summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2013-07-18 19:09:14 +0200
committerJeremy Allison <jra@samba.org>2013-07-24 02:43:09 +0200
commit9adfe82a1785aa6a7baefb435072a0a81dfb13cb (patch)
treeaff762463aa102d028ed248835685b08b54392e4
parent7ad3a367d52b1f123c318946d654e95639202130 (diff)
downloadsamba-9adfe82a1785aa6a7baefb435072a0a81dfb13cb.tar.gz
pam_winbind: update documentation for "DIR" krb5ccname pragma.
Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Jul 24 02:43:10 CEST 2013 on sn-devel-104
-rw-r--r--docs-xml/manpages/pam_winbind.conf.5.xml39
-rw-r--r--examples/pam_winbind/pam_winbind.conf3
2 files changed, 31 insertions, 11 deletions
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 8c36719a8b3..020cb674e79 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,35 @@
<term>krb5_ccache_type = [type]</term>
<listitem><para>
- When pam_winbind is configured to try kerberos authentication
- by enabling the <parameter>krb5_auth</parameter> option, it can
- store the retrieved Ticket Granting Ticket (TGT) in a
- credential cache. The type of credential cache can be set with
- this option. Currently the only supported value is:
- <parameter>FILE</parameter>. In that case a credential cache in
- the form of /tmp/krb5cc_UID will be created, where UID is
- replaced with the numeric user id. Leave empty to just do
- kerberos authentication without having a ticket cache after the
- logon has succeeded. This setting is empty by default.
+ When pam_winbind is configured to try kerberos authentication by
+ enabling the <parameter>krb5_auth</parameter> option, it can
+ store the retrieved Ticket Granting Ticket (TGT) in a credential
+ cache. The type of credential cache can be controlled with this
+ option. The supported values are: <parameter>FILE</parameter>
+ and <parameter>DIR</parameter> (when the DIR type is supported
+ by the system's Kerberos library). In case of FILE a credential
+ cache in the form of /tmp/krb5cc_UID will be created - in case
+ of DIR it will be located under the /run/user/UID/krb5cc
+ directory. UID is replaced with the numeric user id.</para>
+
+ <para>It is also possible to define custom filepaths and use the "%u"
+ pattern in order to substitue the numeric user id.
+ Examples:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
+ <listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
+ <listitem><para>This will create a credential cache file.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para> Leave empty to just do kerberos authentication without
+ having a ticket cache after the logon has succeeded.
+ This setting is empty by default.
</para></listitem>
</varlistentry>
diff --git a/examples/pam_winbind/pam_winbind.conf b/examples/pam_winbind/pam_winbind.conf
index dd0b112f304..87bc388a45d 100644
--- a/examples/pam_winbind/pam_winbind.conf
+++ b/examples/pam_winbind/pam_winbind.conf
@@ -3,6 +3,7 @@
#
# /etc/security/pam_winbind.conf
#
+# For more details see man pam_winbind.conf(5)
[global]
@@ -19,7 +20,7 @@
# authenticate using kerberos
;krb5_auth = no
-# when using kerberos, request a "FILE" krb5 credential cache type
+# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =