SSSD-KRB5(5)                File Formats and Conventions               SSSD-KRB5(5)

NAME
    sssd-krb5 - the configuration file for SSSD

DESCRIPTION
    This manual page describes the configuration of the Kerberos 5
    authentication backend for sssd(8). For a detailed syntax reference,
    please refer to the “FILE FORMAT” section of the sssd.conf(5) manual
    page.

    The Kerberos 5 authentication backend contains auth and chpass
    providers. It must be paired with an identity provider in order to
    function properly (for example, id_provider = ldap). Some information
    required by the Kerberos 5 authentication backend must be provided by
    the identity provider, such as the user's Kerberos Principal Name
    (UPN). The configuration of the identity provider should have an entry
    to specify the UPN. Please refer to the man page for the applicable
    identity provider for details on how to configure this.

    This backend also provides access control based on the .k5login file in
    the home directory of the user. See .k5login(5) for more details.
    Please note that an empty .k5login file will deny all access to this
    user. To activate this feature use 'access_provider = krb5' in your
    sssd configuration.

    In the case where the UPN is not available in the identity backend,
    sssd will construct a UPN using the format username@krb5_realm.
CONFIGURATION OPTIONS
    If the auth-module krb5 is used in an SSSD domain, the following options
    must be used. See the sssd.conf(5) manual page, section “DOMAIN
    SECTIONS” for details on the configuration of an SSSD domain.

    krb5_server (string)
        Specifies the list of IP addresses or hostnames of the Kerberos
        servers to which SSSD should connect, in order of preference.
        For more information on failover and server redundancy, see the
        “FAILOVER” section. An optional port number (preceded by a colon)
        may be appended to the addresses or hostnames. If empty, service
        discovery is enabled - for more information, refer to the “SERVICE
        DISCOVERY” section.

        When using service discovery for KDC or kpasswd servers, SSSD first
        searches for DNS entries that specify _udp as the protocol and
        falls back to _tcp if none are found.

        This option was named “krb5_kdcip” in earlier releases of SSSD.
        While the legacy name is recognized for the time being, users are
        advised to migrate their config files to use “krb5_server” instead.

    krb5_realm (string)
        The name of the Kerberos realm. This option is required and must be
        specified.

    krb5_kpasswd (string)
        If the change password service is not running on the KDC,
        alternative servers can be defined here. An optional port number
        (preceded by a colon) may be appended to the addresses or
        hostnames.

        For more information on failover and server redundancy, see the
        “FAILOVER” section. Please note that even if there are no more
        kpasswd servers to try, the back end does not switch to offline if
        authentication against the KDC is still possible.

        Default: Use the KDC

    krb5_ccachedir (string)
        Directory to store credential caches. All the substitution
        sequences of krb5_ccname_template can be used here, too, except %d
        and %P. If the directory does not exist it will be created. If %u,
        %U, %p or %h are used, a private directory belonging to the user is
        created. Otherwise a public directory with the restricted deletion
        flag (aka sticky bit, see chmod(1) for details) is created.

        Default: /tmp

    krb5_ccname_template (string)
        Location of the user's credential cache. Currently only file based
        credential caches are supported. In the template the following
        sequences are substituted:

            %u    login name
            %U    login UID
            %p    principal name
            %r    realm name
            %h    home directory
            %d    value of krb5_ccachedir
            %P    the process ID of the sssd client
            %%    a literal '%'

        If the template ends with 'XXXXXX', mkstemp(3) is used to create a
        unique filename in a safe way.

        Default: FILE:%d/krb5cc_%U_XXXXXX
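The following is an added example, not sssd's own code, showing how the krb5_ccachedir and krb5_ccname_template rules above fit together: the shared substitution sequences, the %d/%P exclusion for krb5_ccachedir, the private-versus-sticky directory decision, and the trailing 'XXXXXX' mkstemp(3) rule. The `user` dict, its keys, and the function names are this example's own assumptions.

```python
import os
import tempfile

# Substitution sequences from sssd-krb5(5); krb5_ccachedir takes the same set
# minus %d and %P, and any of %u/%U/%p/%h makes the directory per-user.
CCNAME_SEQS = "uUprhdP%"
CCACHEDIR_SEQS = "uUprh%"
PRIVATE_SEQS = set("uUph")

def expand(template, user, allowed=CCNAME_SEQS):
    """Expand %-sequences; `user` is a constructed dict with keys name, uid,
    principal, realm, home, ccachedir, pid. Returns (expanded, sequences_used)
    and raises ValueError for a sequence outside `allowed` (e.g. %d in ccachedir)."""
    values = {"u": user["name"], "U": str(user["uid"]), "p": user["principal"],
              "r": user["realm"], "h": user["home"], "d": user["ccachedir"],
              "P": str(user["pid"]), "%": "%"}
    out, used, i = [], set(), 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        spec = template[i + 1:i + 2]
        if spec == "" or spec not in allowed:
            raise ValueError("%%%s is not allowed in this option" % spec)
        out.append(values[spec])
        used.add(spec)
        i += 2
    return "".join(out), used

def ccachedir_mode(used):
    """0700 for a private per-user dir, else world-writable plus sticky bit."""
    return 0o700 if used & PRIVATE_SEQS else 0o1777

def create_ccache(ccname_template, ccachedir_template, user):
    """Resolve both options, create the cache file, return its FILE: name."""
    ccachedir, used = expand(ccachedir_template, user, CCACHEDIR_SEQS)
    if not os.path.isdir(ccachedir):
        os.mkdir(ccachedir, ccachedir_mode(used))
    user = dict(user, ccachedir=ccachedir)        # %d is the expanded directory
    ccname, _ = expand(ccname_template, user)
    if not ccname.startswith("FILE:"):
        raise ValueError("only file based credential caches are supported")
    path = ccname[len("FILE:"):]
    if path.endswith("XXXXXX"):                    # mkstemp(3) rule from the man page
        head, tail = os.path.split(path[:-6])
        fd, path = tempfile.mkstemp(prefix=tail, dir=head)
        os.close(fd)
    return "FILE:" + path
```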
114
115 krb5_auth_timeout (integer)
116 Timeout in seconds after an online authentication or change
117 password request is aborted. If possible the authentication request
118 is continued offline.
119
120 Default: 15
121
122 krb5_validate (boolean)
123 Verify with the help of krb5_keytab that the TGT obtained has not
124 been spoofed.
125
126 Default: false
127
128 krb5_keytab (string)
129 The location of the keytab to use when validating credentials
130 obtained from KDCs.
131
132 Default: /etc/krb5.keytab
133
134 krb5_store_password_if_offline (boolean)
135 Store the password of the user if the provider is offline and use
136 it to request a TGT when the provider gets online again.
137
138 Please note that this feature currently only available on a Linux
139 platform.
140
141 Default: false
142
143 krb5_renewable_lifetime (string)
144 Request a renewable ticket with a total lifetime given by an
145 integer immediately followed by one of the following delimiters:
146
147
148 s seconds
149
150
151 m minutes
152
153
154 h hours
155
156
157 d days.
158
159 If there is no delimiter s is assumed.
160
161 Please note that it is not possible to mix units. If you want to
162 set the renewable lifetime to one and a half hours please use '90m'
163 instead of '1h30m'.
164
165 Default: not set, i.e. the TGT is not renewable
166
167 krb5_lifetime (string)
168 Request ticket with a with a lifetime given by an integer
169 immediately followed by one of the following delimiters:
170
171
172 s seconds
173
174
175 m minutes
176
177
178 h hours
179
180
181 d days.
182
183 If there is no delimiter s is assumed.
184
185 Please note that it is not possible to mix units. If you want to
186 set the lifetime to one and a half hours please use '90m' instead
187 of '1h30m'.
188
189 Default: not set, i.e. the default ticket lifetime configured on
190 the KDC.
191
192 krb5_renew_interval (integer)
193 The time in seconds between two checks if the TGT should be
194 renewed. TGTs are renewed if about half of their lifetime is
195 exceeded.
196
197 If this option is not set or 0 the automatic renewal is disabled.
198
199 Default: not set
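An added example (not sssd's own code) covering krb5_renewable_lifetime, krb5_lifetime and krb5_renew_interval together: it parses the integer-plus-delimiter format, rejecting mixed units such as '1h30m', and then walks the periodic renewal check to show when a TGT would be renewed. The function names, and the reading of "about half" as strictly more than half the lifetime, are this example's assumptions.

```python
import re

# One integer plus at most one delimiter (sssd-krb5(5)); units cannot be
# mixed, so "90m" is accepted and "1h30m" is rejected. No delimiter means s.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_LIFETIME_RE = re.compile(r"^(\d+)([smhd]?)$")

def parse_lifetime(value):
    """Seconds for a krb5_lifetime / krb5_renewable_lifetime value, or None
    when the option is not set. Raises ValueError for mixed units."""
    if value is None or not value.strip():
        return None
    m = _LIFETIME_RE.match(value.strip())
    if m is None:
        raise ValueError("bad lifetime %r: one integer and one of s, m, h, d" % value)
    number, unit = m.groups()
    return int(number) * _UNIT_SECONDS[unit or "s"]

def renewal_times(lifetime, renewable_lifetime, renew_interval):
    """Seconds since the first TGT at which the krb5_renew_interval check
    would renew it. The man page says renewal happens when "about half" of
    the lifetime is exceeded; this example assumes strictly more than half.
    Renewal stops once the ticket has expired unrenewed or the renewable
    lifetime is used up; [] means automatic renewal is off."""
    if not renew_interval or renewable_lifetime is None:
        return []
    times, issued, now = [], 0, 0
    while True:
        now += renew_interval
        if now >= renewable_lifetime or now - issued >= lifetime:
            return times
        if now - issued > lifetime / 2:
            times.append(now)
            issued = now
```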
200
201 krb5_use_fast (string)
202 Enables flexible authentication secure tunneling (FAST) for
203 Kerberos pre-authentication. The following options are supported:
204
205
206 never use FAST, this is equivalent to not set this option at all.
207
208
209 try to use FAST, if the server does not support fast continue
210 without.
211
212
213 demand to use FAST, fail if the server does not require fast.
214
215 Default: not set, i.e. FAST is not used.
216
217 Please note that a keytab is required to use fast.
218
219 Please note also that sssd supports fast only with MIT Kerberos
220 version 1.8 and above. If sssd used used with an older version
221 using this option is a configuration error.
222
FAILOVER
    The failover feature allows back ends to automatically switch to a
    different server if the primary server fails.

    Failover Syntax
        The list of servers is given as a comma-separated list; any number of
        spaces is allowed around the comma. The servers are listed in order of
        preference. The list can contain any number of servers.

    The Failover Mechanism
        The failover mechanism distinguishes between a machine and a service.
        The back end first tries to resolve the hostname of a given machine; if
        this resolution attempt fails, the machine is considered offline. No
        further attempts are made to connect to this machine for any other
        service. If the resolution attempt succeeds, the back end tries to
        connect to a service on this machine. If the service connection attempt
        fails, then only this particular service is considered offline and the
        back end automatically switches over to the next service. The machine
        is still considered online and might still be tried for another
        service.

        Further connection attempts are made to machines or services marked as
        offline after a specified period of time; this is currently hard coded
        to 30 seconds.

        If there are no more machines to try, the back end as a whole switches
        to offline mode, and then attempts to reconnect every 30 seconds.
250
252 The service discovery feature allows back ends to automatically find
253 the appropriate servers to connect to using a special DNS query.
254
255 Configuration
256 If no servers are specified, the back end automatically uses service
257 discovery to try to find a server. Optionally, the user may choose to
258 use both fixed server addresses and service discovery by inserting a
259 special keyword, “_srv_”, in the list of servers. The order of
260 preference is maintained. This feature is useful if, for example, the
261 user prefers to use service discovery whenever possible, and fall back
262 to a specific server when no servers can be discovered using DNS.
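An added example (not sssd's own code) that models the krb5_server / krb5_kpasswd list syntax, the “_srv_” keyword and the machine-versus-service distinction of “The Failover Mechanism”: a failed hostname resolution takes a machine offline for every service, a failed connection takes only that one service offline, and both are retried after the hard coded 30 seconds. Function and class names are this example's assumptions; IPv6 literals and the actual SRV lookup are left out.

```python
RETRY_AFTER = 30   # seconds; the man page says this is currently hard coded

def parse_server_list(value, default_port):
    """Split a krb5_server / krb5_kpasswd value: comma-separated, any amount of
    whitespace around the commas, order of preference kept. Returns (host, port)
    tuples plus the literal marker "_srv_" where DNS service discovery should be
    tried; an empty value means discovery only. IPv6 literals are not handled."""
    entries = [e.strip() for e in (value or "").split(",") if e.strip()]
    if not entries:
        return ["_srv_"]
    out = []
    for entry in entries:
        if entry == "_srv_":
            out.append("_srv_")
            continue
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            out.append((host, int(port)))
        else:
            out.append((entry, default_port))
    return out

class Failover:
    """Machine vs. service state as in "The Failover Mechanism": a failed
    hostname resolution marks the whole machine offline for every service, a
    failed connection marks only that (machine, service) pair, and both are
    retried after RETRY_AFTER seconds. SRV results would replace "_srv_"."""

    def __init__(self, servers):
        self.servers = [s for s in servers if s != "_srv_"]
        self.offline_since = {}                  # host or (host, service) -> time

    def _offline(self, key, now):
        since = self.offline_since.get(key)
        return since is not None and now - since < RETRY_AFTER

    def resolve_failed(self, host, now):
        self.offline_since[host] = now           # machine offline for all services

    def connect_failed(self, host, service, now):
        self.offline_since[(host, service)] = now   # only this service

    def next_server(self, service, now):
        """First usable (host, port) for `service`, or None when every machine
        is exhausted and the back end as a whole goes offline."""
        for host, port in self.servers:
            if not self._offline(host, now) and not self._offline((host, service), now):
                return (host, port)
        return None
```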
263
264 The domain name
265 Please refer to the “dns_discovery_domain” parameter in the
266 sssd.conf(5) manual page for more details.
267
268 The protocol
269 The queries usually specify _tcp as the protocol. Exceptions are
270 documented in respective option description.
271
272 See Also
273 For more information on the service discovery mechanism, refer to RFC
274 2782.
275
277 The following example assumes that SSSD is correctly configured and FOO
278 is one of the domains in the [sssd] section. This example shows only
279 configuration of Kerberos authentication, it does not include any
280 identity provider.
281
282 [domain/FOO]
283 auth_provider = krb5
284 krb5_server = 192.168.1.1
285 krb5_realm = EXAMPLE.COM
286
287
289 sssd.conf(5), sssd-ldap(5), sssd(8)
290
292 The SSSD upstream - http://fedorahosted.org/sssd
293
294
295
296SSSD 08/05/2011 SSSD-KRB5(5)