author | Andreas Schneider <asn@samba.org> | 2013-09-10 09:43:32 +0200 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2013-09-10 15:35:20 +0200 |
commit | f942d019d183f2f6acb7c9a93f0128d22ba93b7a (patch) | |
tree | fa429354ef385b9076a30cda235f5b33bda3e0d1 /docs-xml | |
parent | eae5373cfbe51a444d6381e6f7aeeb9f945902e9 (diff) | |
doc: Update documentation of pam_winbind krb5 support.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Sep 10 15:35:20 CEST 2013 on sn-devel-104
Diffstat (limited to 'docs-xml')
-rw-r--r-- | docs-xml/manpages/pam_winbind.conf.5.xml | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml index 020cb674e7..b318a3b58d 100644 --- a/docs-xml/manpages/pam_winbind.conf.5.xml +++ b/docs-xml/manpages/pam_winbind.conf.5.xml 
@@ -106,16 +106,24 @@ <term>krb5_ccache_type = [type]</term> <listitem><para> - When pam_winbind is configured to try kerberos authentication by - enabling the <parameter>krb5_auth</parameter> option, it can - store the retrieved Ticket Granting Ticket (TGT) in a credential - cache. The type of credential cache can be controlled with this - option. The supported values are: <parameter>FILE</parameter> - and <parameter>DIR</parameter> (when the DIR type is supported - by the system's Kerberos library). In case of FILE a credential + When pam_winbind is configured to try kerberos authentication + by enabling the <parameter>krb5_auth</parameter> option, it can + store the retrieved Ticket Granting Ticket (TGT) in a + credential cache. The type of credential cache can be + controlled with this option. The supported values are: + <parameter>KEYRING</parameter> (when supported by the system's + Kerberos library and Kernel), <parameter>FILE</parameter> and + <parameter>DIR</parameter> (when the DIR type is supported by + the system's Kerberos library). In case of FILE a credential cache in the form of /tmp/krb5cc_UID will be created - in case - of DIR it will be located under the /run/user/UID/krb5cc - directory. UID is replaced with the numeric user id.</para> + of DIR you NEED to specify a directory. UID is replaced with + the numeric user id.</para> + + <para>When using the KEYRING type, the supported mechanism is + <quote>KEYRING:persistent:UID</quote>, which uses the Linux + kernel keyring to store credentials on a per-UID basis. This is + the recommended choice on latest Linux distributions, as it is + the most secure and predictable method.</para> <para>It is also possible to define custom filepaths and use the "%u" pattern in order to substitue the numeric user id. |
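Review bot: The rewritten DIR sentence ("of DIR you NEED to specify a directory") removes the previously documented location /run/user/UID/krb5cc but does not say how the directory is specified in this option, so a reader who sets the type to DIR has no documented value to write. Please add the expected form of the value or point to the custom filepath paragraph that follows, and write "need" in lower case to match the rest of the man page. In the new KEYRING paragraph it is unclear whether "UID" in "KEYRING:persistent:UID" is typed literally or substituted by pam_winbind, given that the next paragraph introduces the "%u" pattern for custom paths; one sentence saying which applies would avoid misconfiguration. "This is the recommended choice on latest Linux distributions, as it is the most secure and predictable method" would be stronger if it stated the reason (for example, in contrast to the FILE cache created as /tmp/krb5cc_UID) and repeated the dependency on Kerberos library and kernel support that the first paragraph mentions. Minor: "Kernel" should be lower case, and the trailing context line still contains the typo "substitue", which could be fixed in the same commit.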