<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<reference>
<title>SSSD Manual pages</title>
<refentry>
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />

    <refmeta>
        <refentrytitle>sssd-krb5</refentrytitle>
        <manvolnum>5</manvolnum>
        <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
    </refmeta>

    <refnamediv id='name'>
        <refname>sssd-krb5</refname>
        <refpurpose>the configuration file for SSSD</refpurpose>
    </refnamediv>

    <refsect1 id='description'>
        <title>DESCRIPTION</title>
        <para>
            This manual page describes the configuration of the Kerberos
            5 authentication backend for
            <citerefentry>
                <refentrytitle>sssd</refentrytitle>
                <manvolnum>8</manvolnum>
            </citerefentry>.
            For a detailed syntax reference, please refer to the <quote>FILE FORMAT</quote> section of the
            <citerefentry>
                <refentrytitle>sssd.conf</refentrytitle>
                <manvolnum>5</manvolnum>
            </citerefentry> manual page
        </para>
    </refsect1>

    <refsect1 id='file-format'>
        <title>CONFIGURATION OPTIONS</title>
        <para>
            If the auth-module krb5 is used in a SSSD domain, the following
            options must be used. See the
            <citerefentry>
                <refentrytitle>sssd.conf</refentrytitle>
                <manvolnum>5</manvolnum>
            </citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>
            for details on the configuration of a SSSD domain.
            <variablelist>
                <varlistentry>
                    <term>krb5KDCIP (string)</term>
                    <listitem>
                        <para>
                            Specifies the IP address of the Kerberos server.
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5REALM (string)</term>
                    <listitem>
                        <para>
                            The name of the Kerberos realm.
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5try_simple_upn (boolean)</term>
                    <listitem>
                        <para>
                            Set this option to 'true'
                            if an User Principle Name (UPN) cannot be found in sysdb
                            and you want to use an UPN like 'username@realm'.
                        </para>
                        <para>
                            Default: false
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5changepw_principle (string)</term>
                    <listitem>
                        <para>
                            The priciple of the change password service.
                            If only the 'identifier/instance' part of the
                            principle are given the realm part is added
                            automatically.
                        </para>
                        <para>
                            Default: kadmin/changepw
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5ccache_dir (string)</term>
                    <listitem>
                        <para>
                            Directory to store credential caches.
                        </para>
                        <para>
                            Default: /tmp
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5ccname_template (string)</term>
                    <listitem>
                        <para>
                            Location of the user's credential cache. Currently
                            only file based credential caches are supported. In
                            the template the following sequences are
                            substituted:
                            <variablelist>
                                <varlistentry>
                                    <term>%u</term>
                                    <listitem><para>login name</para></listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%U</term>
                                    <listitem><para>login UID</para></listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%p</term>
                                    <listitem><para>principle name</para>
                                    </listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%r</term>
                                    <listitem><para>realm name</para></listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%h</term>
                                    <listitem><para>home directory</para>
                                    </listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%d</term>
                                    <listitem><para>value of krb5ccache_dir
                                              </para>
                                    </listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%P</term>
                                    <listitem><para>the process ID of the sssd
                                                    client</para>
                                    </listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%%</term>
                                    <listitem><para>a literal '%'</para>
                                    </listitem>
                                </varlistentry>
                            </variablelist>
                            If the template ends with 'XXXXXX' mkstemp(3) is
                            used to create a unique filename in a safe way.
                        </para>
                        <para>
                            Default: FILE:%d/krb5cc_%U_XXXXXX
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5auth_timeout (integer)</term>
                    <listitem>
                        <para>
                            Timeout in seconds after an online authentication or
                            change password request is aborted. If possible the
                            authentication request is continued offline.
                        </para>
                        <para>
                            Default: 15
                        </para>
                    </listitem>
                </varlistentry>

            </variablelist>
        </para>
    </refsect1>

    <refsect1 id='example'>
        <title>EXAMPLE</title>
        <para>
            The following example assumes that SSSD is correctly
            configured and FOO is one of the domains in the
            <replaceable>[domains]</replaceable> section.
        </para>
        <para>
<programlisting>
    [domains/FOO]
    auth-module = krb5
    krb5KDCIP = 192.168.1.1
    krb5REALM = EXAMPLE.COM
</programlisting>
        </para>
    </refsect1>

    <refsect1 id='see_also'>
        <title>SEE ALSO</title>
        <para>
            <citerefentry>
                <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
            </citerefentry>,
            <citerefentry>
                <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
            </citerefentry>
        </para>
    </refsect1>
</refentry>
</reference>