
Configuring Kerberos Authentication with an Identity Provider

Part II. Identity and Authentication Stores

Chapter 3. Using and Caching Credentials with SSSD

3.3. SSSD and Identity Providers (Domains)

3.3.6. Configuring Kerberos Authentication with an Identity Provider

Both LDAP and proxy identity providers can use a separate Kerberos domain to supply authentication. Configuring a Kerberos authentication provider requires the key distribution center (KDC) and the Kerberos domain. All of the principal names must be available in the specified identity provider; if they are not, SSSD constructs the principals using the format username@REALM.

Note

Kerberos can only provide authentication; it cannot provide an identity database.

SSSD assumes that the Kerberos KDC is also a Kerberos kadmin server. However, production environments commonly have multiple, read-only replicas of the KDC and only a single kadmin server. Use the krb5_kpasswd option to specify where the password changing service is running or if it is running on a non-default port. If the krb5_kpasswd option is not defined, SSSD tries to use the Kerberos KDC to change the password.

The basic Kerberos configuration options are listed in Table 3.12, “Kerberos Authentication Configuration Parameters”. The sssd-krb5(5) man page has more information about Kerberos configuration options.

Example 3.11. Basic Kerberos Authentication

# A domain with identities provided by LDAP and authentication by Kerberos

The Kerberos authentication provider, among other tasks, requests ticket granting tickets (TGT) for users and services. These tickets are used to generate other tickets dynamically for specific services, as accessed by the ticket principal (the user).

The TGT initially granted to the user principal is valid only for the lifetime of the ticket (by default, whatever is configured in the KDC). After that, the ticket cannot be renewed or extended.

However, tickets that are not renewed can cause problems for some services: a service may be in the middle of an operation, try to access another service, and find that its ticket has already expired.

Kerberos tickets are not renewable by default, but ticket renewal can be enabled using the krb5_renewable_lifetime and krb5_renew_interval parameters.

The lifetime for a ticket is set in SSSD with the krb5_lifetime parameter. This specifies how long a single ticket is valid, and overrides any values in the KDC.

Ticket renewal itself is enabled in the krb5_renewable_lifetime parameter, which sets the maximum lifetime of the ticket, counting all renewals.

For example, the ticket lifetime is set at one hour and the renewable lifetime is set at 24 hours:

krb5_lifetime = 1h

krb5_renewable_lifetime = 1d

This means that the ticket expires every hour and can be renewed continually up to one day.

The lifetime and renewable lifetime values can be in seconds (s), minutes (m), hours (h), or days (d).

The other option — which must also be set for ticket renewal — is the krb5_renew_interval parameter, which sets how frequently SSSD checks to see if the ticket needs to be renewed. At half of the ticket lifetime (whatever that setting is), the ticket is renewed automatically. (This value is always in seconds.)

krb5_lifetime = 1h

krb5_renewable_lifetime = 1d

krb5_renew_interval = 60s

NOTE

If the krb5_renewable_lifetime value is not set or the krb5_renew_interval parameter is not set or is set to zero (0), then ticket renewal is disabled. Both krb5_renewable_lifetime and krb5_renew_interval are required for ticket renewal to be enabled.
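The renewal rules described above, as a check that can be run against an sssd.conf before deploying it. This is an added example, not SSSD's own code and not the configuration of Example 3.11: the embedded sssd.conf is constructed in the shape of that example (LDAP identities, Kerberos authentication), and its domain name EXAMPLE, realm EXAMPLE.COM and hostnames ldap.example.com and kdc.example.com are placeholders. The check applies exactly the rules stated in the text: renewal is enabled only when both krb5_renewable_lifetime and a non-zero krb5_renew_interval are set, lifetimes take s/m/h/d units, and SSSD renews a ticket once it passes half of its lifetime.

```python
"""Check the Kerberos ticket-renewal settings of an SSSD domain section.

Added example (not SSSD project code). It applies the rules from the text:
renewal is enabled only when both krb5_renewable_lifetime and a non-zero
krb5_renew_interval are set, lifetimes accept s/m/h/d units, and SSSD renews a
ticket once it passes half of its lifetime.
"""
import configparser
import re

# Constructed sssd.conf in the shape of Example 3.11: identities from LDAP,
# authentication and password changes from Kerberos. Hostnames are placeholders.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
# A domain with identities provided by LDAP and authentication by Kerberos
id_provider = ldap
ldap_uri = ldap://ldap.example.com
auth_provider = krb5
chpass_provider = krb5
krb5_server = kdc.example.com
krb5_realm = EXAMPLE.COM
krb5_lifetime = 1h
krb5_renewable_lifetime = 1d
krb5_renew_interval = 60s
"""

_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value: str) -> int:
    """Convert a lifetime such as '1h', '90m', '1d' or '60' (seconds) to seconds."""
    match = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if match is None:
        raise ValueError(f"unrecognised duration: {value!r}")
    number, unit = match.groups()
    return int(number) * _UNIT_SECONDS[unit]


def check_renewal(conf_text: str, domain: str) -> dict:
    """Return the effective renewal settings for [domain/<domain>] plus warnings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    section = parser[f"domain/{domain}"]

    lifetime = parse_duration(section["krb5_lifetime"]) if "krb5_lifetime" in section else None
    renewable = (parse_duration(section["krb5_renewable_lifetime"])
                 if "krb5_renewable_lifetime" in section else None)
    interval = parse_duration(section.get("krb5_renew_interval", "0"))

    warnings = []
    if section.get("auth_provider") != "krb5":
        warnings.append("auth_provider is not krb5; the krb5_* options have no effect")
    for required in ("krb5_server", "krb5_realm"):
        if required not in section:
            warnings.append(f"{required} is not set")

    # Both parameters must be present (and the interval non-zero) for renewal.
    enabled = renewable is not None and interval > 0
    if not enabled:
        warnings.append("ticket renewal is disabled: set both krb5_renewable_lifetime "
                        "and a non-zero krb5_renew_interval")

    # SSSD renews once the ticket is past half its lifetime; if the check interval is
    # longer than that window, a ticket can reach expiry between two checks.
    renew_after = lifetime // 2 if (enabled and lifetime) else None
    if renew_after is not None and interval > renew_after:
        warnings.append("krb5_renew_interval is longer than half the ticket lifetime; "
                        "a ticket can expire between two renewal checks")
    if enabled and lifetime and renewable < lifetime:
        warnings.append("krb5_renewable_lifetime is shorter than krb5_lifetime")

    return {
        "renewal_enabled": enabled,
        "lifetime_s": lifetime,
        "renewable_lifetime_s": renewable,
        "renew_interval_s": interval,
        "renew_after_s": renew_after,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in check_renewal(SAMPLE_SSSD_CONF, "EXAMPLE").items():
        print(f"{key}: {value}")
```

With the sample values (1h, 1d, 60s) the check reports renewal enabled, a renewal point of 1800 seconds and no warnings; setting krb5_renew_interval to 0 reports renewal disabled, matching the NOTE above.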

Table 3.12. Kerberos Authentication Configuration Parameters

Parameter Description

chpass_provider Specifies which service to use for password change operations. This is assumed to be the same as the authentication provider. To use Kerberos, set this to krb5.

krb5_server Gives the primary Kerberos server, by IP address or hostname, to which SSSD will connect.

krb5_backup_server Gives a comma-separated list of IP addresses or hostnames of Kerberos servers to which SSSD will connect if the primary server is not available. The list is given in order of preference, so the first server in the list is tried first. After an hour, SSSD will attempt to reconnect to the primary service specified in the krb5_server parameter.

When using service discovery for KDC or kpasswd servers, SSSD first searches for DNS entries that specify UDP as the connection protocol, and then falls back to TCP.

krb5_realm Identifies the Kerberos realm served by the KDC.

krb5_lifetime Requests a Kerberos ticket with the specified lifetime in seconds (s), minutes (m), hours (h) or days (d).

krb5_renewable_lifetime Requests a renewable Kerberos ticket with a total lifetime that is specified in seconds (s), minutes (m), hours (h) or days (d).

krb5_renew_interval Sets the time, in seconds, for SSSD to check if tickets should be renewed. Tickets are renewed automatically once they exceed half their lifetime. If this option is missing or set to zero, then automatic ticket renewal is disabled.

krb5_store_password_if_offline Sets whether to store user passwords if the Kerberos authentication provider is offline, and then to use that cache to request tickets when the provider is back online. The default is false, which does not store passwords.

krb5_kpasswd Lists alternate Kerberos kadmin servers to use if the change password service is not running on the KDC.

krb5_ccname_template Gives the directory to use to store the user's credential cache. This can be templatized, and the following tokens are supported:

%d, the value of the krb5_ccachedir parameter

%P, the process ID of the SSSD client

%%, a literal percent sign (%)

XXXXXX, a string at the end of the template which instructs SSSD to create a unique filename safely

For example:

krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX

krb5_ccachedir Specifies the directory to store credential caches. This can be templatized, using the same tokens as krb5_ccname_template, except for %d and %P. If %u, %U, %p, or %h are used, then SSSD creates a private directory for each user; otherwise, it creates a public directory.

krb5_auth_timeout Gives the time, in seconds, before an online authentication or change password request is aborted. If possible, the authentication request is continued offline. The default is 15 seconds.

krb5_use_kdcinfo Sets whether to create Kerberos information files used by the Kerberos locator plug-in. This is set to true by default. If it is set to false, then the files are not created by SSSD, and the Kerberos options must be set manually in the krb5.conf file.
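How the krb5_ccachedir and krb5_ccname_template rows of Table 3.12 combine in practice, including the XXXXXX rule and the private-versus-public directory rule, as an added example that is not SSSD's code. The %d, %P, %% and XXXXXX tokens follow the table; for the user tokens the krb5_ccachedir row mentions, the meanings assumed here are %u login name, %U numeric UID, %p principal name and %h home directory. "Create a unique filename safely" is implemented as a random suffix plus an exclusive create with owner-only permissions, which is this example's interpretation, and the identity values and cache directory used by demo() are constructed.

```python
"""Expand SSSD credential-cache templates and create the cache file safely.

Added example, not SSSD code. Tokens %d, %P, %% and the XXXXXX suffix follow the
table above; %u, %U, %p and %h are assumed to mean login name, numeric UID,
principal name and home directory respectively.
"""
import os
import re
import secrets
import stat
import string
import tempfile

# Tokens whose presence in krb5_ccachedir makes SSSD create a per-user directory.
PRIVATE_TOKENS = ("%u", "%U", "%p", "%h")


def ccachedir_is_private(ccachedir_template: str) -> bool:
    """True when the directory template names the user (private directory)."""
    stripped = ccachedir_template.replace("%%", "")  # %% is a literal, not a token
    return any(token in stripped for token in PRIVATE_TOKENS)


def expand_template(template: str, values: dict) -> str:
    """Replace %X tokens from `values` (keys are the token letters); %% becomes %."""
    def substitute(match):
        key = match.group(1)
        if key == "%":
            return "%"
        if key not in values:
            raise ValueError(f"token %{key} is not valid in this template")
        return str(values[key])
    return re.sub(r"%(.)", substitute, template)


def create_unique_ccache(path_template: str, mode: int = 0o600) -> str:
    """Apply the XXXXXX rule: random suffix, exclusive create, owner-only mode."""
    if not path_template.endswith("XXXXXX"):
        return path_template
    stem = path_template[:-len("XXXXXX")]
    alphabet = string.ascii_letters + string.digits
    for _ in range(100):
        candidate = stem + "".join(secrets.choice(alphabet) for _ in range(6))
        try:
            # O_EXCL makes the create fail instead of reusing a pre-existing file.
            fd = os.open(candidate, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
        except FileExistsError:
            continue  # that name is taken; draw another suffix
        os.close(fd)
        return candidate
    raise RuntimeError("could not find a free credential cache name")


def resolve_ccache(ccachedir_template: str, ccname_template: str, *,
                   user: str, uid: int, principal: str, home: str, pid: int) -> str:
    """Expand krb5_ccachedir, then krb5_ccname_template, and create the FILE: cache."""
    ident = {"u": user, "U": uid, "p": principal, "h": home}
    # %d and %P are not valid in krb5_ccachedir, so only identity tokens are offered.
    ccachedir = expand_template(ccachedir_template, ident)
    dir_mode = 0o700 if ccachedir_is_private(ccachedir_template) else 0o755
    os.makedirs(ccachedir, mode=dir_mode, exist_ok=True)
    ccname = expand_template(ccname_template, {**ident, "d": ccachedir, "P": pid})
    cc_type, _, path = ccname.partition(":")
    if cc_type != "FILE":
        raise ValueError("this example handles FILE: caches only")
    return "FILE:" + create_unique_ccache(path)


def demo() -> dict:
    """Run the expansion in a throwaway directory with constructed identity values."""
    base = tempfile.mkdtemp(prefix="sssd-ccache-example-")
    ccname = resolve_ccache(base + "/%U", "FILE:%d/krb5cc_%U_XXXXXX",
                            user="alice", uid=1000, principal="alice@EXAMPLE.COM",
                            home="/home/alice", pid=4242)
    path = ccname[len("FILE:"):]
    return {
        "ccname": ccname,
        "expected_prefix": f"FILE:{base}/1000/krb5cc_1000_",
        "file_mode": stat.S_IMODE(os.stat(path).st_mode),
        "dir_mode": stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode),
        "private_dir": ccachedir_is_private(base + "/%U"),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from ccachedir_is_private is the one the table makes: a krb5_ccachedir without any of %u, %U, %p or %h is a shared, public directory, and only the per-file mode then separates one user's cache from another's.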