<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <reference> <title>SSSD Manual pages</title> <refentry> <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> <refmeta> <refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo> </refmeta> <refnamediv id='name'> <refname>sssd-krb5</refname> <refpurpose>the configuration file for SSSD</refpurpose> </refnamediv> <refsect1 id='description'> <title>DESCRIPTION</title> <para> This manual page describes the configuration of the Kerberos 5 authentication backend for <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, please refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page </para> <para> The Kerberos 5 authentication backend contains auth and chpass providers. It must be paired with identity provider in order to function properly (for example, id_provider = ldap). Some information required by the Kerberos 5 authentication backend must be provided by the identity provider, such as the user's Kerberos Principal Name (UPN). The configuration of the identity provider should have an entry to specify the UPN. Please refer to the man page for the applicable identity provider for details on how to configure this. </para> <para> In the case where the UPN is not available in the identity backend <command>sssd</command> will construct a UPN using the format <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>. </para> </refsect1> <refsect1 id='file-format'> <title>CONFIGURATION OPTIONS</title> <para> If the auth-module krb5 is used in a SSSD domain, the following options must be used. See the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote> for details on the configuration of a SSSD domain. <variablelist> <varlistentry> <term>krb5_kdcip (string)</term> <listitem> <para> Specifies the list of IP addresses or hostnames of the Kerberos servers to which SSSD should connect in the order of preference. For more information on failover and server redundancy, see the <quote>FAILOVER</quote> section. An optional port number (preceded by a colon) may be appended to the addresses or hostnames. If empty, service discovery is enabled - for more information, refer to the <quote>SERVICE DISCOVERY</quote> section. </para> </listitem> </varlistentry> <varlistentry> <term>krb5_realm (string)</term> <listitem> <para> The name of the Kerberos realm. This option is required and must be specified. </para> </listitem> </varlistentry> <varlistentry> <term>krb5_kpasswd (string)</term> <listitem> <para> If the change password service is not running on the KDC alternative servers can be defined here. An optional port number (preceded by a colon) may be appended to the addresses or hostnames. </para> <para> For more information on failover and server redundancy, see the <quote>FAILOVER</quote> section. Please note that even if there are no more kpasswd servers to try the back end is not switch to offline if authentication against the KDC is still possible. </para> <para> Default: Use the KDC </para> </listitem> </varlistentry> <varlistentry> <term>krb5_ccachedir (string)</term> <listitem> <para> Directory to store credential caches. All the substitution sequences of krb5_ccname_template can be used here, too, except %d and %P. If the directory does not exist it will be created. If %u, %U, %p or %h are used a private directory belonging to the user is created. Otherwise a public directory with restricted deletion flag (aka sticky bit, see <citerefentry> <refentrytitle>chmod</refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details) is created. </para> <para> Default: /tmp </para> </listitem> </varlistentry> <varlistentry> <term>krb5_ccname_template (string)</term> <listitem> <para> Location of the user's credential cache. Currently only file based credential caches are supported. In the template the following sequences are substituted: <variablelist> <varlistentry> <term>%u</term> <listitem><para>login name</para></listitem> </varlistentry> <varlistentry> <term>%U</term> <listitem><para>login UID</para></listitem> </varlistentry> <varlistentry> <term>%p</term> <listitem><para>principal name</para> </listitem> </varlistentry> <varlistentry> <term>%r</term> <listitem><para>realm name</para></listitem> </varlistentry> <varlistentry> <term>%h</term> <listitem><para>home directory</para> </listitem> </varlistentry> <varlistentry> <term>%d</term> <listitem><para>value of krb5ccache_dir </para> </listitem> </varlistentry> <varlistentry> <term>%P</term> <listitem><para>the process ID of the sssd client</para> </listitem> </varlistentry> <varlistentry> <term>%%</term> <listitem><para>a literal '%'</para> </listitem> </varlistentry> </variablelist> If the template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe way. </para> <para> Default: FILE:%d/krb5cc_%U_XXXXXX </para> </listitem> </varlistentry> <varlistentry> <term>krb5_auth_timeout (integer)</term> <listitem> <para> Timeout in seconds after an online authentication or change password request is aborted. If possible the authentication request is continued offline. </para> <para> Default: 15 </para> </listitem> </varlistentry> <varlistentry> <term>krb5_validate (boolean)</term> <listitem> <para> Verify with the help of krb5_keytab that the TGT obtained has not been spoofed. </para> <para> Default: false </para> </listitem> </varlistentry> <varlistentry> <term>krb5_keytab (string)</term> <listitem> <para> The location of the keytab to use when validating credentials obtained from KDCs. </para> <para> Default: /etc/krb5.keytab </para> </listitem> </varlistentry> <varlistentry> <term>krb5_store_password_if_offline (boolean)</term> <listitem> <para> Store the password of the user if the provider is offline and use it to request a TGT when the provider gets online again. </para> <para> Please note that this feature currently only available on a Linux plattform. </para> <para> Default: false </para> </listitem> </varlistentry> </variablelist> </para> </refsect1> <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" /> <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" /> <refsect1 id='example'> <title>EXAMPLE</title> <para> The following example assumes that SSSD is correctly configured and FOO is one of the domains in the <replaceable>[sssd]</replaceable> section. This example shows only configuration of Kerberos authentication, it does not include any identity provider. </para> <para> <programlisting> [domain/FOO] auth_provider = krb5 krb5_kdcip = 192.168.1.1 krb5_realm = EXAMPLE.COM </programlisting> </para> </refsect1> <refsect1 id='see_also'> <title>SEE ALSO</title> <para> <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry> </para> </refsect1> </refentry> </reference>