pam_winbind: update documentation for "DIR" krb5ccname pragma.
authorGünther Deschner <gd@samba.org>
Thu, 18 Jul 2013 17:09:14 +0000 (19:09 +0200)
committerJeremy Allison <jra@samba.org>
Wed, 24 Jul 2013 00:43:09 +0000 (02:43 +0200)
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul 24 02:43:10 CEST 2013 on sn-devel-104

docs-xml/manpages/pam_winbind.conf.5.xml
examples/pam_winbind/pam_winbind.conf

index 8c36719a8b39afa47c85307642f7c58c19e65792..020cb674e79c875a0857c3f72855856ba394ab04 100644 (file)
                <term>krb5_ccache_type = [type]</term>
                <listitem><para>
 
-               When pam_winbind is configured to try kerberos authentication
-               by enabling the <parameter>krb5_auth</parameter> option, it can
-               store the retrieved Ticket Granting Ticket (TGT) in a
-               credential cache. The type of credential cache can be set with
-               this option. Currently the only supported value is:
-               <parameter>FILE</parameter>. In that case a credential cache in
-               the form of /tmp/krb5cc_UID will be created, where UID is
-               replaced with the numeric user id.  Leave empty to just do
-               kerberos authentication without having a ticket cache after the
-               logon has succeeded. This setting is empty by default.
+               When pam_winbind is configured to try kerberos authentication by
+               enabling the <parameter>krb5_auth</parameter> option, it can
+               store the retrieved Ticket Granting Ticket (TGT) in a credential
+               cache. The type of credential cache can be controlled with this
+               option.  The supported values are: <parameter>FILE</parameter>
+               and <parameter>DIR</parameter> (when the DIR type is supported
+               by the system's Kerberos library). In case of FILE a credential
+               cache in the form of /tmp/krb5cc_UID will be created -  in case
+               of DIR it will be located under the /run/user/UID/krb5cc
+               directory.  UID is replaced with the numeric user id.</para>
+
+               <para>It is also possible to define custom filepaths and use the "%u"
+               pattern in order to substitue the numeric user id.
+               Examples:</para>
+
+               <variablelist>
+                       <varlistentry>
+                               <term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
+                                       <listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
+                       </varlistentry>
+                       <varlistentry>
+                               <term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
+                                       <listitem><para>This will create a credential cache file.</para></listitem>
+                       </varlistentry>
+               </variablelist>
+
+               <para> Leave empty to just do kerberos authentication without
+                       having a ticket cache after the logon has succeeded.
+                       This setting is empty by default.
 
                </para></listitem>
                </varlistentry>
index dd0b112f30424e8df3e956d9f9d6defd5a9435c2..87bc388a45dcfea7bd7935227d5c3629694f5fdf 100644 (file)
@@ -3,6 +3,7 @@
 #
 # /etc/security/pam_winbind.conf
 #
+# For more details see man pam_winbind.conf(5)
 
 [global]
 
@@ -19,7 +20,7 @@
 # authenticate using kerberos
 ;krb5_auth = no
 
-# when using kerberos, request a "FILE" krb5 credential cache type
+# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
 # (leave empty to just do krb5 authentication but not have a ticket
 # afterwards)
 ;krb5_ccache_type =
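Review bot: The new comment above `;krb5_ccache_type =` names "DIR" but omits the condition the man page in this same commit attaches to it: DIR is only usable when the system's Kerberos library supports that cache type. It also does not show the `TYPE:path` form with `%u`, so someone editing only this file has no hint of either. I would extend the comment with something like `# ("DIR" requires support in the system's Kerberos library; a path can be given, e.g. DIR:/run/user/%u/krb5cc)`. It may also be worth one line noting that the FILE default is a predictable name in the shared /tmp directory while the DIR default sits under /run/user/UID, which is normally private to the user; that comparison is my inference and is not stated in the commit.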