s3:winbind: Add support for storing KRB5 credential in KCM

This can store crentiials in the Kerberos Credential Manager e.g.
provided by sssd.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul  1 19:22:02 UTC 2019 on sn-devel-184

diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 537007ba2fade6c2f87d652a86cc260156e6f3ae..a5aaa01504db0e2bf14292f94689c2c573a7a5de 100644 (file)
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -113,19 +113,27 @@
                store the retrieved Ticket Granting Ticket (TGT) in a
                credential cache. The type of credential cache can be
                controlled with this option.  The supported values are:
-               <parameter>KEYRING</parameter> (when supported by the system's
-               Kerberos library and Kernel), <parameter>FILE</parameter> and
-               <parameter>DIR</parameter> (when the DIR type is supported by
-               the system's Kerberos library). In case of FILE a credential
-               cache in the form of /tmp/krb5cc_UID will be created -  in case
-               of DIR you NEED to specify a directory. UID is replaced with
-               the numeric user id.</para>
+               <parameter>KCM</parameter> or <parameter>KEYRING</parameter>
+               (when supported by the system's Kerberos library and
+               operating system),
+               <parameter>FILE</parameter> and <parameter>DIR</parameter>
+               (when the DIR type is supported by the system's Kerberos
+               library). In case of FILE a credential cache in the form of
+               /tmp/krb5cc_UID will be created -  in case of DIR you NEED
+               to specify a directory. UID is replaced with the numeric
+               user id.</para>
 
                <para>When using the KEYRING type, the supported mechanism is
                <quote>KEYRING:persistent:UID</quote>, which uses the Linux
-               kernel keyring to store credentials on a per-UID basis. This is
-               the recommended choice on latest Linux distributions, as it is
-               the most secure and predictable method.</para>
+               kernel keyring to store credentials on a per-UID basis.</para>
+
+               <para>When using th KCM type, the supported mechanism is
+               <quote>KCM:UID</quote>, which uses a Kerberos credential
+               manaager to store credentials on a per-UID basis simliar to
+               KEYRING. This is the recommended choice on latest Linux
+               distributions, offering a Kerberos Credential Manager. If not
+               we suggest to use KEYRING as those are the most secure and
+               predictable method.</para>
 
                <para>It is also possible to define custom filepaths and use the "%u"
                pattern in order to substitue the numeric user id.

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 190f23f1b2487e7f220ad859c25f50ae8129ca65..eaf16d0dcedeb09ce8509910974188a249a7f9ff 100644 (file)
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -569,6 +569,11 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
                        gen_cc = talloc_asprintf(
                                mem_ctx, "KEYRING:persistent:%d", uid);
                }
+               if (strequal(type, "KCM")) {
+                       gen_cc = talloc_asprintf(mem_ctx,
+                                                "KCM:%d",
+                                                uid);
+               }
 
                if (strnequal(type, "FILE:/", 6) ||
                    strnequal(type, "WRFILE:/", 8) ||