for accesses by UID 0. Instead, credentials must be obtained
manually like all other users. Use of this option means that
"root" must manually obtain Kerberos credentials before
-attemtpting to mount an nfs filesystem requiring Kerberos
+attempting to mount an nfs filesystem requiring Kerberos
authentication.
.TP
.B -k keytab
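Review bot: The corrected line still writes "nfs filesystem" in lower case; since this patch also changes "kerberos" to "Kerberos" in the -d entry, capitalise it here as "NFS filesystem" so the page is consistent.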
.I keytab
to obtain "machine credentials".
The default value is "/etc/krb5.keytab".
+.IP
Previous versions of
.B rpc.gssd
used only "nfs/*" keys found within the keytab.
-Now, the first keytab entry for each distinct Kerberos realm
-within the keytab is used. This means that an NFS client
-no longer needs an "nfs/hostname" principal and keytab entry,
-but can instead use a "host/hostname" (or any other) keytab
-entry that is available.
+To be more consistent with other implementations, we now look for
+specific keytab entries. The search order for keytabs to be used
+for "machine credentials" is now:
+.br
+ root/<hostname>@<REALM>
+.br
+ nfs/<hostname>@<REALM>
+.br
+ host/<hostname>@<REALM>
+.br
+ root/<anyname>@<REALM>
+.br
+ nfs/<anyname>@<REALM>
+.br
+ host/<anyname>@<REALM>
.TP
.B -p path
Tells
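Review bot: The new search-order paragraph drops the removed statement that a client could use a "host/hostname" "(or any other)" keytab entry, but does not say what happens when the keytab contains none of the listed root/, nfs/ or host/ entries. Add a sentence stating the outcome in that case so administrators upgrading from the previous behaviour know they need one of the listed principals. In the same paragraph, "search order for keytabs" should read "search order for keytab entries", and <anyname> needs a short definition next to the list, since the difference between the <hostname> and <anyname> forms is what determines the order.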
.B -d directory
Tells
.B rpc.gssd
-where to look for kerberos credential files. The default value is "/tmp".
+where to look for Kerberos credential files. The default value is "/tmp".
+This can also be a colon separated list of directories to be searched
+for Kerberos credential files. Note that if machine credentials are being
+stored in files, then the first directory on this list is where the
+machine credentials are stored.
.TP
.B -v
Increases the verbosity of the output (can be specified multiple times).
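Review bot: The added note that machine credentials are stored in the first directory on the list sits directly under a default of "/tmp", which is world-writable on most systems, and the text gives no guidance on that. Tell administrators who pass a list to put a directory writable only by root first, or state what ownership and permission checks rpc.gssd applies to credential files it finds in these directories. Also hyphenate "colon-separated".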
.B -r
If the rpcsec_gss library supports setting debug level,
increases the verbosity of the output (can be specified multiple times).
+.TP
+.B -R realm
+Kerberos tickets from this
+.I realm
+will be preferred when scanning available credentials cache files to be
+used to create a context. By default, the default realm, as configured
+in the Kerberos configuration file, is preferred.
+.TP
+.B -t timeout
+Timeout, in seconds, for kernel gss contexts. This option allows you to force
+new kernel contexts to be negotiated after
+.I timeout
+seconds, which allows changing Kerberos tickets and identities frequently.
+The default is no explicit timeout, which means the kernel context will live
+the lifetime of the Kerberos service ticket used in its creation.
.SH SEE ALSO
.BR rpc.svcgssd(8)
.SH AUTHORS
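Review bot: The -t entry does not give the accepted values for timeout: say whether 0 selects the default "no explicit timeout" behaviour, and what happens when timeout is longer than the remaining lifetime of the Kerberos service ticket. In the -R entry, "preferred" implies a fallback, so state whether credentials from other realms are still used when no cache file holds a ticket from the named realm.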