| Field | Value | Date |
|---|---|---|
| author | Andreas Schneider <asn@samba.org> | 2019-10-28 08:34:16 +0100 |
| committer | Andreas Schneider <asn@cryptomilk.org> | 2019-10-31 19:32:55 +0000 |
| commit | fe60eef9781f9970d2fa0705e10a6e8e309f839e (patch) | |
| tree | ee9b762a50d7c08c74aeea17b532ca4a3244a7e6 /docs-xml | |
| parent | 0de9dad9ebc88ab044f4b946ef44f63ae2281649 (diff) | |
| download | samba-fe60eef9781f9970d2fa0705e10a6e8e309f839e.tar.gz | |
docs-xml: Update krb5_ccache_type in pam_winbind.8
This is a copy from pam_winbind.conf.5
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14173
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Oct 31 19:32:55 UTC 2019 on sn-devel-184
Diffstat (limited to 'docs-xml')
-rw-r--r-- | docs-xml/manpages/pam_winbind.8.xml | 58 |
1 files changed, 48 insertions, 10 deletions
diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml index 97dc5733d64..003020d8b7c 100644 --- a/docs-xml/manpages/pam_winbind.8.xml +++ b/docs-xml/manpages/pam_winbind.8.xml 
@@ -150,21 +150,59 @@ <varlistentry> <term>krb5_ccache_type=[type]</term> <listitem><para> - + When pam_winbind is configured to try kerberos authentication by enabling the <parameter>krb5_auth</parameter> option, it can store the retrieved Ticket Granting Ticket (TGT) in a - credential cache. The type of credential cache can be set with - this option. Currently the only supported value is: - <parameter>FILE</parameter>. In that case a credential cache in - the form of /tmp/krb5cc_UID will be created, where UID is - replaced with the numeric user id. Leave empty to just do - kerberos authentication without having a ticket cache after the - logon has succeeded. + credential cache. The type of credential cache can be + controlled with this option. The supported values are: + <parameter>KCM</parameter> or <parameter>KEYRING</parameter> + (when supported by the system's Kerberos library and + operating system), + <parameter>FILE</parameter> and <parameter>DIR</parameter> + (when the DIR type is supported by the system's Kerberos + library). In case of FILE a credential cache in the form of + /tmp/krb5cc_UID will be created - in case of DIR you NEED + to specify a directory. UID is replaced with the numeric + user id. The UID directory is being created. The path up to + the directory should already exist. Check the details of the + Kerberos implmentation.</para> + + <para>When using the KEYRING type, the supported mechanism is + <quote>KEYRING:persistent:UID</quote>, which uses the Linux + kernel keyring to store credentials on a per-UID basis. + The KEYRING has its limitations. As it is secure kernel memory, + for example bulk sorage of credentils is for not possible.</para> + + <para>When using th KCM type, the supported mechanism is + <quote>KCM:UID</quote>, which uses a Kerberos credential + manaager to store credentials on a per-UID basis similar to + KEYRING. This is the recommended choice on latest Linux + distributions, offering a Kerberos Credential Manager. 
If not + we suggest to use KEYRING as those are the most secure and + predictable method.</para> + + <para>It is also possible to define custom filepaths and use the "%u" + pattern in order to substitute the numeric user id. + Examples:</para> - </para></listitem> + <variablelist> + <varlistentry> + <term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term> + <listitem><para>This will create a credential cache file in the specified directory.</para></listitem> + </varlistentry> + <varlistentry> + <term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term> + <listitem><para>This will create a credential cache file.</para></listitem> + </varlistentry> + </variablelist> + + <para>Leave empty to just do kerberos authentication without + having a ticket cache after the logon has succeeded. + This setting is empty by default.</para> + </listitem> </varlistentry> - + <varlistentry> <term>cached_login</term> <listitem><para> |
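Review bot: The added paragraphs ship several typos into the rendered man page and should be corrected before merge: "Kerberos implmentation" (implementation), "bulk sorage of credentils is for not possible" (bulk storage of credentials is not possible), "When using th KCM type" (the), "Kerberos credential manaager" (manager), and "we suggest to use KEYRING as those are the most secure and predictable method" (suggest "we recommend using KEYRING, as it is the most secure and predictable method"). Two sentences are also hard to follow for an administrator: "The UID directory is being created. The path up to the directory should already exist." reads better as "The per-UID directory is created automatically, but the parent path must already exist." and the DIR example's "This will create a credential cache file in the specified directory." should make clear that %u is expanded to the numeric user id, since that is the point of the example. Since the commit message says this text is a copy from pam_winbind.conf.5, the source paragraph there should be checked for the same misspellings so the two man pages stay identical; if the FILE and DIR descriptions are meant to diverge from the conf.5 wording, the commit message should say so.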