X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=utils%2Fgssd%2Fgssd.man;h=f2ecd69995f589832198066f78b90136bceba951;hb=72e1cf8784fbcb1bffa28b08f663ea9469634590;hp=250d26fe3e36af41b649ef77c620289d02858b8e;hpb=a6037e23a8c9d649bf5946ac9d23114f9097b997;p=nfs-utils.git diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man index 250d26f..f2ecd69 100644 --- a/utils/gssd/gssd.man +++ b/utils/gssd/gssd.man @@ -2,11 +2,11 @@ .\" rpc.gssd(8) .\" .\" Copyright (C) 2003 J. Bruce Fields -.TH rpc.gssd 8 "17 Mar 2003" +.TH rpc.gssd 8 "14 Mar 2007" .SH NAME rpc.gssd \- rpcsec_gss daemon .SH SYNOPSIS -.B "rpc.gssd [-f] [-k keytab] [-p pipefsdir] [-v] [-r] [-d ccachedir]" +.B "rpc.gssd [-f] [-n] [-k keytab] [-p pipefsdir] [-v] [-r] [-d ccachedir]" .SH DESCRIPTION The rpcsec_gss protocol gives a means of using the gss-api generic security api to provide security for protocols using rpc (in particular, nfs). Before @@ -25,22 +25,34 @@ Runs .B rpc.gssd in the foreground and sends output to stderr (as opposed to syslogd) .TP +.B -n +By default, +.B rpc.gssd +treats accesses by the user with UID 0 specially, and uses +"machine credentials" for all accesses by that user which +require Kerberos authentication. +With the \-n option, "machine credentials" will not be used +for accesses by UID 0. Instead, credentials must be obtained +manually like all other users. Use of this option means that +"root" must manually obtain Kerberos credentials before +attemtpting to mount an nfs filesystem requiring Kerberos +authentication. +.TP .B -k keytab Tells .B rpc.gssd -to use the keys for principals nfs/hostname in +to use the keys found in .I keytab -to obtain machine credentials. +to obtain "machine credentials". The default value is "/etc/krb5.keytab". -.\".TP -.\".B -m -.\"Ordinarily, -.\".B rpc.gssd -.\"looks for a cached ticket for user $UID in /tmp/krb5cc_$UID. -.\"With the -m option, the user with uid 0 will be treated specially, and will -.\"be mapped instead to the credentials for the principal nfs/hostname found in -.\"the keytab file. -.\"(This option is now the default and is ignored if specified.) +Previous versions of +.B rpc.gssd +used only "nfs/*" keys found within the keytab. +Now, the first keytab entry for each distinct Kerberos realm +within the keytab is used. This means that an NFS client +no longer needs an "nfs/hostname" principal and keytab entry, +but can instead use a "host/hostname" (or any other) keytab +entry that is available. .TP .B -p path Tells