SSSD-KCM(8)              File Formats and Conventions              SSSD-KCM(8)

NAME

       sssd-kcm - SSSD Kerberos Cache Manager


DESCRIPTION

       This manual page describes the configuration of the SSSD Kerberos Cache
       Manager (KCM). KCM is a process that stores, tracks and manages
       Kerberos credential caches. It originates in the Heimdal Kerberos
       project, although the MIT Kerberos library also provides client side
       support for the KCM credential cache (more details on that below).

       In a setup where Kerberos caches are managed by KCM, the Kerberos
       library (typically used through an application such as kinit(1)) is a
       “KCM client” and the KCM daemon is referred to as a “KCM server”. The
       client and server communicate over a UNIX socket.

       The KCM server keeps track of each credential cache's owner and
       performs access control checks based on the UID and GID of the KCM
       client. The root user has access to all credential caches.

       The KCM credential cache has several interesting properties:

       ·   since the process runs in userspace, it is subject to UID
           namespacing, unlike the kernel keyring

       ·   unlike the kernel keyring-based cache, which is shared between all
           containers, the KCM server is a separate process whose entry point
           is a UNIX socket

       ·   the SSSD implementation stores the ccaches in a database, typically
           located at /var/lib/sss/secrets, allowing the ccaches to survive
           KCM server restarts or machine reboots.

       This allows the system to use a collection-aware credential cache, yet
       share the credential cache between some or no containers by
       bind-mounting the socket.

       The KCM default client idle timeout is 5 minutes; this allows more time
       for user interaction with command line tools such as kinit.


USING THE KCM CREDENTIAL CACHE

       In order to use the KCM credential cache, it must be selected as the
       default credential type in krb5.conf(5). The credential cache name
       must be only “KCM:” without any template expansions. For example:

           [libdefaults]
               default_ccache_name = KCM:


       Next, make sure the Kerberos client libraries and the KCM server agree
       on the UNIX socket path. By default, both use the same path
       /var/run/.heim_org.h5l.kcm-socket. To configure the Kerberos library,
       change its “kcm_socket” option, which is described in the krb5.conf(5)
       manual page.

       Finally, make sure the SSSD KCM server can be contacted. The KCM
       service is typically socket-activated by systemd(1). Unlike other SSSD
       services, it cannot be started by adding the “kcm” string to the
       “service” directive.

           systemctl start sssd-kcm.socket
           systemctl enable sssd-kcm.socket


       Please note your distribution may already configure the units for you.

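       As an added example (not from this manual page or the SSSD project), the
       following POSIX shell script verifies the two agreements the steps above
       ask for: that default_ccache_name is exactly “KCM:” and that the client's
       kcm_socket matches the server's socket_path (the sssd.conf option
       documented under CONFIGURATION OPTIONS below). The function names and the
       sample configuration files are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the sssd-kcm(8) page: verify that the Kerberos
# client configuration and the SSSD [kcm] section agree, as the steps above
# require. Paths are parameters so the checks run against constructed samples.

# Print the value of KEY inside [SECTION] of an INI-style file (krb5.conf,
# sssd.conf); first match wins, nothing is printed when the key is unset.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($0 ~ ("^[ \t]*\\[" sec "\\][ \t]*$")); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# Succeed only when default_ccache_name is exactly "KCM:" (no %{uid} or
# other template expansion), as the page requires.
check_ccache_name() {
    [ "$(ini_get "$1" libdefaults default_ccache_name)" = "KCM:" ]
}

# Succeed when the library's kcm_socket and the server's socket_path resolve
# to the same path, each falling back to the documented default when unset.
check_socket_agreement() {
    default=/var/run/.heim_org.h5l.kcm-socket
    client=$(ini_get "$1" libdefaults kcm_socket)
    server=$(ini_get "$2" kcm socket_path)
    [ "${client:-$default}" = "${server:-$default}" ]
}

# Constructed sample files (not real system configuration) for an offline run.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
    default_ccache_name = KCM:
    kcm_socket = /var/run/.heim_org.h5l.kcm-socket
EOF
cat > "$SAMPLE_DIR/sssd.conf" <<'EOF'
[kcm]
debug_level = 10
EOF

check_ccache_name "$SAMPLE_DIR/krb5.conf" && echo "default_ccache_name: OK"
check_socket_agreement "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/sssd.conf" &&
    echo "socket path: OK"
```

       Point the two checks at /etc/krb5.conf and /etc/sssd/sssd.conf to run
       them against a real host; on systemd platforms remember that the
       sssd-kcm.socket unit, not socket_path, decides the server's path.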

THE CREDENTIAL CACHE STORAGE

       The credential caches are stored in a database, much like SSSD caches
       user or group entries. The database is typically located at
       “/var/lib/sss/secrets”.


OBTAINING DEBUG LOGS

       The sssd-kcm service is typically socket-activated by systemd(1). To
       generate debug logs, add the following either to the
       /etc/sssd/sssd.conf file directly or as a configuration snippet in the
       /etc/sssd/conf.d/ directory:

           [kcm]
           debug_level = 10


       Then, restart the sssd-kcm service:

           systemctl restart sssd-kcm.service


       Finally, run whatever use-case doesn't work for you. The KCM logs will
       be generated at /var/log/sssd/sssd_kcm.log. It is recommended to
       disable the debug logs when you no longer need them, as the sssd-kcm
       service can generate quite a large amount of debugging information.

       Please note that configuration snippets are, at the moment, only
       processed if the main configuration file at /etc/sssd/sssd.conf exists
       at all.


CONFIGURATION OPTIONS

       The KCM service is configured in the “kcm” section of the sssd.conf
       file. Please note that because the KCM service is typically
       socket-activated, it is enough to just restart the “sssd-kcm” service
       after changing options in the “kcm” section of sssd.conf:

           systemctl restart sssd-kcm.service


       For a detailed syntax reference, refer to the “FILE FORMAT” section of
       the sssd.conf(5) manual page.

       The generic SSSD service options such as “debug_level” or “fd_limit”
       are accepted by the kcm service. Please refer to the sssd.conf(5)
       manual page for a complete list. In addition, there are some
       KCM-specific options as well.

       socket_path (string)
           The socket the KCM service will listen on.

           Default: /var/run/.heim_org.h5l.kcm-socket

           Note: on platforms where systemd is supported, the socket path is
           overwritten by the one defined in the sssd-kcm.socket unit file.

       max_ccaches (integer)
           How many credential caches the KCM database allows in total, for
           all users.

           Default: 0 (unlimited, only the per-UID quota is enforced)

       max_uid_ccaches (integer)
           How many credential caches the KCM database allows per UID. This
           is equivalent to “with how many principals you can kinit”.

           Default: 64

       max_ccache_size (integer)
           The maximum size of a single credential cache. Each service ticket
           accounts into this quota.

           Default: 65536


SEE ALSO

       sssd(8), sssd.conf(5)


AUTHORS

       The SSSD upstream - https://github.com/SSSD/sssd/



SSSD                              02/19/2021                       SSSD-KCM(8)