author | Greg Hudson <ghudson@mit.edu> | 2014-07-11 15:00:09 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2014-07-30 13:00:56 -0400 |
commit | 4ac345865276e8848546ba75e09feecc23e8a040 (patch) | |
tree | e9a791111f3eaa762cbc771f7197a0905a802884 /doc | |
parent | f2aabecc10508c01b289e147a4c5f41969ab768f (diff) | |
Document KCM ccache type
Document the new KCM ccache type in ccache_def.rst. Document the
kcm_socket and kcm_mach_service variables in krb5_conf.rst.
ticket: 7964
Diffstat (limited to 'doc')
-rw-r--r-- | doc/admin/conf_files/krb5_conf.rst | 13 |
-rw-r--r-- | doc/basic/ccache_def.rst | 21 |
2 files changed, 31 insertions, 3 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 5930cf3..2b219fb 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -237,6 +237,19 @@ The libdefaults section may contain any of the following relations: For security reasons, .k5login files must be owned by the local user or by root. +**kcm_mach_service** + On OS X only, determines the name of the bootstrap service used to + contact the KCM daemon for the KCM credential cache type. If the + value is ``-``, Mach RPC will not be used to contact the KCM + daemon. The default value is ``org.h5l.kcm``. + +**kcm_socket** + Determines the path to the Unix domain socket used to access the + KCM daemon for the KCM credential cache type. If the value is + ``-``, Unix domain sockets will not be used to contact the KCM + daemon. The default value is + ``/var/run/.heim_org.h5l.kcm-socket``. + **kdc_default_options** Default KDC options (Xored for multiple values) when requesting initial tickets. By default it is set to 0x00000010 diff --git a/doc/basic/ccache_def.rst b/doc/basic/ccache_def.rst index 85a06d6..ff857f4 100644 --- a/doc/basic/ccache_def.rst +++ b/doc/basic/ccache_def.rst 
@@ -54,7 +54,20 @@ library. #. **FILE** caches are the simplest and most portable. A simple flat file format is used to store one credential after another. This is - the default ccache type. + the default ccache type if no type is specified in a ccache name. + +#. **KCM** caches work by contacting a daemon process called ``kcm`` + to perform cache operations. If the cache name is just ``KCM:``, + the default cache as determined by the KCM daemon will be used. + Newly created caches must generally be named ``KCM:uid:name``, + where *uid* is the effective user ID of the running process. + + KCM client support is new in release 1.13. A KCM daemon has not + yet been implemented in MIT krb5, but the client will interoperate + with the KCM daemon implemented by Heimdal. OS X 10.7 and higher + provides a KCM daemon as part of the operating system, and the + **KCM** cache type is used as the default cache on that platform in + a default build. #. **KEYRING** is Linux-specific, and uses the kernel keyring support to store credential data in unswappable kernel memory where only @@ -104,8 +117,10 @@ select between the caches in the collection based on criteria such as the target service realm. Credential cache collections are new in release 1.10, with support -from the **DIR** and **API** ccache types. In release 1.12, the -**KEYRING** ccache type also supports collections. +from the **DIR** and **API** ccache types. Starting in release 1.12, +collections are also supported by the **KEYRING** ccache type. +Collections are supported by the **KCM** ccache type in release 1.13. + Tool alterations to use cache collection ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
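Review bot: In the krb5_conf.rst hunk (@@ -237), the new **kcm_mach_service** and **kcm_socket** entries do not say how the two interact on OS X: which transport is tried first when both are set, and what the KCM cache type does when both are ``-``. These relations decide which endpoint receives credential cache operations, so state the order and the failure behaviour in one sentence under **kcm_socket**.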
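Review bot: In the first ccache_def.rst hunk (@@ -54), "Newly created caches must generally be named ``KCM:uid:name``" leaves both the exception and the enforcement unstated. Say whether the daemon or the client applies the rule, and what a caller sees when *uid* does not match the effective user ID of the process. A pointer to the **kcm_socket** and **kcm_mach_service** relations that this same commit documents in krb5_conf.rst would also tell readers how the daemon is located.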
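Review bot: In the second ccache_def.rst hunk (@@ -104), "Collections are supported by the **KCM** ccache type in release 1.13" can be read as applying to that release only, while the sentence before it says "Starting in release 1.12"; use "starting in release 1.13" so the two match. The bare ``+`` line after that sentence also adds a second empty line before the "Tool alterations to use cache collection" heading (the hunk grows from 8 to 10 lines although only three lines of text replace two), which looks unintended.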