1PAM_SSS_GSS(8)                 SSSD Manual pages                PAM_SSS_GSS(8)
2
3
4

NAME

6       pam_sss_gss - PAM module for SSSD GSSAPI authentication
7

SYNOPSIS

9       pam_sss_gss.so [debug]
10

DESCRIPTION

12       pam_sss_gss.so authenticates user over GSSAPI in cooperation with SSSD.
13
14       This module will try to authenticate the user using the GSSAPI
15       hostbased service name host@hostname which translates to
16       host/hostname@REALM Kerberos principal. The REALM part of the Kerberos
17       principal name is derived by Kerberos internal mechanisms and it can be
18       set explicitly in configuration of [domain_realm] section in
19       /etc/krb5.conf.
20
21       SSSD is used to provide desired service name and to validate the user's
22       credentials using GSSAPI calls. If the service ticket is already
23       present in the Kerberos credentials cache or if user's ticket granting
24       ticket can be used to get the correct service ticket then the user will
25       be authenticated.
26
27       If pam_gssapi_check_upn is True (default) then SSSD requires that the
28       credentials used to obtain the service tickets can be associated with
29       the user. This means that the principal that owns the Kerberos
30       credentials must match with the user principal name as defined in LDAP.
31
32       To enable GSSAPI authentication in SSSD, set pam_gssapi_services option
33       in [pam] or domain section of sssd.conf. The service credentials need
34       to be stored in SSSD's keytab (it is already present if you use ipa or
35       ad provider). The keytab location can be set with krb5_keytab option.
36       See sssd.conf(5) and sssd-krb5(5) for more details on these options.
37
38       Some Kerberos deployments allow to associate authentication indicators
39       with a particular pre-authentication method used to obtain the ticket
40       granting ticket by the user.  pam_sss_gss.so allows to enforce presence
41       of authentication indicators in the service tickets before a particular
42       PAM service can be accessed.
43
44       If pam_gssapi_indicators_map is set in the [pam] or domain section of
45       sssd.conf, then SSSD will perform a check of the presence of any
46       configured indicators in the service ticket.
47

OPTIONS

49       debug
50           Print debugging information.
51

MODULE TYPES PROVIDED

53       Only the auth module type is provided.
54

RETURN VALUES

56       PAM_SUCCESS
57           The PAM operation finished successfully.
58
59       PAM_USER_UNKNOWN
60           The user is not known to the authentication service or the GSSAPI
61           authentication is not supported.
62
63       PAM_AUTH_ERR
64           Authentication failure.
65
66       PAM_AUTHINFO_UNAVAIL
67           Unable to access the authentication information. This might be due
68           to a network or hardware failure.
69
70       PAM_SYSTEM_ERR
71           A system error occurred. The SSSD log files may contain additional
72           information about the error.
73

EXAMPLES

75       The main use case is to provide password-less authentication in sudo
76       but without the need to disable authentication completely. To achieve
77       this, first enable GSSAPI authentication for sudo in sssd.conf:
78
79           [domain/MYDOMAIN]
80           pam_gssapi_services = sudo, sudo-i
81
82
83       And then enable the module in desired PAM stack (e.g. /etc/pam.d/sudo
84       and /etc/pam.d/sudo-i).
85
86           ...
87           auth sufficient pam_sss_gss.so
88           ...
89
90

TROUBLESHOOTING

92       SSSD logs, pam_sss_gss debug output and syslog may contain helpful
93       information about the error. Here are some common issues:
94
95       1. I have KRB5CCNAME environment variable set and the authentication
96       does not work: Depending on your sudo version, it is possible that sudo
97       does not pass this variable to the PAM environment. Try adding
98       KRB5CCNAME to env_keep in /etc/sudoers or in your LDAP sudo rules
99       default options.
100
101       2. Authentication does not work and syslog contains "Server not found
102       in Kerberos database": Kerberos is probably not able to resolve correct
103       realm for the service ticket based on the hostname. Try adding the
104       hostname directly to [domain_realm] in /etc/krb5.conf like so:
105
106       3. Authentication does not work and syslog contains "No Kerberos
107       credentials available": You don't have any credentials that can be used
108       to obtain the required service ticket. Use kinit or authenticate over
109       SSSD to acquire those credentials.
110
111       4. Authentication does not work and SSSD sssd-pam log contains "User
112       with UPN [$UPN] was not found." or "UPN [$UPN] does not match target
113       user [$username].": You are using credentials that can not be mapped to
114       the user that is being authenticated. Try to use kswitch to select
115       different principal, make sure you authenticated with SSSD or consider
116       disabling pam_gssapi_check_upn.
117
118           [domain_realm]
119           .myhostname = MYREALM
120
121

SEE ALSO

123       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
124       sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-
125       recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8),
126       sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8),
127       sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8).  sss_rpcidmapd(5)
128       sssd-systemtap(5)
129

AUTHORS

131       The SSSD upstream - https://github.com/SSSD/sssd/
132
133
134
135SSSD                              11/08/2021                    PAM_SSS_GSS(8)
Impressum