This manual page describes the configuration of the Kerberos 5 authentication backend for sssd(8). For a detailed syntax reference, please refer to the "FILE FORMAT" section of the sssd.conf(5) manual page
The Kerberos 5 authentication backend does not contain an identity provider and must be paired with one in order to function properly (for example, id_provider = ldap). Some information required by the Kerberos 5 authentication backend must be provided by the identity provider, such as the user's Kerberos Principal Name (UPN). The configuration of the identity provider should have an entry to specify the UPN. Please refer to the man page for the applicable identity provider for details on how to configure this.
In the case where the UPN is not available in the identity backend sssd will construct a UPN using the format username@krb5_realm.
If the auth-module krb5 is used in a SSSD domain, the following options must be used. See the sssd.conf(5) manual page, section "DOMAIN SECTIONS" for details on the configuration of a SSSD domain.
For more information on failover and server redundancy, see the "FAILOVER" section. Please note that even if there are no more kpasswd servers to try the back end is not switch to offline if authentication against the KDC is still possible.
Default: Use the KDC
If the template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe way.
Please note that this feature currently only available on a Linux plattform.
The failover feature allows back ends to automatically switch to a different server if the primary server fails.
The list of servers is given as a comma-separated list; any number of spaces is allowed around the comma. The servers are listed in order of preference. The list can contain any number of servers.
The failover mechanism distinguishes between a machine and a service. The back end first tries to resolve the hostname of a given machine; if this resolution attempt fails, the machine is considered offline. No further attempts are made to connect to this machine for any other service. If the resolution attempt succeeds, the back end tries to connect to a service on this machine. If the service connection attempt fails, then only this particular service is considered offline and the back end automatically switches over to the next service. The machine is still considered online and might still be tried for another service.
Further connection attempts are made to machines or services marked as offline after a specified period of time; this is currently hard coded to 30 seconds.
If there are no more machines to try, the back end as a whole switches to offline mode, and then attempts to reconnect every 30 seconds.
The service discovery feature allows back ends to automatically find the appropriate servers to connect to using a special DNS query.
If no servers are specified, the back end automatically uses service discovery to try to find a server. Optionally, the user may choose to use both fixed server addresses and service discovery by inserting a special keyword, "_srv_", in the list of servers. The order of preference is maintained. This feature is useful if, for example, the user prefers to use service discovery whenever possible, and fall back to a specific server when no servers can be discovered using DNS.
The name of the SSSD domain is used as the domain part of the service discovery DNS query.
For more information on the service discovery mechanism, refer to RFC 2782.
The following example assumes that SSSD is correctly configured and FOO is one of the domains in the [sssd] section. This example shows only configuration of Kerberos authentication, it does not include any identity provider.
[domain/FOO] auth_provider = krb5 krb5_kdcip = 192.168.1.1 krb5_realm = EXAMPLE.COM
sssd.conf(5), sssd-ldap(5), sssd(8)
The SSSD upstream - http://fedorahosted.org/sssd