1SSSD-KRB5(5) File Formats and Conventions SSSD-KRB5(5)
2
3
4
6 sssd-krb5 - SSSD Kerberos provider
7
9 This manual page describes the configuration of the Kerberos 5
10 authentication backend for sssd(8). For a detailed syntax reference,
11 please refer to the “FILE FORMAT” section of the sssd.conf(5) manual
12 page.
13
14 The Kerberos 5 authentication backend contains auth and chpass
15 providers. It must be paired with an identity provider in order to
16 function properly (for example, id_provider = ldap). Some information
17 required by the Kerberos 5 authentication backend must be provided by
18 the identity provider, such as the user's Kerberos Principal Name
19 (UPN). The configuration of the identity provider should have an entry
20 to specify the UPN. Please refer to the man page for the applicable
21 identity provider for details on how to configure this.
22
23 This backend also provides access control based on the .k5login file in
24 the home directory of the user. See k5login(5) for more details. Please
25 note that an empty .k5login file will deny all access to this user. To
26 activate this feature, use 'access_provider = krb5' in your SSSD
27 configuration.
28
29 In the case where the UPN is not available in the identity backend,
30 sssd will construct a UPN using the format username@krb5_realm.
31
33 If the auth-module krb5 is used in an SSSD domain, the following
34 options must be used. See the sssd.conf(5) manual page, section “DOMAIN
35 SECTIONS”, for details on the configuration of an SSSD domain.
36
37 krb5_server, krb5_backup_server (string)
38 Specifies the comma-separated list of IP addresses or hostnames of
39 the Kerberos servers to which SSSD should connect, in the order of
40 preference. For more information on failover and server redundancy,
41 see the “FAILOVER” section. An optional port number (preceded by a
42 colon) may be appended to the addresses or hostnames. If empty,
43 service discovery is enabled; for more information, refer to the
44 “SERVICE DISCOVERY” section.
45
46 When using service discovery for KDC or kpasswd servers, SSSD first
47 searches for DNS entries that specify _udp as the protocol and
48 falls back to _tcp if none are found.
49
50 This option was named “krb5_kdcip” in earlier releases of SSSD.
51 While the legacy name is recognized for the time being, users are
52 advised to migrate their config files to use “krb5_server” instead.
53
54 krb5_realm (string)
55 The name of the Kerberos realm. This option is required and must be
56 specified.
57
58 krb5_kpasswd, krb5_backup_kpasswd (string)
59 If the change password service is not running on the KDC,
60 alternative servers can be defined here. An optional port number
61 (preceded by a colon) may be appended to the addresses or
62 hostnames.
63
64 For more information on failover and server redundancy, see the
65 “FAILOVER” section. NOTE: Even if there are no more kpasswd servers
66 to try, the backend is not switched to operate offline if
67 authentication against the KDC is still possible.
68
69 Default: Use the KDC
70
71 krb5_ccachedir (string)
72 Directory to store credential caches. All the substitution
73 sequences of krb5_ccname_template can be used here, too, except %d
74 and %P. The directory is created as private and owned by the user,
75 with permissions set to 0700.
76
77 Default: /tmp
78
79 krb5_ccname_template (string)
80 Location of the user's credential cache. Three credential cache
81 types are currently supported: “FILE”, “DIR” and
82 “KEYRING:persistent”. The cache can be specified either as
83 TYPE:RESIDUAL, or as an absolute path, which implies the “FILE”
84 type. In the template, the following sequences are substituted:
85
86 %u
87 login name
88
89 %U
90 login UID
91
92 %p
93 principal name
94
95 %r
96 realm name
97
98 %h
99 home directory
100
101 %d
102 value of krb5_ccachedir
103
104 %P
105 the process ID of the SSSD client
106
107 %%
108 a literal '%'
109
110 If the template ends with 'XXXXXX' mkstemp(3) is used to create a
111 unique filename in a safe way.
112
113 When using KEYRING types, the only supported mechanism is
114 “KEYRING:persistent:%U”, which uses the Linux kernel keyring to
115 store credentials on a per-UID basis. This is also the recommended
116 choice, as it is the most secure and predictable method.
117
118 The default value for the credential cache name is sourced from the
119 profile stored in the system wide krb5.conf configuration file in
120 the [libdefaults] section. The option name is default_ccache_name.
121 See krb5.conf(5)'s PARAMETER EXPANSION paragraph for additional
122 information on the expansion format defined by krb5.conf.
123
124 NOTE: Please be aware that libkrb5 ccache expansion template from
125 krb5.conf(5) uses different expansion sequences than SSSD.
126
127 Default: (from libkrb5)
128
129 krb5_keytab (string)
130 The location of the keytab to use when validating credentials
131 obtained from KDCs.
132
133 Default: System keytab, normally /etc/krb5.keytab
134
135 krb5_store_password_if_offline (boolean)
136 Store the password of the user if the provider is offline and use
137 it to request a TGT when the provider comes online again.
138
139 NOTE: this feature is only available on Linux. Passwords stored in
140 this way are kept in plaintext in the kernel keyring and are
141 potentially accessible by the root user (with difficulty).
142
143 Default: false
144
145 krb5_use_fast (string)
146 Enables flexible authentication secure tunneling (FAST) for
147 Kerberos pre-authentication. The following options are supported:
148
149 never use FAST. This is equivalent to not setting this option at
150 all.
151
152 try to use FAST. If the server does not support FAST, continue the
153 authentication without it.
154
155 demand to use FAST. The authentication fails if the server does not
156 require fast.
157
158 Default: not set, i.e. FAST is not used.
159
160 NOTE: a keytab is required to use FAST.
161
162 NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and
163 later. If SSSD is used with an older version of MIT Kerberos, using
164 this option is a configuration error.
165
166 krb5_fast_principal (string)
167 Specifies the server principal to use for FAST.
168
169 krb5_use_kdcinfo (boolean)
170 Specifies if the SSSD should instruct the Kerberos libraries what
171 realm and which KDCs to use. This option is on by default, if you
172 disable it, you need to configure the Kerberos library using the
173 krb5.conf(5) configuration file.
174
175 See the sssd_krb5_locator_plugin(8) manual page for more
176 information on the locator plugin.
177
178 Default: true
179
180 krb5_kdcinfo_lookahead (string)
181 When krb5_use_kdcinfo is set to true, you can limit the amount of
182 servers handed to sssd_krb5_locator_plugin(8). This might be
183 helpful when there are too many servers discovered using SRV
184 record.
185
186 The krb5_kdcinfo_lookahead option contains two numbers separated by
187 a colon. The first number represents number of primary servers used
188 and the second number specifies the number of backup servers.
189
190 For example 10:0 means that up to 10 primary servers will be handed
191 to sssd_krb5_locator_plugin(8) but no backup servers.
192
193 Default: 3:1
194
195 krb5_use_enterprise_principal (boolean)
196 Specifies if the user principal should be treated as enterprise
197 principal. See section 5 of RFC 6806 for more details about
198 enterprise principals.
199
200 Default: false (AD provider: true)
201
202 The IPA provider will set to option to 'true' if it detects that
203 the server is capable of handling enterprise principals and the
204 option is not set explicitly in the config file.
205
206 krb5_use_subdomain_realm (boolean)
207 Specifies to use subdomains realms for the authentication of users
208 from trusted domains. This option can be set to 'true' if
209 enterprise principals are used with upnSuffixes which are not known
210 on the parent domain KDCs. If the option is set to 'true' SSSD will
211 try to send the request directly to a KDC of the trusted domain the
212 user is coming from.
213
214 Default: false
215
216 krb5_map_user (string)
217 The list of mappings is given as a comma-separated list of pairs
218 “username:primary” where “username” is a UNIX user name and
219 “primary” is a user part of a kerberos principal. This mapping is
220 used when user is authenticating using “auth_provider = krb5”.
221
222 example:
223
224 krb5_realm = REALM
225 krb5_map_user = joe:juser,dick:richard
226
227 “joe” and “dick” are UNIX user names and “juser” and “richard” are
228 primaries of kerberos principals. For user “joe” resp. “dick” SSSD
229 will try to kinit as “juser@REALM” resp. “richard@REALM”.
230
231 Default: not set
232
233 krb5_auth_timeout (integer)
234 Timeout in seconds after an online authentication request or change
235 password request is aborted. If possible, the authentication
236 request is continued offline.
237
238 Default: 6
239
240 krb5_validate (boolean)
241 Verify with the help of krb5_keytab that the TGT obtained has not
242 been spoofed. The keytab is checked for entries sequentially, and
243 the first entry with a matching realm is used for validation. If no
244 entry matches the realm, the last entry in the keytab is used. This
245 process can be used to validate environments using cross-realm
246 trust by placing the appropriate keytab entry as the last entry or
247 the only entry in the keytab file.
248
249 Default: false
250
251 krb5_renewable_lifetime (string)
252 Request a renewable ticket with a total lifetime, given as an
253 integer immediately followed by a time unit:
254
255 s for seconds
256
257 m for minutes
258
259 h for hours
260
261 d for days.
262
263 If there is no unit given, s is assumed.
264
265 NOTE: It is not possible to mix units. To set the renewable
266 lifetime to one and a half hours, use '90m' instead of '1h30m'.
267
268 Default: not set, i.e. the TGT is not renewable
269
270 krb5_lifetime (string)
271 Request ticket with a lifetime, given as an integer immediately
272 followed by a time unit:
273
274 s for seconds
275
276 m for minutes
277
278 h for hours
279
280 d for days.
281
282 If there is no unit given s is assumed.
283
284 NOTE: It is not possible to mix units. To set the lifetime to one
285 and a half hours please use '90m' instead of '1h30m'.
286
287 Default: not set, i.e. the default ticket lifetime configured on
288 the KDC.
289
290 krb5_renew_interval (string)
291 The time in seconds between two checks if the TGT should be
292 renewed. TGTs are renewed if about half of their lifetime is
293 exceeded, given as an integer immediately followed by a time unit:
294
295 s for seconds
296
297 m for minutes
298
299 h for hours
300
301 d for days.
302
303 If there is no unit given, s is assumed.
304
305 NOTE: It is not possible to mix units. To set the renewable
306 lifetime to one and a half hours, use '90m' instead of '1h30m'.
307
308 If this option is not set or is 0 the automatic renewal is
309 disabled.
310
311 Default: not set
312
313 krb5_canonicalize (boolean)
314 Specifies if the host and user principal should be canonicalized.
315 This feature is available with MIT Kerberos 1.7 and later versions.
316
317 Default: false
318
320 The failover feature allows back ends to automatically switch to a
321 different server if the current server fails.
322
323 Failover Syntax
324 The list of servers is given as a comma-separated list; any number of
325 spaces is allowed around the comma. The servers are listed in order of
326 preference. The list can contain any number of servers.
327
328 For each failover-enabled config option, two variants exist: primary
329 and backup. The idea is that servers in the primary list are preferred
330 and backup servers are only searched if no primary servers can be
331 reached. If a backup server is selected, a timeout of 31 seconds is
332 set. After this timeout SSSD will periodically try to reconnect to one
333 of the primary servers. If it succeeds, it will replace the current
334 active (backup) server.
335
336 The Failover Mechanism
337 The failover mechanism distinguishes between a machine and a service.
338 The back end first tries to resolve the hostname of a given machine; if
339 this resolution attempt fails, the machine is considered offline. No
340 further attempts are made to connect to this machine for any other
341 service. If the resolution attempt succeeds, the back end tries to
342 connect to a service on this machine. If the service connection attempt
343 fails, then only this particular service is considered offline and the
344 back end automatically switches over to the next service. The machine
345 is still considered online and might still be tried for another
346 service.
347
348 Further connection attempts are made to machines or services marked as
349 offline after a specified period of time; this is currently hard coded
350 to 30 seconds.
351
352 If there are no more machines to try, the back end as a whole switches
353 to offline mode, and then attempts to reconnect every 30 seconds.
354
355 Failover time outs and tuning
356 Resolving a server to connect to can be as simple as running a single
357 DNS query or can involve several steps, such as finding the correct
358 site or trying out multiple host names in case some of the configured
359 servers are not reachable. The more complex scenarios can take some
360 time and SSSD needs to balance between providing enough time to finish
361 the resolution process but on the other hand, not trying for too long
362 before falling back to offline mode. If the SSSD debug logs show that
363 the server resolution is timing out before a live server is contacted,
364 you can consider changing the time outs.
365
366 This section lists the available tunables. Please refer to their
367 description in the sssd.conf(5), manual page.
368
369 dns_resolver_server_timeout
370 Time in milliseconds that sets how long would SSSD talk to a single
371 DNS server before trying next one.
372
373 Default: 1000
374
375 dns_resolver_op_timeout
376 Time in seconds to tell how long would SSSD try to resolve single
377 DNS query (e.g. resolution of a hostname or an SRV record) before
378 trying the next hostname or discovery domain.
379
380 Default: 3
381
382 dns_resolver_timeout
383 How long would SSSD try to resolve a failover service. This service
384 resolution internally might include several steps, such as
385 resolving DNS SRV queries or locating the site.
386
387 Default: 6
388
389 For LDAP-based providers, the resolve operation is performed as part of
390 an LDAP connection operation. Therefore, also the “ldap_opt_timeout”
391 timeout should be set to a larger value than “dns_resolver_timeout”
392 which in turn should be set to a larger value than
393 “dns_resolver_op_timeout” which should be larger than
394 “dns_resolver_server_timeout”.
395
397 The service discovery feature allows back ends to automatically find
398 the appropriate servers to connect to using a special DNS query. This
399 feature is not supported for backup servers.
400
401 Configuration
402 If no servers are specified, the back end automatically uses service
403 discovery to try to find a server. Optionally, the user may choose to
404 use both fixed server addresses and service discovery by inserting a
405 special keyword, “_srv_”, in the list of servers. The order of
406 preference is maintained. This feature is useful if, for example, the
407 user prefers to use service discovery whenever possible, and fall back
408 to a specific server when no servers can be discovered using DNS.
409
410 The domain name
411 Please refer to the “dns_discovery_domain” parameter in the
412 sssd.conf(5) manual page for more details.
413
414 The protocol
415 The queries usually specify _tcp as the protocol. Exceptions are
416 documented in respective option description.
417
418 See Also
419 For more information on the service discovery mechanism, refer to RFC
420 2782.
421
423 The following example assumes that SSSD is correctly configured and FOO
424 is one of the domains in the [sssd] section. This example shows only
425 configuration of Kerberos authentication; it does not include any
426 identity provider.
427
428 [domain/FOO]
429 auth_provider = krb5
430 krb5_server = 192.168.1.1
431 krb5_realm = EXAMPLE.COM
432
433
435 sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
436 sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-
437 recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
438 sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
439 sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5)
440 sssd-systemtap(5)
441
443 The SSSD upstream - https://github.com/SSSD/sssd/
444
445
446
447SSSD 11/08/2021 SSSD-KRB5(5)