authorGünther Deschner <gd@samba.org>2006-04-28 08:18:56 +0000
committerGerald W. Carter <jerry@samba.org>2008-04-23 08:47:18 -0500
commit6ea1d213691f2b01fc59db8d819432ec00f9a4ae (patch)
tree319ad7733e43154802978191c8411431ca7540aa /docs
parent324f15f24fb9eb44e00c8ebcbca6a4440776b7ca (diff)
Start documenting undocumented parameters.
Guenther (This used to be commit 2b1c2ef31428f82ab656a80006a9b8f5ce403b22)
Diffstat (limited to 'docs')
-rw-r--r--docs/manpages-3/pam_winbind.7.xml59
-rw-r--r--docs/smbdotconf/winbind/winbindofflinelogon.xml18
-rw-r--r--docs/smbdotconf/winbind/winbindrefreshtickets.xml16
3 files changed, 89 insertions, 4 deletions
diff --git a/docs/manpages-3/pam_winbind.7.xml b/docs/manpages-3/pam_winbind.7.xml
index 98d15d26a8..861bc323a2 100644
--- a/docs/manpages-3/pam_winbind.7.xml
+++ b/docs/manpages-3/pam_winbind.7.xml
@@ -28,7 +28,14 @@
<refsect1>
<title>OPTIONS</title>
<para>
- pam_winbind supports several options:
+
+ pam_winbind supports several options which can either be set in
+ the PAM configuration files or in the pam_winbind configuration
+ file situated at
+ <filename>/etc/security/pam_winbind.conf</filename>. Options
+ from the PAM configuration file take precedence to those from
+ the configuration file.
+
<variablelist>
<varlistentry>
@@ -41,8 +48,8 @@
<listitem><para>
If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
can be either a group-SID, a alias-SID or even a user-SID. It is also possible to give a NAME instead of the
- SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
- <parameter>MYDOMAIN\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that
+ SID. That name must have the form: <parameter>MYDOMAIN\\mygroup</parameter> or
+ <parameter>MYDOMAIN\\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that
NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
user is a member of with <command>wbinfo --user-sids=SID</command>.
</para></listitem>
@@ -70,6 +77,48 @@
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term>krb5_auth</term>
+ <listitem><para>
+
+ pam_winbind can authenticate using Kerberos when winbindd is
+ talking to an Active Directory domain controller. Kerberos
+ authentication must be enabled with this parameter. When
+ Kerberos authentication can not succeed (e.g. due to clock
+ skew), winbindd will fallback to samlogon authentication over
+ MSRPC. When this parameter is used in conjunction with
+ <parameter>winbind refresh tickets</parameter>, winbind will
+ keep your Ticket Granting Ticket (TGT) uptodate by refreshing
+ it whenever necessary.
+
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_ccache_type=[type]</term>
+ <listitem><para>
+
+ When pam_winbind is configured to try kerberos authentication
+ by enabling the <parameter>krb5_auth</parameter> option, it can
+ store the retrieved Ticket Granting Ticket (TGT) in a
+ credential cache. The type of credential cache can be set with
+ this option. Currently the only supported value is:
+ <parameter>FILE</parameter>. In that case a credential cache in
+ the form of /tmp/krb5cc_UID will be created, where UID is
+ replaced with the numeric user id. Leave empty to just do
+ kerberos authentication without having a ticket cache after the
+ logon has succeeded.
+
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>cached_login</term>
+ <listitem><para>
+ Winbind allows to logon using cached credentials when <parameter>winbind offline logon</parameter> is enabled. To use this feature from the PAM module this option must be set.
+ </para></listitem>
+ </varlistentry>
+
</variablelist>
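Review bot: The new krb5_ccache_type entry names a predictable cache path, /tmp/krb5cc_UID, but does not say which ownership and mode the file is created with, or what happens when that path already exists. Because /tmp is shared by all local users, the entry should state this once it has been checked against the implementation, for example `The cache file is owned by the authenticating user and is readable only by that user.` The krb5_auth entry in the same hunk describes the fallback to samlogon over MSRPC without saying how an administrator can tell that it happened; a pointer to where winbindd logs it would help anyone relying on Kerberos being used. The variablelist these entries belong to opens outside this hunk.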
@@ -83,7 +132,9 @@
<refentrytitle>wbinfo</refentrytitle>
<manvolnum>1</manvolnum></citerefentry>, <citerefentry>
<refentrytitle>winbindd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry></para>
+ <manvolnum>8</manvolnum></citerefentry>, <citerefentry>
+ <refentrytitle>smb.conf</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry></para>
</refsect1>
<refsect1>
diff --git a/docs/smbdotconf/winbind/winbindofflinelogon.xml b/docs/smbdotconf/winbind/winbindofflinelogon.xml
new file mode 100644
index 0000000000..b5a0de1631
--- /dev/null
+++ b/docs/smbdotconf/winbind/winbindofflinelogon.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="winbind offline logon"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This parameter is designed to control whether Winbind should
+ allow to login with the <parameter moreinfo="none">pam_winbind</parameter>
+ module using Cached Credentials. If enabled, winbindd will store user credentials
+ from successful logins encrypted in a local cache.
+ </para>
+
+</description>
+
+<value type="default">false</value>
+<value type="example">true</value>
+</samba:parameter>
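Review bot: The description says credentials are stored "encrypted in a local cache" but does not say where that cache lives or in what form the credentials are kept, so an administrator cannot judge what an attacker with access to the disk would obtain. A sentence naming the cache file and the stored form would close that gap, hedged until it has been confirmed against winbindd. The description also omits the dependency stated in the pam_winbind.7.xml hunk of this commit; I would add `To use cached logons from PAM, the <parameter moreinfo="none">cached_login</parameter> option of pam_winbind must also be set.` The same cross-reference is missing from winbindrefreshtickets.xml, which does not mention that ticket refresh applies to tickets obtained with `krb5_auth`.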
diff --git a/docs/smbdotconf/winbind/winbindrefreshtickets.xml b/docs/smbdotconf/winbind/winbindrefreshtickets.xml
new file mode 100644
index 0000000000..d39cb76861
--- /dev/null
+++ b/docs/smbdotconf/winbind/winbindrefreshtickets.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="winbind refresh tickets"
+ context="G"
+ type="boolean"
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>This parameter is designed to control whether Winbind should refresh Kerberos Tickets
+ retrieved using the <parameter moreinfo="none">pam_winbind</parameter> module.
+
+</para>
+</description>
+
+<value type="default">false</value>
+<value type="example">true</value>
+</samba:parameter>