Document KCM ccache type

Document the new KCM ccache type in ccache_def.rst.  Document the
kcm_socket and kcm_mach_service variables in krb5_conf.rst.

ticket: 7964

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 5930cf32880e4de526e0e2e45a39d8d9e68a9d24..2b219fbedf2e1e79ade557f0c6946e6c041b7866 100644 (file)
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -237,6 +237,19 @@ The libdefaults section may contain any of the following relations:
     For security reasons, .k5login files must be owned by
     the local user or by root.
 
+**kcm_mach_service**
+    On OS X only, determines the name of the bootstrap service used to
+    contact the KCM daemon for the KCM credential cache type.  If the
+    value is ``-``, Mach RPC will not be used to contact the KCM
+    daemon.  The default value is ``org.h5l.kcm``.
+
+**kcm_socket**
+    Determines the path to the Unix domain socket used to access the
+    KCM daemon for the KCM credential cache type.  If the value is
+    ``-``, Unix domain sockets will not be used to contact the KCM
+    daemon.  The default value is
+    ``/var/run/.heim_org.h5l.kcm-socket``.
+
 **kdc_default_options**
     Default KDC options (Xored for multiple values) when requesting
     initial tickets.  By default it is set to 0x00000010

diff --git a/doc/basic/ccache_def.rst b/doc/basic/ccache_def.rst
index 85a06d664267ad5840db57c5a329fbfe78b4f71d..ff857f4f9422288076f078c17f16ffe7cfed48d4 100644 (file)
--- a/doc/basic/ccache_def.rst
+++ b/doc/basic/ccache_def.rst
@@ -54,7 +54,20 @@ library.
 
 #. **FILE** caches are the simplest and most portable. A simple flat
    file format is used to store one credential after another.  This is
-   the default ccache type.
+   the default ccache type if no type is specified in a ccache name.
+
+#. **KCM** caches work by contacting a daemon process called ``kcm``
+   to perform cache operations.  If the cache name is just ``KCM:``,
+   the default cache as determined by the KCM daemon will be used.
+   Newly created caches must generally be named ``KCM:uid:name``,
+   where *uid* is the effective user ID of the running process.
+
+   KCM client support is new in release 1.13.  A KCM daemon has not
+   yet been implemented in MIT krb5, but the client will interoperate
+   with the KCM daemon implemented by Heimdal.  OS X 10.7 and higher
+   provides a KCM daemon as part of the operating system, and the
+   **KCM** cache type is used as the default cache on that platform in
+   a default build.
 
 #. **KEYRING** is Linux-specific, and uses the kernel keyring support
    to store credential data in unswappable kernel memory where only
@@ -104,8 +117,10 @@ select between the caches in the collection based on criteria such as
 the target service realm.
 
 Credential cache collections are new in release 1.10, with support
-from the **DIR** and **API** ccache types.  In release 1.12, the
-**KEYRING** ccache type also supports collections.
+from the **DIR** and **API** ccache types.  Starting in release 1.12,
+collections are also supported by the **KEYRING** ccache type.
+Collections are supported by the **KCM** ccache type in release 1.13.
+
 
 Tool alterations to use cache collection
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~