SSSD-KCM(8)              File Formats and Conventions              SSSD-KCM(8)



NAME

       sssd-kcm - SSSD Kerberos Cache Manager


DESCRIPTION

       This manual page describes the configuration of the SSSD Kerberos Cache
       Manager (KCM). KCM is a process that stores, tracks and manages
       Kerberos credential caches. It originates in the Heimdal Kerberos
       project, although the MIT Kerberos library also provides client-side
       support for the KCM credential cache (more details on that below).

       In a setup where Kerberos caches are managed by KCM, the Kerberos
       library (typically used through an application such as kinit(1)) is
       the “KCM client” and the KCM daemon is referred to as the “KCM
       server”. The client and server communicate over a UNIX socket.

       The KCM server keeps track of each credential cache's owner and
       performs access control checks based on the UID and GID of the KCM
       client. The root user has access to all credential caches.

       The KCM credential cache has several interesting properties:

       ·   since the process runs in userspace, it is subject to UID
           namespacing, unlike the kernel keyring

       ·   unlike the kernel keyring-based cache, which is shared between all
           containers, the KCM server is a separate process whose entry point
           is a UNIX socket

       ·   the SSSD implementation stores the ccaches in the SSSD sssd-
           secrets(5) secrets store, allowing the ccaches to survive KCM
           server restarts or machine reboots.

       This allows the system to use a collection-aware credential cache, yet
       share the credential cache between some or no containers by
       bind-mounting the socket.


USING THE KCM CREDENTIAL CACHE

       In order to use the KCM credential cache, it must be selected as the
       default credential type in krb5.conf(5). The credential cache name
       must be only “KCM:” without any template expansions. For example:

           [libdefaults]
               default_ccache_name = KCM:


       Next, make sure the Kerberos client libraries and the KCM server
       agree on the UNIX socket path. By default, both use the same path
       /var/run/.heim_org.h5l.kcm-socket. To configure the Kerberos library,
       change its “kcm_socket” option, which is described in the krb5.conf(5)
       manual page.

       Finally, make sure the SSSD KCM server can be contacted. The KCM
       service is typically socket-activated by systemd(1). Unlike other SSSD
       services, it cannot be started by adding the “kcm” string to the
       “service” directive.

           systemctl start sssd-kcm.socket
           systemctl enable sssd-kcm.socket


       Please note your distribution may already configure the units for you.


THE CREDENTIAL CACHE STORAGE

       The credential caches are stored in the SSSD secrets service (see sssd-
       secrets(5) for more details). Therefore it is important that the
       sssd-secrets service is also enabled and its socket is started:

           systemctl start sssd-secrets.socket
           systemctl enable sssd-secrets.socket


       Your distribution should already set the dependencies between the
       services.


CONFIGURATION OPTIONS

       The KCM service is configured in the “kcm” section of the sssd.conf
       file. Please note that currently it is not sufficient to restart the
       sssd-kcm service, because the sssd configuration is only parsed and
       read into an internal configuration database by the sssd service.
       Therefore you must restart the sssd service if you change anything in
       the “kcm” section of sssd.conf. For a detailed syntax reference, refer
       to the “FILE FORMAT” section of the sssd.conf(5) manual page.

       The generic SSSD service options such as “debug_level” or “fd_limit”
       are accepted by the kcm service. Please refer to the sssd.conf(5)
       manual page for a complete list. In addition, there are some
       KCM-specific options as well.

       socket_path (string)
           The socket the KCM service will listen on.

           Default: /var/run/.heim_org.h5l.kcm-socket

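       The setup steps above (default_ccache_name set to exactly “KCM:”,
       and the client's “kcm_socket” agreeing with the server's
       “socket_path”) are easy to get subtly wrong, and a mismatch simply
       leaves the client unable to reach the KCM server. The following shell
       script is an added example, not part of the sssd-kcm manual page or
       the SSSD project, that checks both conditions against a krb5.conf and
       an sssd.conf. The sample configuration files, their paths and the
       realm name EXAMPLE.TEST are constructed for the demonstration; the
       default socket path is the one documented above.

```shell
#!/bin/sh
# Added example (not from the sssd-kcm man page): verify that a Kerberos
# client configuration and an SSSD configuration agree on using KCM.

# Default socket path shared by the Kerberos library and sssd-kcm.
KCM_DEFAULT_SOCKET=/var/run/.heim_org.h5l.kcm-socket

# ini_get FILE SECTION KEY
# Print the value of KEY found directly inside [SECTION]. Lines nested in
# "{ ... }" blocks (the realm entries of krb5.conf) are skipped, comment
# lines are ignored, and nothing is printed when the key is absent.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            in_sec = ($0 ~ "^[[:space:]]*\\[" sec "\\]"); depth = 0; next
        }
        in_sec && /[{]/ { depth++ }
        in_sec && /[}]/ { depth--; next }
        in_sec && depth == 0 && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub("^[[:space:]]*" key "[[:space:]]*=[[:space:]]*", "")
            sub("[[:space:]]+$", "")
            print; exit
        }' "$1"
}

# check_kcm_config KRB5_CONF SSSD_CONF
# Return 0 when the client and the KCM server are consistently configured,
# 1 (with the reason on stderr) otherwise.
check_kcm_config() {
    krb5="$1"; sssd="$2"
    ccname=$(ini_get "$krb5" libdefaults default_ccache_name)
    # The cache name must be exactly "KCM:", with no template expansion.
    if [ "$ccname" != "KCM:" ]; then
        echo "default_ccache_name must be exactly 'KCM:' (found '${ccname:-unset}')" >&2
        return 1
    fi
    # Both sides fall back to the same default when the option is unset.
    client_sock=$(ini_get "$krb5" libdefaults kcm_socket)
    server_sock=$(ini_get "$sssd" kcm socket_path)
    client_sock=${client_sock:-$KCM_DEFAULT_SOCKET}
    server_sock=${server_sock:-$KCM_DEFAULT_SOCKET}
    if [ "$client_sock" != "$server_sock" ]; then
        echo "kcm_socket ($client_sock) and socket_path ($server_sock) differ" >&2
        return 1
    fi
    return 0
}

# Constructed sample configurations (hypothetical realm EXAMPLE.TEST).
workdir=$(mktemp -d)
GOOD_KRB5="$workdir/krb5-good.conf"
BAD_KRB5="$workdir/krb5-bad.conf"
GOOD_SSSD="$workdir/sssd-good.conf"
BAD_SSSD="$workdir/sssd-bad.conf"

cat > "$GOOD_KRB5" <<'EOF'
[libdefaults]
    default_ccache_name = KCM:
    default_realm = EXAMPLE.TEST

[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
    }
EOF

# Wrong: a file-based cache with a template expansion instead of "KCM:".
cat > "$BAD_KRB5" <<'EOF'
[libdefaults]
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
EOF

cat > "$GOOD_SSSD" <<'EOF'
[sssd]
services = nss, pam
domains = example.test

[kcm]
socket_path = /var/run/.heim_org.h5l.kcm-socket
EOF

# Wrong: server listens somewhere the client (using the default) will not look.
cat > "$BAD_SSSD" <<'EOF'
[kcm]
socket_path = /run/sssd/kcm-alt.sock
EOF

for pair in "$GOOD_KRB5 $GOOD_SSSD" "$BAD_KRB5 $GOOD_SSSD" "$GOOD_KRB5 $BAD_SSSD"; do
    # shellcheck disable=SC2086
    if check_kcm_config $pair; then
        echo "OK:   $pair"
    else
        echo "FAIL: $pair"
    fi
done
```

       Run against the real files with check_kcm_config /etc/krb5.conf
       /etc/sssd/sssd.conf; a non-zero exit with a message on stderr names
       the first inconsistency found. Remember that, as noted above, a
       passing check is only effective after the sssd service has been
       restarted to pick up changes to the “kcm” section.
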

SEE ALSO

       sssd(8), sssd.conf(5)


AUTHORS

       The SSSD upstream - https://pagure.io/SSSD/sssd/



SSSD                              04/25/2019                       SSSD-KCM(8)