[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Thu Oct 31 19:33:04 UTC 2019
The branch, master has been updated
via fe60eef9781 docs-xml: Update krb5_ccache_type in pam_winbind.8
via 0de9dad9ebc docs-xml: Improve krb5_ccache_type documentation
from c714c996017 docs-xml/manpages/pam_winbind.conf.5.xml: typo fixes
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit fe60eef9781f9970d2fa0705e10a6e8e309f839e
Author: Andreas Schneider <asn at samba.org>
Date: Mon Oct 28 08:34:16 2019 +0100
docs-xml: Update krb5_ccache_type in pam_winbind.8
This is a copy from pam_winbind.conf.5
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14173
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Oct 31 19:32:55 UTC 2019 on sn-devel-184
commit 0de9dad9ebc88ab044f4b946ef44f63ae2281649
Author: Andreas Schneider <asn at samba.org>
Date: Thu Oct 31 17:10:59 2019 +0100
docs-xml: Improve krb5_ccache_type documentation
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/pam_winbind.8.xml | 58 ++++++++++++++++++++++++++------
docs-xml/manpages/pam_winbind.conf.5.xml | 8 +++--
2 files changed, 54 insertions(+), 12 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
index 97dc5733d64..003020d8b7c 100644
--- a/docs-xml/manpages/pam_winbind.8.xml
+++ b/docs-xml/manpages/pam_winbind.8.xml
@@ -150,21 +150,59 @@
<varlistentry>
<term>krb5_ccache_type=[type]</term>
<listitem><para>
-
+
When pam_winbind is configured to try kerberos authentication
by enabling the <parameter>krb5_auth</parameter> option, it can
store the retrieved Ticket Granting Ticket (TGT) in a
- credential cache. The type of credential cache can be set with
- this option. Currently the only supported value is:
- <parameter>FILE</parameter>. In that case a credential cache in
- the form of /tmp/krb5cc_UID will be created, where UID is
- replaced with the numeric user id. Leave empty to just do
- kerberos authentication without having a ticket cache after the
- logon has succeeded.
+ credential cache. The type of credential cache can be
+ controlled with this option. The supported values are:
+ <parameter>KCM</parameter> or <parameter>KEYRING</parameter>
+ (when supported by the system's Kerberos library and
+ operating system),
+ <parameter>FILE</parameter> and <parameter>DIR</parameter>
+ (when the DIR type is supported by the system's Kerberos
+ library). In case of FILE a credential cache in the form of
+ /tmp/krb5cc_UID will be created - in case of DIR you NEED
+ to specify a directory. UID is replaced with the numeric
+ user id. The UID directory is being created. The path up to
+ the directory should already exist. Check the details of the
+ Kerberos implmentation.</para>
+
+ <para>When using the KEYRING type, the supported mechanism is
+ <quote>KEYRING:persistent:UID</quote>, which uses the Linux
+ kernel keyring to store credentials on a per-UID basis.
+ The KEYRING has its limitations. As it is secure kernel memory,
+ for example bulk sorage of credentils is for not possible.</para>
+
+ <para>When using th KCM type, the supported mechanism is
+ <quote>KCM:UID</quote>, which uses a Kerberos credential
+ manaager to store credentials on a per-UID basis similar to
+ KEYRING. This is the recommended choice on latest Linux
+ distributions, offering a Kerberos Credential Manager. If not
+ we suggest to use KEYRING as those are the most secure and
+ predictable method.</para>
+
+ <para>It is also possible to define custom filepaths and use the "%u"
+ pattern in order to substitute the numeric user id.
+ Examples:</para>
- </para></listitem>
+ <variablelist>
+ <varlistentry>
+ <term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
+ <listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
+ <listitem><para>This will create a credential cache file.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>Leave empty to just do kerberos authentication without
+ having a ticket cache after the logon has succeeded.
+ This setting is empty by default.</para>
+ </listitem>
</varlistentry>
-
+
<varlistentry>
<term>cached_login</term>
<listitem><para>
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 1c48f1bc428..918450c4643 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -121,11 +121,15 @@
library). In case of FILE a credential cache in the form of
/tmp/krb5cc_UID will be created - in case of DIR you NEED
to specify a directory. UID is replaced with the numeric
- user id.</para>
+ user id. The UID directory is being created. The path up to
+ the directory should already exist. Check the details of the
+ Kerberos implmentation.</para>
<para>When using the KEYRING type, the supported mechanism is
<quote>KEYRING:persistent:UID</quote>, which uses the Linux
- kernel keyring to store credentials on a per-UID basis.</para>
+ kernel keyring to store credentials on a per-UID basis.
+ The KEYRING has its limitations. As it is secure kernel memory,
+ for example bulk sorage of credentils is for not possible.</para>
<para>When using th KCM type, the supported mechanism is
<quote>KCM:UID</quote>, which uses a Kerberos credential
--
Samba Shared Repository
More information about the samba-cvs
mailing list