'\" t
.\" Title: sssd_krb5_localauth_plugin
.\" Author: The SSSD upstream - https://github.com/SSSD/sssd/
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\" Date: 06/09/2026
.\" Manual: SSSD Manual pages
.\" Source: SSSD
.\" Language: English
.\"
.TH "SSSD_KRB5_LOCALAUTH_" "8" "06/09/2026" "SSSD" "SSSD Manual pages"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
sssd_krb5_localauth_plugin \- Kerberos local authorization plugin
.SH "DESCRIPTION"
.PP
The Kerberos local authorization plugin
\fBsssd_krb5_localauth_plugin\fR
is used by libkrb5 to either find the local name for a given Kerberos principal or to check if a given local name and a given Kerberos principal relate to each other\&.
.PP
SSSD handles the local names for users from a remote source and can read the Kerberos user principal name from the remote source as well\&. With this information SSSD can easily handle the mappings mentioned above even if the local name and the Kerberos principal differ considerably\&.
.PP
Additionally, with the information read from the remote source, SSSD can help prevent unexpected or unwanted mappings in case the user part of the Kerberos principal accidentally corresponds to the local name of a different user\&. By default libkrb5 might just strip the realm part of the Kerberos principal to get the local name, which would lead to wrong mappings in this case\&.
.SH "CONFIGURATION"
.PP
The Kerberos local authorization plugin must be enabled explicitly in the Kerberos configuration, see
\fBkrb5.conf\fR(5)\&. SSSD will create a config snippet with content such as
.sp
.if n \{\
.RS 4
.\}
.nf
[plugins]
 localauth = {
  disable = an2ln
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin\&.so
 }
.fi
.if n \{\
.RE
.\}
.sp
automatically in SSSD\*(Aqs public Kerberos configuration snippet directory\&. If this directory is included in the local Kerberos configuration, the plugin will be enabled automatically\&.
.PP
This configuration snippet also disables the
\fBan2ln\fR
module provided by MIT Kerberos if SSSD is configured to use the AD or IPA provider\&. In those environments
\fBsssd_krb5_localauth_plugin\fR
can reliably map the system user names to Kerberos principals\&. A fallback to
\fBan2ln\fR
might cause issues in environments where users have the privilege to create Kerberos principals on their own, which might collide with the names of other users on the system\&. Other modules provided by MIT Kerberos, e\&.g\&.
\fBk5login\fR, are not affected\&.
.PP
Note: If
\(lqauth_provider = krb5\(rq
is used, then
\fBsssd_krb5_localauth_plugin\fR
is not used; therefore the above text is not applicable\&.
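.PP
The following Python code is an added example, not part of the original manual page or of SSSD itself\&. It reads Kerberos configuration text and reports whether the localauth block shown above registers the sssd module and disables an2ln; the function names and the second sample are constructed for illustration, and the check assumes the AD or IPA provider is in use\&.
.sp
.nf
```python
# Added example, not SSSD code. CONSTRUCTED_WEAK is a constructed sample.
SSSD_SNIPPET = """
[plugins]
 localauth = {
  disable = an2ln
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
"""
CONSTRUCTED_WEAK = """
[libdefaults]
 default_realm = EXAMPLE.COM
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
"""

def localauth_settings(conf_text):
    """Collect disable/module values from [plugins] localauth = { ... }."""
    settings = {"disable": [], "module": []}
    section, in_localauth = None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, in_localauth = line[1:-1].strip(), False
            continue
        if section != "plugins":
            continue
        if line.startswith("}"):               # end of a subsection
            in_localauth = False
        key, sep, value = (p.strip() for p in line.partition("="))
        if sep and value.startswith("{"):      # start of a subsection
            in_localauth = key == "localauth"
        elif sep and in_localauth and key in settings:
            settings[key].append(value)
    return settings

def audit(conf_text):
    """Findings for a host using the AD or IPA provider (assumption)."""
    found, findings = localauth_settings(conf_text), []
    if not any(m.split(":", 1)[0] == "sssd" for m in found["module"]):
        findings.append("sssd localauth module is not registered")
    if "an2ln" not in found["disable"]:
        findings.append("an2ln is not disabled: realm-stripping fallback active")
    return findings

if __name__ == "__main__":
    print(audit(CONSTRUCTED_WEAK))
```
.fi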
.SH "SEE ALSO"
.PP
\fBsssd\fR(8), \fBsssd.conf\fR(5), \fBsssd-ldap\fR(5), \fBsssd-ldap-attributes\fR(5), \fBsssd-krb5\fR(5), \fBsssd-simple\fR(5), \fBsssd-ipa\fR(5), \fBsssd-ad\fR(5), \fBsssd-idp\fR(5), \fBsssd-sudo\fR(5), \fBsssd-session-recording\fR(5), \fBsss_cache\fR(8), \fBsss_debuglevel\fR(8), \fBsss_obfuscate\fR(8), \fBsss_seed\fR(8), \fBsssd_krb5_locator_plugin\fR(8), \fBsss_ssh_authorizedkeys\fR(1), \fBsss_ssh_knownhosts\fR(1), \fBsssd-ifp\fR(5), \fBpam_sss\fR(8), \fBsss_rpcidmapd\fR(5)\&.
.SH "AUTHORS"
.PP
\fBThe SSSD upstream \- https://github\&.com/SSSD/sssd/\fR