author: Andreas Schneider <asn@samba.org> 2013-09-10 09:43:32 +0200
committer: Karolin Seeger <kseeger@samba.org> 2013-10-07 12:21:29 +0200
commit: 82d6a4354d3b4a6cc9e70ccfb21d7b604bed179b (patch)
tree: 556431a4e5ce7800c7c3b64b6f550d6593cb1384
parent: 5a55cb636fa50e96000ea6a00960cc34e00e26a1 (diff)
download: samba-82d6a4354d3b4a6cc9e70ccfb21d7b604bed179b.tar.gz
doc: Update documentation of pam_winbind krb5 support.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Sep 10 15:35:20 CEST 2013 on sn-devel-104

The last 3 patches address bug #10132 - pam_winbindd should support the KEYRING ccache type.

Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Mon Oct 7 12:21:29 CEST 2013 on sn-devel-104
-rw-r--r--  docs-xml/manpages/pam_winbind.conf.5.xml  26
1 files changed, 17 insertions, 9 deletions
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index be7f684f538..725e809e59b 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,24 @@
<term>krb5_ccache_type = [type]</term>
<listitem><para>
- When pam_winbind is configured to try kerberos authentication by
- enabling the <parameter>krb5_auth</parameter> option, it can
- store the retrieved Ticket Granting Ticket (TGT) in a credential
- cache. The type of credential cache can be controlled with this
- option. The supported values are: <parameter>FILE</parameter>
- and <parameter>DIR</parameter> (when the DIR type is supported
- by the system's Kerberos library). In case of FILE a credential
+ When pam_winbind is configured to try kerberos authentication
+ by enabling the <parameter>krb5_auth</parameter> option, it can
+ store the retrieved Ticket Granting Ticket (TGT) in a
+ credential cache. The type of credential cache can be
+ controlled with this option. The supported values are:
+ <parameter>KEYRING</parameter> (when supported by the system's
+ Kerberos library and Kernel), <parameter>FILE</parameter> and
+ <parameter>DIR</parameter> (when the DIR type is supported by
+ the system's Kerberos library). In case of FILE a credential
cache in the form of /tmp/krb5cc_UID will be created - in case
- of DIR it will be located under the /run/user/UID/krb5cc
- directory. UID is replaced with the numeric user id.</para>
+ of DIR you NEED to specify a directory. UID is replaced with
+ the numeric user id.</para>
+
+ <para>When using the KEYRING type, the supported mechanism is
+ <quote>KEYRING:persistent:UID</quote>, which uses the Linux
+ kernel keyring to store credentials on a per-UID basis. This is
+ the recommended choice on latest Linux distributions, as it is
+ the most secure and predictable method.</para>
<para>It is also possible to define custom filepaths and use the "%u"
pattern in order to substitue the numeric user id.
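Review bot: The rewritten DIR sentence ("in case of DIR you NEED to specify a directory") tells the administrator a directory is mandatory but not how to supply one, and the shouted NEED is out of register for a man page; the old text at least named a default location. Since the next paragraph already documents custom file paths with the "%u" pattern, point the reader there, e.g. "in case of DIR a directory must be given explicitly using the custom path syntax described below". The new KEYRING paragraph should also state what the option value actually looks like in the config file (the surrounding text documents "krb5_ccache_type = [type]" but the paragraph only names the mechanism string), and "kerberos" in the added line should be capitalised as "Kerberos" to match the rest of the paragraph. Finally, the unchanged context line "substitue" is a pre-existing typo worth fixing while this block is being touched.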