author | Günther Deschner <gd@samba.org> | 2013-07-18 19:09:14 +0200 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2013-07-24 02:43:09 +0200 |
commit | 9adfe82a1785aa6a7baefb435072a0a81dfb13cb (patch) | |
tree | aff762463aa102d028ed248835685b08b54392e4 | |
parent | 7ad3a367d52b1f123c318946d654e95639202130 (diff) | |
download | samba-9adfe82a1785aa6a7baefb435072a0a81dfb13cb.tar.gz |
pam_winbind: update documentation for "DIR" krb5ccname pragma.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul 24 02:43:10 CEST 2013 on sn-devel-104
-rw-r--r-- | docs-xml/manpages/pam_winbind.conf.5.xml | 39 | ||||
-rw-r--r-- | examples/pam_winbind/pam_winbind.conf | 3 |
2 files changed, 31 insertions, 11 deletions
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml index 8c36719a8b3..020cb674e79 100644 --- a/docs-xml/manpages/pam_winbind.conf.5.xml +++ b/docs-xml/manpages/pam_winbind.conf.5.xml 
@@ -106,16 +106,35 @@ <term>krb5_ccache_type = [type]</term> <listitem><para> - When pam_winbind is configured to try kerberos authentication - by enabling the <parameter>krb5_auth</parameter> option, it can - store the retrieved Ticket Granting Ticket (TGT) in a - credential cache. The type of credential cache can be set with - this option. Currently the only supported value is: - <parameter>FILE</parameter>. In that case a credential cache in - the form of /tmp/krb5cc_UID will be created, where UID is - replaced with the numeric user id. Leave empty to just do - kerberos authentication without having a ticket cache after the - logon has succeeded. This setting is empty by default. + When pam_winbind is configured to try kerberos authentication by + enabling the <parameter>krb5_auth</parameter> option, it can + store the retrieved Ticket Granting Ticket (TGT) in a credential + cache. The type of credential cache can be controlled with this + option. The supported values are: <parameter>FILE</parameter> + and <parameter>DIR</parameter> (when the DIR type is supported + by the system's Kerberos library). In case of FILE a credential + cache in the form of /tmp/krb5cc_UID will be created - in case + of DIR it will be located under the /run/user/UID/krb5cc + directory. UID is replaced with the numeric user id.</para> + + <para>It is also possible to define custom filepaths and use the "%u" + pattern in order to substitue the numeric user id. 
+ Examples:</para> + + <variablelist> + <varlistentry> + <term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term> + <listitem><para>This will create a credential cache file in the specified directory.</para></listitem> + </varlistentry> + <varlistentry> + <term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term> + <listitem><para>This will create a credential cache file.</para></listitem> + </varlistentry> + </variablelist> + + <para> Leave empty to just do kerberos authentication without + having a ticket cache after the logon has succeeded. + This setting is empty by default. </para></listitem> </varlistentry> diff --git a/examples/pam_winbind/pam_winbind.conf b/examples/pam_winbind/pam_winbind.conf index dd0b112f304..87bc388a45d 100644 --- a/examples/pam_winbind/pam_winbind.conf +++ b/examples/pam_winbind/pam_winbind.conf @@ -3,6 +3,7 @@ # # /etc/security/pam_winbind.conf # +# For more details see man pam_winbind.conf(5) [global] @@ -19,7 +20,7 @@ # authenticate using kerberos ;krb5_auth = no -# when using kerberos, request a "FILE" krb5 credential cache type +# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type # (leave empty to just do krb5 authentication but not have a ticket # afterwards) ;krb5_ccache_type = |
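Review bot: In the docs-xml/manpages/pam_winbind.conf.5.xml hunk, the added paragraph on custom paths misspells "substitute" (`pattern in order to substitue the numeric user id.`); please fix it before it reaches the rendered man page. The same hunk leaves the term as `krb5_ccache_type = [type]` while both new examples use a `TYPE:path` value such as `DIR:/run/user/%u/krb5cc`, so the term or the paragraph should state that syntax explicitly. The text also says DIR is available only "when the DIR type is supported by the system's Kerberos library" without saying what the module does when it is not; a sentence on that behaviour would save administrators from finding out at logon.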
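Review bot: In the first examples/pam_winbind/pam_winbind.conf hunk, the added header comment `# For more details see man pam_winbind.conf(5)` mixes the command with the page reference. Suggest either `see pam_winbind.conf(5)` or `see man 5 pam_winbind.conf`, so the line reads as a reference or as something that can be typed as written.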
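Review bot: In the second examples/pam_winbind/pam_winbind.conf hunk, the updated comment above `;krb5_ccache_type =` names "DIR" but omits the condition the man page change attaches to it (DIR works only when the system's Kerberos library supports it) and does not mention the `%u` path form. Suggest extending the comment with one line covering both, for instance noting that a value such as `DIR:/run/user/%u/krb5cc` may be given where the library supports DIR, so the example file and the man page agree.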