-rw-r--r--docs-xml/manpages/pam_winbind.conf.5.xml39
-rw-r--r--examples/pam_winbind/pam_winbind.conf3
2 files changed, 31 insertions, 11 deletions
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 8c36719a8b..020cb674e7 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,35 @@
<term>krb5_ccache_type = [type]</term>
<listitem><para>
- When pam_winbind is configured to try kerberos authentication
- by enabling the <parameter>krb5_auth</parameter> option, it can
- store the retrieved Ticket Granting Ticket (TGT) in a
- credential cache. The type of credential cache can be set with
- this option. Currently the only supported value is:
- <parameter>FILE</parameter>. In that case a credential cache in
- the form of /tmp/krb5cc_UID will be created, where UID is
- replaced with the numeric user id. Leave empty to just do
- kerberos authentication without having a ticket cache after the
- logon has succeeded. This setting is empty by default.
+ When pam_winbind is configured to try kerberos authentication by
+ enabling the <parameter>krb5_auth</parameter> option, it can
+ store the retrieved Ticket Granting Ticket (TGT) in a credential
+ cache. The type of credential cache can be controlled with this
+ option. The supported values are: <parameter>FILE</parameter>
+ and <parameter>DIR</parameter> (when the DIR type is supported
+ by the system's Kerberos library). In case of FILE a credential
+ cache in the form of /tmp/krb5cc_UID will be created - in case
+ of DIR it will be located under the /run/user/UID/krb5cc
+ directory. UID is replaced with the numeric user id.</para>
+
+ <para>It is also possible to define custom filepaths and use the "%u"
+ pattern in order to substitue the numeric user id.
+ Examples:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
+ <listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
+ <listitem><para>This will create a credential cache file.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para> Leave empty to just do kerberos authentication without
+ having a ticket cache after the logon has succeeded.
+ This setting is empty by default.
</para></listitem>
</varlistentry>
diff --git a/examples/pam_winbind/pam_winbind.conf b/examples/pam_winbind/pam_winbind.conf
index dd0b112f30..87bc388a45 100644
--- a/examples/pam_winbind/pam_winbind.conf
+++ b/examples/pam_winbind/pam_winbind.conf
@@ -3,6 +3,7 @@
#
# /etc/security/pam_winbind.conf
#
+# For more details see man pam_winbind.conf(5)
[global]
@@ -19,7 +20,7 @@
# authenticate using kerberos
;krb5_auth = no
-# when using kerberos, request a "FILE" krb5 credential cache type
+# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
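Review bot: The updated comment above `;krb5_ccache_type =` names "FILE" and "DIR" but leaves out two things the man page hunk in this commit documents: DIR is only usable when the system's Kerberos library supports it, and a custom location can be given with the `%u` pattern. The cache holds the user's TGT, and the man page describes the FILE form as /tmp/krb5cc_UID, which sits in a shared directory, whereas the DIR form is described as living under /run/user/UID (typically a per-user directory). An administrator copying this sample would benefit from seeing both forms side by side. I would add a line such as `# e.g. FILE:/tmp/krb5cc_%u or DIR:/run/user/%u/krb5cc (DIR needs Kerberos library support)` after the existing comment.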