Provided by: sssd_1.0.5-0ubuntu1_i386 bug


       sssd-krb5 - the configuration file for SSSD


       This manual page describes the configuration of the Kerberos 5
       authentication backend for sssd(8). For a detailed syntax reference,
       please refer to the “FILE FORMAT” section of the sssd.conf(5) manual

       The Kerberos 5 authentication backend does not contain an identity
       provider and must be paired with one in order to function properly (for
       example, id_provider = ldap). Some information required by the Kerberos
       5 authentication backend must be provided by the identity provider,
       such as the user´s Kerberos Principal Name (UPN). The configuration of
       the identity provider should have an entry to specify the UPN. Please
       refer to the man page for the applicable identity provider for details
       on how to configure this.

       In the case where the UPN is not available in the identity backend sssd
       will construct a UPN using the format username@krb5_realm.


       If the auth-module krb5 is used in a SSSD domain, the following options
       must be used. See the sssd.conf(5) manual page, section “DOMAIN
       SECTIONS” for details on the configuration of a SSSD domain.

       krb5_kdcip (string)
           Specifies the list of IP addresses or hostnames of the Kerberos
           servers to which SSSD should connect in the order of preference.
           For more information on failover and server redundancy, see the
           “FAILOVER” section.

       krb5_realm (string)
           The name of the Kerberos realm.

       krb5_changepw_principal (string)
           The priciple of the change password service. If only the
           ´identifier/instance´ part of the principal are given the realm
           part is added automatically.

           Default: kadmin/changepw

       krb5_ccachedir (string)
           Directory to store credential caches.

           Default: /tmp

       krb5_ccname_template (string)
           Location of the user´s credential cache. Currently only file based
           credential caches are supported. In the template the following
           sequences are substituted:

               login name

               login UID

               principal name

               realm name

               home directory

               value of krb5ccache_dir

               the process ID of the sssd client

               a literal ´%´

           If the template ends with ´XXXXXX´ mkstemp(3) is used to create a
           unique filename in a safe way.

           Default: FILE:%d/krb5cc_%U_XXXXXX

       krb5_auth_timeout (integer)
           Timeout in seconds after an online authentication or change
           password request is aborted. If possible the authentication request
           is continued offline.

           Default: 15

       krb5_validate (boolean)
           Verify with the help of krb5_keytab that the TGT obtained has not
           been spoofed.

           Default: false

       krb5_keytab (string)
           The location of the keytab to use when validating credentials
           obtained from KDCs.

           Default: /etc/krb5.keytab


       The failover feature allows back ends to automatically switch to a
       different server if the primary server fails.

   Failover Syntax
       The list of servers is given as a comma-separated list; any number of
       spaces is allowed around the comma. The servers are listed in order of
       preference. The list can contain any number of servers.

   The Failover Mechanism
       The failover mechanism distinguishes between a machine and a service.
       The back end first tries to resolve the hostname of a given machine; if
       this resolution attempt fails, the machine is considered offline. No
       further attempts are made to connect to this machine for any other
       service. If the resolution attempt succeeds, the back end tries to
       connect to a service on this machine. If the service connection attempt
       fails, then only this particular service is considered offline and the
       back end automatically switches over to the next service. The machine
       is still considered online and might still be tried for another

       Further connection attempts are made to machines or services marked as
       offline after a specified period of time; this is currently hard coded
       to 30 seconds.

       If there are no more machines to try, the back end as a whole switches
       to offline mode, and then attempts to reconnect every 30 seconds.


       The following example assumes that SSSD is correctly configured and FOO
       is one of the domains in the [sssd] section. This example shows only
       configuration of Kerberos authentication, it does not include any
       identity provider.

               auth_provider = krb5
               krb5_kdcip =
               krb5_realm = EXAMPLE.COM


       sssd.conf(5), sssd(8)


       The SSSD upstream -