The branch, v4-0-test has been updated
via acf4fe4 doc: Update documentation of pam_winbind krb5 support.
via 11a4a64 s3-winbind: Add support for the kernel krb5 keyring buffer.
via f91b6c9 s3-winbind: Don't set a default directory for DIR.
from 5b0caf4 VERSION: Bump version number up to 4.0.11...

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test

- Log -----------------------------------------------------------------

commit acf4fe4084eb7e8715bc8ebc18ddf02b05b1ef57
Author: Andreas Schneider <a...@samba.org>
Date: Tue Sep 10 09:43:32 2013 +0200

doc: Update documentation of pam_winbind krb5 support.

Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>

Autobuild-User(master): Günther Deschner <g...@samba.org>
Autobuild-Date(master): Tue Sep 10 15:35:20 CEST 2013 on sn-devel-104

The last 3 patches address bug #10132 - pam_winbindd should support the KEYRING ccache type.

Autobuild-User(v4-1-test): Karolin Seeger <ksee...@samba.org>
Autobuild-Date(v4-1-test): Mon Oct 7 12:21:29 CEST 2013 on sn-devel-104
(cherry picked from commit 82d6a4354d3b4a6cc9e70ccfb21d7b604bed179b)

Autobuild-User(v4-0-test): Karolin Seeger <ksee...@samba.org>
Autobuild-Date(v4-0-test): Tue Oct 8 13:32:27 CEST 2013 on sn-devel-104

commit 11a4a6474589fc5d3fccd8a645281323f7d252d1
Author: Andreas Schneider <a...@samba.org>
Date: Tue Sep 10 09:30:04 2013 +0200

s3-winbind: Add support for the kernel krb5 keyring buffer.

Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Guenther Deschner <g...@samba.org>
(cherry picked from commit 5a55cb636fa50e96000ea6a00960cc34e00e26a1)

commit f91b6c995e322da9d359437bd114b751ba73a67c
Author: Andreas Schneider <a...@samba.org>
Date: Tue Sep 10 09:28:50 2013 +0200

s3-winbind: Don't set a default directory for DIR.

There is no default, so you should always have to specify a directory in the config file.
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Guenther Deschner <g...@samba.org> (cherry picked from commit 58038f6b26b5363f07d6e4a3fac6db461f9bca2c) ----------------------------------------------------------------------- Summary of changes: docs-xml/manpages/pam_winbind.conf.5.xml | 26 +++++++++++++++++--------- source3/winbindd/winbindd_pam.c | 4 ++-- 2 files changed, 19 insertions(+), 11 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml index be7f684..725e809 100644 --- a/docs-xml/manpages/pam_winbind.conf.5.xml +++ b/docs-xml/manpages/pam_winbind.conf.5.xml 
@@ -106,16 +106,24 @@ <term>krb5_ccache_type = [type]</term> <listitem><para> - When pam_winbind is configured to try kerberos authentication by - enabling the <parameter>krb5_auth</parameter> option, it can - store the retrieved Ticket Granting Ticket (TGT) in a credential - cache. The type of credential cache can be controlled with this - option. The supported values are: <parameter>FILE</parameter> - and <parameter>DIR</parameter> (when the DIR type is supported - by the system's Kerberos library). In case of FILE a credential + When pam_winbind is configured to try kerberos authentication + by enabling the <parameter>krb5_auth</parameter> option, it can + store the retrieved Ticket Granting Ticket (TGT) in a + credential cache. The type of credential cache can be + controlled with this option. The supported values are: + <parameter>KEYRING</parameter> (when supported by the system's + Kerberos library and Kernel), <parameter>FILE</parameter> and + <parameter>DIR</parameter> (when the DIR type is supported by + the system's Kerberos library). In case of FILE a credential cache in the form of /tmp/krb5cc_UID will be created - in case - of DIR it will be located under the /run/user/UID/krb5cc - directory. UID is replaced with the numeric user id.</para> + of DIR you NEED to specify a directory. UID is replaced with + the numeric user id.</para> + + <para>When using the KEYRING type, the supported mechanism is + <quote>KEYRING:persistent:UID</quote>, which uses the Linux + kernel keyring to store credentials on a per-UID basis. This is + the recommended choice on latest Linux distributions, as it is + the most secure and predictable method.</para> <para>It is also possible to define custom filepaths and use the "%u" pattern in order to substitue the numeric user id. diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 6fbad72..8f2facd 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c 
@@ -492,9 +492,9 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx, gen_cc = talloc_asprintf( mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid); } - if (strequal(type, "DIR")) { + if (strequal(type, "KEYRING")) { gen_cc = talloc_asprintf( - mem_ctx, "DIR:/run/user/%d/krb5cc", uid); + mem_ctx, "KEYRING:persistent:%d", uid); } if (strnequal(type, "FILE:/", 6) || -- Samba Shared Repository
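Review bot: In the docs-xml/manpages/pam_winbind.conf.5.xml hunk, the new DIR sentence ("in case of DIR you NEED to specify a directory") tells the admin a directory is required but not what happens when it is omitted, and the surrounding text only shows the "%u" file-path form; please state the expected syntax (a `DIR:` prefix followed by a path, as the existing FILE:/ example does for files) and the failure behaviour when `krb5_ccache_type = DIR` is given bare. The KEYRING paragraph also claims it is "the most secure and predictable method" on "latest Linux distributions" without saying why or which versions; since the same paragraph makes support conditional on "the system's Kerberos library and Kernel", a short note on what to check (kernel keyring support and a Kerberos library that understands the KEYRING ccache type) would be more useful than the unqualified superlative. While this paragraph is being touched, the pre-existing typo "substitue" in the trailing context line could be corrected to "substitute".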
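Review bot: In the source3/winbindd/winbindd_pam.c hunk, replacing the `strequal(type, "DIR")` branch with `strequal(type, "KEYRING")` means a bare `DIR` type no longer matches any branch in generate_krb5_ccache(), so the commit message's "you should always have to specify a directory" is enforced only by fall-through; the visible lines do not show that `gen_cc` is reported as an error in that case rather than left unset, so please confirm the caller rejects a bare `DIR` with a log message instead of silently proceeding without a credential cache. Also, the new branch builds `KEYRING:persistent:%d` unconditionally, while the documentation hunk says KEYRING is supported only when the Kerberos library and kernel allow it; if there is no build-time or runtime check elsewhere, a misconfigured host will only discover this when the Kerberos library fails to resolve the ccache type, so a configure-time check or an explicit error path for unsupported KEYRING would make the failure mode clearer.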