'\" t
.\"     Title: sssd_krb5_localauth_plugin
.\"    Author: The SSSD upstream - https://github.com/SSSD/sssd/
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\"      Date: 01/16/2025
.\"    Manual: SSSD Manual pages
.\"    Source: SSSD
.\"  Language: English
.\"
.TH "SSSD_KRB5_LOCALAUTH_" "8" "01/16/2025" "SSSD" "SSSD Manual pages"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
sssd_krb5_localauth_plugin \- Kerberos local authorization plugin
.SH "DESCRIPTION"
.PP
The Kerberos local authorization plugin
\fBsssd_krb5_localauth_plugin\fR
is used by libkrb5 to either find the local name for a given Kerberos principal or to check if a given local name and a given Kerberos principal relate to each other\&.
.PP
SSSD handles the local names for users from a remote source and can read the Kerberos user principal name from the remote source as well\&. With this information SSSD can easily handle the mappings mentioned above even if the local name and the Kerberos principal differ considerably\&.
.PP
Additionally with the information read from the remote source SSSD can help to prevent unexpected or unwanted mappings in case the user part of the Kerberos principal accidentally corresponds to a local name of a different user\&. By default libkrb5 might just strip the realm part of the Kerberos principal to get the local name which would lead to wrong mappings in this case\&.
.SH "CONFIGURATION"
.PP
The Kerberos local authorization plugin must be enabled explicitly in the Kerberos configuration, see
\fBkrb5.conf\fR(5)\&. SSSD will create a config snippet with the content like e\&.g\&.
.sp
.if n \{\
.RS 4
.\}
.nf
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin\&.so
 }
.fi
.if n \{\
.RE
.\}
.sp
automatically in the SSSD\*(Aqs public Kerberos configuration snippet directory\&. If this directory is included in the local Kerberos configuration the plugin will be enabled automatically\&.
.SH "SEE ALSO"
.PP
\fBsssd\fR(8),
\fBsssd.conf\fR(5),
\fBsssd-ldap\fR(5),
\fBsssd-ldap-attributes\fR(5),
\fBsssd-krb5\fR(5),
\fBsssd-simple\fR(5),
\fBsssd-ipa\fR(5),
\fBsssd-ad\fR(5),
\fBsssd-files\fR(5),
\fBsssd-sudo\fR(5),
\fBsssd-session-recording\fR(5),
\fBsss_cache\fR(8),
\fBsss_debuglevel\fR(8),
\fBsss_obfuscate\fR(8),
\fBsss_seed\fR(8),
\fBsssd_krb5_locator_plugin\fR(8),
\fBsss_ssh_authorizedkeys\fR(1), \fBsss_ssh_knownhosts\fR(1),
\fBsssd-ifp\fR(5),
\fBpam_sss\fR(8)\&.
\fBsss_rpcidmapd\fR(5)
\fBsssd-systemtap\fR(5)
.SH "AUTHORS"
.PP
\fBThe SSSD upstream \- https://github\&.com/SSSD/sssd/\fR