<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<title>SSSD Manual pages</title>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
<refentrytitle>sssd-krb5</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
<refnamediv id='name'>
<refname>sssd-krb5</refname>
<refpurpose>the configuration file for SSSD</refpurpose>
<refsect1 id='description'>
<title>DESCRIPTION</title>
This manual page describes the configuration of the Kerberos
5 authentication backend for
<refentrytitle>sssd</refentrytitle>
<manvolnum>8</manvolnum>
For a detailed syntax reference, please refer to the <quote>FILE FORMAT</quote> section of the
<citerefentry>
<refentrytitle>sssd.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> manual page.
The Kerberos 5 authentication backend contains auth and chpass
providers. It must be paired with an identity provider in
order to function properly (for example, id_provider = ldap). Some
information required by the Kerberos 5 authentication backend must
be provided by the identity provider, such as the user's Kerberos
Principal Name (UPN). The configuration of the identity provider
should have an entry to specify the UPN. Please refer to the man
page for the applicable identity provider for details on how to
This backend also provides access control based on the .k5login
file in the home directory of the user. See <citerefentry>
<refentrytitle>.k5login</refentrytitle><manvolnum>5</manvolnum>
</citerefentry> for more details. Please note that an empty .k5login
file will deny all access to this user. To activate this feature
use 'access_provider = krb5' in your sssd configuration.
In the case where the UPN is not available in the identity backend,
<command>sssd</command> will construct a UPN using the format
<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>.
<refsect1 id='file-format'>
<title>CONFIGURATION OPTIONS</title>
If the auth-module krb5 is used in an SSSD domain, the following
options must be used. See the
<citerefentry>
<refentrytitle>sssd.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>
for details on the configuration of an SSSD domain.
<term>krb5_server (string)</term>
Specifies the list of IP addresses or hostnames
of the Kerberos servers to which SSSD should
connect, in order of preference. For more
information on failover and server redundancy,
see the <quote>FAILOVER</quote> section. An optional
port number (preceded by a colon) may be appended to
the addresses or hostnames.
If empty, service discovery is enabled;
for more information, refer to the
<quote>SERVICE DISCOVERY</quote> section.
When using service discovery for KDC or kpasswd servers,
SSSD first searches for DNS entries that specify _udp as
the protocol and falls back to _tcp if none are found.
This option was named <quote>krb5_kdcip</quote> in
earlier releases of SSSD. While the legacy name is recognized
for the time being, users are advised to migrate their config
files to use <quote>krb5_server</quote> instead.
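The following is an added example, not code from SSSD itself, showing how a krb5_server (or krb5_kpasswd) value maps to an ordered server list with optional ports, and which DNS SRV names are tried, _udp first and _tcp as fallback, when the value is empty and service discovery takes over. The SRV labels _kerberos and _kpasswd are assumptions taken from common Kerberos DNS usage; the page itself only states the protocol order. The sample values are constructed.

```python
# Added example (not SSSD code): how a krb5_server / krb5_kpasswd value
# is turned into an ordered server list, and which DNS SRV names are
# tried when the value is empty and service discovery takes over.

# Assumed SRV service labels; the man page only states the _udp-before-_tcp
# order, not the labels themselves.
SRV_LABELS = {"kdc": "_kerberos", "kpasswd": "_kpasswd"}


def parse_server_list(value):
    """Split a comma-separated server list into [(host, port), ...] in the
    order given (= order of preference). port is None when omitted. An
    empty list means: no explicit servers, use service discovery."""
    servers = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        # Only hostnames and IPv4 literals carry an optional ':port'; a bare
        # IPv6 literal contains several colons and is kept whole.
        if sep and port.isdigit() and ":" not in host:
            port = int(port)
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range in {entry!r}")
            servers.append((host, port))
        else:
            servers.append((entry, None))
    return servers


def discovery_candidates(service, realm):
    """SRV names in the documented lookup order: _udp first, _tcp fallback."""
    label = SRV_LABELS[service]
    return [f"{label}._udp.{realm}", f"{label}._tcp.{realm}"]


def resolve_servers(value, service, realm):
    """Decide between the explicit list and service discovery for one
    service ('kdc' for krb5_server, 'kpasswd' for krb5_kpasswd)."""
    explicit = parse_server_list(value)
    if explicit:
        return {"mode": "explicit", "servers": explicit}
    return {"mode": "discovery", "srv": discovery_candidates(service, realm)}


if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    print(resolve_servers("kdc1.example.com:88, 192.168.1.1", "kdc", "EXAMPLE.COM"))
    print(resolve_servers("", "kpasswd", "EXAMPLE.COM"))
```

The port check matters because a mistyped port silently sends authentication traffic to the wrong service; rejecting it at configuration time is cheaper than diagnosing a backend that keeps going offline.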
<term>krb5_realm (string)</term>
The name of the Kerberos realm. This option is required
and must be specified.
<term>krb5_kpasswd (string)</term>
If the change password service is not running on the
KDC, alternative servers can be defined here. An
optional port number (preceded by a colon) may be
appended to the addresses or hostnames.
For more information on failover and server
redundancy, see the <quote>FAILOVER</quote> section.
Please note that even if there are no more kpasswd
servers to try, the back end does not switch to offline
if authentication against the KDC is still possible.
<term>krb5_ccachedir (string)</term>
Directory to store credential caches. All the
substitution sequences of krb5_ccname_template can
be used here, too, except %d and %P. If the
directory does not exist it will be created. If %u,
%U, %p or %h are used a private directory belonging
to the user is created. Otherwise a public directory
with restricted deletion flag (aka sticky bit, see
<citerefentry>
<refentrytitle>chmod</refentrytitle>
<manvolnum>1</manvolnum>
</citerefentry> for details) is created.
<term>krb5_ccname_template (string)</term>
Location of the user's credential cache. Currently
only file based credential caches are supported. In
the template the following sequences are
<listitem><para>login name</para></listitem>
<listitem><para>login UID</para></listitem>
<listitem><para>principal name</para></listitem>
<listitem><para>realm name</para></listitem>
<listitem><para>home directory</para></listitem>
<listitem><para>value of krb5ccache_dir</para></listitem>
<listitem><para>the process ID of the sssd</para></listitem>
<listitem><para>a literal '%'</para></listitem>
If the template ends with 'XXXXXX' mkstemp(3) is
used to create a unique filename in a safe way.
Default: FILE:%d/krb5cc_%U_XXXXXX
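The following is an added example, not SSSD code, that works through the template rules of krb5_ccname_template and krb5_ccachedir above: the %-sequence expansion, the restriction that %d and %P are not allowed in krb5_ccachedir, the private-versus-sticky directory choice, and the mkstemp(3) behaviour for a trailing XXXXXX. The letters %u, %U, %p, %h, %d, %P and the '%%' escape are taken from the page; %r for the realm name is an assumption (the page lists "realm name" without its letter). The sample context values are constructed.

```python
import os
import stat
import tempfile

# Added example (not SSSD code) of the krb5_ccname_template / krb5_ccachedir
# substitution rules. %u %U %p %h %d %P and '%%' are the sequences named on
# this page; %r for the realm is an assumption.
SEQUENCES = {
    "u": "login_name",
    "U": "login_uid",
    "p": "principal",
    "r": "realm",
    "h": "home",
    "d": "ccache_dir",
    "P": "sssd_pid",
}
CCNAME_ALLOWED = frozenset(SEQUENCES)
CCACHEDIR_ALLOWED = CCNAME_ALLOWED - {"d", "P"}   # %d and %P not allowed here
PRIVATE_KEYS = {"u", "U", "p", "h"}                # per-user sequences

# Constructed sample context.
SAMPLE_CTX = {
    "login_name": "alice", "login_uid": 1000, "principal": "alice@EXAMPLE.COM",
    "realm": "EXAMPLE.COM", "home": "/home/alice", "ccache_dir": "/tmp/krb5cc",
    "sssd_pid": 4242,
}


def sequences_used(template):
    """Set of %-letters in the template, ignoring the '%%' escape."""
    keys, i = set(), 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            if template[i + 1] != "%":
                keys.add(template[i + 1])
            i += 2
        else:
            i += 1
    return keys


def unsupported_sequences(template, allowed):
    """Sorted list of %-letters the template uses but the option forbids."""
    return sorted(sequences_used(template) - allowed)


def expand_template(template, ctx, allowed=CCNAME_ALLOWED):
    bad = unsupported_sequences(template, allowed)
    if bad:
        raise ValueError(f"unsupported sequence(s) in {template!r}: {bad}")
    out, i = [], 0
    while i < len(template):
        c = template[i]
        if c == "%" and i + 1 < len(template):
            nxt = template[i + 1]
            out.append("%" if nxt == "%" else str(ctx[SEQUENCES[nxt]]))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def expand_ccachedir(template, ctx):
    return expand_template(template, ctx, CCACHEDIR_ALLOWED)


def ccachedir_mode(template):
    """(is_private, mode): a per-user sequence yields a private directory
    owned by the user; otherwise a shared directory with the sticky bit."""
    private = bool(sequences_used(template) & PRIVATE_KEYS)
    return private, (0o700 if private else 0o1777)


def create_ccache(template, ctx):
    """Expand the template and create the cache file. A trailing 'XXXXXX'
    is replaced by a unique suffix via tempfile.mkstemp, which creates the
    file with mode 0600 and O_EXCL, the safe creation the page attributes
    to mkstemp(3). The 'FILE:' type prefix is stripped first."""
    path = expand_template(template, ctx)
    if path.startswith("FILE:"):
        path = path[len("FILE:"):]
    if path.endswith("XXXXXX"):
        directory, base = os.path.split(path[:-6])
        fd, path = tempfile.mkstemp(prefix=base, dir=directory)
    else:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return path


def demo_create():
    """Create a cache with the page's default template in a fresh temporary
    directory; returns (name has expected prefix, file mode)."""
    d = tempfile.mkdtemp()
    path = create_ccache("FILE:%d/krb5cc_%U_XXXXXX", dict(SAMPLE_CTX, ccache_dir=d))
    return path.startswith(os.path.join(d, "krb5cc_1000_")), stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    print(expand_template("FILE:%d/krb5cc_%U_XXXXXX", SAMPLE_CTX))
    print(ccachedir_mode("/run/user/%U"), ccachedir_mode("/tmp"))
    print(demo_create())
```

The directory-mode split is the security-relevant part: a cache directory shared by all users must carry the sticky bit so one user cannot delete or rename another user's cache, while a per-user directory can simply be 0700.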
<term>krb5_auth_timeout (integer)</term>
Timeout in seconds after which an online authentication or
change password request is aborted. If possible, the
authentication request is continued offline.
<term>krb5_validate (boolean)</term>
Verify with the help of krb5_keytab that the TGT obtained has not been spoofed.
<term>krb5_keytab (string)</term>
The location of the keytab to use when validating
credentials obtained from KDCs.
Default: /etc/krb5.keytab
<term>krb5_store_password_if_offline (boolean)</term>
Store the password of the user if the provider is
offline and use it to request a TGT when the
provider gets online again.
Please note that this feature is currently only
available on a Linux platform.
<term>krb5_renewable_lifetime (string)</term>
Request a renewable ticket with a total
lifetime given by an integer immediately followed
by one of the following delimiters:
<emphasis>s</emphasis> seconds
<emphasis>m</emphasis> minutes
<emphasis>h</emphasis> hours
<emphasis>d</emphasis> days.
If there is no delimiter <emphasis>s</emphasis> is
Please note that it is not possible to mix units.
If you want to set the renewable lifetime to one
and a half hours please use '90m' instead of
Default: not set, i.e. the TGT is not renewable
<term>krb5_lifetime (string)</term>
Request a ticket with a lifetime given by an
integer immediately followed by one of the following
<emphasis>s</emphasis> seconds
<emphasis>m</emphasis> minutes
<emphasis>h</emphasis> hours
<emphasis>d</emphasis> days.
If there is no delimiter <emphasis>s</emphasis> is
Please note that it is not possible to mix units.
If you want to set the lifetime to one and a half
hours please use '90m' instead of '1h30m'.
Default: not set, i.e. the default ticket lifetime
configured on the KDC.
<term>krb5_renew_interval (integer)</term>
The time in seconds between two checks whether the TGT
should be renewed. TGTs are renewed if about half
of their lifetime is exceeded.
If this option is not set or 0 the automatic
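The following is an added example, not SSSD code, covering both krb5_renewable_lifetime and krb5_lifetime: a parser that applies the rules stated for both options (an integer followed by at most one of s, m, h, d; seconds when no delimiter is given; no mixing of units, so '90m' is accepted and '1h30m' rejected) and a small summary of what the two settings ask of the KDC. The sample values are constructed.

```python
import re

# Added example (not SSSD code): parsing of krb5_lifetime and
# krb5_renewable_lifetime values under the rules on this page: an integer
# followed by at most one of s/m/h/d, seconds if no unit, no mixing of units.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_LIFETIME = re.compile(r"^(\d+)([smhd]?)$")


def parse_lifetime(value):
    """Return the lifetime in seconds, or None when the option is not set."""
    if value is None or not value.strip():
        return None
    m = _LIFETIME.fullmatch(value.strip())
    if m is None:
        raise ValueError(
            f"invalid lifetime {value!r}: one integer plus one unit, e.g. '90m' (not '1h30m')")
    number, unit = m.groups()
    return int(number) * UNIT_SECONDS[unit or "s"]


def is_valid_lifetime(value):
    """True when parse_lifetime accepts the value (unset counts as valid)."""
    try:
        parse_lifetime(value)
        return True
    except ValueError:
        return False


def ticket_request(lifetime=None, renewable_lifetime=None):
    """Summarise what the two options ask of the KDC. An unset lifetime
    leaves the KDC's configured default; an unset renewable lifetime
    requests a non-renewable TGT."""
    life = parse_lifetime(lifetime)
    renew = parse_lifetime(renewable_lifetime)
    return {
        "lifetime_seconds": life,            # None -> KDC default
        "renewable": renew is not None,
        "renew_till_seconds": renew,
    }


if __name__ == "__main__":
    print(ticket_request("10h", "7d"))
    print(is_valid_lifetime("1h30m"))  # False: units cannot be mixed
```

Rejecting '1h30m' outright, rather than guessing at a value, mirrors the page's warning: a mixed-unit string is a configuration error, and a silently mis-parsed lifetime would change how long a stolen cache stays usable.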
<term>krb5_use_fast (string)</term>
Enables flexible authentication secure tunneling
(FAST) for Kerberos pre-authentication. The
following options are supported:
<emphasis>never</emphasis> use FAST, this is
equivalent to not setting this option at all.
<emphasis>try</emphasis> to use FAST; if the server
does not support FAST, continue without it.
<emphasis>demand</emphasis> to use FAST, fail if the
server does not require FAST.
Default: not set, i.e. FAST is not used.
Please note that a keytab is required to use FAST.
Please note also that sssd supports FAST only with
MIT Kerberos version 1.8 and above. If sssd is
used with an older version, using this option is a
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />
<refsect1 id='example'>
<title>EXAMPLE</title>
The following example assumes that SSSD is correctly
configured and FOO is one of the domains in the
<replaceable>[sssd]</replaceable> section. This example shows
only the configuration of Kerberos authentication; it does not include
any identity provider.
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
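The following is an added example, not SSSD code, that checks the krb5 options documented on this page in a [domain/...] section of sssd.conf: the required krb5_realm, the legacy krb5_kdcip name, the allowed krb5_use_fast values, boolean and integer options, and the keytab that both FAST and krb5_validate depend on (default /etc/krb5.keytab). The configuration fragment embedded below is constructed from the EXAMPLE above; the [domain/FOO] header, auth_provider and the last two options are assumptions. Server lists and lifetime strings are not re-parsed here.

```python
import configparser

# Added example (not SSSD code): a small checker for the krb5 options of a
# [domain/...] section. The fragment below extends the page's EXAMPLE; the
# [domain/FOO] header, auth_provider and the last two options are constructed.
SAMPLE_CONF = """
[sssd]
domains = FOO

[domain/FOO]
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
krb5_use_fast = try
krb5_validate = true
"""

FAST_VALUES = {"never", "try", "demand"}
BOOLEANS = ("krb5_validate", "krb5_store_password_if_offline")
INTEGERS = ("krb5_auth_timeout", "krb5_renew_interval")


def check_krb5_domain(section):
    """Findings for one domain section (a mapping of option -> string).
    Server lists and lifetime strings are not re-parsed here."""
    findings = []
    if section.get("auth_provider") != "krb5":
        return findings
    if not section.get("krb5_realm"):
        findings.append("error: krb5_realm is required")
    if "krb5_kdcip" in section and "krb5_server" not in section:
        findings.append("warning: krb5_kdcip is a legacy name; use krb5_server")
    fast = section.get("krb5_use_fast")
    if fast is not None and fast not in FAST_VALUES:
        findings.append(f"error: krb5_use_fast must be one of {sorted(FAST_VALUES)}")
    for key in BOOLEANS:
        val = section.get(key)
        if val is not None and val.lower() not in ("true", "false"):
            findings.append(f"error: {key} must be true or false")
    for key in INTEGERS:
        val = section.get(key)
        if val is not None and not val.isdigit():
            findings.append(f"error: {key} must be a non-negative integer")
    # Both FAST and TGT validation need the keytab (default /etc/krb5.keytab).
    validate = section.get("krb5_validate", "false").lower() == "true"
    if fast in ("try", "demand") or validate:
        keytab = section.get("krb5_keytab", "/etc/krb5.keytab")
        findings.append(f"info: keytab {keytab} must exist and be readable by sssd")
    return findings


def lint(conf_text):
    """Run check_krb5_domain over every [domain/...] section of a config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {name: check_krb5_domain(cp[name]) for name in cp.sections() if name.startswith("domain/")}


if __name__ == "__main__":
    for name, findings in lint(SAMPLE_CONF).items():
        print(name, findings or ["ok"])
```

The keytab finding is deliberately an informational one: with krb5_validate enabled, SSSD can only detect a spoofed TGT if the keytab is present and readable, so a missing or unreadable keytab turns a security control into an authentication outage.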
<refsect1 id='see_also'>
<title>SEE ALSO</title>
<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>