SSSD_KRB5_LOCATOR_PL(8)        SSSD Manual pages       SSSD_KRB5_LOCATOR_PL(8)

NAME

       sssd_krb5_locator_plugin - Kerberos locator plugin

DESCRIPTION

       The Kerberos locator plugin sssd_krb5_locator_plugin is used by libkrb5
       to find KDCs for a given Kerberos realm. SSSD provides such a plugin to
       guide all Kerberos clients on a system to a single KDC. In general it
       should not matter which KDC a client process is talking to. But
       there are cases, e.g. after a password change, where not all KDCs are
       in the same state because the new data has to be replicated first. To
       avoid unexpected authentication failures and possibly even account
       lockouts, it is best to talk to a single KDC for as long as possible.

       libkrb5 will search for the locator plugin in the libkrb5 sub-directory
       of the Kerberos plugin directory, see plugin_base_dir in krb5.conf(5)
       for details. The plugin can only be disabled by removing the plugin
       file. There is no option in the Kerberos configuration to disable it.
       But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to
       disable the plugin for individual commands. Alternatively the SSSD
       option krb5_use_kdcinfo=False can be used to not generate the data
       needed by the plugin. With this the plugin is still called but will
       provide no data to the caller so that libkrb5 can fall back to other
       methods defined in krb5.conf.

       The plugin reads the information about the KDCs of a given realm from a
       file called kdcinfo.REALM. The file should contain one or more DNS
       names or IP addresses either in dotted-decimal IPv4 notation or the
       hexadecimal IPv6 notation. An optional port number can be added to the
       end, separated by a colon; in this case an IPv6 address has to be
       enclosed in square brackets, as usual. Valid entries are:

       •   kdc.example.com

       •   kdc.example.com:321

       •   1.2.3.4

       •   5.6.7.8:99

       •   2001:db8:85a3::8a2e:370:7334

       •   [2001:db8:85a3::8a2e:370:7334]:321

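       The entry forms listed above can be checked with a small parser. The
       following is an added example, not code from SSSD or from the plugin;
       the function names are hypothetical and the sample input is constructed
       from the entries above.

```python
import ipaddress

# Constructed sample: the valid entries listed above, one per line.
SAMPLE = """kdc.example.com
kdc.example.com:321
1.2.3.4
5.6.7.8:99
2001:db8:85a3::8a2e:370:7334
[2001:db8:85a3::8a2e:370:7334]:321
"""

def _port(text):
    # Accept only a decimal port in the range 1-65535.
    if not text.isdecimal() or not 0 < int(text) <= 65535:
        raise ValueError("invalid port: %r" % text)
    return int(text)

def parse_kdcinfo_entry(entry):
    """Return (host, port); port is None when the entry names none."""
    entry = entry.strip()
    if entry.startswith("["):
        # Bracketed IPv6 address, normally followed by ":port".
        addr, close, rest = entry[1:].partition("]")
        if not close:
            raise ValueError("missing closing bracket: %r" % entry)
        ipaddress.IPv6Address(addr)  # raises ValueError if malformed
        if rest and not rest.startswith(":"):
            raise ValueError("junk after bracket: %r" % entry)
        # Assumption of this example: brackets without a port are tolerated.
        return addr, (_port(rest[1:]) if rest else None)
    if entry.count(":") >= 2:
        # Unbracketed text with several colons can only be a bare IPv6
        # address: a trailing ":321" would be read as an address group.
        ipaddress.IPv6Address(entry)
        return entry, None
    host, colon, port = entry.partition(":")
    if not host:
        raise ValueError("missing host: %r" % entry)
    return host, (_port(port) if colon else None)

def parse_kdcinfo(text):
    """Parse every non-blank line of a kdcinfo.REALM file's content."""
    return [parse_kdcinfo_entry(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    for host, port in parse_kdcinfo(SAMPLE):
        print(host, port)
```
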
       SSSD's krb5 auth-provider, which is also used by the IPA and AD
       providers, adds the address of the current KDC or domain controller
       SSSD is using to this file.

       In environments with read-only and read-write KDCs, where clients are
       expected to use the read-only instances for general operations and
       only the read-write KDC for config changes like password changes, a
       kpasswdinfo.REALM file is used as well to identify read-write KDCs. If
       this file exists for the given realm, its content will be used by the
       plugin to reply to requests for a kpasswd or kadmin server or for the
       MIT Kerberos specific master KDC. If the address contains a port number
       the default KDC port 88 will be used for the latter.

NOTES

       Not all Kerberos implementations support the use of plugins. If
       sssd_krb5_locator_plugin is not available on your system you have to
       edit /etc/krb5.conf to reflect your Kerberos setup.

       If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value,
       debug messages will be sent to stderr.

       If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any
       value, the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE
       to the caller.

       If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is
       set to any value, the plugin will try to resolve all DNS names in the
       kdcinfo file. By default the plugin returns KRB5_PLUGIN_NO_HANDLE to the
       caller immediately on the first DNS resolution failure.

SEE ALSO

       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5),
       sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5),
       sssd-session-recording(5), sss_cache(8), sss_debuglevel(8),
       sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8),
       sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5),
       pam_sss(8), sss_rpcidmapd(5), sssd-systemtap(5)

AUTHORS

       The SSSD upstream - https://github.com/SSSD/sssd/

SSSD                              07/04/2022           SSSD_KRB5_LOCATOR_PL(8)