summaryrefslogtreecommitdiffstats
path: root/src/man/sssd-krb5.5.xml
diff options
context:
space:
mode:
Diffstat (limited to 'src/man/sssd-krb5.5.xml')
-rw-r--r--src/man/sssd-krb5.5.xml250
1 files changed, 250 insertions, 0 deletions
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
new file mode 100644
index 000000000..32b6c293d
--- /dev/null
+++ b/src/man/sssd-krb5.5.xml
@@ -0,0 +1,250 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd-krb5</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd-krb5</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='description'>
+ <title>DESCRIPTION</title>
+ <para>
+ This manual page describes the configuration of the Kerberos
+ 5 authentication backend for
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>.
+ For a detailed syntax reference, please refer to the <quote>FILE FORMAT</quote> section of the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page
+ </para>
+ <para>
+ The Kerberos 5 authentication backend does not contain an identity
+ provider and must be paired with one in order to function properly (for
+ example, id_provider = ldap). Some information required by the Kerberos
+ 5 authentication backend must be provided by the identity provider, such
+ as the user's Kerberos Principal Name (UPN). The configuration of the
+ identity provider should have an entry to specify the UPN. Please refer
+ to the man page for the applicable identity provider for details on how
+ to configure this.
+ </para>
+ <para>
+ In the case where the UPN is not available in the identity backend
+ <command>sssd</command> will construct a UPN using the format
+ <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>.
+ </para>
+
+ </refsect1>
+
+ <refsect1 id='file-format'>
+ <title>CONFIGURATION OPTIONS</title>
+ <para>
+ If the auth-module krb5 is used in a SSSD domain, the following
+ options must be used. See the
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>
+ for details on the configuration of a SSSD domain.
+ <variablelist>
+ <varlistentry>
+ <term>krb5_kdcip (string)</term>
+ <listitem>
+ <para>
+ Specifies the list of IP addresses or hostnames
+ of the Kerberos servers to which SSSD should
+ connect in the order of preference. For more
+ information on failover and server redundancy,
+ see the <quote>FAILOVER</quote> section.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_realm (string)</term>
+ <listitem>
+ <para>
+ The name of the Kerberos realm.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_changepw_principal (string)</term>
+ <listitem>
+ <para>
+ The priciple of the change password service.
+ If only the 'identifier/instance' part of the
+ principal are given the realm part is added
+ automatically.
+ </para>
+ <para>
+ Default: kadmin/changepw
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_ccachedir (string)</term>
+ <listitem>
+ <para>
+ Directory to store credential caches.
+ </para>
+ <para>
+ Default: /tmp
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_ccname_template (string)</term>
+ <listitem>
+ <para>
+ Location of the user's credential cache. Currently
+ only file based credential caches are supported. In
+ the template the following sequences are
+ substituted:
+ <variablelist>
+ <varlistentry>
+ <term>%u</term>
+ <listitem><para>login name</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%U</term>
+ <listitem><para>login UID</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%p</term>
+ <listitem><para>principal name</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%r</term>
+ <listitem><para>realm name</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%h</term>
+ <listitem><para>home directory</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%d</term>
+ <listitem><para>value of krb5ccache_dir
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%P</term>
+ <listitem><para>the process ID of the sssd
+ client</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>%%</term>
+ <listitem><para>a literal '%'</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ If the template ends with 'XXXXXX' mkstemp(3) is
+ used to create a unique filename in a safe way.
+ </para>
+ <para>
+ Default: FILE:%d/krb5cc_%U_XXXXXX
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_auth_timeout (integer)</term>
+ <listitem>
+ <para>
+ Timeout in seconds after an online authentication or
+ change password request is aborted. If possible the
+ authentication request is continued offline.
+ </para>
+ <para>
+ Default: 15
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_validate (boolean)</term>
+ <listitem>
+ <para>
+ Verify with the help of krb5_keytab that the TGT obtained has not been spoofed.
+ </para>
+ <para>
+ Default: false
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>krb5_keytab (string)</term>
+ <listitem>
+ <para>
+ The location of the keytab to use when validating
+ credentials obtained from KDCs.
+ </para>
+ <para>
+ Default: /etc/krb5.keytab
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </para>
+ </refsect1>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ The following example assumes that SSSD is correctly
+ configured and FOO is one of the domains in the
+ <replaceable>[sssd]</replaceable> section. This example shows
+ only configuration of Kerberos authentication, it does not include
+ any identity provider.
+ </para>
+ <para>
+<programlisting>
+ [domain/FOO]
+ auth_provider = krb5
+ krb5_kdcip = 192.168.1.1
+ krb5_realm = EXAMPLE.COM
+</programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+</refentry>
+</reference>