summaryrefslogtreecommitdiff
path: root/src/man/sssd-krb5.5.xml
blob: e8d693aa8ad6ff11c88ee0e9d5d7445c610baad9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<reference>
<title>SSSD Manual pages</title>
<refentry>
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />

    <refmeta>
        <refentrytitle>sssd-krb5</refentrytitle>
        <manvolnum>5</manvolnum>
        <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
    </refmeta>

    <refnamediv id='name'>
        <refname>sssd-krb5</refname>
        <refpurpose>SSSD Kerberos provider</refpurpose>
    </refnamediv>

    <refsect1 id='description'>
        <title>DESCRIPTION</title>
        <para>
            This manual page describes the configuration of the Kerberos
            5 authentication backend for
            <citerefentry>
                <refentrytitle>sssd</refentrytitle>
                <manvolnum>8</manvolnum>
            </citerefentry>.
            For a detailed syntax reference, please refer to the <quote>FILE FORMAT</quote> section of the
            <citerefentry>
                <refentrytitle>sssd.conf</refentrytitle>
                <manvolnum>5</manvolnum>
            </citerefentry> manual page.
        </para>
        <para>
            The Kerberos 5 authentication backend contains auth and chpass
            providers. It must be paired with an identity provider in
            order to function properly (for example, id_provider = ldap). Some
            information required by the Kerberos 5 authentication backend must
            be provided by the identity provider, such as the user's Kerberos
            Principal Name (UPN). The configuration of the identity provider
            should have an entry to specify the UPN. Please refer to the man
            page for the applicable identity provider for details on how to
            configure this.
        </para>
        <para>
            This backend also provides access control based on the .k5login
            file in the home directory of the user. See <citerefentry>
            <refentrytitle>.k5login</refentrytitle><manvolnum>5</manvolnum>
            </citerefentry> for more details. Please note that an empty .k5login
            file will deny all access to this user. To activate this feature,
            use 'access_provider = krb5' in your SSSD configuration.
        </para>
        <para>
            In the case where the UPN is not available in the identity backend,
            <command>sssd</command> will construct a UPN using the format
            <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>.
        </para>

    </refsect1>

    <refsect1 id='configuration-options'>
        <title>CONFIGURATION OPTIONS</title>
        <para>
            If the auth-module krb5 is used in an SSSD domain, the following
            options must be used. See the
            <citerefentry>
                <refentrytitle>sssd.conf</refentrytitle>
                <manvolnum>5</manvolnum>
            </citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>,
            for details on the configuration of an SSSD domain.
            <variablelist>
                <varlistentry>
                    <term>krb5_server, krb5_backup_server (string)</term>
                    <listitem>
                        <para>
                            Specifies the comma-separated list of IP addresses or hostnames
                            of the Kerberos servers to which SSSD should
                            connect, in the order of preference. For more
                            information on failover and server redundancy,
                            see the <quote>FAILOVER</quote> section. An optional
                            port number (preceded by a colon) may be appended to
                            the addresses or hostnames.
                            If empty, service discovery is enabled;
                            for more information, refer to the
                            <quote>SERVICE DISCOVERY</quote> section.
                        </para>
                        <para>
                            When using service discovery for KDC or kpasswd servers,
                            SSSD first searches for DNS entries that specify _udp as
                            the protocol and falls back to _tcp if none are found.
                        </para>
                        <para>
                            This option was named <quote>krb5_kdcip</quote> in
                            earlier releases of SSSD. While the legacy name is recognized
                            for the time being, users are advised to migrate their config
                            files to use <quote>krb5_server</quote> instead.
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_realm (string)</term>
                    <listitem>
                        <para>
                            The name of the Kerberos realm. This option is required
                            and must be specified.
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_kpasswd, krb5_backup_kpasswd (string)</term>
                    <listitem>
                        <para>
                            If the change password service is not running on the
                            KDC, alternative servers can be defined here. An
                            optional port number (preceded by a colon) may be
                            appended to the addresses or hostnames.
                        </para>
                        <para>
                            For more information on failover and server
                            redundancy, see the <quote>FAILOVER</quote> section.
                            NOTE: Even if there are no more kpasswd
                            servers to try, the backend is not switched to operate offline
                            if authentication against the KDC is still possible.
                        </para>
                        <para>
                            Default: Use the KDC
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_ccachedir (string)</term>
                    <listitem>
                        <para>
                            Directory to store credential caches. All the
                            substitution sequences of krb5_ccname_template can
                            be used here, too, except %d and %P. If the
                            directory does not exist, it will be created. If %u,
                            %U, %p or %h are used, a private directory belonging
                            to the user is created. Otherwise, a public directory
                            with restricted deletion flag (aka sticky bit, as
                            described in
                            <citerefentry>
                                <refentrytitle>chmod</refentrytitle>
                                <manvolnum>1</manvolnum>
                            </citerefentry> for details) is created.
                        </para>
                        <para>
                            Default: /tmp
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_ccname_template (string)</term>
                    <listitem>
                        <para>
                            Location of the user's credential cache. Three
                            credential cache types are currently supported:
                            <quote>FILE</quote>, <quote>DIR</quote> and
                            <quote>KEYRING:persistent</quote>. The cache can
                            be specified either as
                            <replaceable>TYPE:RESIDUAL</replaceable>, or as an
                            absolute path, which implies the
                            <quote>FILE</quote> type. In the template, the
                            following sequences are substituted:
                            <variablelist>
                                <varlistentry>
                                    <term>%u</term>
                                    <listitem><para>login name</para></listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%U</term>
                                    <listitem><para>login UID</para></listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%p</term>
                                    <listitem><para>principal name</para>
                                    </listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%r</term>
                                    <listitem><para>realm name</para></listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%h</term>
                                    <listitem><para>home directory</para>
                                    </listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%d</term>
                                    <listitem><para>value of krb5ccache_dir
                                              </para>
                                    </listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%P</term>
                                    <listitem><para>the process ID of the SSSD
                                                    client</para>
                                    </listitem>
                                </varlistentry>
                                <varlistentry>
                                    <term>%%</term>
                                    <listitem><para>a literal '%'</para>
                                    </listitem>
                                </varlistentry>
                            </variablelist>
                            If the template ends with 'XXXXXX' mkstemp(3) is
                            used to create a unique filename in a safe way.
                        </para>
                        <para>
                            When using KEYRING types, the only supported
                            mechanism is <quote>KEYRING:persistent:%U</quote>,
                            which uses the Linux kernel keyring to store
                            credentials on a per-UID basis. This is also the
                            recommended choice, as it is the most secure and
                            predictable method.
                        </para>
                        <para>
                            The default value for the credential cache name is
                            sourced from the profile stored in the system wide
                            krb5.conf configuration file in the [libdefaults]
                            section. The option name is default_ccache_name.
                            See krb5.conf(5)'s PARAMETER EXPANSION paragraph
                            for additional information on the expansion format
                            defined by krb5.conf.
                        </para>
                        <para>
                            Default: (from libkrb5)
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_auth_timeout (integer)</term>
                    <listitem>
                        <para>
                            Timeout in seconds after an online authentication request
                            or change password request is aborted. If possible, the
                            authentication request is continued offline.
                        </para>
                        <para>
                            Default: 6
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_validate (boolean)</term>
                    <listitem>
                        <para>
                            Verify with the help of krb5_keytab that the TGT
                            obtained has not been spoofed. The keytab is checked for
                            entries sequentially, and the first entry with a matching
                            realm is used for validation. If no entry matches the realm, the last
                            entry in the keytab is used. This process can be used to validate
                            environments using cross-realm trust by placing the appropriate
                            keytab entry as the last entry or the only entry in the keytab file.
                        </para>
                        <para>
                            Default: false
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_keytab (string)</term>
                    <listitem>
                        <para>
                            The location of the keytab to use when validating
                            credentials obtained from KDCs.
                        </para>
                        <para>
                            Default: /etc/krb5.keytab
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_store_password_if_offline (boolean)</term>
                    <listitem>
                        <para>
                            Store the password of the user if the provider is
                            offline and use it to request a TGT when the
                            provider comes online again.
                        </para>
                        <para>
                            NOTE: this feature is only available on Linux.
                            Passwords stored in this way are kept in
                            plaintext in the kernel keyring and are
                            potentially accessible by the root user
                            (with difficulty).
                        </para>
                        <para>
                            Default: false
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_renewable_lifetime (string)</term>
                    <listitem>
                        <para>
                            Request a renewable ticket with a total
                            lifetime, given as an integer immediately followed
                            by a time unit:
                        </para>
                        <para>
                            <emphasis>s</emphasis> for seconds
                        </para>
                        <para>
                            <emphasis>m</emphasis> for minutes
                        </para>
                        <para>
                            <emphasis>h</emphasis> for hours
                        </para>
                        <para>
                            <emphasis>d</emphasis> for days.
                        </para>
                        <para>
                            If there is no unit given, <emphasis>s</emphasis> is
                            assumed.
                        </para>
                        <para>
                            NOTE: It is not possible to mix units.  To set
                            the renewable lifetime to one and a half hours,
                            use '90m' instead of '1h30m'.
                        </para>
                        <para>
                            Default: not set, i.e. the TGT is not renewable
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_lifetime (string)</term>
                    <listitem>
                        <para>
                            Request ticket with a lifetime, given as an
                            integer immediately followed by a time unit:
                        </para>
                        <para>
                            <emphasis>s</emphasis> for seconds
                        </para>
                        <para>
                            <emphasis>m</emphasis> for minutes
                        </para>
                        <para>
                            <emphasis>h</emphasis> for hours
                        </para>
                        <para>
                            <emphasis>d</emphasis> for days.
                        </para>
                        <para>
                            If there is no unit given <emphasis>s</emphasis> is
                            assumed.
                        </para>
                        <para>
                            NOTE: It is not possible to mix units.
                            To set the lifetime to one and a half
                            hours please use '90m' instead of '1h30m'.
                        </para>
                        <para>
                            Default: not set, i.e. the default ticket lifetime
                            configured on the KDC.
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_renew_interval (string)</term>
                    <listitem>
                        <para>
                            The time in seconds between two checks if the TGT
                            should be renewed. TGTs are renewed if about half
                            of their lifetime is exceeded, given as an integer
                            immediately followed by a time unit:
                        </para>
                        <para>
                            <emphasis>s</emphasis> for seconds
                        </para>
                        <para>
                            <emphasis>m</emphasis> for minutes
                        </para>
                        <para>
                            <emphasis>h</emphasis> for hours
                        </para>
                        <para>
                            <emphasis>d</emphasis> for days.
                        </para>
                        <para>
                            If there is no unit given, <emphasis>s</emphasis> is
                            assumed.
                        </para>
                        <para>
                            NOTE: It is not possible to mix units.  To set
                            the renewable lifetime to one and a half hours,
                            use '90m' instead of '1h30m'.
                        </para>
                        <para>
                             If this option is not set or is 0 the automatic
                             renewal is disabled.
                        </para>
                        <para>
                            Default: not set
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_use_fast (string)</term>
                    <listitem>
                        <para>
                            Enables flexible authentication secure tunneling
                            (FAST) for Kerberos pre-authentication. The
                            following options are supported:
                        </para>
                        <para>
                            <emphasis>never</emphasis> use FAST. This is
                            equivalent to not setting this option at all.
                        </para>
                        <para>
                            <emphasis>try</emphasis> to use FAST. If the server
                            does not support FAST, continue the
                            authentication without it.
                        </para>
                        <para>
                            <emphasis>demand</emphasis> to use FAST. The
                            authentication fails if the server does not
                            require fast.
                        </para>
                        <para>
                            Default: not set, i.e. FAST is not used.
                        </para>
                        <para>
                            NOTE: a keytab is required to use FAST.
                        </para>
                        <para>
                            NOTE: SSSD supports FAST only with
                            MIT Kerberos version 1.8 and later. If SSSD is used
                            with an older version of MIT Kerberos, using this
                            option is a configuration error.
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_fast_principal (string)</term>
                    <listitem>
                        <para>
                            Specifies the server principal to use for FAST.
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_canonicalize (boolean)</term>
                    <listitem>
                        <para>
                            Specifies if the host and user principal should be
                            canonicalized. This feature is available with MIT
                            Kerberos 1.7 and later versions.
                        </para>

                        <para>
                            Default: false
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_use_kdcinfo (boolean)</term>
                    <listitem>
                        <para>
                            Specifies if the SSSD should instruct the Kerberos
                            libraries what realm and which KDCs to use. This option
                            is on by default, if you disable it, you need to configure
                            the Kerberos library using the
                            <citerefentry>
                                <refentrytitle>krb5.conf</refentrytitle>
                                <manvolnum>5</manvolnum>
                            </citerefentry>
                            configuration file.
                        </para>
                        <para>
                            See the
                            <citerefentry>
                                <refentrytitle>sssd_krb5_locator_plugin</refentrytitle>
                                <manvolnum>8</manvolnum>
                            </citerefentry>
                            manual page for more information on the locator plugin.
                        </para>
                        <para>
                            Default: true
                        </para>
                    </listitem>
                </varlistentry>

                <varlistentry>
                    <term>krb5_use_enterprise_principal (boolean)</term>
                    <listitem>
                        <para>
                            Specifies if the user principal should be treated
                            as enterprise principal. See section 5 of RFC 6806
                            for more details about enterprise principals.
                        </para>

                        <para>
                            Default: false (AD provide: true)
                        </para>
                    </listitem>
                </varlistentry>

            </variablelist>
        </para>
    </refsect1>

    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />

    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />

    <refsect1 id='example'>
        <title>EXAMPLE</title>
        <para>
            The following example assumes that SSSD is correctly
            configured and FOO is one of the domains in the
            <replaceable>[sssd]</replaceable> section. This example shows
            only configuration of Kerberos authentication; it does not include
            any identity provider.
        </para>
        <para>
<programlisting>
    [domain/FOO]
    auth_provider = krb5
    krb5_server = 192.168.1.1
    krb5_realm = EXAMPLE.COM
</programlisting>
        </para>
    </refsect1>

    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />

</refentry>
</reference>