From 163c0cc84a1f2ded56389db80e9e4046f76f6185 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 1 Jul 2019 10:43:42 +0200 Subject: [PATCH] s3:winbind: Add support for storing KRB5 credential in KCM This can store credentials in the Kerberos Credential Manager, e.g. the one provided by sssd. Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Mon Jul 1 19:22:02 UTC 2019 on sn-devel-184 --- docs-xml/manpages/pam_winbind.conf.5.xml | 28 +++++++++++++++--- source3/winbindd/winbindd_pam.c | 5 +++++ 2 files changed, 23 insertions(+), 10 deletions(-) diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml index 537007ba2fa..a5aaa01504d 100644 --- a/docs-xml/manpages/pam_winbind.conf.5.xml +++ b/docs-xml/manpages/pam_winbind.conf.5.xml 
@@ -113,19 +113,27 @@ store the retrieved Ticket Granting Ticket (TGT) in a credential cache. The type of credential cache can be controlled with this option. The supported values are: - KEYRING (when supported by the system's - Kerberos library and Kernel), FILE and - DIR (when the DIR type is supported by - the system's Kerberos library). In case of FILE a credential - cache in the form of /tmp/krb5cc_UID will be created - in case - of DIR you NEED to specify a directory. UID is replaced with - the numeric user id. + KCM or KEYRING + (when supported by the system's Kerberos library and + operating system), + FILE and DIR + (when the DIR type is supported by the system's Kerberos + library). In case of FILE a credential cache in the form of + /tmp/krb5cc_UID will be created - in case of DIR you NEED + to specify a directory. UID is replaced with the numeric + user id. When using the KEYRING type, the supported mechanism is KEYRING:persistent:UID, which uses the Linux - kernel keyring to store credentials on a per-UID basis. This is - the recommended choice on latest Linux distributions, as it is - the most secure and predictable method. + kernel keyring to store credentials on a per-UID basis. + + When using th KCM type, the supported mechanism is + KCM:UID, which uses a Kerberos credential + manaager to store credentials on a per-UID basis simliar to + KEYRING. This is the recommended choice on latest Linux + distributions, offering a Kerberos Credential Manager. If not + we suggest to use KEYRING as those are the most secure and + predictable method. It is also possible to define custom filepaths and use the "%u" pattern in order to substitue the numeric user id. diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 190f23f1b24..eaf16d0dced 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c 
@@ -569,6 +569,11 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx, gen_cc = talloc_asprintf( mem_ctx, "KEYRING:persistent:%d", uid); } + if (strequal(type, "KCM")) { + gen_cc = talloc_asprintf(mem_ctx, + "KCM:%d", + uid); + } if (strnequal(type, "FILE:/", 6) || strnequal(type, "WRFILE:/", 8) || -- 2.47.3
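Review bot: The new KCM branch formats `uid` with `%d`, copying the KEYRING line just above it; the parameter's type is not visible in this hunk, but if it is a `uid_t` (unsigned int on glibc) the matching specifier is `%u`, e.g. `"KCM:%u", (unsigned int)uid`, since a mismatched conversion is undefined behaviour and a uid above INT_MAX would be rendered negative and select a differently named cache. The `talloc_asprintf` result is assigned to `gen_cc` without a NULL check; generate_krb5_ccache starts and ends outside this hunk, so if nothing later tests `gen_cc == NULL` an allocation failure would propagate a NULL ccache name into the kinit path, and `if (gen_cc == NULL) { return NULL; }` (or whatever error convention the function already uses) belongs after the assignment. Unlike FILE/DIR, where winbindd controls the path itself, `KCM:<uid>` presumably names a cache that the KCM server attributes to a principal from the connecting process's peer credentials, so whether root winbindd may write UID's cache depends on the server's policy; a one-line comment above the branch, `/* KCM:<uid> is resolved by the KCM server from peer credentials; the server must allow winbindd to populate the user's cache — confirm against sssd-kcm policy */`, would record that trust assumption for the next reader.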