13.2.21. Creating Domains: Kerberos Authentication
Both the LDAP and proxy identity providers can use Kerberos for authentication. Kerberos only provides authentication; it cannot supply the identity database, so the users to be authenticated must still come from the identity provider. SSSD assumes that the Kerberos KDC is also the kadmin server that handles password changes. Production realms commonly run several read-only KDC replicas and a single kadmin server, so use the krb5_kpasswd option to specify where the password changing service is running, or if it is running on a non-default port. If the krb5_kpasswd option is not defined, SSSD tries to use the Kerberos KDC to change the password.

The basic Kerberos configuration options are listed in Table 13.10. The sssd-krb5(5) man page has more information about Kerberos configuration options.
Example 13.13. Basic Kerberos Authentication

    # A domain with identities provided by LDAP and authentication by Kerberos
    [domain/KRBDOMAIN]
    id_provider = ldap
    chpass_provider = krb5
    ldap_uri = ldap://ldap.example.com
    ldap_search_base = dc=example,dc=com
    ldap_tls_reqcert = demand
    ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
    auth_provider = krb5
    krb5_server = kdc.example.com
    krb5_backup_server = kerberos.example.com
    krb5_realm = EXAMPLE.COM
    krb5_kpasswd = kerberos.admin.example.com
    krb5_auth_timeout = 15

Note that the option is spelled ldap_tls_reqcert (with underscores); with demand, SSSD refuses to talk to an LDAP server whose certificate does not validate against ldap_tls_cacert, which is the setting to keep for a directory that is trusted to supply identities.
Example 13.14. Setting Kerberos Ticket Renewal Options

The Kerberos authentication provider requests a ticket-granting ticket (TGT) for each user who authenticates. How long that single ticket is valid is set with the krb5_lifetime parameter, which overrides any value configured in the KDC for the request. (The KDC can still cap the requested lifetime at its own maximum, so the ticket actually issued may be shorter than the value requested here.)

If the ticket is renewable, SSSD can renew it repeatedly until it reaches the krb5_renewable_lifetime parameter, which sets the maximum lifetime of the ticket, counting all renewals.

    krb5_lifetime = 1h
    krb5_renewable_lifetime = 1d

Renewal only happens if SSSD periodically checks the ticket. The krb5_renew_interval parameter sets how frequently SSSD checks whether the ticket needs to be renewed. Once half of the ticket lifetime (whatever that setting is) has elapsed, the ticket is renewed automatically at the next check. This value is in seconds; a trailing s is accepted, as in the example.

    krb5_lifetime = 1h
    krb5_renewable_lifetime = 1d
    krb5_renew_interval = 60s

Note: If the krb5_renewable_lifetime value is not set, or the krb5_renew_interval parameter is not set or is set to zero (0), then ticket renewal is disabled. Both krb5_renewable_lifetime and krb5_renew_interval are required for ticket renewal to be enabled. The check interval should also be comfortably shorter than half of krb5_lifetime; otherwise a check can arrive after the ticket has already expired and the user silently loses the TGT.
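The renewal rules above are easy to get wrong in a hand-edited sssd.conf, and a misconfiguration fails silently: users simply end up with expired TGTs. The following Python script is an added example, not SSSD's own tooling or code from the Red Hat guide. It parses the domain sections of an sssd.conf (a constructed sample is embedded inline), applies the page's rule that renewal is enabled only when krb5_renewable_lifetime is set and krb5_renew_interval is set and non-zero, and additionally warns when the renewable lifetime is shorter than the ticket lifetime or when the check interval is longer than half the ticket lifetime. The lint_renewal and lint_config function names are the example's own, not SSSD API.

```python
"""Lint the Kerberos ticket-renewal settings in sssd.conf domain sections.

Added example (not part of SSSD or the Red Hat guide). Encodes the rules
from Example 13.14: renewal needs krb5_renewable_lifetime plus a non-zero
krb5_renew_interval, and renewal happens once half of krb5_lifetime has
elapsed, checked every krb5_renew_interval.
"""
import configparser
import re

# Constructed sample configuration, not a real deployment.
SAMPLE_SSSD_CONF = """
[sssd]
domains = KRBDOMAIN, BROKEN, NORENEW

[domain/KRBDOMAIN]
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_lifetime = 1h
krb5_renewable_lifetime = 1d
krb5_renew_interval = 60s

[domain/BROKEN]
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_lifetime = 1h
krb5_renewable_lifetime = 30m
krb5_renew_interval = 45m

[domain/NORENEW]
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_lifetime = 1h
krb5_renew_interval = 60s
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_DURATION = re.compile(r"^\s*(\d+)\s*([smhd]?)\s*$")


def parse_duration(value):
    """Parse '1h', '30m', '60s', '1d' or a bare number into seconds.
    A bare number is taken as seconds, which is how SSSD reads it."""
    m = _DURATION.match(value)
    if not m:
        raise ValueError("bad duration: %r" % (value,))
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def lint_renewal(section):
    """Return (renewal_enabled, warnings) for one parsed domain section."""
    warnings = []
    lifetime = section.get("krb5_lifetime")
    renewable = section.get("krb5_renewable_lifetime")
    interval = section.get("krb5_renew_interval")

    interval_s = parse_duration(interval) if interval else 0
    enabled = bool(renewable) and interval_s > 0
    if not enabled:
        warnings.append("ticket renewal disabled: both krb5_renewable_lifetime "
                        "and a non-zero krb5_renew_interval are required")
        return enabled, warnings

    renewable_s = parse_duration(renewable)
    if lifetime:
        lifetime_s = parse_duration(lifetime)
        if renewable_s < lifetime_s:
            warnings.append("krb5_renewable_lifetime is shorter than krb5_lifetime; "
                            "renewals can never extend the ticket")
        # Renewal is attempted once half the lifetime has passed. If the check
        # interval is longer than the remaining half, the check can land after
        # the TGT has already expired.
        if interval_s > lifetime_s // 2:
            warnings.append("krb5_renew_interval exceeds half of krb5_lifetime; "
                            "a renewal check may come too late")
    return enabled, warnings


def lint_config(text):
    """Map domain name -> (renewal_enabled, warnings) for every krb5 domain."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' is legal in sssd.conf
    cp.read_string(text)
    results = {}
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec = cp[name]
        if sec.get("auth_provider") != "krb5":
            continue
        results[name[len("domain/"):]] = lint_renewal(sec)
    return results


if __name__ == "__main__":
    for dom, (enabled, warns) in lint_config(SAMPLE_SSSD_CONF).items():
        print("%s: renewal %s" % (dom, "enabled" if enabled else "disabled"))
        for w in warns:
            print("  warning: " + w)
```

To run it against a live host, replace SAMPLE_SSSD_CONF with the contents of /etc/sssd/sssd.conf (root-readable only, so run as root). The KRBDOMAIN section passes cleanly, BROKEN is flagged twice, and NORENEW is reported as having renewal disabled because krb5_renewable_lifetime is missing.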
Table 13.10. Kerberos Authentication Configuration Parameters

| Parameter | Description |
|---|---|
| chpass_provider | Specifies which service to use for password change operations. This is assumed to be the same as the authentication provider. To use Kerberos, set this to krb5. |
| krb5_server | Gives the primary Kerberos server, by IP address or host name, to which SSSD will connect. |
| krb5_backup_server | Gives a comma-separated list of IP addresses or host names of Kerberos servers to which SSSD will connect if the primary server is not available. The list is given in order of preference, so the first server in the list is tried first. After an hour, SSSD will attempt to reconnect to the primary server specified in the krb5_server parameter. When using service discovery for KDC or kpasswd servers, SSSD first searches for DNS entries that specify UDP as the connection protocol, and then falls back to TCP. |
| krb5_realm | Identifies the Kerberos realm served by the KDC. |
| krb5_lifetime | Requests a Kerberos ticket with the specified lifetime in seconds (s), minutes (m), hours (h) or days (d). |
| krb5_renewable_lifetime | Requests a renewable Kerberos ticket with a total lifetime, counting all renewals, specified in seconds (s), minutes (m), hours (h) or days (d). |
| krb5_renew_interval | Sets the time, in seconds, between checks by SSSD of whether tickets should be renewed. Tickets are renewed automatically once they exceed half their lifetime. If this option is missing or set to zero, automatic ticket renewal is disabled. |
| krb5_store_password_if_offline | Sets whether to store user passwords if the Kerberos authentication provider is offline, and then to use that cache to request tickets when the provider is back online. The default is false, which does not store passwords. A stored password is held in plaintext in the kernel keyring and is potentially readable by root, so enable this only where acquiring a TGT after an offline login is actually required. |
| krb5_kpasswd | Lists alternate Kerberos kadmin servers to use if the change password service is not running on the KDC. |
| krb5_ccname_template | Gives the location (cache type and name) used to store the user's credential cache. The value can be templatized with the tokens documented in sssd-krb5(5): %u (the user's login name), %U (the user's login UID), %p (the user's principal name), %r (the realm name), %h (the user's home directory), %d (the value of krb5_ccachedir), %P (the process ID of the SSSD client), %% (a literal percent sign), and a trailing XXXXXX, which is replaced with a random string. For example: krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX |
| krb5_ccachedir | Specifies the directory in which credential caches are stored. This can be templatized using the same tokens as krb5_ccname_template, except %d and %P. |
| krb5_auth_timeout | Gives the time, in seconds, before an online authentication or change password request is aborted. If possible, the authentication request is continued offline. The default is 15 seconds. |