:02 UTC 2019


The branch, master has been updated
       via  163c0cc84a1 s3:winbind: Add support for storing KRB5 credential in KCM
      from  a77fda0cd4b lib tdb: memcmp ubsan warning

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 163c0cc84a1f2ded56389db80e9e4046f76f6185
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jul 1 10:43:42 2019 +0200

    s3:winbind: Add support for storing KRB5 credential in KCM
    
    This can store credentials in the Kerberos Credential Manager e.g.
    provided by sssd.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Mon Jul  1 19:22:02 UTC 2019 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/pam_winbind.conf.5.xml | 28 ++++++++++++++++++----------
 source3/winbindd/winbindd_pam.c          |  5 +++++
 2 files changed, 23 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 537007ba2fa..a5aaa01504d 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -113,19 +113,27 @@
 		store the retrieved Ticket Granting Ticket (TGT) in a
 		credential cache. The type of credential cache can be
 		controlled with this option.  The supported values are:
-		<parameter>KEYRING</parameter> (when supported by the system's
-		Kerberos library and Kernel), <parameter>FILE</parameter> and
-		<parameter>DIR</parameter> (when the DIR type is supported by
-		the system's Kerberos library). In case of FILE a credential
-		cache in the form of /tmp/krb5cc_UID will be created -  in case
-		of DIR you NEED to specify a directory. UID is replaced with
-		the numeric user id.</para>
+		<parameter>KCM</parameter> or <parameter>KEYRING</parameter>
+		(when supported by the system's Kerberos library and
+		operating system),
+		<parameter>FILE</parameter> and <parameter>DIR</parameter>
+		(when the DIR type is supported by the system's Kerberos
+		library). In case of FILE a credential cache in the form of
+		/tmp/krb5cc_UID will be created -  in case of DIR you NEED
+		to specify a directory. UID is replaced with the numeric
+		user id.</para>
 
 		<para>When using the KEYRING type, the supported mechanism is
 		<quote>KEYRING:persistent:UID</quote>, which uses the Linux
-		kernel keyring to store credentials on a per-UID basis. This is
-		the recommended choice on latest Linux distributions, as it is
-		the most secure and predictable method.</para>
+		kernel keyring to store credentials on a per-UID basis.</para>
+
+		<para>When using th KCM type, the supported mechanism is
+		<quote>KCM:UID</quote>, which uses a Kerberos credential
+		manaager to store credentials on a per-UID basis simliar to
+		KEYRING. This is the recommended choice on latest Linux
+		distributions, offering a Kerberos Credential Manager. If not
+		we suggest to use KEYRING as those are the most secure and
+		predictable method.</para>
 
 		<para>It is also possible to define custom filepaths and use the "%u"
 		pattern in order to substitue the numeric user id.
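Review bot: the new KCM paragraph (the added lines starting at `<para>When using th KCM type`) carries three typos that will ship in the rendered man page: `th` should be `the`, `manaager` should be `manager`, and `simliar` should be `similar`. The closing sentence `If not we suggest to use KEYRING as those are the most secure and predictable method.` also reads awkwardly; something like `If the distribution does not provide one, use KEYRING, which is otherwise the most secure and predictable method.` keeps the same advice and is clearer. Since the hunk only says `when supported by the system's Kerberos library and operating system`, it would help administrators to name what provides that support (the commit message mentions sssd) so they know what to install before selecting KCM.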
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 190f23f1b24..eaf16d0dced 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -569,6 +569,11 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
 			gen_cc = talloc_asprintf(
 				mem_ctx, "KEYRING:persistent:%d", uid);
 		}
+		if (strequal(type, "KCM")) {
+			gen_cc = talloc_asprintf(mem_ctx,
+						 "KCM:%d",
+						 uid);
+		}
 
 		if (strnequal(type, "FILE:/", 6) ||
 		    strnequal(type, "WRFILE:/", 8) ||
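Review bot: the new `KCM` branch is a standalone `if` placed after the `KEYRING` one rather than an `else if`; the type strings are mutually exclusive so the result is correct, but an `else if` chain, and formatting the `talloc_asprintf` call on one line as the `KEYRING` branch two lines above does, would keep the block consistent and make it obvious that only one branch can set `gen_cc`. Nothing in the visible lines checks that the linked Kerberos library actually supports the KCM cache type, so an administrator who selects KCM on a system without a KCM daemon will only discover the problem when the `KCM:<uid>` cache is opened later; a build-time or runtime capability check, or at least a clear log message at that point, would make the misconfiguration easier to diagnose.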


-- 
Samba Shared Repository
