From 1c48b5a62f73234ed26bb20f0ab345ab61cda0ab Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 18 Feb 2010 07:49:04 -0500 Subject: Rename server/ directory to src/ Also update BUILD.txt --- src/man/sssd-krb5.5.xml | 250 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 250 insertions(+) create mode 100644 src/man/sssd-krb5.5.xml (limited to 'src/man/sssd-krb5.5.xml') diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml new file mode 100644 index 000000000..32b6c293d --- /dev/null +++ b/src/man/sssd-krb5.5.xml 
@@ -0,0 +1,250 @@ + + + +SSSD Manual pages + + + + + sssd-krb5 + 5 + File Formats and Conventions + + + + sssd-krb5 + the configuration file for SSSD + + + + DESCRIPTION + + This manual page describes the configuration of the Kerberos + 5 authentication backend for + + sssd + 8 + . + For a detailed syntax reference, please refer to the FILE FORMAT section of the + + sssd.conf + 5 + manual page + + + The Kerberos 5 authentication backend does not contain an identity + provider and must be paired with one in order to function properly (for + example, id_provider = ldap). Some information required by the Kerberos + 5 authentication backend must be provided by the identity provider, such + as the user's Kerberos Principal Name (UPN). The configuration of the + identity provider should have an entry to specify the UPN. Please refer + to the man page for the applicable identity provider for details on how + to configure this. + + + In the case where the UPN is not available in the identity backend + sssd will construct a UPN using the format + username@krb5_realm. + + + + + + CONFIGURATION OPTIONS + + If the auth-module krb5 is used in a SSSD domain, the following + options must be used. See the + + sssd.conf + 5 + manual page, section DOMAIN SECTIONS + for details on the configuration of a SSSD domain. + + + krb5_kdcip (string) + + + Specifies the list of IP addresses or hostnames + of the Kerberos servers to which SSSD should + connect in the order of preference. For more + information on failover and server redundancy, + see the FAILOVER section. + + + + + + krb5_realm (string) + + + The name of the Kerberos realm. + + + + + + krb5_changepw_principal (string) + + + The priciple of the change password service. + If only the 'identifier/instance' part of the + principal are given the realm part is added + automatically. + + + Default: kadmin/changepw + + + + + + krb5_ccachedir (string) + + + Directory to store credential caches. 
+ + + Default: /tmp + + + + + + krb5_ccname_template (string) + + + Location of the user's credential cache. Currently + only file based credential caches are supported. In + the template the following sequences are + substituted: + + + %u + login name + + + %U + login UID + + + %p + principal name + + + + %r + realm name + + + %h + home directory + + + + %d + value of krb5ccache_dir + + + + + %P + the process ID of the sssd + client + + + + %% + a literal '%' + + + + If the template ends with 'XXXXXX' mkstemp(3) is + used to create a unique filename in a safe way. + + + Default: FILE:%d/krb5cc_%U_XXXXXX + + + + + + krb5_auth_timeout (integer) + + + Timeout in seconds after an online authentication or + change password request is aborted. If possible the + authentication request is continued offline. + + + Default: 15 + + + + + + krb5_validate (boolean) + + + Verify with the help of krb5_keytab that the TGT obtained has not been spoofed. + + + Default: false + + + + + + krb5_keytab (string) + + + The location of the keytab to use when validating + credentials obtained from KDCs. + + + Default: /etc/krb5.keytab + + + + + + + + + + + + EXAMPLE + + The following example assumes that SSSD is correctly + configured and FOO is one of the domains in the + [sssd] section. This example shows + only configuration of Kerberos authentication, it does not include + any identity provider. + + + + [domain/FOO] + auth_provider = krb5 + krb5_kdcip = 192.168.1.1 + krb5_realm = EXAMPLE.COM + + + + + + SEE ALSO + + + sssd.conf5 + , + + sssd-ldap5 + , + + sssd8 + + + + + -- cgit
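Review bot: The krb5_validate entry documents "Default: false" with only the one-line description "Verify with the help of krb5_keytab that the TGT obtained has not been spoofed." It does not tell the administrator what they give up by leaving it off, or what happens when the keytab named by krb5_keytab is missing or unreadable. Please add a sentence saying that with the default setting the TGT is accepted without being checked against a local key, and one describing the behaviour when validation is enabled but the keytab cannot be used. Smaller points in the same hunk: the %d substitution under krb5_ccname_template is described as "value of krb5ccache_dir", but the option is documented just above as krb5_ccachedir, so one of the two spellings is wrong. "The priciple of the change password service" should read "principal". krb5_kdcip refers the reader to "the FAILOVER section", but the visible sections of this file are DESCRIPTION, CONFIGURATION OPTIONS, EXAMPLE and SEE ALSO, so the reference should name the man page that contains that section. Finally, the CONFIGURATION OPTIONS intro says the following options "must be used", yet most of them list a default, so it would help to mark which ones are actually required.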