sssd-krb5.5.xml revision 6b45f632759293fc9f2a28317fae2e224ac53020
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<reference>
<title>SSSD Manual pages</title>
<refentry>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />

<refmeta>
<refentrytitle>sssd-krb5</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
</refmeta>

<refnamediv id='name'>
<refname>sssd-krb5</refname>
<refpurpose>the configuration file for SSSD</refpurpose>
</refnamediv>

<refsect1 id='description'>
<title>DESCRIPTION</title>
<para>
This manual page describes the configuration of the Kerberos
5 authentication backend for
<citerefentry>
<refentrytitle>sssd</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>.
For a detailed syntax reference, please refer to the <quote>FILE FORMAT</quote> section of the
<citerefentry>
<refentrytitle>sssd.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> manual page.
</para>
<para>
The Kerberos 5 authentication backend contains auth and chpass
providers. It must be paired with an identity provider in
order to function properly (for example, id_provider = ldap). Some
information required by the Kerberos 5 authentication backend must
be provided by the identity provider, such as the user's Kerberos
Principal Name (UPN). The configuration of the identity provider
should have an entry to specify the UPN. Please refer to the man
page for the applicable identity provider for details on how to
configure this.
</para>
<para>
This backend also provides access control based on the .k5login
file in the home directory of the user. See <citerefentry>
<refentrytitle>.k5login</refentrytitle><manvolnum>5</manvolnum>
</citerefentry> for more details. Please note that an empty .k5login
file will deny all access to this user. To activate this feature,
use 'access_provider = krb5' in your SSSD configuration.
</para>
<para>
In the case where the UPN is not available in the identity backend,
<command>sssd</command> will construct a UPN using the format
<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>.
</para>

</refsect1>

<refsect1 id='file-format'>
<title>CONFIGURATION OPTIONS</title>
<para>
If the auth-module krb5 is used in an SSSD domain, the following
options are available; of these, only krb5_realm is mandatory. See the
<citerefentry>
<refentrytitle>sssd.conf</refentrytitle>
<manvolnum>5</manvolnum>
</citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>,
for details on the configuration of an SSSD domain.
<variablelist>
<varlistentry>
<term>krb5_server, krb5_backup_server (string)</term>
<listitem>
<para>
Specifies the comma-separated list of IP addresses or hostnames
of the Kerberos servers to which SSSD should
connect, in the order of preference. For more
information on failover and server redundancy,
see the <quote>FAILOVER</quote> section. An optional
port number (preceded by a colon) may be appended to
the addresses or hostnames.
If empty, service discovery is enabled;
for more information, refer to the
<quote>SERVICE DISCOVERY</quote> section.
</para>
<para>
When using service discovery for KDC or kpasswd servers,
SSSD first searches for DNS entries that specify _udp as
the protocol and falls back to _tcp if none are found.
</para>
<para>
This option was named <quote>krb5_kdcip</quote> in
earlier releases of SSSD. While the legacy name is recognized
for the time being, users are advised to migrate their config
files to use <quote>krb5_server</quote> instead.
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>krb5_realm (string)</term>
<listitem>
<para>
The name of the Kerberos realm. This option is required
and must be specified.
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>krb5_kpasswd, krb5_backup_kpasswd (string)</term>
<listitem>
<para>
If the change password service is not running on the
KDC, alternative servers can be defined here. An
optional port number (preceded by a colon) may be
appended to the addresses or hostnames.
</para>
<para>
For more information on failover and server
redundancy, see the <quote>FAILOVER</quote> section.
NOTE: Even if there are no more kpasswd
servers to try, the backend is not switched to operate offline
if authentication against the KDC is still possible.
</para>
<para>
Default: Use the KDC
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>krb5_ccachedir (string)</term>
<listitem>
<para>
Directory to store credential caches. All the
substitution sequences of krb5_ccname_template can
be used here, too, except %d and %P. If the
directory does not exist, it will be created. If %u,
%U, %p or %h are used, a private directory belonging
to the user is created. Otherwise, a public directory
with restricted deletion flag (aka sticky bit, as
described in
<citerefentry>
<refentrytitle>chmod</refentrytitle>
<manvolnum>1</manvolnum>
</citerefentry> for details) is created.
</para>
<para>
Default: /tmp
</para>
</listitem>
</varlistentry>

<varlistentry>
<term>krb5_ccname_template (string)</term>
<listitem>
<para>
Location of the user's credential cache. Two credential
cache types are currently supported: <quote>FILE</quote>
and <quote>DIR</quote>. The cache can be specified either
as <replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute
path, which implies the <quote>FILE</quote> type. In the
template, the following sequences are substituted:
<variablelist>
<varlistentry>
<term>%u</term>
<listitem><para>login name</para></listitem>
</varlistentry>
<varlistentry>
<term>%U</term>
<listitem><para>login UID</para></listitem>
</varlistentry>
<varlistentry>
<term>%p</term>
<listitem><para>principal name</para>
</listitem>
</varlistentry>
<varlistentry>
<term>%r</term>
<listitem><para>realm name</para></listitem>
</varlistentry>
<varlistentry>
<term>%h</term>
<listitem><para>home directory</para>
</listitem>
</varlistentry>
<varlistentry>
<term>%d</term>
<listitem><para>value of krb5_ccachedir
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>%P</term>
<listitem><para>the process ID of the SSSD
client</para>
</listitem>
</varlistentry>
<varlistentry>
<term>%%</term>
<listitem><para>a literal '%'</para>
</listitem>
</varlistentry>
</variablelist>
If the template ends with 'XXXXXX', mkstemp(3) is
used to create a unique filename in a safe way.
</para>
<para>
Default: FILE:%d/krb5cc_%U_XXXXXX
</para>
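<para>
The following is an added example, not code from SSSD or from this manual: a small Python re-implementation of the substitution rules listed above, usable to check what a given krb5_ccachedir and krb5_ccname_template pair would produce for a user (whether the cache directory is private or shared, which cache type results, and whether mkstemp(3) is involved) before the templates are deployed. The ALICE record and the /run/user/%U directory layout are assumptions made for the illustration.
</para>

```python
"""Expand SSSD credential-cache templates and classify the result.

Added example, not code from SSSD itself: it re-implements the
substitution rules documented for krb5_ccname_template and
krb5_ccachedir so a template can be checked before it is rolled out.
The ALICE record is constructed test data, not output of an identity
provider.
"""

# Every sequence the manual lists for krb5_ccname_template.
SEQUENCES = {"u", "U", "p", "r", "h", "d", "P", "%"}
# krb5_ccachedir accepts all of them except %d and %P.
NOT_IN_CCACHEDIR = {"d", "P"}
# Any of these in krb5_ccachedir gives a per-user (private) directory;
# without them SSSD creates a shared directory with the sticky bit.
PRIVATE_SEQUENCES = {"u", "U", "p", "h"}


class TemplateError(ValueError):
    """Unknown, misplaced or dangling % sequence."""


def tokens(template):
    """Yield ("lit", char) or ("seq", letter); "%%" becomes ("seq", "%")."""
    chars = iter(template)
    for ch in chars:
        if ch != "%":
            yield "lit", ch
            continue
        seq = next(chars, None)
        if seq is None:
            raise TemplateError("dangling '%' at end of template")
        if seq not in SEQUENCES:
            raise TemplateError("unknown sequence %%%s" % seq)
        yield "seq", seq


def expand(template, user, for_ccachedir=False):
    """Substitute the sequences in template with values taken from user."""
    values = {
        "u": user["name"], "U": str(user["uid"]), "p": user["principal"],
        "r": user["realm"], "h": user["home"], "d": user["ccachedir"],
        "P": str(user["pid"]), "%": "%",
    }
    out = []
    for kind, val in tokens(template):
        if kind == "seq" and for_ccachedir and val in NOT_IN_CCACHEDIR:
            raise TemplateError("%%%s is not allowed in krb5_ccachedir" % val)
        out.append(values[val] if kind == "seq" else val)
    return "".join(out)


def is_private_dir(ccachedir_template):
    """True if SSSD would create a private per-user directory."""
    return any(kind == "seq" and val in PRIVATE_SEQUENCES
               for kind, val in tokens(ccachedir_template))


def parse_cache_name(name):
    """Split an expanded cache name into (type, residual).

    Only FILE and DIR are supported; a bare absolute path implies FILE.
    """
    if name.startswith("/"):
        return "FILE", name
    ctype, sep, residual = name.partition(":")
    if not sep or ctype not in ("FILE", "DIR"):
        raise TemplateError("unsupported credential cache type in %r" % name)
    return ctype, residual


def plan(ccachedir_template, ccname_template, user):
    """Describe what SSSD would do for this user with the given templates."""
    ccachedir = expand(ccachedir_template, user, for_ccachedir=True)
    full = expand(ccname_template, dict(user, ccachedir=ccachedir))
    ctype, residual = parse_cache_name(full)
    return {
        "ccachedir": ccachedir,
        "private_dir": is_private_dir(ccachedir_template),
        "type": ctype,
        "residual": residual,
        "mkstemp": residual.endswith("XXXXXX"),
    }


def check(ccachedir_template, ccname_template, user):
    """Return None if both templates are valid, otherwise the error text."""
    try:
        plan(ccachedir_template, ccname_template, user)
    except TemplateError as exc:
        return str(exc)
    return None


# Constructed sample user; plan() fills in the ccachedir value for %d.
ALICE = {"name": "alice", "uid": 1000, "principal": "alice@EXAMPLE.COM",
         "realm": "EXAMPLE.COM", "home": "/home/alice", "ccachedir": "",
         "pid": 4242}

if __name__ == "__main__":
    # The manual's defaults: shared /tmp plus a mkstemp-randomised file name.
    print(plan("/tmp", "FILE:%d/krb5cc_%U_XXXXXX", ALICE))
    # A per-user directory (assumed layout, not an SSSD default).
    print(plan("/run/user/%U", "DIR:%d/krb5cc", ALICE))
```

<para>
Running the block prints the plan for the manual's defaults (a shared, sticky-bit /tmp holding a mkstemp-randomised FILE cache) and for a per-user DIR cache; the check() helper turns a rejected template, such as %P inside krb5_ccachedir or an unsupported KEYRING type, into an error message instead of an exception.
</para>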
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_auth_timeout (integer)</term>
<listitem>
<para>
Timeout in seconds after which an online authentication request
or change password request is aborted. If possible, the
authentication request is continued offline.
</para>
<para>
Default: 15
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_validate (boolean)</term>
<listitem>
<para>
Verify, using the keytab named by krb5_keytab, that the TGT
obtained has not been spoofed, i.e. that it was issued by a KDC
that holds this host's key and not by an impostor answering the
client's request. The keytab is checked for
entries sequentially, and the first entry with a matching
realm is used for validation. If no entry matches the realm, the last
entry in the keytab is used. This process can be used to validate
environments using cross-realm trust by placing the appropriate
keytab entry as the last entry or the only entry in the keytab file.
</para>
<para>
Default: false
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_keytab (string)</term>
<listitem>
<para>
The location of the keytab to use when validating
credentials obtained from KDCs.
</para>
<para>
Default: /etc/krb5.keytab
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_store_password_if_offline (boolean)</term>
<listitem>
<para>
Store the password of the user if the provider is
offline and use it to request a TGT when the
provider comes online again.
</para>
<para>
NOTE: this feature is only available on Linux.
Passwords stored in this way are kept in
plaintext in the kernel keyring and are
potentially accessible by the root user
(with difficulty).
</para>
<para>
Default: false
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_renewable_lifetime (string)</term>
<listitem>
<para>
Request a renewable ticket with a total
lifetime, given as an integer immediately followed
by a time unit:
</para>
<para>
<emphasis>s</emphasis> for seconds
</para>
<para>
<emphasis>m</emphasis> for minutes
</para>
<para>
<emphasis>h</emphasis> for hours
</para>
<para>
<emphasis>d</emphasis> for days.
</para>
<para>
If there is no unit given, <emphasis>s</emphasis> is
assumed.
</para>
<para>
NOTE: It is not possible to mix units. To set
the renewable lifetime to one and a half hours,
use '90m' instead of '1h30m'.
</para>
<para>
Default: not set, i.e. the TGT is not renewable
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_lifetime (string)</term>
<listitem>
<para>
Request a ticket with a lifetime, given as an
integer immediately followed by a time unit:
</para>
<para>
<emphasis>s</emphasis> for seconds
</para>
<para>
<emphasis>m</emphasis> for minutes
</para>
<para>
<emphasis>h</emphasis> for hours
</para>
<para>
<emphasis>d</emphasis> for days.
</para>
<para>
If there is no unit given, <emphasis>s</emphasis> is
assumed.
</para>
<para>
NOTE: It is not possible to mix units.
To set the lifetime to one and a half
hours please use '90m' instead of '1h30m'.
</para>
<para>
Default: not set, i.e. the default ticket lifetime
configured on the KDC.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_renew_interval (integer)</term>
<listitem>
<para>
The time in seconds between two checks if the TGT
should be renewed. TGTs are renewed if about half
of their lifetime is exceeded.
</para>
<para>
If this option is not set or is 0 the automatic
renewal is disabled.
</para>
<para>
Default: not set
</para>
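<para>
As an added example (not SSSD code, and not part of this manual), the Python below applies the rules stated for krb5_lifetime, krb5_renewable_lifetime and krb5_renew_interval: an integer followed by at most one unit, mixed forms such as '1h30m' rejected, and renewal attempted by the periodic check once about half of the ticket's lifetime has passed. It lets an administrator validate the three values and see, in seconds from issue, when renewals would occur. The sample values are constructed; the rule that a renewed ticket never outlives the renewable window is standard Kerberos behaviour, not something this page states.
</para>

```python
"""Parse SSSD ticket-lifetime strings and simulate TGT auto-renewal.

Added example, not SSSD code: it applies the documented rules for
krb5_lifetime, krb5_renewable_lifetime and krb5_renew_interval
(integer plus a single unit, no mixing, renew once about half of the
lifetime has passed) so a configuration can be sanity-checked before
it is deployed. All times are constructed and expressed in seconds.
"""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# One integer, optionally followed by exactly one unit letter.
LIFETIME_RE = re.compile(r"^(\d+)([smhd])?$")


def parse_lifetime(value):
    """Return the number of seconds for a string such as '90m' or '600'.

    '1h30m' is rejected: units cannot be mixed, as the manual states.
    """
    match = LIFETIME_RE.match(value.strip())
    if match is None:
        raise ValueError("invalid lifetime %r (write '90m', not '1h30m')" % value)
    number, unit = match.groups()
    return int(number) * UNITS[unit or "s"]


def is_valid_lifetime(value):
    """True if parse_lifetime() accepts value."""
    try:
        parse_lifetime(value)
    except ValueError:
        return False
    return True


def renewal_due(issued, expires, renew_till, now):
    """Apply the rule 'renew once about half of the lifetime is exceeded'.

    A ticket that has expired, or whose renewable window (renew_till)
    has closed, can no longer be renewed.
    """
    if now >= expires or now >= renew_till:
        return False
    return now >= issued + (expires - issued) // 2


def schedule(lifetime, renewable_lifetime, renew_interval, issued=0):
    """Return the check times at which SSSD's periodic check would renew.

    The renewed ticket keeps the configured lifetime but never outlives
    renew_till (Kerberos renewal semantics, assumed here). A
    krb5_renew_interval of 0 or unset disables automatic renewal.
    """
    interval = int(renew_interval or 0)
    if not interval > 0:
        return []
    life = parse_lifetime(lifetime)
    renew_till = issued + parse_lifetime(renewable_lifetime)
    expires = issued + life
    renewals, now = [], issued
    while renew_till > now + interval:
        now += interval
        if renewal_due(issued, expires, renew_till, now):
            renewals.append(now)
            issued, expires = now, min(now + life, renew_till)
    return renewals


if __name__ == "__main__":
    # krb5_lifetime = 10h, krb5_renewable_lifetime = 1d, krb5_renew_interval = 3600
    print(schedule("10h", "1d", 3600))
```

<para>
With a 10h ticket, a 1d renewable lifetime and an hourly check, the first renewal lands at the five-hour mark and later ones bunch up as the renewable window closes; a renewable lifetime shorter than half the ticket lifetime yields no renewals at all, which is a useful thing to catch before a long-running job loses its credentials.
</para>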
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_use_fast (string)</term>
<listitem>
<para>
Enables flexible authentication secure tunneling
(FAST) for Kerberos pre-authentication. The
following options are supported:
</para>
<para>
<emphasis>never</emphasis> use FAST. This is
equivalent to not setting this option at all.
</para>
<para>
<emphasis>try</emphasis> to use FAST. If the server
does not support FAST, continue the
authentication without it.
</para>
<para>
<emphasis>demand</emphasis> to use FAST. The
authentication fails if the server does not
support FAST.
</para>
<para>
Default: not set, i.e. FAST is not used.
</para>
<para>
NOTE: a keytab is required to use FAST.
</para>
<para>
NOTE: SSSD supports FAST only with
MIT Kerberos version 1.8 and later. If SSSD is used
with an older version of MIT Kerberos, using this
option is a configuration error.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_fast_principal (string)</term>
<listitem>
<para>
Specifies the server principal to use for FAST.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>krb5_canonicalize (boolean)</term>
<listitem>
<para>
Specifies if the host and user principal should be
canonicalized. This feature is available with MIT
Kerberos 1.7 and later versions.
</para>
<para>
Default: false
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />
<refsect1 id='example'>
<title>EXAMPLE</title>
<para>
The following example assumes that SSSD is correctly
configured and FOO is one of the domains in the
<replaceable>[sssd]</replaceable> section. This example shows
only configuration of Kerberos authentication; it does not include
any identity provider.
</para>
<para>
<programlisting>
[domain/FOO]
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
</programlisting>
</para>
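<para>
A fuller stanza, added here as an illustration rather than taken from the SSSD sources, combining the options described above into a hardened configuration. The host names, the realm and the /run/user/%U cache layout are assumptions; the ldap_* options that id_provider = ldap needs are omitted, see sssd-ldap(5).
</para>

```ini
[domain/FOO]
# Identity from LDAP (ldap_* options omitted here), authentication,
# password changes and .k5login access control from Kerberos.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = krb5

krb5_realm = EXAMPLE.COM
# Assumed KDC host names; a port may be appended after a colon.
krb5_server = kdc1.example.com, kdc2.example.com
krb5_kpasswd = kdc1.example.com

# Reject a TGT unless a KDC holding this host's key issued it.
krb5_validate = true
krb5_keytab = /etc/krb5.keytab

# Wrap pre-authentication in FAST when the KDC supports it.
krb5_use_fast = try

# %U in krb5_ccachedir makes the directory private to the user
# instead of a shared sticky-bit /tmp (assumed layout).
krb5_ccachedir = /run/user/%U
krb5_ccname_template = DIR:%d/krb5cc

# Short tickets, renewed hourly for up to a week; single units only.
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 3600

# Keep the default: no plaintext passwords parked in the kernel keyring.
krb5_store_password_if_offline = false
```

<para>
The two settings that change the security posture most are krb5_validate, which refuses a TGT that was not issued by a KDC knowing the key in krb5_keytab, and krb5_use_fast, which protects pre-authentication where the KDC supports FAST; both depend on a readable host keytab.
</para>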
</refsect1>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
</refentry>
</reference>