author | Sumit Bose <sbose@redhat.com> | 2012-06-25 11:34:33 +0200 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-06-25 07:36:40 -0400 |
commit | a8781a38b5fca84647d59199fd0b0b4b2d4624e0 (patch) | |
tree | e4ab493ec21c83363699df9a3ff3ba7eec5ad157 /src/man/sssd.conf.5.xml | |
parent | e5e8252ec48bfdd4e7529debc705c8e090264b9a (diff) | |
Add man page section for the PAC responder
Diffstat (limited to 'src/man/sssd.conf.5.xml')
-rw-r--r-- | src/man/sssd.conf.5.xml | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index bdf2543b..6c57571e 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -90,6 +90,7 @@ <phrase condition="with_sudo">, sudo</phrase> <phrase condition="with_autofs">, autofs</phrase> <phrase condition="with_ssh">, ssh</phrase> + <phrase condition="with_pac_responder">, pac</phrase> </para> </listitem> </varlistentry> @@ -813,6 +814,41 @@ </variablelist> </refsect2> + <refsect2 id='PAC_RESPONDER' condition="with_pac_responder"> + <title>PAC responder configuration options</title> + <para> + Currently there are no PAC responder specific configuration + options. + </para> + <para> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="include/experimental.xml" /> + </para> + <para> + The PAC responder works together with the authorization data + plugin for MIT Kerberos sssd_pac_plugin.so and a sub-domain + provider. The plugin sends the PAC data during a GSSAPI + authentication to the PAC responder. The sub-domain provider + collects domain SID and ID ranges of the domain the client is + joined to and of remote trusted domains from the local domain + controller. If the PAC is decoded and evaluated some of the + following operations are done: + <itemizedlist> + <listitem><para>If the remote user does not exist in the + cache, it is created. The uid is calculated based on the + SID, trusted domains will have UPGs and the gid will have + the same value as the uid. The home directory is set based + on the subdomain_homedir parameter. The shell will be empty + by default, i.e. the system defaults are used, but can be + overwritten with the default_shell parameter.</para> + </listitem> + <listitem><para>If there are SIDs of groups from the domain + the sssd client belongs to, the user will be added to those + groups.</para></listitem> + </itemizedlist> + </para> + </refsect2> + </refsect1> <refsect1 id='domain-sections'> |
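Review bot: In the first hunk (@@ -90,6 +90,7 @@), the new `, pac` phrase sits beside the sudo, autofs and ssh entries with nothing marking it as experimental, while the section added in the second hunk pulls in include/experimental.xml. A reader who only consults this list gets no hint of that status; consider flagging it here as well, or pointing to the PAC_RESPONDER section.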
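Review bot: In the second hunk (@@ -813,6 +814,41 @@), the sentence "If the PAC is decoded and evaluated some of the following operations are done:" does not say what has to hold before the PAC is acted on. The operations it introduces create a user in the cache and add that user to groups of the client's own domain from SIDs carried in the PAC, so the man page should state the precondition for evaluation or point to where it is documented. "Some of the following" should also say which operation happens when. Two smaller points: the section opens with "Currently there are no PAC responder specific configuration options" and then relies on subdomain_homedir and default_shell without saying which section they are set in, and those names and sssd_pac_plugin.so appear as plain text rather than marked up as options and a file name. "UPGs" is used without being expanded, and the sentence it sits in is a comma splice that would read better split in two.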