<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<reference>
<title>SSSD Manual pages</title>
<refentry>
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />

    <refmeta>
        <refentrytitle>sssd-krb5</refentrytitle>
        <manvolnum>5</manvolnum>
        <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
    </refmeta>

    <refnamediv id='name'>
        <refname>sssd-krb5</refname>
        <refpurpose>the configuration file for SSSD</refpurpose>
    </refnamediv>

    <refsect1 id='description'>
        <title>DESCRIPTION</title>
        <para>
            This manual page describes the configuration of the Kerberos
            5 authentication backend for
            <citerefentry>
                <refentrytitle>sssd</refentrytitle>
                <manvolnum>8</manvolnum>
            </citerefentry>.
            For a detailed syntax reference, please refer to the
            <quote>FILE FORMAT</quote> section of the
            <citerefentry>
                <refentrytitle>sssd.conf</refentrytitle>
                <manvolnum>5</manvolnum>
            </citerefentry> manual page.
        </para>
    </refsect1>

    <refsect1 id='file-format'>
        <title>CONFIGURATION OPTIONS</title>
        <para>
            If the auth-module krb5 is used in an SSSD domain, the following
            options must be used. See the
            <citerefentry>
                <refentrytitle>sssd.conf</refentrytitle>
                <manvolnum>5</manvolnum>
            </citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>
            for details on the configuration of an SSSD domain.
            <variablelist>
                <varlistentry>
                    <term>krb5KDCIP (string)</term>
                    <listitem>
                        <para>
                            Specifies the IP address of the Kerberos server.
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5REALM (string)</term>
                    <listitem>
                        <para>
                            The name of the Kerberos realm.
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5try_simple_upn (boolean)</term>
                    <listitem>
                        <para>
                            Set this option to 'true' if a User Principal
                            Name (UPN) cannot be found in sysdb and you want
                            to use a UPN like 'username@realm'.
                        </para>
                        <para>
                            Default: false
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5changepw_principle (string)</term>
                    <listitem>
                        <para>
                            The principal of the change password service.
                            If only the 'identifier/instance' part of the
                            principal is given, the realm part is added
                            automatically.
                        </para>
                        <para>
                            Default: kadmin/changepw
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5ccache_dir (string)</term>
                    <listitem>
                        <para>
                            Directory to store credential caches.
                        </para>
                        <para>
                            Default: /tmp
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5ccname_template (string)</term>
                    <listitem>
                        <para>
                            Location of the user's credential cache. Currently
                            only file based credential caches are supported. In
                            the template the following sequences are
                            substituted:
                            <variablelist>
                                <varlistentry>
                                    <term>%u</term>
                                    <listitem><para>login name</para></listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%U</term>
                                    <listitem><para>login UID</para></listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%p</term>
                                    <listitem><para>principal name</para>
                                    </listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%r</term>
                                    <listitem><para>realm name</para></listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%h</term>
                                    <listitem><para>home directory</para>
                                    </listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%d</term>
                                    <listitem><para>value of krb5ccache_dir
                                              </para>
                                    </listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%P</term>
                                    <listitem><para>the process ID of the sssd
                                                    client</para>
                                    </listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%%</term>
                                    <listitem><para>a literal '%'</para>
                                    </listitem>
                                </varlistentry>
                            </variablelist>
                            If the template ends with 'XXXXXX', mkstemp(3) is
                            used to create a unique filename in a safe way.
                        </para>
                        <para>
                            Default: FILE:%d/krb5cc_%U_XXXXXX
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5auth_timeout (integer)</term>
                    <listitem>
                        <para>
                            Timeout in seconds after which an online
                            authentication or change password request is
                            aborted. If possible the authentication request is
                            continued offline.
                        </para>
                        <para>
                            Default: 15
                        </para>
                    </listitem>
                </varlistentry>

            </variablelist>
        </para>
    </refsect1>

    <refsect1 id='example'>
        <title>EXAMPLE</title>
        <para>
            The following example assumes that SSSD is correctly
            configured and FOO is one of the domains in the
            <replaceable>[domains]</replaceable> section.
        </para>
        <para>
<programlisting>
    [domains/FOO]
    auth-module = krb5
    krb5KDCIP = 192.168.1.1
    krb5REALM = EXAMPLE.COM
</programlisting>
        </para>
    </refsect1>

    <refsect1 id='see_also'>
        <title>SEE ALSO</title>
        <para>
            <citerefentry>
                <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
            </citerefentry>,
            <citerefentry>
                <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
            </citerefentry>
        </para>
    </refsect1>
</refentry>
</reference>
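<!--
Added example, not part of the original manual page and not SSSD's own code: how the krb5ccname_template sequences listed under CONFIGURATION OPTIONS expand, and why a trailing 'XXXXXX' matters when the cache lives in a shared directory such as the default /tmp. struct cc_ctx, expand_ccname() and create_ccache() are hypothetical names; the O_EXCL | O_NOFOLLOW handling of fixed names is this example's assumption, not documented SSSD behaviour.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical holder for the values the template sequences refer to. */
struct cc_ctx {
    const char *user, *principal, *realm, *home, *ccache_dir;
    uid_t uid; pid_t pid;   /* pid: process ID of the sssd client */
};

/* Expand tmpl into out. Returns 0, or -1 on an unknown sequence or overflow. */
int expand_ccname(const char *tmpl, const struct cc_ctx *c, char *out, size_t len)
{
    size_t n = 0;
    if (len == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        char buf[32] = { *p, '\0' };   /* default: copy the literal character */
        const char *s = buf;
        if (*p == '%') switch (*++p) {
            case 'u': s = c->user; break;
            case 'U': snprintf(buf, sizeof buf, "%lu", (unsigned long)c->uid); break;
            case 'p': s = c->principal; break;
            case 'r': s = c->realm; break;
            case 'h': s = c->home; break;
            case 'd': s = c->ccache_dir; break;
            case 'P': snprintf(buf, sizeof buf, "%ld", (long)c->pid); break;
            case '%': break;           /* buf already holds "%" */
            default: return -1;        /* unknown sequence or trailing '%' */
        }
        size_t l = strlen(s);
        if (n + l >= len) return -1;   /* keep room for the terminator */
        memcpy(out + n, s, l);
        n += l;
    }
    out[n] = '\0';
    return 0;
}

/* Create the file behind an expanded "FILE:" name. Returns an fd, or -1. */
int create_ccache(char *ccname)
{
    size_t l = strlen(ccname);
    if (strncmp(ccname, "FILE:", 5) != 0) return -1;
    if (l >= 11 && strcmp(ccname + l - 6, "XXXXXX") == 0)
        return mkstemp(ccname + 5);   /* fills in the X's; O_EXCL, mode 0600 */
    return open(ccname + 5, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
```

With a fixed name such as FILE:%d/krb5cc_%U the path is predictable, so creation fails if anything, including a symlink planted by another local user, already occupies it; the default template avoids that collision because mkstemp(3) picks the name.
-->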