| author | Andreas Schneider <asn@samba.org> | 2019-07-01 10:43:42 +0200 |
|---|---|---|
| committer | Andreas Schneider <asn@cryptomilk.org> | 2019-07-01 19:22:02 +0000 |
| commit | 163c0cc84a1f2ded56389db80e9e4046f76f6185 (patch) | |
| tree | cbc88f400d48f6fed1667318ad2c3d9d2e341203 /docs-xml | |
| parent | a77fda0cd4b9ec89024c7ac8a3f77797e00f4263 (diff) | |
| download | samba-163c0cc84a1f2ded56389db80e9e4046f76f6185.tar.gz | |
s3:winbind: Add support for storing KRB5 credential in KCM
This can store credentials in the Kerberos Credential Manager, e.g. provided by sssd.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 1 19:22:02 UTC 2019 on sn-devel-184
Diffstat (limited to 'docs-xml')
-rw-r--r-- | docs-xml/manpages/pam_winbind.conf.5.xml | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml index 537007ba2fa..a5aaa01504d 100644 --- a/docs-xml/manpages/pam_winbind.conf.5.xml +++ b/docs-xml/manpages/pam_winbind.conf.5.xml 
@@ -113,19 +113,27 @@ store the retrieved Ticket Granting Ticket (TGT) in a credential cache. The type of credential cache can be controlled with this option. The supported values are: - <parameter>KEYRING</parameter> (when supported by the system's - Kerberos library and Kernel), <parameter>FILE</parameter> and - <parameter>DIR</parameter> (when the DIR type is supported by - the system's Kerberos library). In case of FILE a credential - cache in the form of /tmp/krb5cc_UID will be created - in case - of DIR you NEED to specify a directory. UID is replaced with - the numeric user id.</para> + <parameter>KCM</parameter> or <parameter>KEYRING</parameter> + (when supported by the system's Kerberos library and + operating system), + <parameter>FILE</parameter> and <parameter>DIR</parameter> + (when the DIR type is supported by the system's Kerberos + library). In case of FILE a credential cache in the form of + /tmp/krb5cc_UID will be created - in case of DIR you NEED + to specify a directory. UID is replaced with the numeric + user id.</para> <para>When using the KEYRING type, the supported mechanism is <quote>KEYRING:persistent:UID</quote>, which uses the Linux - kernel keyring to store credentials on a per-UID basis. This is - the recommended choice on latest Linux distributions, as it is - the most secure and predictable method.</para> + kernel keyring to store credentials on a per-UID basis.</para> + + <para>When using th KCM type, the supported mechanism is + <quote>KCM:UID</quote>, which uses a Kerberos credential + manaager to store credentials on a per-UID basis simliar to + KEYRING. This is the recommended choice on latest Linux + distributions, offering a Kerberos Credential Manager. If not + we suggest to use KEYRING as those are the most secure and + predictable method.</para> <para>It is also possible to define custom filepaths and use the "%u" pattern in order to substitue the numeric user id. |
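Review bot: The new KCM paragraph contradicts itself on which cache type is recommended: it first calls KCM "the recommended choice on latest Linux distributions, offering a Kerberos Credential Manager" and then says "we suggest to use KEYRING as those are the most secure and predictable method", where "those" has no plural antecedent. Suggest something like "This is the recommended choice on Linux distributions that provide a Kerberos Credential Manager. Otherwise, KEYRING is the most secure and predictable method." The same paragraph also has three typos in added text: "th KCM type" should be "the KCM type", "manaager" should be "manager", and "simliar" should be "similar". In the option list, the parenthetical "(when supported by the system's Kerberos library and operating system)" now covers both KCM and KEYRING, but the two have different requirements: KEYRING needs kernel keyring support, whereas KCM needs a running credential manager service (the commit message names sssd as one provider). The manpage should say so, since an administrator reading this text has no way to tell whether their system can use KCM:UID, and the text does not say what pam_winbind does if KCM is configured but no credential manager is available. The "substitue" typo in the trailing context line is pre-existing but could be fixed in the same patch.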