sssd-krb5.5.xml revision 0373e15d34ed1a21b8ce41b42e0d738b3d48d3c8
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
    <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
        <refpurpose>the configuration file for SSSD</refpurpose>
    </refnamediv>
            This manual page describes the configuration of the Kerberos
            5 authentication backend for
            <citerefentry>
            </citerefentry>.
            For a detailed syntax reference, please refer to the <quote>FILE FORMAT</quote> section of the
            <citerefentry>
            </citerefentry> manual page.
            The Kerberos 5 authentication backend contains auth and chpass
            providers. It must be paired with an identity provider in
            order to function properly (for example, id_provider = ldap). Some
            information required by the Kerberos 5 authentication backend must
            be provided by the identity provider, such as the user's Kerberos
            principal name (UPN). The configuration of the identity provider
            should have an entry to specify the UPN. Please refer to the man
            page for the applicable identity provider for details on how to
            configure this.
            This backend also provides access control based on the .k5login
            file in the home directory of the user. See <citerefentry>
            <refentrytitle>.k5login</refentrytitle><manvolnum>5</manvolnum>
            </citerefentry> for more details. Please note that an empty .k5login
            file denies all access to this user. To activate this feature
            use 'access_provider = krb5' in your sssd configuration.
            In the case where the UPN is not available in the identity backend,
            <command>sssd</command> will construct a UPN using the format
            <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>.
            If the auth-module krb5 is used in an SSSD domain, the following
            options apply. See the
            <citerefentry>
            </citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>
            for details on the configuration of an SSSD domain.
        <variablelist>
            <varlistentry>
                        Specifies the list of IP addresses or hostnames
                        of the Kerberos servers to which SSSD should
                        connect, in order of preference. For more
                        information on failover and server redundancy,
                        see the <quote>FAILOVER</quote> section. An optional
                        port number (preceded by a colon) may be appended to
                        the addresses or hostnames.
                        If empty, service discovery is enabled -
                        for more information, refer to the
                        When using service discovery for KDC or kpasswd servers,
                        SSSD first searches for DNS entries that specify _udp as
                        the protocol and falls back to _tcp if none are found.
                        This option was named <quote>krb5_kdcip</quote> in
                        earlier releases of SSSD. While the legacy name is recognized
                        for the time being, users are advised to migrate their config
                        files to use <quote>krb5_server</quote> instead.
            </varlistentry>
            <varlistentry>
                        The name of the Kerberos realm. This option is required
                        and must be specified.
            </varlistentry>
            <varlistentry>
                        If the change password service is not running on the
                        KDC, alternative servers can be defined here. An
                        optional port number (preceded by a colon) may be
                        appended to the addresses or hostnames.
                        For more information on failover and server
                        redundancy, see the <quote>FAILOVER</quote> section.
                        Please note that even if there are no more kpasswd
                        servers to try, the back end does not switch to offline
                        mode if authentication against the KDC is still possible.
                        Default: Use the KDC
            </varlistentry>
            <varlistentry>
                        Directory to store credential caches. All the
                        substitution sequences of krb5_ccname_template can
                        be used here, too, except %d and %P. If the
                        directory does not exist it will be created. If %u,
                        %U, %p or %h are used, a private directory belonging
                        to the user is created. Otherwise a public directory
                        with the restricted deletion flag (aka sticky bit, see
                        <citerefentry>
                        </citerefentry> for details) is created.
                        Default: /tmp
            </varlistentry>
            <varlistentry>
                        Location of the user's credential cache. Currently
                        only file-based credential caches are supported. In
                        the template the following sequences are
                        substituted:
                        <variablelist>
                            <varlistentry>
                            </varlistentry>
                            <varlistentry>
                            </varlistentry>
                            <varlistentry>
                            </varlistentry>
                            <varlistentry>
                            </varlistentry>
                            <varlistentry>
                            </varlistentry>
                            <varlistentry>
                            </varlistentry>
                            <varlistentry>
                                client</para>
                            </varlistentry>
                            <varlistentry>
                            </varlistentry>
                        </variablelist>
                        If the template ends with 'XXXXXX', mkstemp(3) is
                        used to create a unique filename in a safe way.
            </varlistentry>
            <varlistentry>
                        Timeout in seconds after which an online authentication or
                        change-password request is aborted. If possible, the
                        authentication request is continued offline.
            </varlistentry>
            <varlistentry>
                        Verify, using the key in krb5_keytab, that the TGT obtained
                        was issued by the genuine KDC and has not been spoofed.
                        Default: false
            </varlistentry>
            <varlistentry>
                        The location of the keytab to use when validating
                        credentials obtained from KDCs.
            </varlistentry>
            <varlistentry>
                <term>krb5_store_password_if_offline (boolean)</term>
                        Store the password of the user if the provider is
                        offline and use it to request a TGT when the
                        provider gets online again.
                        Please note that this feature is currently
                        available only on Linux.
                        Default: false
            </varlistentry>
            <varlistentry>
                        Request a renewable ticket with a total
                        lifetime given by an integer immediately followed
                        by one of the following delimiters:
                        If there is no delimiter <emphasis>s</emphasis> is
                        Please note that it is not possible to mix units.
                        If you want to set the renewable lifetime to one
                        and a half hours please use '90m' instead of
                        Default: not set, i.e. the TGT is not renewable
            </varlistentry>
            <varlistentry>
                        Request a ticket with a lifetime given by an
                        integer immediately followed by one of the following
                        If there is no delimiter <emphasis>s</emphasis> is
                        Please note that it is not possible to mix units.
                        If you want to set the lifetime to one and a half
                        hours please use '90m' instead of '1h30m'.
                        Default: not set, i.e. the default ticket lifetime
                        configured on the KDC.
            </varlistentry>
            <varlistentry>
                        The time in seconds between two checks of whether the TGT
                        should be renewed. TGTs are renewed if about half
                        of their lifetime is exceeded.
                        If this option is not set or 0, automatic
                        renewal is disabled.
                        Default: not set
            </varlistentry>
            <varlistentry>
                        Enables flexible authentication secure tunneling
                        (FAST) for Kerberos pre-authentication. The
                        following options are supported:
                        equivalent to not setting this option at all.
                        <emphasis>try</emphasis> to use FAST; if the server
                        does not support FAST, continue without it.
                        <emphasis>demand</emphasis> to use FAST; fail if the
                        server does not support FAST.
                        Default: not set, i.e. FAST is not used.
                        Please note that a keytab is required to use FAST.
                        Please note also that sssd supports FAST only with
                        MIT Kerberos version 1.8 and above. If sssd is
                        used with an older version, using this option is a
                        configuration error.
            </varlistentry>
        </variablelist>
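        <para>
            The two rules given above for krb5_ccachedir (a private directory when
            %u, %U, %p or %h appear in it, otherwise a shared directory carrying the
            sticky bit) and for krb5_ccname_template (mkstemp(3) when the name ends in
            XXXXXX) are easiest to see on disk. The following Python script is an
            example added to this page, not code from SSSD; it works in a scratch
            directory instead of the real /tmp, and the meanings it assigns to the
            substitution sequences (%u user name, %U UID, %p principal, %h home
            directory, %d the expanded cache directory, %P client PID, %% a literal
            percent sign) are assumptions, since the page's own list of sequences is
            not reproduced here.
        </para>

```python
"""Added example for this page (not SSSD's own code): apply the
krb5_ccachedir / krb5_ccname_template rules described above to a scratch
directory so the resulting permissions can be inspected.

Assumed (not stated on the page): %u = user name, %U = numeric UID,
%p = principal, %h = home directory, %d = the expanded krb5_ccachedir,
%P = PID of the SSSD client, %% = a literal percent sign."""
import os
import stat
import tempfile

# per the page, any of these in krb5_ccachedir makes the directory user-private
PRIVATE_SEQUENCES = ("%u", "%U", "%p", "%h")
# per the page, these two sequences are not allowed in krb5_ccachedir
DIR_FORBIDDEN = ("%d", "%P")


def expand(template, values):
    """Expand %x sequences; `values` maps the letter after % to its text."""
    out, i = [], 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        if i + 1 == len(template):
            raise ValueError("dangling '%' at end of template")
        key = template[i + 1]
        if key == "%":
            out.append("%")
        elif key in values:
            out.append(str(values[key]))
        else:
            raise ValueError(f"unknown sequence %{key}")
        i += 2
    return "".join(out)


def valid_ccachedir_template(template):
    """False when the template uses a sequence the page forbids for the directory."""
    return not any(seq in template for seq in DIR_FORBIDDEN)


def is_private(ccachedir_template):
    """True when the cache directory belongs to a single user."""
    return any(seq in ccachedir_template for seq in PRIVATE_SEQUENCES)


def ensure_ccachedir(ccachedir_template, values, root):
    """Create the cache directory as the page describes: mode 0700 when it
    is user-private, otherwise world-writable with the restricted-deletion
    (sticky) bit so users cannot remove each other's caches.  `root` is
    prepended so the example never touches the real /tmp."""
    if not valid_ccachedir_template(ccachedir_template):
        raise ValueError("%d and %P are not allowed in krb5_ccachedir")
    path = os.path.join(root, expand(ccachedir_template, values).lstrip("/"))
    os.makedirs(path, exist_ok=True)
    os.chmod(path, 0o700 if is_private(ccachedir_template) else 0o1777)
    return path


def create_ccache(ccname_template, ccachedir_template, values, root):
    """Create the cache file.  A template ending in XXXXXX goes through
    mkstemp so the name is unique and the file is created atomically with
    mode 0600; any other name is created with O_EXCL so an existing file
    (for example one planted by another user in a shared directory) is
    never silently reused."""
    ccachedir = ensure_ccachedir(ccachedir_template, values, root)
    name = expand(ccname_template, {**values, "d": ccachedir, "P": os.getpid()})
    if name.startswith("FILE:"):
        name = name[len("FILE:"):]
    if name.endswith("XXXXXX"):
        fd, path = tempfile.mkstemp(prefix=os.path.basename(name)[:-6],
                                    dir=os.path.dirname(name))
    else:
        path = name
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return path


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Run the shared-/tmp case and the per-user case; report paths and modes."""
    root = tempfile.mkdtemp(prefix="sssd-ccache-demo-")
    values = {"u": "alice", "U": 1000, "p": "alice@EXAMPLE.COM", "h": "/home/alice"}
    shared = create_ccache("FILE:%d/krb5cc_%U_XXXXXX", "/tmp", values, root)
    private = create_ccache("FILE:%d/krb5cc_%U", "/var/tmp/%u", values, root)
    return {
        "root": root,
        "shared_dir_mode": _mode(os.path.dirname(shared)),
        "shared_ccache": shared,
        "shared_ccache_mode": _mode(shared),
        "private_dir_mode": _mode(os.path.dirname(private)),
        "private_ccache": private,
        "private_ccache_mode": _mode(private),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

        <para>
            Run directly, the shared case yields a 01777 directory holding a 0600
            cache created through mkstemp, and the per-user case a 0700 directory;
            a fixed file name is opened with O_EXCL so a pre-existing file in a
            shared directory is never reused.
        </para>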
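        <para>
            The duration format shared by krb5_renewable_lifetime and krb5_lifetime
            (an integer followed by at most one unit letter, seconds when there is
            none, no mixing of units) and the renewal rule behind krb5_renew_interval
            (renew once about half the lifetime has elapsed; disabled when unset or 0)
            can be exercised with the following Python example. It is added to this
            page and is not SSSD code; the set of unit letters it accepts (s, m, h, d)
            is an assumption, since the page's delimiter list is not reproduced here.
        </para>

```python
"""Added example for this page (not SSSD's own code): parse the duration
strings krb5_lifetime and krb5_renewable_lifetime accept, as the page
describes them, and model the krb5_renew_interval check.

Assumed (the page's own delimiter list is not reproduced here): the unit
letters are s, m, h and d; a bare integer is taken as seconds."""
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# one integer, at most one unit letter: '90m' matches, '1h30m' does not
_DURATION = re.compile(r"^(\d+)([smhd]?)$")


def parse_lifetime(text):
    """Return the lifetime in seconds; raise ValueError for mixed units or
    anything else that is not <integer>[s|m|h|d]."""
    m = _DURATION.match(text.strip())
    if m is None:
        raise ValueError(
            f"invalid lifetime {text!r}: use <integer>[s|m|h|d]; units cannot be "
            "mixed (write '90m', not '1h30m')")
    value, unit = m.groups()
    return int(value) * UNIT_SECONDS[unit or "s"]


def is_valid_lifetime(text):
    """Boolean form of parse_lifetime for quick configuration checks."""
    try:
        parse_lifetime(text)
    except ValueError:
        return False
    return True


def renewal_due(issued_at, lifetime_s, now):
    """The page: a TGT is renewed once about half its lifetime has passed."""
    return now - issued_at >= lifetime_s / 2


def first_renewal(issued_at, lifetime_s, renew_interval_s, first_check_at):
    """Walk the periodic check that runs every krb5_renew_interval seconds
    and return the time of the first check that renews the ticket, or None
    when the interval is 0/unset (automatic renewal disabled) or the
    ticket expires before a check ever finds it due."""
    if not renew_interval_s:
        return None
    expiry = issued_at + lifetime_s
    t = first_check_at
    while t < expiry:
        if renewal_due(issued_at, lifetime_s, t):
            return t
        t += renew_interval_s
    return None


if __name__ == "__main__":
    life = parse_lifetime("10h")
    print("10h =", life, "seconds")
    print("first renewal with a 3600s interval at t =", first_renewal(0, life, 3600, 3600))
    print("'1h30m' valid?", is_valid_lifetime("1h30m"))
```

        <para>
            With a ten-hour ticket and an hourly check, the renewal fires at the
            first check on or after the five-hour mark; with the interval at 0 no
            check ever runs, matching the option's documented default.
        </para>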
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />
            The following example assumes that SSSD is correctly
            configured and FOO is one of the domains in the
            <replaceable>[sssd]</replaceable> section. This example shows
            only the configuration of Kerberos authentication; it does not include
            any identity provider.
<programlisting>
    [domain/FOO]
    auth_provider = krb5
    krb5_server = 192.168.1.1
</programlisting>
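        <para>
            The listing above is the minimum the page shows; it does not even carry
            the krb5_realm that the options section calls required. The following
            Python script, added to this page and not part of SSSD, reads a sssd.conf
            domain section with configparser and reports the settings documented
            above that a reviewer would flag: no krb5_realm, the legacy krb5_kdcip
            name, krb5_validate off, no FAST, krb5_store_password_if_offline on, a
            shared krb5_ccachedir, and a krb5_renew_interval without a renewable
            ticket. WEAK_CONF is a constructed extension of the listing; HARDENED_CONF
            is a constructed counterpart whose realm, host names and paths
            (EXAMPLE.COM, kdc1.example.com, kdc2.example.com, /etc/krb5.keytab,
            /run/user/%U) are placeholders, not values from the page.
        </para>

```python
"""Added example for this page (not SSSD's own code): check a sssd.conf
domain section against the krb5 options documented above and report the
settings a reviewer would flag.  WEAK_CONF is a constructed copy of the
page's example; HARDENED_CONF is a constructed counterpart whose realm,
host names and paths are placeholders."""
import configparser

# per the page, any of these in krb5_ccachedir makes the directory user-private
PRIVATE_SEQUENCES = ("%u", "%U", "%p", "%h")

WEAK_CONF = """\
[sssd]
domains = FOO
services = nss, pam

[domain/FOO]
id_provider = ldap
auth_provider = krb5
krb5_kdcip = 192.168.1.1
krb5_store_password_if_offline = true
krb5_renew_interval = 600
"""

HARDENED_CONF = """\
[sssd]
domains = FOO
services = nss, pam

[domain/FOO]
id_provider = ldap
auth_provider = krb5
krb5_server = kdc1.example.com:88, kdc2.example.com
krb5_realm = EXAMPLE.COM
krb5_validate = true
krb5_keytab = /etc/krb5.keytab
krb5_use_fast = demand
krb5_ccachedir = /run/user/%U
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 3600
"""


def audit_krb5_domain(conf_text, domain):
    """Return a list of findings for [domain/<domain>]; an empty list is clean."""
    cp = configparser.ConfigParser(interpolation=None)  # values contain '%'
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]

    def opt(name, default=""):
        return sec.get(name, default).strip()

    findings = []
    if opt("auth_provider") != "krb5":
        return [f"auth_provider is {opt('auth_provider') or 'unset'}, not krb5; nothing to check"]
    if not opt("krb5_realm"):
        findings.append("krb5_realm is missing but required by the krb5 auth provider")
    if "krb5_kdcip" in sec:
        findings.append("krb5_kdcip is the legacy name; rename it to krb5_server")
    if not (opt("krb5_server") or opt("krb5_kdcip")):
        findings.append("krb5_server is empty: KDCs come from DNS service discovery; "
                        "pair this with krb5_validate so a wrong KDC is detected")
    if opt("krb5_validate").lower() != "true":
        findings.append("krb5_validate is off: the TGT is not checked against the keytab, "
                        "so a spoofed KDC is not detected")
    elif not opt("krb5_keytab"):
        findings.append("krb5_validate is on without krb5_keytab: the default keytab is used")
    if opt("krb5_use_fast").lower() not in ("try", "demand"):
        findings.append("krb5_use_fast is not set: pre-authentication is not protected by FAST")
    if opt("krb5_store_password_if_offline").lower() == "true":
        findings.append("krb5_store_password_if_offline is on: sssd holds the user's "
                        "password while the provider is offline")
    ccachedir = opt("krb5_ccachedir") or "/tmp"   # page: the default is /tmp
    if not any(seq in ccachedir for seq in PRIVATE_SEQUENCES):
        findings.append(f"krb5_ccachedir is {ccachedir}: a shared sticky-bit directory, "
                        "not a per-user private one")
    if opt("krb5_renew_interval") not in ("", "0") and not opt("krb5_renewable_lifetime"):
        findings.append("krb5_renew_interval is set but krb5_renewable_lifetime is not: "
                        "the TGT is not renewable, so nothing is ever renewed")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}:")
        for finding in audit_krb5_domain(conf, "FOO") or ["no findings"]:
            print("  -", finding)
```

        <para>
            The weak configuration produces seven findings, the hardened one none.
            The checks only restate what the option descriptions above say; they are
            a starting point for a configuration review, not a substitute for testing
            authentication against the real KDC.
        </para>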
        <citerefentry>
            <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
        </citerefentry>,
        <citerefentry>
            <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
        </citerefentry>,
        <citerefentry>
            <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
        </citerefentry>