focal (8) sssd-kcm.8.gz

Provided by: sssd-kcm_2.2.3-3ubuntu0.13_amd64

NAME

       sssd-kcm - SSSD Kerberos Cache Manager

DESCRIPTION

       This manual page describes the configuration of the SSSD Kerberos Cache Manager (KCM). KCM is a process
       that stores, tracks and manages Kerberos credential caches. It originates in the Heimdal Kerberos
       project, although the MIT Kerberos library also provides client-side support for the KCM credential
       cache (more details on that below).

       In a setup where Kerberos caches are managed by KCM, the Kerberos library (typically used through an
       application such as kinit(1)) is a “KCM client” and the KCM daemon is referred to as a “KCM server”.
       The client and server communicate over a UNIX socket.

       The KCM server keeps track of each credential cache's owner and performs access control based on the
       UID and GID of the KCM client. The root user has access to all credential caches.

       The KCM credential cache has several interesting properties:

       •   since the process runs in userspace, it is subject to UID namespacing, unlike the kernel keyring

       •   unlike the kernel keyring-based cache, which is shared between all containers, the KCM server is a
           separate process whose entry point is a UNIX socket

       •   the SSSD implementation stores the ccaches in a database, typically located at /var/lib/sss/secrets
           allowing the ccaches to survive KCM server restarts or machine reboots.

       This allows the system to use a collection-aware credential cache, yet share the credential cache between
       some or no containers by bind-mounting the socket.

USING THE KCM CREDENTIAL CACHE

       In order to use the KCM credential cache, it must be selected as the default credential cache type in
       krb5.conf(5). The credential cache name must be exactly “KCM:” without any template expansions. For
       example:

           [libdefaults]
               default_ccache_name = KCM:

       Next, make sure the Kerberos client libraries and the KCM server agree on the UNIX socket path. By
       default, both use the same path, /var/run/.heim_org.h5l.kcm-socket. To configure the Kerberos library,
       change its “kcm_socket” option, which is described in the krb5.conf(5) manual page.

       Finally, make sure the SSSD KCM server can be contacted. The KCM service is typically socket-activated by
       systemd(1). Unlike other SSSD services, it cannot be started by adding the “kcm” string to the “services”
       directive; enable its socket unit instead:

           systemctl start sssd-kcm.socket
           systemctl enable sssd-kcm.socket

       Please note your distribution may already configure the units for you.

THE CREDENTIAL CACHE STORAGE

       The credential caches are stored in a database, much like SSSD caches user or group entries. The database
       is typically located at “/var/lib/sss/secrets”.

OBTAINING DEBUG LOGS

       The sssd-kcm service is typically socket-activated by systemd(1). To generate debug logs, add the
       following either to the /etc/sssd/sssd.conf file directly or as a configuration snippet in the
       /etc/sssd/conf.d/ directory:

           [kcm]
           debug_level = 10

       Then, restart the sssd-kcm service:

           systemctl restart sssd-kcm.service

       Finally, run whatever use case does not work for you. The KCM logs will be written to
       /var/log/sssd/sssd_kcm.log. It is recommended to disable the debug logs once you no longer need them,
       as the sssd-kcm service can generate a large amount of debugging information.

       Please note that configuration snippets are, at the moment, only processed if the main configuration file
       at /etc/sssd/sssd.conf exists at all.

CONFIGURATION OPTIONS

       The KCM service is configured in the “kcm” section of the sssd.conf file. Please note that because the
       KCM service is typically socket-activated, it is enough to just restart the “sssd-kcm” service after
       changing options in the “kcm” section of sssd.conf:

           systemctl restart sssd-kcm.service

       For a detailed syntax reference, refer to the “FILE FORMAT” section of the sssd.conf(5) manual page.

       The generic SSSD service options such as “debug_level” or “fd_limit” are accepted by the kcm service.
       Please refer to the sssd.conf(5) manual page for a complete list. In addition, there are some
       KCM-specific options as well.

       socket_path (string)
           The socket the KCM service will listen on.

           Default: /var/run/.heim_org.h5l.kcm-socket

       max_ccaches (integer)
           The maximum number of credential caches the KCM database allows for all users combined.

           Default: 0 (unlimited, only the per-UID quota is enforced)

       max_uid_ccaches (integer)
           The maximum number of credential caches the KCM database allows per UID. This is equivalent to “how
           many principals you can kinit as”.

           Default: 64

       max_ccache_size (integer)
           The maximum size of a single credential cache. Each service ticket stored in the cache counts
           towards this quota.

           Default: 65536
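       The man page requires the KCM client (krb5.conf) and the KCM server (the “kcm” section of sssd.conf) to
       agree on the cache type and on the socket path, and recommends turning “debug_level = 10” back off after
       troubleshooting. The script below is an added example, not part of the sssd-kcm man page or the SSSD
       project: it reads both files and reports where they disagree. The only hard-coded values are the
       defaults the man page documents; the sample configuration files it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the sssd-kcm man page: cross-check that the Kerberos
# client (krb5.conf) and the SSSD KCM server (sssd.conf) agree on using KCM and
# on the UNIX socket path. Only the defaults the man page documents are hard-coded.
KCM_DEFAULT_SOCKET=/var/run/.heim_org.h5l.kcm-socket
# ini_get FILE SECTION KEY: print KEY's value from [SECTION], or nothing.
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        { l = $0; sub(/^[ \t]+/, "", l); sub(/[ \t]+$/, "", l) }
        l ~ /^\[.*\]$/ { insec = (l == want); next }
        insec && index(l, "=") > 1 {
            k = substr(l, 1, index(l, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr(l, index(l, "=") + 1); sub(/^[ \t]+/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}
# check_kcm_config KRB5_CONF SSSD_CONF: one finding per line; returns 0 only
# when the client and server settings are consistent.
check_kcm_config() {
    rc=0
    ccname=$(ini_get "$1" libdefaults default_ccache_name)
    case "$ccname" in
        KCM:)  echo "ok: default_ccache_name is KCM:" ;;
        KCM:*) echo "FAIL: '$ccname' has a template expansion; KCM: must stand alone"; rc=1 ;;
        "")    echo "FAIL: default_ccache_name unset, KCM is not the default cache type"; rc=1 ;;
        *)     echo "FAIL: default_ccache_name is '$ccname', not KCM:"; rc=1 ;;
    esac
    client_sock=$(ini_get "$1" libdefaults kcm_socket)
    server_sock=$(ini_get "$2" kcm socket_path)
    [ -n "$client_sock" ] || client_sock=$KCM_DEFAULT_SOCKET
    [ -n "$server_sock" ] || server_sock=$KCM_DEFAULT_SOCKET
    if [ "$client_sock" = "$server_sock" ]; then
        echo "ok: client and server agree on socket $client_sock"
    else
        echo "FAIL: kcm_socket=$client_sock but [kcm] socket_path=$server_sock"; rc=1
    fi
    # debug_level = 10 is the man page's troubleshooting setting; flag it if left on.
    dbg=$(ini_get "$2" kcm debug_level)
    [ "$dbg" = 10 ] && echo "warn: [kcm] debug_level = 10 is still enabled"
    return $rc
}
# Constructed sample files (not a real host): the krb5.conf carries the template
# expansion the man page warns against, and the socket paths disagree.
demo() {
    d=$(mktemp -d)
    printf '[libdefaults]\n  default_ccache_name = KCM:%%{uid}\n' > "$d/krb5.conf"
    printf '[kcm]\nsocket_path = /run/kcm-socket\ndebug_level = 10\n' > "$d/sssd.conf"
    check_kcm_config "$d/krb5.conf" "$d/sssd.conf"; st=$?
    rm -rf "$d"; return $st
}
demo || echo "check reported problems (exit status $?)"
```

       Point check_kcm_config at copies of the real /etc/krb5.conf and /etc/sssd/sssd.conf to audit a host; a
       non-zero exit status means the client and server would not find each other.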

SEE ALSO

       sssd(8), sssd.conf(5)

AUTHORS

       The SSSD upstream - https://pagure.io/SSSD/sssd/