sssd-krb5.5.xml revision 1091c0ae2f1596ceb161e5b765a91c23c413b369
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
<reference>
<title>SSSD Manual pages</title>
<refentry>
<refmeta>
<refentrytitle>sssd-krb5</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>sssd-krb5</refname>
<refpurpose>the configuration file for SSSD</refpurpose>
</refnamediv>
<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
This manual page describes the configuration of the Kerberos
5 authentication backend for
<citerefentry>
<refentrytitle>sssd</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>.
For a detailed syntax reference, please refer to the <quote>FILE FORMAT</quote> section of the
<citerefentry>
<manvolnum>5</manvolnum>
</citerefentry> manual page.
</para>
<para>
The Kerberos 5 authentication backend contains auth and chpass
providers. It must be paired with an identity provider in
order to function properly (for example, id_provider = ldap). Some
information required by the Kerberos 5 authentication backend must
be provided by the identity provider, such as the user's Kerberos
Principal Name (UPN). The configuration of the identity provider
should have an entry to specify the UPN. Please refer to the man
page for the applicable identity provider for details on how to
configure this.
</para>
<para>
This backend also provides access control based on the .k5login
file in the home directory of the user. See <citerefentry>
<refentrytitle>.k5login</refentrytitle><manvolnum>5</manvolnum>
</citerefentry> for more details. Please note that an empty .k5login
file will deny all access to this user. To activate this feature,
use 'access_provider = krb5' in your SSSD configuration.
</para>
<para>
In the case where the UPN is not available in the identity backend,
<command>sssd</command> will construct a UPN using the format
<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>.
</para>
</refsect1>
<refsect1 id='file-format'>
<title>CONFIGURATION OPTIONS</title>
<para>
If the auth-module krb5 is used in an SSSD domain, the following
options must be used. See the
<citerefentry>
<manvolnum>5</manvolnum>
</citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>,
for details on the configuration of an SSSD domain.
<variablelist>
<varlistentry>
<term>krb5_server, krb5_backup_server (string)</term>
<listitem>
<para>
Specifies the comma-separated list of IP addresses or hostnames
of the Kerberos servers to which SSSD should
connect, in the order of preference. For more
information on failover and server redundancy,
see the <quote>FAILOVER</quote> section. An optional
port number (preceded by a colon) may be appended to
the addresses or hostnames.
If empty, service discovery is enabled;
for more information, refer to the
<quote>SERVICE DISCOVERY</quote> section.
</para>
<para>
When using service discovery for KDC or kpasswd servers,
SSSD first searches for DNS entries that specify _udp as
the protocol and falls back to _tcp if none are found.
</para>
<para>
This option was named <quote>krb5_kdcip</quote> in
earlier releases of SSSD. While the legacy name is recognized
for the time being, users are advised to migrate their config
files to use <quote>krb5_server</quote> instead.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_realm (string)</term>
<listitem>
<para>
The name of the Kerberos realm. This option is required
and must be specified.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_kpasswd, krb5_backup_kpasswd (string)</term>
<listitem>
<para>
If the change password service is not running on the
KDC, alternative servers can be defined here. An
optional port number (preceded by a colon) may be
appended to the addresses or hostnames.
</para>
<para>
For more information on failover and server
redundancy, see the <quote>FAILOVER</quote> section.
NOTE: Even if there are no more kpasswd
servers to try, the backend is not switched to operate offline
if authentication against the KDC is still possible.
</para>
<para>
Default: Use the KDC
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_ccachedir (string)</term>
<listitem>
<para>
Directory to store credential caches. All the
substitution sequences of krb5_ccname_template can
be used here, too, except %d and %P. If the
directory does not exist, it will be created. If %u,
%U, %p or %h are used, a private directory belonging
to the user is created. Otherwise, a public directory
with restricted deletion flag (aka sticky bit, as
described in
<citerefentry>
<refentrytitle>chmod</refentrytitle>
<manvolnum>1</manvolnum>
</citerefentry> for details) is created.
</para>
<para>
Default: /tmp
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_ccname_template (string)</term>
<listitem>
<para>
Location of the user's credential cache. Two credential
cache types are currently supported: <quote>FILE</quote>
and <quote>DIR</quote>. The cache can be specified either
as <replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute
path, which implies the <quote>FILE</quote> type. In the
template, the following sequences are substituted:
<variablelist>
<varlistentry>
<term>%u</term>
<listitem><para>login name</para></listitem>
</varlistentry>
<varlistentry>
<term>%U</term>
<listitem><para>login UID</para></listitem>
</varlistentry>
<varlistentry>
<term>%p</term>
<listitem><para>principal name</para>
</listitem>
</varlistentry>
<varlistentry>
<term>%r</term>
<listitem><para>realm name</para></listitem>
</varlistentry>
<varlistentry>
<term>%h</term>
<listitem><para>home directory</para>
</listitem>
</varlistentry>
<varlistentry>
<term>%d</term>
<listitem><para>value of krb5ccache_dir
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>%P</term>
<listitem><para>the process ID of the SSSD
client</para>
</listitem>
</varlistentry>
<varlistentry>
<term>%%</term>
<listitem><para>a literal '%'</para>
</listitem>
</varlistentry>
</variablelist>
If the template ends with 'XXXXXX' mkstemp(3) is
used to create a unique filename in a safe way.
</para>
<para>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_auth_timeout (integer)</term>
<listitem>
<para>
Timeout in seconds after an online authentication request
or change password request is aborted. If possible, the
authentication request is continued offline.
</para>
<para>
Default: 6
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_validate (boolean)</term>
<listitem>
<para>
Verify with the help of krb5_keytab that the TGT
obtained has not been spoofed. The keytab is checked for
entries sequentially, and the first entry with a matching
realm is used for validation. If no entry matches the realm, the last
entry in the keytab is used. This process can be used to validate
environments using cross-realm trust by placing the appropriate
keytab entry as the last entry or the only entry in the keytab file.
</para>
<para>
Default: false
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_keytab (string)</term>
<listitem>
<para>
The location of the keytab to use when validating
credentials obtained from KDCs.
</para>
<para>
Default: /etc/krb5.keytab
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_store_password_if_offline (boolean)</term>
<listitem>
<para>
Store the password of the user if the provider is
offline and use it to request a TGT when the
provider comes online again.
</para>
<para>
NOTE: this feature is only available on Linux.
Passwords stored in this way are kept in
plaintext in the kernel keyring and are
potentially accessible by the root user
(with difficulty).
</para>
<para>
Default: false
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_renewable_lifetime (string)</term>
<listitem>
<para>
Request a renewable ticket with a total
lifetime, given as an integer immediately followed
by a time unit:
</para>
<para>
<emphasis>s</emphasis> for seconds
</para>
<para>
<emphasis>m</emphasis> for minutes
</para>
<para>
<emphasis>h</emphasis> for hours
</para>
<para>
<emphasis>d</emphasis> for days.
</para>
<para>
If there is no unit given, <emphasis>s</emphasis> is
assumed.
</para>
<para>
NOTE: It is not possible to mix units. To set
the renewable lifetime to one and a half hours,
use '90m' instead of '1h30m'.
</para>
<para>
Default: not set, i.e. the TGT is not renewable
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_lifetime (string)</term>
<listitem>
<para>
Request ticket with a lifetime, given as an
integer immediately followed by a time unit:
</para>
<para>
<emphasis>s</emphasis> for seconds
</para>
<para>
<emphasis>m</emphasis> for minutes
</para>
<para>
<emphasis>h</emphasis> for hours
</para>
<para>
<emphasis>d</emphasis> for days.
</para>
<para>
If there is no unit given <emphasis>s</emphasis> is
assumed.
</para>
<para>
NOTE: It is not possible to mix units.
To set the lifetime to one and a half
hours please use '90m' instead of '1h30m'.
</para>
<para>
Default: not set, i.e. the default ticket lifetime
configured on the KDC.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_renew_interval (string)</term>
<listitem>
<para>
The time in seconds between two checks if the TGT
should be renewed. TGTs are renewed if about half
of their lifetime is exceeded, given as an integer
immediately followed by a time unit:
</para>
<para>
<emphasis>s</emphasis> for seconds
</para>
<para>
<emphasis>m</emphasis> for minutes
</para>
<para>
<emphasis>h</emphasis> for hours
</para>
<para>
<emphasis>d</emphasis> for days.
</para>
<para>
If there is no unit given, <emphasis>s</emphasis> is
assumed.
</para>
<para>
NOTE: It is not possible to mix units. To set
the renewable lifetime to one and a half hours,
use '90m' instead of '1h30m'.
</para>
<para>
If this option is not set or is 0 the automatic
renewal is disabled.
</para>
<para>
Default: not set
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_use_fast (string)</term>
<listitem>
<para>
Enables flexible authentication secure tunneling
(FAST) for Kerberos pre-authentication. The
following options are supported:
</para>
<para>
<emphasis>never</emphasis> use FAST. This is
equivalent to not setting this option at all.
</para>
<para>
<emphasis>try</emphasis> to use FAST. If the server
does not support FAST, continue the
authentication without it.
</para>
<para>
<emphasis>demand</emphasis> to use FAST. The
authentication fails if the server does not
require fast.
</para>
<para>
Default: not set, i.e. FAST is not used.
</para>
<para>
NOTE: a keytab is required to use FAST.
</para>
<para>
NOTE: SSSD supports FAST only with
MIT Kerberos version 1.8 and later. If SSSD is used
with an older version of MIT Kerberos, using this
option is a configuration error.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_fast_principal (string)</term>
<listitem>
<para>
Specifies the server principal to use for FAST.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_canonicalize (boolean)</term>
<listitem>
<para>
Specifies if the host and user principal should be
canonicalized. This feature is available with MIT
Kerberos 1.7 and later versions.
</para>
<para>
Default: false
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_use_kdcinfo (boolean)</term>
<listitem>
<para>
Specifies if the SSSD should instruct the Kerberos
libraries what realm and which KDCs to use. This option
is on by default, if you disable it, you need to configure
the Kerberos library using the
<citerefentry>
<manvolnum>5</manvolnum>
</citerefentry>
configuration file.
</para>
<para>
See the
<citerefentry>
<refentrytitle>sssd_krb5_locator_plugin</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>
manual page for more information on the locator plugin.
</para>
<para>
Default: true
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_use_enterprise_principal (boolean)</term>
<listitem>
<para>
Specifies if the user principal should be treated
as enterprise principal. See section 5 of RFC 6806
for more details about enterprise principals.
</para>
<para>
Default: false (AD provide: true)
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 id='example'>
<title>EXAMPLE</title>
<para>
The following example assumes that SSSD is correctly
configured and FOO is one of the domains in the
<replaceable>[sssd]</replaceable> section. This example shows
only configuration of Kerberos authentication; it does not include
any identity provider.
</para>
<para>
<programlisting>
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
</programlisting>
</para>
</refsect1>
</refentry>
</reference>