sssd-krb5 5 File Formats and Conventions sssd-krb5 SSSD Kerberos provider This manual page describes the configuration of the Kerberos 5 authentication backend for sssd 8 . For a detailed syntax reference, please refer to the FILE FORMAT section of the sssd.conf 5 manual page. The Kerberos 5 authentication backend contains auth and chpass providers. It must be paired with an identity provider in order to function properly (for example, id_provider = ldap). Some information required by the Kerberos 5 authentication backend must be provided by the identity provider, such as the user's Kerberos Principal Name (UPN). The configuration of the identity provider should have an entry to specify the UPN. Please refer to the man page for the applicable identity provider for details on how to configure this. This backend also provides access control based on the .k5login file in the home directory of the user. See k5login5 for more details. Please note that an empty .k5login file will deny all access to this user. To activate this feature, use 'access_provider = krb5' in your SSSD configuration. In the case where the UPN is not available in the identity backend, sssd will construct a UPN using the format username@krb5_realm. If the auth-module krb5 is used in an SSSD domain, the following options must be used. See the sssd.conf 5 manual page, section DOMAIN SECTIONS, for details on the configuration of an SSSD domain. krb5_server, krb5_backup_server (string) Specifies the comma-separated list of IP addresses or hostnames of the Kerberos servers to which SSSD should connect, in the order of preference. For more information on failover and server redundancy, see the FAILOVER section. An optional port number (preceded by a colon) may be appended to the addresses or hostnames. If empty, service discovery is enabled; for more information, refer to the SERVICE DISCOVERY section. When using service discovery for KDC or kpasswd servers, SSSD first searches for DNS entries that specify _udp as the protocol and falls back to _tcp if none are found. This option was named krb5_kdcip in earlier releases of SSSD. While the legacy name is recognized for the time being, users are advised to migrate their config files to use krb5_server instead. krb5_realm (string) The name of the Kerberos realm. This option is required and must be specified. krb5_kpasswd, krb5_backup_kpasswd (string) If the change password service is not running on the KDC, alternative servers can be defined here. An optional port number (preceded by a colon) may be appended to the addresses or hostnames. For more information on failover and server redundancy, see the FAILOVER section. NOTE: Even if there are no more kpasswd servers to try, the backend is not switched to operate offline if authentication against the KDC is still possible. Default: Use the KDC krb5_ccachedir (string) Directory to store credential caches. All the substitution sequences of krb5_ccname_template can be used here, too, except %d and %P. The directory is created as private and owned by the user, with permissions set to 0700. Default: /tmp krb5_ccname_template (string) Location of the user's credential cache. Three credential cache types are currently supported: FILE, DIR and KEYRING:persistent. The cache can be specified either as TYPE:RESIDUAL, or as an absolute path, which implies the FILE type. In the template, the following sequences are substituted: %u login name %U login UID %p principal name %r realm name %h home directory %d value of krb5_ccachedir %P the process ID of the SSSD client %% a literal '%' If the template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe way. When using KEYRING types, the only supported mechanism is KEYRING:persistent:%U, which uses the Linux kernel keyring to store credentials on a per-UID basis. This is also the recommended choice, as it is the most secure and predictable method. The default value for the credential cache name is sourced from the profile stored in the system wide krb5.conf configuration file in the [libdefaults] section. The option name is default_ccache_name. See krb5.conf(5)'s PARAMETER EXPANSION paragraph for additional information on the expansion format defined by krb5.conf. NOTE: Please be aware that libkrb5 ccache expansion template from krb5.conf 5 uses different expansion sequences than SSSD. Default: (from libkrb5) krb5_keytab (string) The location of the keytab to use when validating credentials obtained from KDCs. Default: System keytab, normally /etc/krb5.keytab krb5_store_password_if_offline (boolean) Store the password of the user if the provider is offline and use it to request a TGT when the provider comes online again. NOTE: this feature is only available on Linux. Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty). Default: false krb5_use_fast (string) Enables flexible authentication secure tunneling (FAST) for Kerberos pre-authentication. The following options are supported: never use FAST. This is equivalent to not setting this option at all. try to use FAST. If the server does not support FAST, continue the authentication without it. demand to use FAST. The authentication fails if the server does not require fast. Default: not set, i.e. FAST is not used. NOTE: a keytab or support for anonymous PKINIT is required to use FAST. NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If SSSD is used with an older version of MIT Kerberos, using this option is a configuration error. krb5_fast_principal (string) Specifies the server principal to use for FAST. krb5_fast_use_anonymous_pkinit (boolean) If set to true try to use anonymous PKINIT instead of a keytab to get the required credential for FAST. The krb5_fast_principal options is ignored in this case. Default: false krb5_use_kdcinfo (boolean) Specifies if the SSSD should instruct the Kerberos libraries what realm and which KDCs to use. This option is on by default, if you disable it, you need to configure the Kerberos library using the krb5.conf 5 configuration file. See the sssd_krb5_locator_plugin 8 manual page for more information on the locator plugin. Default: true krb5_kdcinfo_lookahead (string) When krb5_use_kdcinfo is set to true, you can limit the amount of servers handed to sssd_krb5_locator_plugin 8 . This might be helpful when there are too many servers discovered using SRV record. The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. The first number represents number of primary servers used and the second number specifies the number of backup servers. For example 10:0 means that up to 10 primary servers will be handed to sssd_krb5_locator_plugin 8 but no backup servers. Default: 3:1 krb5_use_enterprise_principal (boolean) Specifies if the user principal should be treated as enterprise principal. See section 5 of RFC 6806 for more details about enterprise principals. Default: false (AD provider: true) The IPA provider will set to option to 'true' if it detects that the server is capable of handling enterprise principals and the option is not set explicitly in the config file. krb5_use_subdomain_realm (boolean) Specifies to use subdomains realms for the authentication of users from trusted domains. This option can be set to 'true' if enterprise principals are used with upnSuffixes which are not known on the parent domain KDCs. If the option is set to 'true' SSSD will try to send the request directly to a KDC of the trusted domain the user is coming from. Default: false krb5_map_user (string) The list of mappings is given as a comma-separated list of pairs username:primary where username is a UNIX user name and primary is a user part of a kerberos principal. This mapping is used when user is authenticating using auth_provider = krb5. example: krb5_realm = REALM krb5_map_user = joe:juser,dick:richard joe and dick are UNIX user names and juser and richard are primaries of kerberos principals. For user joe resp. dick SSSD will try to kinit as juser@REALM resp. richard@REALM. Default: not set The following example assumes that SSSD is correctly configured and FOO is one of the domains in the [sssd] section. This example shows only configuration of Kerberos authentication; it does not include any identity provider. [domain/FOO] auth_provider = krb5 krb5_server = 192.168.1.1 krb5_realm = EXAMPLE.COM