From 44998a91af75a83d15c82d8cf697f9cc278e41aa Mon Sep 17 00:00:00 2001
From: =?utf8?q?G=C3=BCnther=20Deschner?=
Date: Fri, 28 Apr 2006 08:18:56 +0000
Subject: [PATCH] Start documenting undocumented parameters. Guenther
---
docs/manpages-3/pam_winbind.7.xml | 59 +++++++++++++++++++++--
docs/smbdotconf/winbind/winbindofflinelogon.xml | 18 +++++++
docs/smbdotconf/winbind/winbindrefreshtickets.xml | 16 ++++++
3 files changed, 89 insertions(+), 4 deletions(-)
create mode 100644 docs/smbdotconf/winbind/winbindofflinelogon.xml
create mode 100644 docs/smbdotconf/winbind/winbindrefreshtickets.xml
diff --git a/docs/manpages-3/pam_winbind.7.xml b/docs/manpages-3/pam_winbind.7.xml
index 98d15d26a84..861bc323a23 100644
--- a/docs/manpages-3/pam_winbind.7.xml
+++ b/docs/manpages-3/pam_winbind.7.xml
@@ -28,7 +28,14 @@ OPTIONS - pam_winbind supports several options: + + pam_winbind supports several options which can either be set in + the PAM configuration files or in the pam_winbind configuration + file situated at + /etc/security/pam_winbind.conf. Options + from the PAM configuration file take precedence to those from + the configuration file. +
@@ -41,8 +48,8 @@ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID can be either a group-SID, a alias-SID or even a user-SID. It is also possible to give a NAME instead of the - SID. That name must have the form: MYDOMAIN\mygroup or - MYDOMAIN\myuser. pam_winbind will, in that case, lookup the SID internally. Note that + SID. That name must have the form: MYDOMAIN\\mygroup or + MYDOMAIN\\myuser. pam_winbind will, in that case, lookup the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a user is a member of with wbinfo --user-sids=SID.
@@ -70,6 +77,48 @@ + + krb5_auth + + + pam_winbind can authenticate using Kerberos when winbindd is + talking to an Active Directory domain controller. Kerberos + authentication must be enabled with this parameter. When + Kerberos authentication can not succeed (e.g. due to clock + skew), winbindd will fallback to samlogon authentication over + MSRPC. When this parameter is used in conjunction with + winbind refresh tickets, winbind will + keep your Ticket Granting Ticket (TGT) uptodate by refreshing + it whenever necessary. + + + + + + krb5_ccache_type=[type] + + + When pam_winbind is configured to try kerberos authentication + by enabling the krb5_auth option, it can + store the retrieved Ticket Granting Ticket (TGT) in a + credential cache. The type of credential cache can be set with + this option. Currently the only supported value is: + FILE. In that case a credential cache in + the form of /tmp/krb5cc_UID will be created, where UID is + replaced with the numeric user id. Leave empty to just do + kerberos authentication without having a ticket cache after the + logon has succeeded. + + + + + + cached_login + + Winbind allows to logon using cached credentials when winbind offline logon is enabled. To use this feature from the PAM module this option must be set. + + +
@@ -83,7 +132,9 @@ wbinfo 1, winbindd - 8 + 8, + smb.conf + 5
diff --git a/docs/smbdotconf/winbind/winbindofflinelogon.xml b/docs/smbdotconf/winbind/winbindofflinelogon.xml
new file mode 100644
index 00000000000..b5a0de16315
--- /dev/null
+++ b/docs/smbdotconf/winbind/winbindofflinelogon.xml
@@ -0,0 +1,18 @@ + + + + This parameter is designed to control whether Winbind should + allow to login with the pam_winbind + module using Cached Credentials. If enabled, winbindd will store user credentials + from successful logins encrypted in a local cache. + + + + +false +true +
diff --git a/docs/smbdotconf/winbind/winbindrefreshtickets.xml b/docs/smbdotconf/winbind/winbindrefreshtickets.xml
new file mode 100644
index 00000000000..d39cb768610
--- /dev/null
+++ b/docs/smbdotconf/winbind/winbindrefreshtickets.xml
@@ -0,0 +1,16 @@ + + + + This parameter is designed to control whether Winbind should refresh Kerberos Tickets + retrieved using the pam_winbind module. + + + + +false +true +
-- 2.11.4.GIT