krb5_auth_timeout (integer)
Timeout in seconds after which an online authentication request
or change password request is aborted. If possible, the
authentication request is continued offline.
Default: 6
krb5_validate (boolean)
Verify with the help of krb5_keytab that the TGT
obtained has not been spoofed. The keytab is checked for
entries sequentially, and the first entry with a matching
realm is used for validation. If no entry matches the realm, the last
entry in the keytab is used. This process can be used to validate
environments using cross-realm trust by placing the appropriate
keytab entry as the last entry or the only entry in the keytab file.
Default: false (IPA and AD provider: true)
Please note that the ticket validation is the first step when
checking the PAC (see 'pac_check' in the sssd.conf(5) manual page
for details). If ticket validation is disabled, the PAC checks will
be skipped as well.
krb5_renewable_lifetime (string)
Request a renewable ticket with a total
lifetime, given as an integer immediately followed
by a time unit:
s for seconds
m for minutes
h for hours
d for days.
If there is no unit given, s is
assumed.
NOTE: It is not possible to mix units. To set
the renewable lifetime to one and a half hours,
use '90m' instead of '1h30m'.
Default: not set, i.e. the TGT is not renewable
krb5_lifetime (string)
Request ticket with a lifetime, given as an
integer immediately followed by a time unit:
s for seconds
m for minutes
h for hours
d for days.
If there is no unit given, s is
assumed.
NOTE: It is not possible to mix units.
To set the lifetime to one and a half
hours please use '90m' instead of '1h30m'.
Default: not set, i.e. the default ticket lifetime
configured on the KDC.
krb5_renew_interval (string)
The interval between two checks of whether the TGT
should be renewed, given as an integer immediately
followed by a time unit. TGTs are renewed once about
half of their lifetime has passed.
s for seconds
m for minutes
h for hours
d for days.
If there is no unit given, s is
assumed.
NOTE: It is not possible to mix units. To set
the interval to one and a half hours,
use '90m' instead of '1h30m'.
If this option is not set or is 0 the automatic
renewal is disabled.
Default: not set
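The following Python script is an added example and is not part of sssd. It parses the time format shared by krb5_lifetime, krb5_renewable_lifetime and krb5_renew_interval (integer plus a single unit, seconds if omitted, no mixed units) and applies a few plausibility rules derived from the descriptions above; those rules are an assumption of this example, not checks sssd itself performs.

```python
import re

# Accepted unit suffixes; sssd assumes seconds when the unit is omitted.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_TIME_RE = re.compile(r"^(\d+)([smhd])?$")


def parse_sssd_time(value: str) -> int:
    """Convert an sssd time string ('90m', '10h', '7d', '600') to seconds.

    Mixed units such as '1h30m' are rejected, matching the NOTE in the
    manual page: only one unit may be given.
    """
    match = _TIME_RE.match(value.strip())
    if not match:
        raise ValueError(
            f"invalid time value {value!r}: expected an integer followed by "
            "one of s, m, h, d (e.g. '90m', not '1h30m')"
        )
    amount, unit = match.groups()
    return int(amount) * UNIT_SECONDS[unit or "s"]


def check_renewal_settings(lifetime: str, renewable_lifetime: str,
                           renew_interval: str) -> list:
    """Return warnings for a krb5 lifetime/renewal configuration.

    Heuristics assumed by this example (not enforced by sssd): renewal only
    happens when krb5_renew_interval is non-zero, a check interval longer
    than half the ticket lifetime can miss the renewal window, and a
    renewable lifetime shorter than the ticket lifetime gains nothing.
    """
    life = parse_sssd_time(lifetime)
    renewable = parse_sssd_time(renewable_lifetime)
    interval = parse_sssd_time(renew_interval)
    warnings = []
    if interval == 0:
        warnings.append("krb5_renew_interval is 0: automatic renewal is disabled")
    elif interval > life // 2:
        warnings.append("krb5_renew_interval exceeds half of krb5_lifetime: "
                        "a TGT may expire before the next renewal check")
    if renewable < life:
        warnings.append("krb5_renewable_lifetime is shorter than krb5_lifetime: "
                        "renewal cannot extend the ticket past its initial lifetime")
    return warnings


if __name__ == "__main__":
    print(parse_sssd_time("90m"))                       # 5400
    print(check_renewal_settings("10h", "7d", "60m"))   # []
    print(check_renewal_settings("10h", "7d", "6h"))    # one warning
```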
krb5_canonicalize (boolean)
Specifies if the host and user principal should be
canonicalized. This feature is available with MIT
Kerberos 1.7 and later versions.
Default: false