SSSD\-KRB5Section: File Formats and Conventions (5)
Index Return to Main Contents
NAMEsssd-krb5 - the configuration file for SSSD
This manual page describes the configuration of the Kerberos 5 authentication backend for sssd(8). For a detailed syntax reference, please refer to the lqFILE FORMATrq section of the sssd.conf(5) manual page
The Kerberos 5 authentication backend contains auth and chpass providers. It must be paired with identity provider in order to function properly (for example, id_provider = ldap). Some information required by the Kerberos 5 authentication backend must be provided by the identity provider, such as the user's Kerberos Principal Name (UPN). The configuration of the identity provider should have an entry to specify the UPN. Please refer to the man page for the applicable identity provider for details on how to configure this.
This backend also provides access control based on the .k5login file in the home directory of the user. See .k5login(5) for more details. Please note that an empty .k5login file will deny all access to this user. To activate this feature use 'access_provider = krb5' in your sssd configuration.
If the auth-module krb5 is used in a SSSD domain, the following options must be used. See the sssd.conf(5) manual page, section lqDOMAIN SECTIONSrq for details on the configuration of a SSSD domain.
Specifies the comma-separated list of IP addresses or hostnames of the Kerberos servers to which SSSD should connect in the order of preference. For more information on failover and server redundancy, see the
section. An optional port number (preceded by a colon) may be appended to the addresses or hostnames. If empty, service discovery is enabled - for more information, refer to the
When using service discovery for KDC or kpasswd servers, SSSD first searches for DNS entries that specify _udp as the protocol and falls back to _tcp if none are found.
This option was named lqkrb5_kdciprq in earlier releases of SSSD. While the legacy name is recognized for the time being, users are advised to migrate their config files to use lqkrb5_serverrq instead.
- The name of the Kerberos realm. This option is required and must be specified.
If the change password service is not running on the KDC alternative servers can be defined here. An optional port number (preceded by a colon) may be appended to the addresses or hostnames.
For more information on failover and server redundancy, see the lqFAILOVERrq section. Please note that even if there are no more kpasswd servers to try the back end is not switch to offline if authentication against the KDC is still possible.
Default: Use the KDC
Directory to store credential caches. All the substitution sequences of krb5_ccname_template can be used here, too, except %d and %P. If the directory does not exist it will be created. If %u, %U, %p or %h are used a private directory belonging to the user is created. Otherwise a public directory with restricted deletion flag (aka sticky bit, see
for details) is created.
Location of the user's credential cache. Currently only file based credential caches are supported. In the template the following sequences are substituted:
- login name
- login UID
- principal name
- realm name
- home directory
- value of krb5ccache_dir
- the process ID of the sssd client
- a literal '%'
If the template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe way.
Timeout in seconds after an online authentication or change password request is aborted. If possible the authentication request is continued offline.
Verify with the help of krb5_keytab that the TGT obtained has not been spoofed.
The location of the keytab to use when validating credentials obtained from KDCs.
Store the password of the user if the provider is offline and use it to request a TGT when the provider gets online again.
Please note that this feature currently only available on a Linux platform. Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty).
Request a renewable ticket with a total lifetime given by an integer immediately followed by one of the following delimiters:
If there is no delimiter s is assumed.
Please note that it is not possible to mix units. If you want to set the renewable lifetime to one and a half hours please use '90m' instead of '1h30m'.
Default: not set, i.e. the TGT is not renewable
Request ticket with a with a lifetime given by an integer immediately followed by one of the following delimiters:
If there is no delimiter s is assumed.
Please note that it is not possible to mix units. If you want to set the lifetime to one and a half hours please use '90m' instead of '1h30m'.
Default: not set, i.e. the default ticket lifetime configured on the KDC.
The time in seconds between two checks if the TGT should be renewed. TGTs are renewed if about half of their lifetime is exceeded.
If this option is not set or 0 the automatic renewal is disabled.
Default: not set
Enables flexible authentication secure tunneling (FAST) for Kerberos pre-authentication. The following options are supported:
never use FAST, this is equivalent to not set this option at all.
try to use FAST, if the server does not support fast continue without.
demand to use FAST, fail if the server does not require fast.
Default: not set, i.e. FAST is not used.
Please note that a keytab is required to use fast.
Please note also that sssd supports fast only with MIT Kerberos version 1.8 and above. If sssd used with an older version using this option is a configuration error.
- Specifies the server principal to use for FAST.
Specifies if the host and user principal should be canonicalized. This feature is available with MIT Kerberos >= 1.7
The Failover Mechanism
The failover mechanism distinguishes between a machine and a service. The back end first tries to resolve the hostname of a given machine; if this resolution attempt fails, the machine is considered offline. No further attempts are made to connect to this machine for any other service. If the resolution attempt succeeds, the back end tries to connect to a service on this machine. If the service connection attempt fails, then only this particular service is considered offline and the back end automatically switches over to the next service. The machine is still considered online and might still be tried for another service.
Further connection attempts are made to machines or services marked as offline after a specified period of time; this is currently hard coded to 30 seconds.
If no servers are specified, the back end automatically uses service discovery to try to find a server. Optionally, the user may choose to use both fixed server addresses and service discovery by inserting a special keyword, lq_srv_rq, in the list of servers. The order of preference is maintained. This feature is useful if, for example, the user prefers to use service discovery whenever possible, and fall back to a specific server when no servers can be discovered using DNS.
The domain name
Please refer to the lqdns_discovery_domainrq parameter in the sssd.conf(5) manual page for more details.
The following example assumes that SSSD is correctly configured and FOO is one of the domains in the [sssd] section. This example shows only configuration of Kerberos authentication, it does not include any identity provider.
[domain/FOO] auth_provider = krb5 krb5_server = 192.168.1.1 krb5_realm = EXAMPLE.COM
The SSSD upstream - http://fedorahosted.org/sssd
- CONFIGURATION OPTIONS
- SERVICE DISCOVERY
- SEE ALSO
This document was created by man2html, using the manual pages.
Time: 05:34:00 GMT, December 24, 2015