gssd(8) manual page

The gssd program provides support for the kernel GSS-API implementation.

The options are as follows:

-d

Run in debug mode. In this mode, gssd will not fork when it starts.

-h

Enable support for host-based initiator credentials. This permits a kerberized NFS mount to use a service principal in the default Kerberos 5 keytab file for access. Such access is enabled via the gssname option for the mount_nfs(8) command.

-o

Force use of DES and the associated old style GSS-API initialization token. This may be required to make kerberized NFS mounts work against some non-FreeBSD NFS servers.

-v

Run in verbose mode. In this mode, gssd will log activity messages to syslog using LOG_INFO | LOG_DAEMON or to stderr, if the -d option has also been specified. The minor status is logged as a decimal number, since it is actually a Kerberos return status, which is signed.

-s dir-list

Look for an appropriate credential cache file in this list of directories. The list should be full pathnames from root, separated by ':' characters. Usually this list will simply be "/tmp". Without this option, gssd assumes that the credential cache file is called /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC caller.

-c file-substring

Set a file-substring for the credential cache file names. Only files with this substring embedded in their names will be selected as candidates when -s has been specified. If not specified, it defaults to "krb5cc_".

-r preferred-realm

Use Kerberos credentials for this realm when searching for credentials in directories specified with -s. If not specified, the default Kerberos realm will be used.

“	This philosophy, in the hands of amateurs, leads to inexplicably mind-numbing botches like the existence of two programs, “head” and “tail,” which print the first part or the last part of a file, depending. Even though their operations are duals of one another, “head” and “tail” are different programs, written by different authors, and take different options!	”
— The Unix Haters' handbook

Manual Pages — GSSD

NAME

CONTENTS

SYNOPSIS

DESCRIPTION

FILES

EXIT STATUS

SEE ALSO

HISTORY

AUTHORS

-d
	Run in debug mode. In this mode, gssd will not fork when it starts.
-h
	Enable support for host-based initiator credentials. This permits a kerberized NFS mount to use a service principal in the default Kerberos 5 keytab file for access. Such access is enabled via the gssname option for the mount_nfs(8) command.
-o
	Force use of DES and the associated old style GSS-API initialization token. This may be required to make kerberized NFS mounts work against some non-FreeBSD NFS servers.
-v
	Run in verbose mode. In this mode, gssd will log activity messages to syslog using LOG_INFO \| LOG_DAEMON or to stderr, if the -d option has also been specified. The minor status is logged as a decimal number, since it is actually a Kerberos return status, which is signed.
-s dir-list
	Look for an appropriate credential cache file in this list of directories. The list should be full pathnames from root, separated by ':' characters. Usually this list will simply be "/tmp". Without this option, gssd assumes that the credential cache file is called /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC caller.
-c file-substring
	Set a file-substring for the credential cache file names. Only files with this substring embedded in their names will be selected as candidates when -s has been specified. If not specified, it defaults to "krb5cc_".
-r preferred-realm
	Use Kerberos credentials for this realm when searching for credentials in directories specified with -s. If not specified, the default Kerberos realm will be used.

`/etc/krb5.keytab`
	Contains Kerberos service principals which may be used as credentials by kernel GSS-API services.