author Sumit Bose 2012-06-25 11:34:33 +0200
committer Stephen Gallagher 2012-06-25 07:36:40 -0400
commit a8781a38b5fca84647d59199fd0b0b4b2d4624e0
tree e4ab493ec21c83363699df9a3ff3ba7eec5ad157 /src
parent e5e8252ec48bfdd4e7529debc705c8e090264b9a
Add man page section for the PAC responder
Diffstat (limited to 'src')
2 files changed, 40 insertions, 1 deletions
diff --git a/src/man/ b/src/man/
index c15844e82..aa2907f04 100644
--- a/src/man/
+++ b/src/man/
@@ -18,7 +18,10 @@ endif
SSH_CONDS = ;with_ssh
+PAC_RESPONDER_CONDS = ;with_pac_responder
#Special Rules:
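Review bot: PAC_RESPONDER_CONDS is assigned here, but the lines shown include neither the build conditional that should guard the assignment nor the place where the variable is consumed. The hunk header reports three added lines, so please confirm that the assignment is wrapped in its own configure conditional and that the variable is appended to the condition list handed to the man page build. Otherwise the condition="with_pac_responder" markup in sssd.conf.5.xml will not follow whether the responder is actually built.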
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index bdf2543b7..6c57571e8 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -90,6 +90,7 @@
<phrase condition="with_sudo">, sudo</phrase>
<phrase condition="with_autofs">, autofs</phrase>
<phrase condition="with_ssh">, ssh</phrase>
+ <phrase condition="with_pac_responder">, pac</phrase>
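Review bot: the new ", pac" phrase adds pac to this list with no hint at this spot that the responder is experimental. The section added later in this patch pulls in include/experimental.xml, so consider pointing from here to the PAC_RESPONDER section, or repeating the experimental marker, so that an administrator does not enable the service from this list alone.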
@@ -813,6 +814,41 @@
+ <refsect2 id='PAC_RESPONDER' condition="with_pac_responder">
+ <title>PAC responder configuration options</title>
+ <para>
+ Currently there are no PAC responder specific configuration
+ options.
+ </para>
+ <para>
+ <xi:include xmlns:xi=""
+ href="include/experimental.xml" />
+ </para>
+ <para>
+ The PAC responder works together with the authorization data
+ plugin for MIT Kerberos and a sub-domain
+ provider. The plugin sends the PAC data during a GSSAPI
+ authentication to the PAC responder. The sub-domain provider
+ collects domain SID and ID ranges of the domain the client is
+ joined to and of remote trusted domains from the local domain
+ controller. If the PAC is decoded and evaluated some of the
+ following operations are done:
+ <itemizedlist>
+ <listitem><para>If the remote user does not exist in the
+ cache, it is created. The uid is calculated based on the
+ SID, trusted domains will have UPGs and the gid will have
+ the same value as the uid. The home directory is set based
+ on the subdomain_homedir parameter. The shell will be empty
+ by default, i.e. the system defaults are used, but can be
+ overwritten with the default_shell parameter.</para>
+ </listitem>
+ <listitem><para>If there are SIDs of groups from the domain
+ the sssd client belongs to, the user will be added to those
+ groups.</para></listitem>
+ </itemizedlist>
+ </para>
+ </refsect2>
<refsect1 id='domain-sections'>
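Review bot: in the third para, "If the PAC is decoded and evaluated some of the following operations are done" does not say which operation happens under which condition. It also does not say what is checked before the PAC contents are trusted. Both listed operations change local identity data (a cached user is created with a uid derived from the SID, and the user is added to local groups), so the text should state whether the PAC has been verified by the time the responder receives it, which component does that, and what happens when decoding or evaluation fails. Two smaller points. First, the section opens with "there are no PAC responder specific configuration options" but then relies on subdomain_homedir and default_shell; please say in which section those are set and mark them up as options. Second, UPG is used without being expanded. Also check the xi:include element: as shown, xmlns:xi is an empty string, and the include will not be processed unless it carries the XInclude namespace.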