sssd and Kerberos

jscarville
Posts: 135
Joined: 2014/06/17 21:50:37

sssd and Kerberos

Post by jscarville » 2021/04/14 14:59:13

For several years I have used Kerberos and PAM to provide authentication for most users. However, pam_krb5.so does not appear to be in CentOS 8. Is there a way to add Kerberos authentication? I do not mean using Active Directory and/or LDAP. Just plain vanilla Kerberos.

I searched out sssd, which claims to support Kerberos, but I could not find any documentation on how to enable it.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: sssd and Kerberos

Post by jlehtone » 2021/04/15 07:17:59

SSSD includes packages sssd-krb5 and sssd-krb5-common.
For the settings in sssd.conf, see man sssd-krb5

It takes about these for sssd to talk to kerberos:

Code:

[domain/awesome]
auth_provider = krb5
chpass_provider = krb5
krb5_kpasswd = ...
krb5_server = ...
krb5_realm = ...

jscarville
Posts: 135
Joined: 2014/06/17 21:50:37

Re: sssd and Kerberos

Post by jscarville » 2021/04/15 23:21:53

Thank you. Dunno how I overlooked it but I now have a place to start.

jscarville
Posts: 135
Joined: 2014/06/17 21:50:37

Re: sssd and Kerberos

Post by jscarville » 2021/04/26 22:04:34

I was able to get sssd to work with kerberos by putting the following in /etc/sssd/sssd.conf:

Code:

[sssd]
  config_file_version = 2
  domains = LOCAL
  services = nss, pam

[domain/LOCAL]
  id_provider = files
  auth_provider = krb5
  krb5_server = kdc01.lereta.net
  krb5_realm = TOTALFLOOD.COM
  cache_credentials = true
  enumerate = false

[nss]
  filter_groups = root
  filter_users = root
  reconnection_retries = 3

[pam]
  reconnection_retries = 3
  offline_credentials_expiration = 2
  offline_failed_login_attempts = 3
  offline_failed_login_delay = 5

This worked for sudo but I still need to do some more testing for ssh.
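
An added example, not part of the original posts or of SSSD itself: a small Python check over sssd.conf text for the krb5 settings discussed in this thread. It flags krb5_validate left at its default (off, so the TGT is not verified against a host keytab; turning it on requires a keytab on the client) and cached credentials with no offline expiry. The function name and the sample config with its placeholder hostnames are constructed for illustration.

```python
import configparser

def audit_sssd_krb5(conf_text):
    """Return (domain, message) findings for krb5 auth domains in sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Strip indentation so indented keys are never parsed as continuation lines.
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    expiry = cp.get("pam", "offline_credentials_expiration", fallback="0").strip()
    findings = []
    for name in cp.get("sssd", "domains", fallback="").split(","):
        name = name.strip()
        if not name:
            continue
        if not cp.has_section("domain/" + name):
            findings.append((name, "enabled in [sssd] but has no [domain/...] section"))
            continue
        dom = cp["domain/" + name]
        if dom.get("auth_provider", "").strip().lower() != "krb5":
            continue
        if not dom.get("krb5_realm", "").strip():
            findings.append((name, "krb5_realm is not set"))
        # Per man sssd-krb5, krb5_validate defaults to false for the krb5 provider.
        if dom.get("krb5_validate", "false").strip().lower() != "true":
            findings.append((name, "krb5_validate off: TGT not checked against host keytab"))
        # Per man sssd.conf, offline_credentials_expiration = 0 means no limit.
        cached = dom.get("cache_credentials", "false").strip().lower() == "true"
        if cached and expiry in ("", "0"):
            findings.append((name, "cached credentials never expire offline"))
    return findings

# Constructed sample in the layout of the posted config; hostnames are placeholders.
SAMPLE = """
[sssd]
  domains = LOCAL

[domain/LOCAL]
  id_provider = files
  auth_provider = krb5
  krb5_server = kdc.example.com
  krb5_realm = EXAMPLE.COM
  cache_credentials = true

[pam]
  offline_credentials_expiration = 2
"""

if __name__ == "__main__":
    for domain, message in audit_sssd_krb5(SAMPLE):
        print(f"{domain}: {message}")
```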
