Diffstat (limited to 'src')
2 files changed, 40 insertions, 1 deletions
diff --git a/src/man/ b/src/man/
index c15844e82..aa2907f04 100644
--- a/src/man/
+++ b/src/man/
@@ -18,7 +18,10 @@ endif
SSH_CONDS = ;with_ssh
+PAC_RESPONDER_CONDS = ;with_pac_responder
#Special Rules:
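Review bot: The added `PAC_RESPONDER_CONDS = ;with_pac_responder` has no effect unless the variable is also appended to the condition list wherever `SSH_CONDS` is consumed, and none of the visible lines do that. The hunk header counts three added lines but only one is shown here, so confirm that the assignment sits inside its own build conditional, like the one closed by the `endif` in the hunk header. Otherwise the `with_pac_responder` parts of sssd.conf.5.xml are either never rendered or rendered on builds that lack the responder.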
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index bdf2543b7..6c57571e8 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -90,6 +90,7 @@
<phrase condition="with_sudo">, sudo</phrase>
<phrase condition="with_autofs">, autofs</phrase>
<phrase condition="with_ssh">, ssh</phrase>
+ <phrase condition="with_pac_responder">, pac</phrase>
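Review bot: The new `, pac` entry puts the responder in the same list as sudo, autofs and ssh with no hint that it is experimental, although the section added later in this patch pulls in include/experimental.xml. Consider marking the entry here as well, so that an administrator who reads only this list does not enable it unaware.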
@@ -813,6 +814,41 @@
+ <refsect2 id='PAC_RESPONDER' condition="with_pac_responder">
+ <title>PAC responder configuration options</title>
+ <para>
+ Currently there are no PAC responder specific configuration
+ options.
+ </para>
+ <para>
+ <xi:include xmlns:xi=""
+ href="include/experimental.xml" />
+ </para>
+ <para>
+ The PAC responder works together with the authorization data
+ plugin for MIT Kerberos and a sub-domain
+ provider. The plugin sends the PAC data during a GSSAPI
+ authentication to the PAC responder. The sub-domain provider
+ collects domain SID and ID ranges of the domain the client is
+ joined to and of remote trusted domains from the local domain
+ controller. If the PAC is decoded and evaluated some of the
+ following operations are done:
+ <itemizedlist>
+ <listitem><para>If the remote user does not exist in the
+ cache, it is created. The uid is calculated based on the
+ SID, trusted domains will have UPGs and the gid will have
+ the same value as the uid. The home directory is set based
+ on the subdomain_homedir parameter. The shell will be empty
+ by default, i.e. the system defaults are used, but can be
+ overwritten with the default_shell parameter.</para>
+ </listitem>
+ <listitem><para>If there are SIDs of groups from the domain
+ the sssd client belongs to, the user will be added to those
+ groups.</para></listitem>
+ </itemizedlist>
+ </para>
+ </refsect2>
<refsect1 id='domain-sections'>
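Review bot: The third paragraph of the new section never says that the PAC is verified before the responder acts on it, yet the listed operations create a cached user and add group memberships based on the SIDs it carries. State which component checks the PAC and what happens when the check fails. The sentence "some of the following operations are done" should also name the condition under which each item applies. Since the first paragraph says there are no responder-specific options, point readers to where `subdomain_homedir` and `default_shell` are documented, and spell out "UPGs" on first use.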