SSSD-KCM(8) File Formats and Conventions SSSD-KCM(8)

NAME
sssd-kcm - SSSD Kerberos Cache Manager

DESCRIPTION
This manual page describes the configuration of the SSSD Kerberos Cache
Manager (KCM). KCM is a process that stores, tracks and manages
Kerberos credential caches. It originates in the Heimdal Kerberos
project, although the MIT Kerberos library also provides client side
support (more details on that below) for the KCM credential cache.

In a setup where Kerberos caches are managed by KCM, the Kerberos
library (typically used through an application such as kinit(1)) is
a “KCM client” and the KCM daemon is referred to as a “KCM server”.
The client and server communicate over a UNIX socket.

The KCM server keeps track of each credential cache's owner and
performs access control based on the UID and GID of the KCM client.
The root user has access to all credential caches.

The KCM credential cache has several interesting properties:

· since the process runs in userspace, it is subject to UID
namespacing, unlike the kernel keyring

· unlike the kernel keyring-based cache, which is shared between all
containers, the KCM server is a separate process whose entry point
is a UNIX socket

· the SSSD implementation stores the ccaches in a database, typically
located at /var/lib/sss/secrets, allowing the ccaches to survive KCM
server restarts or machine reboots.

This allows the system to use a collection-aware credential cache, yet
share the credential cache between some or no containers by
bind-mounting the socket.

USING THE KCM
In order to use the KCM credential cache, it must be selected as the
default credential cache type in krb5.conf(5). The credential cache
name must be only “KCM:” without any template expansions. For example:

    [libdefaults]
    default_ccache_name = KCM:

Next, make sure the Kerberos client libraries and the KCM server agree
on the UNIX socket path. By default, both use the same path,
/var/run/.heim_org.h5l.kcm-socket. To configure the Kerberos library,
change its “kcm_socket” option, which is described in the krb5.conf(5)
manual page.

Finally, make sure the SSSD KCM server can be contacted. The KCM
service is typically socket-activated by systemd(1). Unlike other SSSD
services, it cannot be started by adding the “kcm” string to the
“service” directive.

    systemctl start sssd-kcm.socket
    systemctl enable sssd-kcm.socket

Please note your distribution may already configure the units for you.

THE CREDENTIAL CACHE STORAGE
The credential caches are stored in a database, much like SSSD caches
user or group entries. The database is typically located at
“/var/lib/sss/secrets”.

OBTAINING DEBUG LOGS
The sssd-kcm service is typically socket-activated by systemd(1). To
generate debug logs, add the following either to the
/etc/sssd/sssd.conf file directly or as a configuration snippet in the
/etc/sssd/conf.d/ directory:

    [kcm]
    debug_level = 10

Then, restart the sssd-kcm service:

    systemctl restart sssd-kcm.service

Finally, run whatever use-case doesn't work for you. The KCM logs will
be written to /var/log/sssd/sssd_kcm.log. It is recommended to
disable the debug logs when you no longer need them, as the sssd-kcm
service can generate quite a large amount of debugging information.

Please note that configuration snippets are, at the moment, only
processed if the main configuration file at /etc/sssd/sssd.conf exists
at all.

CONFIGURATION OPTIONS
The KCM service is configured in the “kcm” section of the sssd.conf
file. Please note that because the KCM service is typically
socket-activated, it is enough to just restart the “sssd-kcm” service
after changing options in the “kcm” section of sssd.conf:

    systemctl restart sssd-kcm.service

For a detailed syntax reference, refer to the “FILE FORMAT” section of
the sssd.conf(5) manual page.

The generic SSSD service options such as “debug_level” or “fd_limit”
are accepted by the kcm service. Please refer to the sssd.conf(5)
manual page for a complete list. In addition, there are some
KCM-specific options as well.

socket_path (string)
    The socket the KCM service will listen on.

    Default: /var/run/.heim_org.h5l.kcm-socket

max_ccaches (integer)
    How many credential caches the KCM database allows for all
    users.

    Default: 0 (unlimited, only the per-UID quota is enforced)

max_uid_ccaches (integer)
    How many credential caches the KCM database allows per UID.
    This is equivalent to “with how many principals you can kinit”.

    Default: 64

max_ccache_size (integer)
    How big a single credential cache can be. Each service ticket
    accounts into this quota.

    Default: 65536

SEE ALSO
sssd(8), sssd.conf(5),

AUTHORS
The SSSD upstream - https://pagure.io/SSSD/sssd/

SSSD 10/22/2019 SSSD-KCM(8)