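PAM_SSS_GSS(8)                  SSSD Manual pages                  PAM_SSS_GSS(8)

NAME
       pam_sss_gss - PAM module for SSSD GSSAPI authentication

SYNOPSIS
       pam_sss_gss.so [debug]

DESCRIPTION
       pam_sss_gss.so authenticates the user over GSSAPI in cooperation with SSSD.

       The module tries to authenticate the user with the GSSAPI host-based service name host@hostname, which translates to the Kerberos principal host/hostname@REALM. The REALM part of the principal name is derived by Kerberos internal mechanisms; it can be set explicitly in the [domain_realm] section of /etc/krb5.conf.

       SSSD provides the desired service name and validates the user's credentials using GSSAPI calls. If the service ticket is already present in the Kerberos credential cache, or if the user's ticket-granting ticket can be used to obtain the correct service ticket, the user is authenticated.

       If pam_gssapi_check_upn is True (the default), SSSD requires that the credentials used to obtain the service ticket can be associated with the user. That is, the principal that owns the Kerberos credentials must match the user principal name as defined in LDAP.

       To enable GSSAPI authentication in SSSD, set the pam_gssapi_services option in the [pam] or domain section of sssd.conf. The service credentials must be stored in SSSD's keytab (it is already present if you use the IPA or AD provider). The keytab location can be set with the krb5_keytab option. See sssd.conf(5) and sssd-krb5(5) for details on these options.

       Some Kerberos deployments associate authentication indicators with the pre-authentication method the user used to obtain the ticket-granting ticket. pam_sss_gss.so can enforce the presence of authentication indicators in the service ticket before a particular PAM service can be accessed.

       If pam_gssapi_indicators_map is set in the [pam] or domain section of sssd.conf, SSSD checks the service ticket for the presence of the configured indicators.

OPTIONS
       debug
           Print debugging information.

MODULE TYPES PROVIDED
       Only the auth module type is provided.

RETURN VALUES
       PAM_SUCCESS
           The PAM operation finished successfully.

       PAM_USER_UNKNOWN
           The user is not known to the authentication service, or GSSAPI authentication is not supported.

       PAM_AUTH_ERR
           Authentication failure.

       PAM_AUTHINFO_UNAVAIL
           Unable to access the authentication information. This might be due to a network or hardware failure.

       PAM_SYSTEM_ERR
           A system error occurred. The SSSD log files may contain additional information about the error.

EXAMPLES
       The main use case is password-less authentication in sudo without having to disable authentication completely. To achieve this, first enable GSSAPI authentication for sudo in sssd.conf:

           [domain/MYDOMAIN]
           pam_gssapi_services = sudo, sudo-i

       Then enable the module in the desired PAM stack (for example, /etc/pam.d/sudo and /etc/pam.d/sudo-i):

           ...
           auth sufficient pam_sss_gss.so
           ...

TROUBLESHOOTING
       The SSSD logs, the pam_sss_gss debug output and syslog may contain helpful information about an error. Some common issues:

       1. The KRB5CCNAME environment variable is set, but authentication does not work: depending on the sudo version, sudo may not pass this variable to the PAM environment. Try adding KRB5CCNAME to env_keep in /etc/sudoers or in the default options of your LDAP sudo rules.

       2. Authentication does not work and syslog contains "Server not found in Kerberos database": Kerberos is probably unable to resolve the correct realm for the service ticket from the hostname. Try adding the hostname directly to [domain_realm] in /etc/krb5.conf, as in the [domain_realm] example that follows this list.

       3. Authentication does not work and syslog contains "No Kerberos credentials available": you have no credentials that can be used to obtain the required service ticket. Use kinit or authenticate through SSSD to acquire them.

       4. Authentication does not work and the SSSD sssd-pam log reports that the user with the given UPN was not found, or that the UPN does not match the target user: the credentials you are using cannot be mapped to the user being authenticated. Try kswitch to select a different principal, make sure you authenticated with SSSD, or consider disabling pam_gssapi_check_upn (with the check disabled, SSSD no longer requires the ticket's principal to match the user being authenticated).

           [domain_realm]
           .myhostname = MYREALM

SEE ALSO
       sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8), sss_rpcidmapd(5).

AUTHORS
       The SSSD upstream - https://github.com/SSSD/sssd/

SSSD                               05/17/2024                      PAM_SSS_GSS(8)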