[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Thu Oct 31 19:33:04 UTC 2019


The branch, master has been updated
       via  fe60eef9781 docs-xml: Update krb5_ccache_type in pam_winbind.8
       via  0de9dad9ebc docs-xml: Improve krb5_ccache_type documentation
      from  c714c996017 docs-xml/manpages/pam_winbind.conf.5.xml: typo fixes

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit fe60eef9781f9970d2fa0705e10a6e8e309f839e
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Oct 28 08:34:16 2019 +0100

    docs-xml: Update krb5_ccache_type in pam_winbind.8
    
    This is a copy from pam_winbind.conf.5
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14173
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Thu Oct 31 19:32:55 UTC 2019 on sn-devel-184

commit 0de9dad9ebc88ab044f4b946ef44f63ae2281649
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Oct 31 17:10:59 2019 +0100

    docs-xml: Improve krb5_ccache_type documentation
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Alexander Bokovoy <ab at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/pam_winbind.8.xml      | 58 ++++++++++++++++++++++++++------
 docs-xml/manpages/pam_winbind.conf.5.xml |  8 +++--
 2 files changed, 54 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
index 97dc5733d64..003020d8b7c 100644
--- a/docs-xml/manpages/pam_winbind.8.xml
+++ b/docs-xml/manpages/pam_winbind.8.xml
@@ -150,21 +150,59 @@
 		<varlistentry>
 		<term>krb5_ccache_type=[type]</term>
 		<listitem><para>
-		
+
 		When pam_winbind is configured to try kerberos authentication
 		by enabling the <parameter>krb5_auth</parameter> option, it can
 		store the retrieved Ticket Granting Ticket (TGT) in a
-		credential cache. The type of credential cache can be set with
-		this option. Currently the only supported value is:
-		<parameter>FILE</parameter>. In that case a credential cache in
-		the form of /tmp/krb5cc_UID will be created, where UID is
-		replaced with the numeric user id.  Leave empty to just do
-		kerberos authentication without having a ticket cache after the
-		logon has succeeded.
+		credential cache. The type of credential cache can be
+		controlled with this option.  The supported values are:
+		<parameter>KCM</parameter> or <parameter>KEYRING</parameter>
+		(when supported by the system's Kerberos library and
+		operating system),
+		<parameter>FILE</parameter> and <parameter>DIR</parameter>
+		(when the DIR type is supported by the system's Kerberos
+		library). In case of FILE a credential cache in the form of
+		/tmp/krb5cc_UID will be created -  in case of DIR you NEED
+		to specify a directory. UID is replaced with the numeric
+		user id. The UID directory is being created. The path up to
+		the directory should already exist. Check the details of the
+		Kerberos implmentation.</para>
+
+		<para>When using the KEYRING type, the supported mechanism is
+		<quote>KEYRING:persistent:UID</quote>, which uses the Linux
+		kernel keyring to store credentials on a per-UID basis.
+		The KEYRING has its limitations. As it is secure kernel memory,
+		for example bulk sorage of credentils is for not possible.</para>
+
+		<para>When using th KCM type, the supported mechanism is
+		<quote>KCM:UID</quote>, which uses a Kerberos credential
+		manaager to store credentials on a per-UID basis similar to
+		KEYRING. This is the recommended choice on latest Linux
+		distributions, offering a Kerberos Credential Manager. If not
+		we suggest to use KEYRING as those are the most secure and
+		predictable method.</para>
+
+		<para>It is also possible to define custom filepaths and use the "%u"
+		pattern in order to substitute the numeric user id.
+		Examples:</para>
 
-		</para></listitem>
+		<variablelist>
+			<varlistentry>
+				<term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
+					<listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
+			</varlistentry>
+			<varlistentry>
+				<term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
+					<listitem><para>This will create a credential cache file.</para></listitem>
+			</varlistentry>
+		</variablelist>
+
+		<para>Leave empty to just do kerberos authentication without
+		having a ticket cache after the logon has succeeded.
+		This setting is empty by default.</para>
+		</listitem>
 		</varlistentry>
-	
+
 		<varlistentry>
 		<term>cached_login</term>
 		<listitem><para>
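Review bot: the KEYRING and KCM paragraphs added in this hunk carry typos that will land verbatim in the rendered man page: "Kerberos implmentation", "bulk sorage of credentils is for not possible", "When using th KCM type", "Kerberos credential manaager". Since the commit message says this text is a copy from pam_winbind.conf.5, fix them there and re-copy, e.g. `for example bulk storage of credentials is not possible.</para>` and `<para>When using the KCM type, the supported mechanism is`. The sentence "The UID directory is being created. The path up to the directory should already exist." also leaves it unclear which component creates the UID directory (pam_winbind or the Kerberos library) and what happens when the parent path is missing; since the DIR example below is `DIR:/run/user/%u/krb5cc`, state explicitly who creates the `%u` component and that the login fails or falls back if the parent does not exist, instead of deferring to "Check the details of the Kerberos implementation". Finally, "KEYRING ... the most secure and predictable method" is a strong claim with no justification in the paragraph; either tie it to the "secure kernel memory" property mentioned just above or soften it.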
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 1c48f1bc428..918450c4643 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -121,11 +121,15 @@
 		library). In case of FILE a credential cache in the form of
 		/tmp/krb5cc_UID will be created -  in case of DIR you NEED
 		to specify a directory. UID is replaced with the numeric
-		user id.</para>
+		user id. The UID directory is being created. The path up to
+		the directory should already exist. Check the details of the
+		Kerberos implmentation.</para>
 
 		<para>When using the KEYRING type, the supported mechanism is
 		<quote>KEYRING:persistent:UID</quote>, which uses the Linux
-		kernel keyring to store credentials on a per-UID basis.</para>
+		kernel keyring to store credentials on a per-UID basis.
+		The KEYRING has its limitations. As it is secure kernel memory,
+		for example bulk sorage of credentils is for not possible.</para>
 
 		<para>When using th KCM type, the supported mechanism is
 		<quote>KCM:UID</quote>, which uses a Kerberos credential
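Review bot: the lines added after "user id." and in the KEYRING paragraph introduce the same typos that the pam_winbind.8 copy inherits: "implmentation", "sorage", "credentils", "is for not possible". Suggested wording: `Kerberos implementation.</para>` and `for example bulk storage of credentials is not possible.</para>`. The unchanged context line `<para>When using th KCM type, the supported mechanism is` shows a pre-existing typo in this file; it is worth fixing in the same commit, because the other man page is generated by copying this text and would otherwise need a third follow-up. The new "The UID directory is being created" sentence should also name the actor (pam_winbind or the Kerberos library) and the failure behaviour when the parent path does not exist, rather than only saying it "should already exist".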


-- 
Samba Shared Repository
