krb5 commit: Document KCM ccache type

Wed Jul 30 13:39:19 EDT 2014

https://github.com/krb5/krb5/commit/4ac345865276e8848546ba75e09feecc23e8a040
commit 4ac345865276e8848546ba75e09feecc23e8a040
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Jul 11 15:00:09 2014 -0400

    Document KCM ccache type
    
    Document the new KCM ccache type in ccache_def.rst.  Document the
    kcm_socket and kcm_mach_service variables in krb5_conf.rst.
    
    ticket: 7964

 doc/admin/conf_files/krb5_conf.rst |   13 +++++++++++++
 doc/basic/ccache_def.rst           |   21 ++++++++++++++++++---
 2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 5930cf3..2b219fb 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -237,6 +237,19 @@ The libdefaults section may contain any of the following relations:
     For security reasons, .k5login files must be owned by
     the local user or by root.
 
+**kcm_mach_service**
+    On OS X only, determines the name of the bootstrap service used to
+    contact the KCM daemon for the KCM credential cache type.  If the
+    value is ``-``, Mach RPC will not be used to contact the KCM
+    daemon.  The default value is ``org.h5l.kcm``.
+
+**kcm_socket**
+    Determines the path to the Unix domain socket used to access the
+    KCM daemon for the KCM credential cache type.  If the value is
+    ``-``, Unix domain sockets will not be used to contact the KCM
+    daemon.  The default value is
+    ``/var/run/.heim_org.h5l.kcm-socket``.
+
 **kdc_default_options**
     Default KDC options (Xored for multiple values) when requesting
     initial tickets.  By default it is set to 0x00000010
diff --git a/doc/basic/ccache_def.rst b/doc/basic/ccache_def.rst
index 85a06d6..ff857f4 100644
--- a/doc/basic/ccache_def.rst
+++ b/doc/basic/ccache_def.rst
@@ -54,7 +54,20 @@ library.
 
 #. **FILE** caches are the simplest and most portable. A simple flat
    file format is used to store one credential after another.  This is
-   the default ccache type.
+   the default ccache type if no type is specified in a ccache name.
+
+#. **KCM** caches work by contacting a daemon process called ``kcm``
+   to perform cache operations.  If the cache name is just ``KCM:``,
+   the default cache as determined by the KCM daemon will be used.
+   Newly created caches must generally be named ``KCM:uid:name``,
+   where *uid* is the effective user ID of the running process.
+
+   KCM client support is new in release 1.13.  A KCM daemon has not
+   yet been implemented in MIT krb5, but the client will interoperate
+   with the KCM daemon implemented by Heimdal.  OS X 10.7 and higher
+   provides a KCM daemon as part of the operating system, and the
+   **KCM** cache type is used as the default cache on that platform in
+   a default build.
 
 #. **KEYRING** is Linux-specific, and uses the kernel keyring support
    to store credential data in unswappable kernel memory where only
@@ -104,8 +117,10 @@ select between the caches in the collection based on criteria such as
 the target service realm.
 
 Credential cache collections are new in release 1.10, with support
-from the **DIR** and **API** ccache types.  In release 1.12, the
-**KEYRING** ccache type also supports collections.
+from the **DIR** and **API** ccache types.  Starting in release 1.12,
+collections are also supported by the **KEYRING** ccache type.
+Collections are supported by the **KCM** ccache type in release 1.13.
+
 
 Tool alterations to use cache collection
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
