table of contents
SSSD-KRB5(5) | File Formats and Conventions | SSSD-KRB5(5) |
NAME¶
sssd-krb5 - SSSD Kerberos provider
DESCRIPTION¶
This manual page describes the configuration of the Kerberos 5 authentication backend for sssd(8). For a detailed syntax reference, please refer to the “FILE FORMAT” section of the sssd.conf(5) manual page.
The Kerberos 5 authentication backend contains auth and chpass providers. It must be paired with an identity provider in order to function properly (for example, id_provider = ldap). Some information required by the Kerberos 5 authentication backend must be provided by the identity provider, such as the user's Kerberos Principal Name (UPN). The configuration of the identity provider should have an entry to specify the UPN. Please refer to the man page for the applicable identity provider for details on how to configure this.
This backend also provides access control based on the .k5login file in the home directory of the user. See k5login(5) for more details. Please note that an empty .k5login file will deny all access to this user. To activate this feature, use 'access_provider = krb5' in your SSSD configuration.
In the case where the UPN is not available in the identity backend, sssd will construct a UPN using the format username@krb5_realm.
CONFIGURATION OPTIONS¶
If the auth-module krb5 is used in an SSSD domain, the following options must be used. See the sssd.conf(5) manual page, section “DOMAIN SECTIONS”, for details on the configuration of an SSSD domain.
krb5_server, krb5_backup_server (string)
When using service discovery for KDC or kpasswd servers, SSSD first searches for DNS entries that specify _udp as the protocol and falls back to _tcp if none are found.
This option was named “krb5_kdcip” in earlier releases of SSSD. While the legacy name is recognized for the time being, users are advised to migrate their config files to use “krb5_server” instead.
krb5_realm (string)
krb5_kpasswd, krb5_backup_kpasswd (string)
For more information on failover and server redundancy, see the “FAILOVER” section. NOTE: Even if there are no more kpasswd servers to try, the backend is not switched to operate offline if authentication against the KDC is still possible.
Default: Use the KDC
krb5_ccachedir (string)
Default: /tmp
krb5_ccname_template (string)
%u
%U
%p
%r
%h
%d
%P
%%
If the template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe way.
When using KEYRING types, the only supported mechanism is “KEYRING:persistent:%U”, which uses the Linux kernel keyring to store credentials on a per-UID basis. This is also the recommended choice, as it is the most secure and predictable method.
The default value for the credential cache name is sourced from the profile stored in the system wide krb5.conf configuration file in the [libdefaults] section. The option name is default_ccache_name. See krb5.conf(5)'s PARAMETER EXPANSION paragraph for additional information on the expansion format defined by krb5.conf.
NOTE: Please be aware that libkrb5 ccache expansion template from krb5.conf(5) uses different expansion sequences than SSSD.
Default: (from libkrb5)
krb5_keytab (string)
Default: System keytab, normally /etc/krb5.keytab
krb5_store_password_if_offline (boolean)
NOTE: this feature is only available on Linux. Passwords stored in this way are kept in plaintext in the kernel keyring and are potentially accessible by the root user (with difficulty).
Default: false
krb5_use_fast (string)
never use FAST. This is equivalent to not setting this option at all.
try to use FAST. If the server does not support FAST, continue the authentication without it.
demand to use FAST. The authentication fails if the server does not require fast.
Default: not set, i.e. FAST is not used.
NOTE: a keytab or support for anonymous PKINIT is required to use FAST.
NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If SSSD is used with an older version of MIT Kerberos, using this option is a configuration error.
krb5_fast_principal (string)
krb5_fast_use_anonymous_pkinit (boolean)
Default: false
krb5_use_kdcinfo (boolean)
See the sssd_krb5_locator_plugin(8) manual page for more information on the locator plugin.
Default: true
krb5_kdcinfo_lookahead (string)
The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. The first number represents number of primary servers used and the second number specifies the number of backup servers.
For example 10:0 means that up to 10 primary servers will be handed to sssd_krb5_locator_plugin(8) but no backup servers.
Default: 3:1
krb5_use_enterprise_principal (boolean)
Default: false (AD provider: true)
The IPA provider will set to option to 'true' if it detects that the server is capable of handling enterprise principals and the option is not set explicitly in the config file.
krb5_use_subdomain_realm (boolean)
Default: false
krb5_map_user (string)
example:
krb5_realm = REALM krb5_map_user = joe:juser,dick:richard
“joe” and “dick” are UNIX user names and “juser” and “richard” are primaries of kerberos principals. For user “joe” resp. “dick” SSSD will try to kinit as “juser@REALM” resp. “richard@REALM”.
Default: not set
krb5_auth_timeout (integer)
Default: 6
krb5_validate (boolean)
Default: false (IPA and AD provider: true)
Please note that the ticket validation is the first step when checking the PAC (see 'pac_check' in the sssd.conf(5) manual page for details). If ticket validation is disabled the PAC checks will be skipped as well.
krb5_renewable_lifetime (string)
s for seconds
m for minutes
h for hours
d for days.
If there is no unit given, s is assumed.
NOTE: It is not possible to mix units. To set the renewable lifetime to one and a half hours, use '90m' instead of '1h30m'.
Default: not set, i.e. the TGT is not renewable
krb5_lifetime (string)
s for seconds
m for minutes
h for hours
d for days.
If there is no unit given s is assumed.
NOTE: It is not possible to mix units. To set the lifetime to one and a half hours please use '90m' instead of '1h30m'.
Default: not set, i.e. the default ticket lifetime configured on the KDC.
krb5_renew_interval (string)
s for seconds
m for minutes
h for hours
d for days.
If there is no unit given, s is assumed.
NOTE: It is not possible to mix units. To set the renewable lifetime to one and a half hours, use '90m' instead of '1h30m'.
If this option is not set or is 0 the automatic renewal is disabled.
Default: not set
krb5_canonicalize (boolean)
Default: false
FAILOVER¶
The failover feature allows back ends to automatically switch to a different server if the current server fails.
Failover Syntax¶
The list of servers is given as a comma-separated list; any number of spaces is allowed around the comma. The servers are listed in order of preference. The list can contain any number of servers.
For each failover-enabled config option, two variants exist: primary and backup. The idea is that servers in the primary list are preferred and backup servers are only searched if no primary servers can be reached. If a backup server is selected, a timeout of 31 seconds is set. After this timeout SSSD will periodically try to reconnect to one of the primary servers. If it succeeds, it will replace the current active (backup) server.
The Failover Mechanism¶
The failover mechanism distinguishes between a machine and a service. The back end first tries to resolve the hostname of a given machine; if this resolution attempt fails, the machine is considered offline. No further attempts are made to connect to this machine for any other service. If the resolution attempt succeeds, the back end tries to connect to a service on this machine. If the service connection attempt fails, then only this particular service is considered offline and the back end automatically switches over to the next service. The machine is still considered online and might still be tried for another service.
Further connection attempts are made to machines or services marked as offline after a specified period of time; this is currently hard coded to 30 seconds.
If there are no more machines to try, the back end as a whole switches to offline mode, and then attempts to reconnect every 30 seconds.
Failover time outs and tuning¶
Resolving a server to connect to can be as simple as running a single DNS query or can involve several steps, such as finding the correct site or trying out multiple host names in case some of the configured servers are not reachable. The more complex scenarios can take some time and SSSD needs to balance between providing enough time to finish the resolution process but on the other hand, not trying for too long before falling back to offline mode. If the SSSD debug logs show that the server resolution is timing out before a live server is contacted, you can consider changing the time outs.
This section lists the available tunables. Please refer to their description in the sssd.conf(5), manual page.
dns_resolver_server_timeout
Default: 1000
dns_resolver_op_timeout
Default: 3
dns_resolver_timeout
Default: 6
For LDAP-based providers, the resolve operation is performed as part of an LDAP connection operation. Therefore, also the “ldap_opt_timeout” timeout should be set to a larger value than “dns_resolver_timeout” which in turn should be set to a larger value than “dns_resolver_op_timeout” which should be larger than “dns_resolver_server_timeout”.
SERVICE DISCOVERY¶
The service discovery feature allows back ends to automatically find the appropriate servers to connect to using a special DNS query. This feature is not supported for backup servers.
Configuration¶
If no servers are specified, the back end automatically uses service discovery to try to find a server. Optionally, the user may choose to use both fixed server addresses and service discovery by inserting a special keyword, “_srv_”, in the list of servers. The order of preference is maintained. This feature is useful if, for example, the user prefers to use service discovery whenever possible, and fall back to a specific server when no servers can be discovered using DNS.
The domain name¶
Please refer to the “dns_discovery_domain” parameter in the sssd.conf(5) manual page for more details.
The protocol¶
The queries usually specify _tcp as the protocol. Exceptions are documented in respective option description.
See Also¶
For more information on the service discovery mechanism, refer to RFC 2782.
EXAMPLE¶
The following example assumes that SSSD is correctly configured and FOO is one of the domains in the [sssd] section. This example shows only configuration of Kerberos authentication; it does not include any identity provider.
[domain/FOO] auth_provider = krb5 krb5_server = 192.168.1.1 krb5_realm = EXAMPLE.COM
SEE ALSO¶
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5) sssd-systemtap(5)
AUTHORS¶
The SSSD upstream - https://github.com/SSSD/sssd/
04/18/2024 | SSSD |