doc: Update documentation of pam_winbind krb5 support.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Sep 10 15:35:20 CEST 2013 on sn-devel-104

The last 3 patches address bug #10132 - pam_winbindd should support the KEYRING
ccache type.

Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Mon Oct  7 12:21:29 CEST 2013 on sn-devel-104
(cherry picked from commit 82d6a4354d3b4a6cc9e70ccfb21d7b604bed179b)

Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Tue Oct  8 13:32:27 CEST 2013 on sn-devel-104

diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index be7f684f53872f58c7f39ff2b9a0b53c978d2ef7..725e809e59b3383e70dbf4042016007e682c464d 100644 (file)
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -106,16 +106,24 @@
                <term>krb5_ccache_type = [type]</term>
                <listitem><para>
 
-               When pam_winbind is configured to try kerberos authentication by
-               enabling the <parameter>krb5_auth</parameter> option, it can
-               store the retrieved Ticket Granting Ticket (TGT) in a credential
-               cache. The type of credential cache can be controlled with this
-               option.  The supported values are: <parameter>FILE</parameter>
-               and <parameter>DIR</parameter> (when the DIR type is supported
-               by the system's Kerberos library). In case of FILE a credential
+               When pam_winbind is configured to try kerberos authentication
+               by enabling the <parameter>krb5_auth</parameter> option, it can
+               store the retrieved Ticket Granting Ticket (TGT) in a
+               credential cache. The type of credential cache can be
+               controlled with this option.  The supported values are:
+               <parameter>KEYRING</parameter> (when supported by the system's
+               Kerberos library and Kernel), <parameter>FILE</parameter> and
+               <parameter>DIR</parameter> (when the DIR type is supported by
+               the system's Kerberos library). In case of FILE a credential
                cache in the form of /tmp/krb5cc_UID will be created -  in case
-               of DIR it will be located under the /run/user/UID/krb5cc
-               directory.  UID is replaced with the numeric user id.</para>
+               of DIR you NEED to specify a directory. UID is replaced with
+               the numeric user id.</para>
+
+               <para>When using the KEYRING type, the supported mechanism is
+               <quote>KEYRING:persistent:UID</quote>, which uses the Linux
+               kernel keyring to store credentials on a per-UID basis. This is
+               the recommended choice on latest Linux distributions, as it is
+               the most secure and predictable method.</para>
 
                <para>It is also possible to define custom filepaths and use the "%u"
                pattern in order to substitue the numeric user id.