SSSD-KRB5(5) NAME sssd-krb5 - Kerberos SSSD Kerberos 5 sssd(8). " " sssd.conf(5). Kerberos 5 (auth) (chpass). (, id_provider = ldap). , Kerberos 5, (, Kerberos (UPN)). UPN. , , . .k5login . k5login(5). , , .k5login . , <> SSSD. UPN, sssd UPN username@krb5_realm. SSSD krb5, . SSSD sssd.conf(5), " ". krb5_server, krb5_backup_server () IP- Kerberos, SSSD . " ". () ( ). , -- " ". KDC kpasswd SSSD DNS, _udp. , SSSD DNS, _tcp. SSSD "krb5_kdcip". , "krb5_server" . krb5_realm () Kerberos. . krb5_kpasswd, krb5_backup_kpasswd () KDC , . ( ). " ". : kpasswd , , KDC. : KDC krb5_ccachedir () . krb5_ccname_template, %d %P. , , -- 0700. : /tmp krb5_ccname_template () . : "FILE", "DIR" "KEYRING:persistent". TYPE:RESIDUAL, , "FILE". : %u %U UID %p %r %h %d krb5_ccachedir %P SSSD %% <<%>> <>, mkstemp(3). KEYRING, "KEYRING:persistent:%U", Linux UID. , . , krb5.conf [libdefaults]. -- default_ccache_name. , krb5.conf, (PARAMETER EXPANSION) krb5.conf(5). : , ccache libkrb5 krb5.conf(5) , SSSD. : ( libkrb5) krb5_keytab () , , KDC. : , /etc/krb5.keytab krb5_store_password_if_offline ( ) , , TGT, . : Linux. , , root ( ). : false krb5_use_fast () (FAST) Kerberos. : never -- FAST. , . try -- FAST. FAST, . demand -- FAST. , FAST. : , FAST . : FAST PKINIT. : SSSD FAST MIT Kerberos 1.8 . SSSD MIT Kerberos, . krb5_fast_principal () -, FAST. krb5_fast_use_anonymous_pkinit ( ) <>, PKINIT FAST. krb5_fast_principal . : false krb5_use_kdcinfo ( ) , SSSD , KDC . . , Kerberos krb5.conf(5). sssd_krb5_locator_plugin(8). : true krb5_kdcinfo_lookahead () krb5_use_kdcinfo <>, , sssd_krb5_locator_plugin(8). , SRV . krb5_kdcinfo_lookahead , . , -- . , 10:0 , sssd_krb5_locator_plugin(8) 10 , . : 3:1 krb5_use_enterprise_principal ( ) , - -. - 5 RFC 6806. : false ( AD: true) IPA <>, , -, . krb5_use_subdomain_realm ( ) . <>, - upnSuffixes, KDC . <>, SSSD KDC , . : false krb5_map_user () "username:primary", "username" -- UNIX, "primary" -- Kerberos. , "auth_provider = krb5". 
: krb5_realm = REALM krb5_map_user = joe:juser,dick:richard "joe" "dick" -- UNIX, "juser" "richard" -- Kerberos. "joe" "dick" SSSD kinit , , "juser@REALM" "richard@REALM". : krb5_auth_timeout ( ) - . , . : 6 krb5_validate ( ) krb5_keytab, TGT . , . , . , , . : false ( IPA AD: true) , -- PAC ( <> sssd.conf(5)). , PAC . krb5_renewable_lifetime () , , : s m h d . , , s. : . , <<90m>>, <<1h30m>>. : , TGT krb5_lifetime () , , : s m h d . , , s. : . , <<90m>>, <<1h30m>>. : , , KDC. krb5_renew_interval () , TGT. TGT , , , : s m h d . , , s. : . , <<90m>>, <<1h30m>>. <<0>>, . : krb5_canonicalize ( ) , - -. MIT Kerberos 1.7 . : false . ; . . . : (primary) (backup). , , , . , 31- -. SSSD . , () . . ; , . . , . , , . , . , , , ; 30 . , 30 . - , , DNS, , , , . , SSSD . SSSD , , -. . sssd.conf(5). dns_resolver_server_timeout ( ), SSSD DNS . : 1000 dns_resolver_op_timeout ( ), SSSD DNS (, SRV) . : 3 dns_resolver_timeout SSSD . , , SRV DNS . : 6 LDAP LDAP-. , - "ldap_opt_timeout" , "dns_resolver_timeout", , , , "dns_resolver_op_timeout", "dns_resolver_server_timeout". , , DNS. . , , . () , , "_srv_". . , , , , , DNS. "dns_discovery_domain" sssd.conf(5). _tcp. . . RFC 2782. , SSSD FOO -- [sssd]. Kerberos; - . [domain/FOO] auth_provider = krb5 krb5_server = 192.168.1.1 krb5_realm = EXAMPLE.COM . sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5) AUTHORS (<<>>) SSSD -- https://github.com/SSSD/sssd/ SSSD 04/09/2024 SSSD-KRB5(5)