SSSD Manual pages sssd-krb5 5 File Formats and Conventions sssd-krb5 the configuration file for SSSD DESCRIPTION This manual page describes the configuration of the Kerberos 5 authentication backend for sssd 8 . For a detailed syntax reference, please refer to the FILE FORMAT section of the sssd.conf 5 manual page The Kerberos 5 authentication backend does not contain an identity provider and must be paired with one in order to function properly (for example, id_provider = ldap). Some information required by the Kerberos 5 authentication backend must be provided by the identity provider, such as the user's Kerberos Principal Name (UPN). The configuration of the identity provider should have an entry to specify the UPN. Please refer to the man page for the applicable identity provider for details on how to configure this. In the case where the UPN is not available in the identity backend sssd will construct a UPN using the format username@krb5_realm. CONFIGURATION OPTIONS If the auth-module krb5 is used in a SSSD domain, the following options must be used. See the sssd.conf 5 manual page, section DOMAIN SECTIONS for details on the configuration of a SSSD domain. krb5_kdcip (string) Specifies the list of IP addresses or hostnames of the Kerberos servers to which SSSD should connect in the order of preference. For more information on failover and server redundancy, see the FAILOVER section. krb5_realm (string) The name of the Kerberos realm. krb5_changepw_principal (string) The priciple of the change password service. If only the 'identifier/instance' part of the principal are given the realm part is added automatically. Default: kadmin/changepw krb5_ccachedir (string) Directory to store credential caches. Default: /tmp krb5_ccname_template (string) Location of the user's credential cache. Currently only file based credential caches are supported. In the template the following sequences are substituted: %u login name %U login UID %p principal name %r realm name %h home directory %d value of krb5ccache_dir %P the process ID of the sssd client %% a literal '%' If the template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe way. Default: FILE:%d/krb5cc_%U_XXXXXX krb5_auth_timeout (integer) Timeout in seconds after an online authentication or change password request is aborted. If possible the authentication request is continued offline. Default: 15 krb5_validate (boolean) Verify with the help of krb5_keytab that the TGT obtained has not been spoofed. Default: false krb5_keytab (string) The location of the keytab to use when validating credentials obtained from KDCs. Default: /etc/krb5.keytab EXAMPLE The following example assumes that SSSD is correctly configured and FOO is one of the domains in the [sssd] section. This example shows only configuration of Kerberos authentication, it does not include any identity provider. [domain/FOO] auth_provider = krb5 krb5_kdcip = 192.168.1.1 krb5_realm = EXAMPLE.COM SEE ALSO sssd.conf5 , sssd-ldap5 , sssd8