NAME
sssd-krb5 - the configuration file for SSSD
DESCRIPTION
This manual page describes the configuration of the Kerberos 5
authentication backend for sssd(8). For a detailed syntax reference,
please refer to the "FILE FORMAT" section of the sssd.conf(5) manual
page
The Kerberos 5 authentication backend does not contain an identity
provider and must be paired with one in order to function properly (for
example, id_provider = ldap). Some information required by the Kerberos
5 authentication backend must be provided by the identity provider,
such as the user's Kerberos Principal Name (UPN). The configuration of
the identity provider should have an entry to specify the UPN. Please
refer to the man page for the applicable identity provider for details
on how to configure this.
In the case where the UPN is not available in the identity backend sssd
will construct a UPN using the format username@krb5_realm.
CONFIGURATION OPTIONS
If the auth-module krb5 is used in a SSSD domain, the following options
must be used. See the sssd.conf(5) manual page, section "DOMAIN
SECTIONS" for details on the configuration of a SSSD domain.
krb5_kdcip (string)
Specifies the list of IP addresses or hostnames of the Kerberos
servers to which SSSD should connect in the order of preference.
For more information on failover and server redundancy, see the
"FAILOVER" section. An optional port number (preceded by a colon)
may be appended to the addresses or hostnames. If empty, service
discovery is enabled - for more information, refer to the "SERVICE
DISCOVERY" section.
krb5_realm (string)
The name of the Kerberos realm. This option is required and must be
specified.
krb5_kpasswd (string)
If the change password service is not running on the KDC
alternative servers can be defined here. An optional port number
(preceded by a colon) may be appended to the addresses or
hostnames.
For more information on failover and server redundancy, see the
"FAILOVER" section. Please note that even if there are no more
kpasswd servers to try the back end is not switch to offline if
authentication against the KDC is still possible.
Default: Use the KDC
krb5_ccachedir (string)
Directory to store credential caches. All the substitution
sequences of krb5_ccname_template can be used here, too, except %d
and %P. If the directory does not exist it will be created. If %u,
%U, %p or %h are used a private directory belonging to the user is
created. Otherwise a public directory with restricted deletion flag
(aka sticky bit, see chmod(1) for details) is created.
Default: /tmp
krb5_ccname_template (string)
Location of the user's credential cache. Currently only file based
credential caches are supported. In the template the following
sequences are substituted:
%u
login name
%U
login UID
%p
principal name
%r
realm name
%h
home directory
%d
value of krb5ccache_dir
%P
the process ID of the sssd client
%%
a literal '%'
If the template ends with 'XXXXXX' mkstemp(3) is used to create a
unique filename in a safe way.
Default: FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout (integer)
Timeout in seconds after an online authentication or change
password request is aborted. If possible the authentication request
is continued offline.
Default: 15
krb5_validate (boolean)
Verify with the help of krb5_keytab that the TGT obtained has not
been spoofed.
Default: false
krb5_keytab (string)
The location of the keytab to use when validating credentials
obtained from KDCs.
Default: /etc/krb5.keytab
krb5_store_password_if_offline (boolean)
Store the password of the user if the provider is offline and use
it to request a TGT when the provider gets online again.
Please note that this feature currently only available on a Linux
plattform.
Default: false
FAILOVER
The failover feature allows back ends to automatically switch to a
different server if the primary server fails.
Failover Syntax
The list of servers is given as a comma-separated list; any number of
spaces is allowed around the comma. The servers are listed in order of
preference. The list can contain any number of servers.
The Failover Mechanism
The failover mechanism distinguishes between a machine and a service.
The back end first tries to resolve the hostname of a given machine; if
this resolution attempt fails, the machine is considered offline. No
further attempts are made to connect to this machine for any other
service. If the resolution attempt succeeds, the back end tries to
connect to a service on this machine. If the service connection attempt
fails, then only this particular service is considered offline and the
back end automatically switches over to the next service. The machine
is still considered online and might still be tried for another
service.
Further connection attempts are made to machines or services marked as
offline after a specified period of time; this is currently hard coded
to 30 seconds.
If there are no more machines to try, the back end as a whole switches
to offline mode, and then attempts to reconnect every 30 seconds.
SERVICE DISCOVERY
The service discovery feature allows back ends to automatically find
the appropriate servers to connect to using a special DNS query.
Configuration
If no servers are specified, the back end automatically uses service
discovery to try to find a server. Optionally, the user may choose to
use both fixed server addresses and service discovery by inserting a
special keyword, "_srv_", in the list of servers. The order of
preference is maintained. This feature is useful if, for example, the
user prefers to use service discovery whenever possible, and fall back
to a specific server when no servers can be discovered using DNS.
The domain name
The name of the SSSD domain is used as the domain part of the service
discovery DNS query.
See Also
For more information on the service discovery mechanism, refer to RFC
2782.
EXAMPLE
The following example assumes that SSSD is correctly configured and FOO
is one of the domains in the [sssd] section. This example shows only
configuration of Kerberos authentication, it does not include any
identity provider.
[domain/FOO]
auth_provider = krb5
krb5_kdcip = 192.168.1.1
krb5_realm = EXAMPLE.COM
SEE ALSO
sssd.conf(5), sssd-ldap(5), sssd(8)
AUTHORS
The SSSD upstream - http://fedorahosted.org/sssd