The Samba-Bugzilla – Attachment 9201 Details for Bug 10132: pam_winbindd should support the KEYRING ccache type
[patch] v4-0-test and v4-1-test patch
look (text/plain), 4.64 KB, created by Andreas Schneider on 2013-09-10 13:45:30 UTC
>From d0279ff5b87a40ea2e59d9f4ca96b2d4c8189d26 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 10 Sep 2013 09:28:50 +0200 >Subject: [PATCH 1/3] s3-winbind: Don't set a default directory for DIR. > >There is not default so you should always have to specify a directory in >the config file. > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >--- > source3/winbindd/winbindd_pam.c | 4 ---- > 1 file changed, 4 deletions(-) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 7b67154..957dde3 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -492,10 +492,6 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx, > gen_cc = talloc_asprintf( > mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid); > } >- if (strequal(type, "DIR")) { >- gen_cc = talloc_asprintf( >- mem_ctx, "DIR:/run/user/%d/krb5cc", uid); >- } > > if (strnequal(type, "FILE:/", 6) || > strnequal(type, "WRFILE:/", 8) || >-- >1.8.4 > > >From 266e5cea14109530b513ba7f48fa18f370333de3 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 10 Sep 2013 09:30:04 +0200 >Subject: [PATCH 2/3] s3-winbind: Add support for the kernel krb5 keyring > buffer. > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> >--- > source3/winbindd/winbindd_pam.c | 4 ++++ > 1 file changed, 4 insertions(+) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 957dde3..c356686 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c 
>@@ -492,6 +492,10 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx, > gen_cc = talloc_asprintf( > mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid); > } >+ if (strequal(type, "KEYRING")) { >+ gen_cc = talloc_asprintf( >+ mem_ctx, "KEYRING:persistent:%d", uid); >+ } > > if (strnequal(type, "FILE:/", 6) || > strnequal(type, "WRFILE:/", 8) || >-- >1.8.4 > > >From 3884f6bb3e7c1e0a4445231f0c2bb7f3335a5b79 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Tue, 10 Sep 2013 09:43:32 +0200 >Subject: [PATCH 3/3] doc: Update documentation of pam_winbind krb5 support. >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Guenther Deschner <gd@samba.org> > >Autobuild-User(master): Günther Deschner <gd@samba.org> >Autobuild-Date(master): Tue Sep 10 15:35:20 CEST 2013 on sn-devel-104 >--- > docs-xml/manpages/pam_winbind.conf.5.xml | 26 +++++++++++++++++--------- > 1 file changed, 17 insertions(+), 9 deletions(-) > >diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml >index be7f684..725e809 100644 >--- a/docs-xml/manpages/pam_winbind.conf.5.xml >+++ b/docs-xml/manpages/pam_winbind.conf.5.xml 
>@@ -106,16 +106,24 @@ > <term>krb5_ccache_type = [type]</term> > <listitem><para> > >- When pam_winbind is configured to try kerberos authentication by >- enabling the <parameter>krb5_auth</parameter> option, it can >- store the retrieved Ticket Granting Ticket (TGT) in a credential >- cache. The type of credential cache can be controlled with this >- option. The supported values are: <parameter>FILE</parameter> >- and <parameter>DIR</parameter> (when the DIR type is supported >- by the system's Kerberos library). In case of FILE a credential >+ When pam_winbind is configured to try kerberos authentication >+ by enabling the <parameter>krb5_auth</parameter> option, it can >+ store the retrieved Ticket Granting Ticket (TGT) in a >+ credential cache. The type of credential cache can be >+ controlled with this option. The supported values are: >+ <parameter>KEYRING</parameter> (when supported by the system's >+ Kerberos library and Kernel), <parameter>FILE</parameter> and >+ <parameter>DIR</parameter> (when the DIR type is supported by >+ the system's Kerberos library). In case of FILE a credential > cache in the form of /tmp/krb5cc_UID will be created - in case >- of DIR it will be located under the /run/user/UID/krb5cc >- directory. UID is replaced with the numeric user id.</para> >+ of DIR you NEED to specify a directory. UID is replaced with >+ the numeric user id.</para> >+ >+ <para>When using the KEYRING type, the supported mechanism is >+ <quote>KEYRING:persistent:UID</quote>, which uses the Linux >+ kernel keyring to store credentials on a per-UID basis. This is >+ the recommended choice on latest Linux distributions, as it is >+ the most secure and predictable method.</para> > > <para>It is also possible to define custom filepaths and use the "%u" > pattern in order to substitue the numeric user id. >-- >1.8.4 >
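Review bot: in [PATCH 1/3], the hunk in generate_krb5_ccache() removes the only branch that handled a bare `DIR` type and leaves no diagnostic in its place: an existing `krb5_ccache_type = DIR` setting now matches neither the exact-type branches above it nor the `FILE:/` / `WRFILE:/` prefix checks below it. Since the commit message says a directory must always be specified, consider logging at this point that DIR requires an explicit path, so an upgrade does not silently change where, or whether, the cache is created. The commit message also reads "There is not default"; "There is no default" is meant.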
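Review bot: in [PATCH 2/3], the new `KEYRING` branch is added unconditionally, while the documentation in 3/3 says the type is available only "when supported by the system's Kerberos library and Kernel". Nothing in this hunk checks for that support, so the name built from `"KEYRING:persistent:%d"` is produced whether or not the platform can use it. Consider guarding the branch with a build-time check, or state in the commit message where an unsupported system is expected to fail. The commit message has no body; one sentence on why the `persistent` form was chosen would help later readers.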
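Review bot: in [PATCH 3/3], the rewritten DIR sentence ("in case of DIR you NEED to specify a directory") says a directory is required but not how to write one, and the previously documented location /run/user/UID/krb5cc is dropped without a replacement example. Suggest adding a sample value or pointing to the following paragraph on custom paths and the "%u" pattern. Smaller points: "NEED" and "Kernel" do not need the capitals, "on latest Linux distributions" is missing an article, and "the most secure and predictable method" would read better with the reason attached. The unchanged context line still has "substitue".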
Flags: gd: review+, asn: review? (idra)