From d0279ff5b87a40ea2e59d9f4ca96b2d4c8189d26 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 10 Sep 2013 09:28:50 +0200
Subject: [PATCH 1/3] s3-winbind: Don't set a default directory for DIR.
There is no default, so you always have to specify a directory in
the config file.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
---
source3/winbindd/winbindd_pam.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 7b67154..957dde3 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -492,10 +492,6 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
gen_cc = talloc_asprintf(
mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
}
- if (strequal(type, "DIR")) {
- gen_cc = talloc_asprintf(
- mem_ctx, "DIR:/run/user/%d/krb5cc", uid);
- }
if (strnequal(type, "FILE:/", 6) ||
strnequal(type, "WRFILE:/", 8) ||
--
1.8.4
From 266e5cea14109530b513ba7f48fa18f370333de3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 10 Sep 2013 09:30:04 +0200
Subject: [PATCH 2/3] s3-winbind: Add support for the kernel krb5 keyring
buffer.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
---
source3/winbindd/winbindd_pam.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 957dde3..c356686 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -492,6 +492,10 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
gen_cc = talloc_asprintf(
mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
}
+ if (strequal(type, "KEYRING")) {
+ gen_cc = talloc_asprintf(
+ mem_ctx, "KEYRING:persistent:%d", uid);
+ }
if (strnequal(type, "FILE:/", 6) ||
strnequal(type, "WRFILE:/", 8) ||
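Review bot: The added KEYRING branch formats `uid` with `%d`, copying the WRFILE branch above it, but if `uid` is a `uid_t` (unsigned on Linux; the rest of generate_krb5_ccache's signature is outside the hunk) the specifier does not match the argument type, and `mem_ctx, "KEYRING:persistent:%lu", (unsigned long)uid);` would be exact. The `talloc_asprintf` result is not checked for NULL in the new branch, consistent with the branch before it; whether `gen_cc` is validated later depends on code after the hunk, so please confirm that an allocation failure does not propagate a NULL cache name. Nothing in the branch records that the persistent keyring depends on both kernel and libkrb5 support, which only the companion documentation patch mentions; a comment such as `/* KEYRING:persistent:<uid> requires kernel keyring and libkrb5 support; any failure surfaces when the ccache is resolved, not here */` would help the next reader. generate_krb5_ccache's body continues outside the hunk.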
--
1.8.4
From 3884f6bb3e7c1e0a4445231f0c2bb7f3335a5b79 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 10 Sep 2013 09:43:32 +0200
Subject: [PATCH 3/3] doc: Update documentation of pam_winbind krb5 support.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Sep 10 15:35:20 CEST 2013 on sn-devel-104
---
docs-xml/manpages/pam_winbind.conf.5.xml | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index be7f684..725e809 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,24 @@
<term>krb5_ccache_type = [type]</term>
<listitem><para>
- When pam_winbind is configured to try kerberos authentication by
- enabling the <parameter>krb5_auth</parameter> option, it can
- store the retrieved Ticket Granting Ticket (TGT) in a credential
- cache. The type of credential cache can be controlled with this
- option. The supported values are: <parameter>FILE</parameter>
- and <parameter>DIR</parameter> (when the DIR type is supported
- by the system's Kerberos library). In case of FILE a credential
+ When pam_winbind is configured to try kerberos authentication
+ by enabling the <parameter>krb5_auth</parameter> option, it can
+ store the retrieved Ticket Granting Ticket (TGT) in a
+ credential cache. The type of credential cache can be
+ controlled with this option. The supported values are:
+ <parameter>KEYRING</parameter> (when supported by the system's
+ Kerberos library and Kernel), <parameter>FILE</parameter> and
+ <parameter>DIR</parameter> (when the DIR type is supported by
+ the system's Kerberos library). In case of FILE a credential
cache in the form of /tmp/krb5cc_UID will be created - in case
- of DIR it will be located under the /run/user/UID/krb5cc
- directory. UID is replaced with the numeric user id.</para>
+ of DIR you NEED to specify a directory. UID is replaced with
+ the numeric user id.</para>
+
+ <para>When using the KEYRING type, the supported mechanism is
+ <quote>KEYRING:persistent:UID</quote>, which uses the Linux
+ kernel keyring to store credentials on a per-UID basis. This is
+ the recommended choice on latest Linux distributions, as it is
+ the most secure and predictable method.</para>
<para>It is also possible to define custom filepaths and use the "%u"
pattern in order to substitue the numeric user id.
--
1.8.4