SSSD Manual pages
sssd-krb5
5
File Formats and Conventions
sssd-krb5
the configuration file for SSSD
DESCRIPTION
This manual page describes the configuration of the Kerberos
5 authentication backend for
sssd
8
.
For a detailed syntax reference, please refer to the FILE FORMAT
section of the
sssd.conf
5
manual page
The Kerberos 5 authentication backend does not contain an identity
provider and must be paired with one in order to function properly (for
example, id_provider = ldap). Some information required by the Kerberos
5 authentication backend must be provided by the identity provider, such
as the user's Kerberos Principal Name (UPN). The configuration of the
identity provider should have an entry to specify the UPN. Please refer
to the man page for the applicable identity provider for details on how
to configure this.
In the case where the UPN is not available in the identity backend
sssd will construct a UPN using the format
username@krb5_realm.
CONFIGURATION OPTIONS
If the auth-module krb5 is used in a SSSD domain, the following
options must be used. See the
sssd.conf
5
manual page, section DOMAIN SECTIONS
for details on the configuration of a SSSD domain.
krb5_kdcip (string)
Specifies the list of IP addresses or hostnames
of the Kerberos servers to which SSSD should
connect in the order of preference. For more
information on failover and server redundancy,
see the FAILOVER
section. An optional
port number (preceded by a colon) may be appended to
the addresses or hostnames.
If empty, service discovery is enabled -
for more information, refer to the
SERVICE DISCOVERY
section.
krb5_realm (string)
The name of the Kerberos realm.
krb5_changepw_principal (string)
The priciple of the change password service.
If only the 'identifier/instance' part of the
principal are given the realm part is added
automatically.
Default: kadmin/changepw
krb5_kpasswd (string)
If the change password service is not running on the
KDC alternative servers can be defined here. An
optional port number (preceded by a colon) may be
appended to the addresses or hostnames.
For more information on failover and server
redundancy, see the FAILOVER
section.
Please note that even if there are no more kpasswd
servers to try the back end is not switch to offline
if authentication against the KDC is still possible.
krb5_ccachedir (string)
Directory to store credential caches. All the
substitution sequences of krb5_ccname_template can
be used here, too, except %d and %P. If the
directory does not exist it will be created. If %u,
%U, %p or %h are used a private directory belonging
to the user is created. Otherwise a public directory
with restricted deletion flag (aka sticky bit, see
chmod
1
for details) is created.
Default: /tmp
krb5_ccname_template (string)
Location of the user's credential cache. Currently
only file based credential caches are supported. In
the template the following sequences are
substituted:
%u
login name
%U
login UID
%p
principal name
%r
realm name
%h
home directory
%d
value of krb5ccache_dir
%P
the process ID of the sssd
client
%%
a literal '%'
If the template ends with 'XXXXXX' mkstemp(3) is
used to create a unique filename in a safe way.
Default: FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout (integer)
Timeout in seconds after an online authentication or
change password request is aborted. If possible the
authentication request is continued offline.
Default: 15
krb5_validate (boolean)
Verify with the help of krb5_keytab that the TGT obtained has not been spoofed.
Default: false
krb5_keytab (string)
The location of the keytab to use when validating
credentials obtained from KDCs.
Default: /etc/krb5.keytab
krb5_store_password_if_offline (boolean)
Store the password of the user if the provider is
offline and use it to request a TGT when the
provider gets online again.
Please note that this feature currently only
available on a Linux plattform.
Default: false
EXAMPLE
The following example assumes that SSSD is correctly
configured and FOO is one of the domains in the
[sssd] section. This example shows
only configuration of Kerberos authentication, it does not include
any identity provider.
[domain/FOO]
auth_provider = krb5
krb5_kdcip = 192.168.1.1
krb5_realm = EXAMPLE.COM
SEE ALSO
sssd.conf5
,
sssd-ldap5
,
sssd8