X-Git-Url: https://git.decadent.org.uk/gitweb/?p=nfs-utils.git;a=blobdiff_plain;f=utils%2Fgssd%2Fgssd.man;h=e4f68f9d29c2404a1ac9711a3119fb11f804f6d0;hp=d8f9a0f4c52f40f57647912ccba2e0cc4bd1e7fa;hb=1e1c7be98749fff054beec4bf67b436b58f6edac;hpb=f1bfe0916c04d93de7a4fae5315fff6e4ccac23f diff --git a/utils/gssd/gssd.man b/utils/gssd/gssd.man index d8f9a0f..e4f68f9 100644 --- a/utils/gssd/gssd.man +++ b/utils/gssd/gssd.man @@ -2,11 +2,11 @@ .\" rpc.gssd(8) .\" .\" Copyright (C) 2003 J. Bruce Fields -.TH rpc.gssd 8 "17 Mar 2003" +.TH rpc.gssd 8 "14 Mar 2007" .SH NAME rpc.gssd \- rpcsec_gss daemon .SH SYNOPSIS -.B "rpc.gssd [-f] [-k keytab] [-p pipefsdir] [-v]" +.B "rpc.gssd [-f] [-n] [-k keytab] [-p pipefsdir] [-v] [-r] [-d ccachedir]" .SH DESCRIPTION The rpcsec_gss protocol gives a means of using the gss-api generic security api to provide security for protocols using rpc (in particular, nfs). Before 
@@ -25,22 +25,45 @@ Runs .B rpc.gssd in the foreground and sends output to stderr (as opposed to syslogd) .TP +.B -n +By default, +.B rpc.gssd +treats accesses by the user with UID 0 specially, and uses +"machine credentials" for all accesses by that user which +require Kerberos authentication. +With the \-n option, "machine credentials" will not be used +for accesses by UID 0. Instead, credentials must be obtained +manually like all other users. Use of this option means that +"root" must manually obtain Kerberos credentials before +attempting to mount an nfs filesystem requiring Kerberos +authentication. +.TP .B -k keytab Tells .B rpc.gssd -to use the keys for principals nfs/hostname in +to use the keys found in .I keytab -to obtain machine credentials. +to obtain "machine credentials". The default value is "/etc/krb5.keytab". -.\".TP -.\".B -m -.\"Ordinarily, -.\".B rpc.gssd -.\"looks for a cached ticket for user $UID in /tmp/krb5cc_$UID. -.\"With the -m option, the user with uid 0 will be treated specially, and will -.\"be mapped instead to the credentials for the principal nfs/hostname found in -.\"the keytab file. -.\"(This option is now the default and is ignored if specified.) +.IP +Previous versions of +.B rpc.gssd +used only "nfs/*" keys found within the keytab. +To be more consistent with other implementations, we now look for +specific keytab entries. The search order for keytabs to be used +for "machine credentials" is now: +.br + root/@ +.br + nfs/@ +.br + host/@ +.br + root/@ +.br + nfs/@ +.br + host/@ .TP .B -p path Tells 
@@ -48,8 +71,29 @@ Tells where to look for the rpc_pipefs filesystem. The default value is "/var/lib/nfs/rpc_pipefs". .TP +.B -d directory +Tells +.B rpc.gssd +where to look for Kerberos credential files. The default value is "/tmp". +This can also be a colon separated list of directories to be searched +for Kerberos credential files. Note that if machine credentials are being +stored in files, then the first directory on this list is where the +machine credentials are stored. +.TP .B -v Increases the verbosity of the output (can be specified multiple times). +.TP +.B -r +If the rpcsec_gss library supports setting debug level, +increases the verbosity of the output (can be specified multiple times). +.TP +.B -t timeout +Timeout, in seconds, for kernel gss contexts. This option allows you to force +new kernel contexts to be negotiated after +.I timeout +seconds, which allows changing Kerberos tickets and identities frequently. +The default is no explicit timeout, which means the kernel context will live +the lifetime of the Kerberos service ticket used in its creation. .SH SEE ALSO .BR rpc.svcgssd(8) .SH AUTHORS
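Review bot: The updated SYNOPSIS line `.B "rpc.gssd [-f] [-n] [-k keytab] [-p pipefsdir] [-v] [-r] [-d ccachedir]"` in the first hunk omits the `-t timeout` option that this same patch documents under `.B -t timeout` in the last hunk, and it names the `-d` argument `ccachedir` while the option description calls it `directory`. Suggest `[-d ccachedir] [-t timeout]` in the SYNOPSIS and `.B -d ccachedir` in the description so the two agree.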
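Review bot: In the keytab search-order list added after `.IP` in the second hunk, the six `.br`-separated entries read `root/@`, `nfs/@`, `host/@` and then the same three again, so as written a reader cannot tell the entries apart; the hostname and realm parts of each principal appear to have been lost (most likely placeholders that did not survive). Spell the placeholders out, e.g. `root/\fIhostname\fR@\fIREALM\fR`, and say what distinguishes the second group of three from the first. Minor style point in the same hunk: the `-n` paragraph writes `\-n` while the `.B -n`, `.B -k keytab` and `.B -p path` lines use a plain `-`; escape the hyphen consistently (`\-`) so it renders as a minus sign throughout.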
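Review bot: The `-r` description in the last hunk ("increases the verbosity of the output (can be specified multiple times)") repeats the `-v` wording almost verbatim, so a reader cannot tell which option controls what; reword it to say that `-r` raises the rpcsec_gss library's debug level while `-v` raises rpc.gssd's own verbosity. The `-d directory` text states that the first directory of the colon-separated list holds the machine credentials but not how the remaining directories are searched for a user's credential file (first match wins, or all are consulted); add that, and hyphenate "colon-separated".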