diff options
Diffstat (limited to 'src/man/sssd-krb5.5.xml')
-rw-r--r-- | src/man/sssd-krb5.5.xml | 250 |
1 files changed, 250 insertions, 0 deletions
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml new file mode 100644 index 000000000..32b6c293d --- /dev/null +++ b/src/man/sssd-krb5.5.xml @@ -0,0 +1,250 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>SSSD Manual pages</title> +<refentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> + + <refmeta> + <refentrytitle>sssd-krb5</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo> + </refmeta> + + <refnamediv id='name'> + <refname>sssd-krb5</refname> + <refpurpose>the configuration file for SSSD</refpurpose> + </refnamediv> + + <refsect1 id='description'> + <title>DESCRIPTION</title> + <para> + This manual page describes the configuration of the Kerberos + 5 authentication backend for + <citerefentry> + <refentrytitle>sssd</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>. + For a detailed syntax reference, please refer to the <quote>FILE FORMAT</quote> section of the + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> manual page + </para> + <para> + The Kerberos 5 authentication backend does not contain an identity + provider and must be paired with one in order to function properly (for + example, id_provider = ldap). Some information required by the Kerberos + 5 authentication backend must be provided by the identity provider, such + as the user's Kerberos Principal Name (UPN). The configuration of the + identity provider should have an entry to specify the UPN. Please refer + to the man page for the applicable identity provider for details on how + to configure this. + </para> + <para> + In the case where the UPN is not available in the identity backend + <command>sssd</command> will construct a UPN using the format + <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>. + </para> + + </refsect1> + + <refsect1 id='file-format'> + <title>CONFIGURATION OPTIONS</title> + <para> + If the auth-module krb5 is used in a SSSD domain, the following + options must be used. See the + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle> + <manvolnum>5</manvolnum> + </citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote> + for details on the configuration of a SSSD domain. + <variablelist> + <varlistentry> + <term>krb5_kdcip (string)</term> + <listitem> + <para> + Specifies the list of IP addresses or hostnames + of the Kerberos servers to which SSSD should + connect in the order of preference. For more + information on failover and server redundancy, + see the <quote>FAILOVER</quote> section. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_realm (string)</term> + <listitem> + <para> + The name of the Kerberos realm. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_changepw_principal (string)</term> + <listitem> + <para> + The priciple of the change password service. + If only the 'identifier/instance' part of the + principal are given the realm part is added + automatically. + </para> + <para> + Default: kadmin/changepw + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_ccachedir (string)</term> + <listitem> + <para> + Directory to store credential caches. + </para> + <para> + Default: /tmp + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_ccname_template (string)</term> + <listitem> + <para> + Location of the user's credential cache. Currently + only file based credential caches are supported. In + the template the following sequences are + substituted: + <variablelist> + <varlistentry> + <term>%u</term> + <listitem><para>login name</para></listitem> + </varlistentry> + <varlistentry> + <term>%U</term> + <listitem><para>login UID</para></listitem> + </varlistentry> + <varlistentry> + <term>%p</term> + <listitem><para>principal name</para> + </listitem> + </varlistentry> + <varlistentry> + <term>%r</term> + <listitem><para>realm name</para></listitem> + </varlistentry> + <varlistentry> + <term>%h</term> + <listitem><para>home directory</para> + </listitem> + </varlistentry> + <varlistentry> + <term>%d</term> + <listitem><para>value of krb5ccache_dir + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>%P</term> + <listitem><para>the process ID of the sssd + client</para> + </listitem> + </varlistentry> + <varlistentry> + <term>%%</term> + <listitem><para>a literal '%'</para> + </listitem> + </varlistentry> + </variablelist> + If the template ends with 'XXXXXX' mkstemp(3) is + used to create a unique filename in a safe way. + </para> + <para> + Default: FILE:%d/krb5cc_%U_XXXXXX + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_auth_timeout (integer)</term> + <listitem> + <para> + Timeout in seconds after an online authentication or + change password request is aborted. If possible the + authentication request is continued offline. + </para> + <para> + Default: 15 + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_validate (boolean)</term> + <listitem> + <para> + Verify with the help of krb5_keytab that the TGT obtained has not been spoofed. + </para> + <para> + Default: false + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_keytab (string)</term> + <listitem> + <para> + The location of the keytab to use when validating + credentials obtained from KDCs. + </para> + <para> + Default: /etc/krb5.keytab + </para> + </listitem> + </varlistentry> + + </variablelist> + </para> + </refsect1> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" /> + + <refsect1 id='example'> + <title>EXAMPLE</title> + <para> + The following example assumes that SSSD is correctly + configured and FOO is one of the domains in the + <replaceable>[sssd]</replaceable> section. This example shows + only configuration of Kerberos authentication, it does not include + any identity provider. + </para> + <para> +<programlisting> + [domain/FOO] + auth_provider = krb5 + krb5_kdcip = 192.168.1.1 + krb5_realm = EXAMPLE.COM +</programlisting> + </para> + </refsect1> + + <refsect1 id='see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> +</refentry> +</reference> |