From: Andreas Schneider <asn@samba.org>
Date: Mon, 28 Oct 2019 07:34:16 +0000 (+0100)
Subject: docs-xml: Update krb5_ccache_type in pam_winbind.8
X-Git-Tag: talloc-2.3.1~150
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe60eef9781f9970d2fa0705e10a6e8e309f839e;p=thirdparty%2Fsamba.git

docs-xml: Update krb5_ccache_type in pam_winbind.8

This is a copy from pam_winbind.conf.5

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14173

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Oct 31 19:32:55 UTC 2019 on sn-devel-184
---

diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
index 97dc5733d64..003020d8b7c 100644
--- a/docs-xml/manpages/pam_winbind.8.xml
+++ b/docs-xml/manpages/pam_winbind.8.xml
@@ -150,21 +150,59 @@
 		<varlistentry>
 		<term>krb5_ccache_type=[type]</term>
 		<listitem><para>
-		
+
 		When pam_winbind is configured to try kerberos authentication
 		by enabling the <parameter>krb5_auth</parameter> option, it can
 		store the retrieved Ticket Granting Ticket (TGT) in a
-		credential cache. The type of credential cache can be set with
-		this option. Currently the only supported value is:
-		<parameter>FILE</parameter>. In that case a credential cache in
-		the form of /tmp/krb5cc_UID will be created, where UID is
-		replaced with the numeric user id.  Leave empty to just do
-		kerberos authentication without having a ticket cache after the
-		logon has succeeded.
+		credential cache. The type of credential cache can be
+		controlled with this option.  The supported values are:
+		<parameter>KCM</parameter> or <parameter>KEYRING</parameter>
+		(when supported by the system's Kerberos library and
+		operating system),
+		<parameter>FILE</parameter> and <parameter>DIR</parameter>
+		(when the DIR type is supported by the system's Kerberos
+		library). In case of FILE a credential cache in the form of
+		/tmp/krb5cc_UID will be created -  in case of DIR you NEED
+		to specify a directory. UID is replaced with the numeric
+		user id. The UID directory is being created. The path up to
+		the directory should already exist. Check the details of the
+		Kerberos implmentation.</para>
+
+		<para>When using the KEYRING type, the supported mechanism is
+		<quote>KEYRING:persistent:UID</quote>, which uses the Linux
+		kernel keyring to store credentials on a per-UID basis.
+		The KEYRING has its limitations. As it is secure kernel memory,
+		for example bulk sorage of credentils is for not possible.</para>
+
+		<para>When using th KCM type, the supported mechanism is
+		<quote>KCM:UID</quote>, which uses a Kerberos credential
+		manaager to store credentials on a per-UID basis similar to
+		KEYRING. This is the recommended choice on latest Linux
+		distributions, offering a Kerberos Credential Manager. If not
+		we suggest to use KEYRING as those are the most secure and
+		predictable method.</para>
+
+		<para>It is also possible to define custom filepaths and use the "%u"
+		pattern in order to substitute the numeric user id.
+		Examples:</para>
 
-		</para></listitem>
+		<variablelist>
+			<varlistentry>
+				<term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
+					<listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
+			</varlistentry>
+			<varlistentry>
+				<term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
+					<listitem><para>This will create a credential cache file.</para></listitem>
+			</varlistentry>
+		</variablelist>
+
+		<para>Leave empty to just do kerberos authentication without
+		having a ticket cache after the logon has succeeded.
+		This setting is empty by default.</para>
+		</listitem>
 		</varlistentry>
-	
+
 		<varlistentry>
 		<term>cached_login</term>
 		<listitem><para>