SSSD-KRB5(5) NAME sssd-krb5 - Kerberos SSSD Kerberos 5 sssd(8). , << >> sssd.conf(5). Kerberos 5 . (, id_provider = ldap). , Kerberos 5, , Kerberos Principal Name (UPN) ' . UPN. UPN (man) . , k5login . k5login(5). , .k5login , . , <> SSSD. , UPN , sssd UPN '_@_krb5. SSSD auth-module krb5, . (man) sssd.conf(5), << >>, SSSD. krb5_server, krb5_backup_server () IP- , , Kerberos, SSSD '. . <<>>. ( ). , . << >>. KDC kpasswd SSSD DNS, _udp. _tcp , . SSSD <>. , <> . krb5_realm () Kerberos. ', . krb5_kpasswd, krb5_backup_kpasswd () KDC, . ( ). <<>>. : kpasswd , , KDC . : KDC krb5_ccachedir () . krb5_ccname_template, %d %P. , , -- 0700. : /tmp krb5_ccname_template () : "FILE", "DIR" "KEYRING:persistent". :, ( , "FILE"). -: %u ' %U %p %r %h %d krb5_ccachedir %P SSSD %% (<<%>>) <>, mkstemp(3). KEYRING, <>, Linux UID. , . , krb5.conf, [libdefaults]. -- default_ccache_name. . (PARAMETER EXPANSION) krb5.conf(5), , krb5.conf. : , ccache libkrb5 krb5.conf(5) , SSSD. : ( libkrb5) krb5_keytab () , , KDC. : , /etc/krb5.keytab krb5_store_password_if_offline ( ) , , TGT ' . : Linux. ( ) , (root), . : false krb5_use_fast () (flexible authentication secure tunneling FAST) Kerberos. : never FAST, , . try -- FAST. FAST, FAST. demand -- FAST. FAST, . : , FAST . : , , FAST PKINIT. : SSSD FAST MIT Kerberos 1.8 . SSSD MIT Kerberos , . krb5_fast_principal () , FAST. krb5_fast_use_anonymous_pkinit ( ) <> PKINIT FAST. krb5_fast_principal . : false krb5_use_kdcinfo ( ) , SSSD Kerberos, KDC . , . , Kerberos krb5.conf(5). . (man) sssd_krb5_locator_plugin(8), . : true krb5_kdcinfo_lookahead () krb5_use_kdcinfo true, , sssd_krb5_locator_plugin(8). , SRV . krb5_kdcinfo_lookahead , . , -- . , 10:0 << 10 sssd_krb5_locator_plugin(8)>>, : 3:1 krb5_use_enterprise_principal ( ) , . . 5 RFC 6806, . : false ( AD: true) IPA <>, , , . krb5_use_subdomain_realm ( ) . <>, upnSuffixes, KDC . <>, SSSD KDC , . : false krb5_map_user () ' <<:>>, <<>> -- ' UNIX, <<>> -- kerberos. ' , <>. : krb5_realm = REALM krb5_map_user = joe:juser,dick:richard "joe" "dick" -- UNIX, "juser" "richard" kerberos. "joe" , , "dick" SSSD kinit "juser@REALM" , , "richard@REALM". : not set krb5_auth_timeout ( ) , . , . : 6 krb5_validate ( ) krb5_keytab, TGT . . . , . ' : . : false ( IPA AD: true) , , PAC (. <> sssd.conf(5), ). , PAC. krb5_renewable_lifetime () , , : s -- m -- h -- d -- . , , s. : . , <<90m>>, <<1h30m>>. : , TGT krb5_lifetime () , , : s -- m -- h -- d -- . , , s. : . , <<90m>>, <<1h30m>>. : , KDC. krb5_renew_interval () , TGT. TGT , : s -- m -- h -- d -- . , , s. : . , <<90m>>, <<1h30m>>. 0, . : not set krb5_canonicalize ( ) , . MIT Kerberos 1.7. : false , ' . , . . . - . : . , , , ' . , 31 . SSSD ' . , . ' . '. , ' ' . ' ' . , ' '. ' , , . ' ' , . ' ' , , , . 30 . ' , ' 30 . ' DNS , , . , SSSD . SSSD , ' , . . , sssd.conf(5). dns_resolver_server_timeout , SSSD DNS, ' . : 1000 dns_resolver_op_timeout , , SSSD DNS ( SRV), . : 3 dns_resolver_timeout SSSD . , DNS SRV . : 6 LDAP ' LDAP. "ldap_opt_timeout" , "dns_resolver_timeout", "dns_resolver_op_timeout", "dns_resolver_server_timeout". ' , DNS. . , . , . , <<_srv_>>, . . , , , , , , DNS . <> (man) sssd.conf(5). _tcp. . RFC 2782. , SSSD , FOO [sssd]. Kerberos, . [domain/FOO] auth_provider = krb5 krb5_server = 192.168.1.1 krb5_realm = EXAMPLE.COM sssd(8), sssd.conf(5), sssd-ldap(5), sssd-ldap-attributes(5), sssd- krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd- sudo(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5) AUTHORS SSSD -- https://pagure.io/SSSD/sssd/ SSSD 04/09/2024 SSSD-KRB5(5)