rpc.gssd(8)                  System Manager's Manual                  rpc.gssd(8)

NAME
    rpc.gssd - RPCSEC_GSS daemon

SYNOPSIS
    rpc.gssd [-DfMnlvrHC] [-k keytab] [-p pipefsdir] [-d ccachedir] [-t timeout]
             [-T timeout] [-U timeout] [-R realm]

INTRODUCTION
    The RPCSEC_GSS protocol, defined in RFC 5403, is used to provide strong
    security for RPC-based protocols such as NFS.

    Before exchanging RPC requests using RPCSEC_GSS, an RPC client must
    establish a GSS security context.  A security context is shared state on
    each end of a network transport that enables GSS-API security services.

    Security contexts are established using security credentials.  A
    credential grants temporary access to a secure network service, much as a
    railway ticket grants temporary access to use a rail service.

    A user typically obtains a credential by providing a password to the
    kinit(1) command, or via a PAM library at login time.  A credential
    acquired with a user principal is known as a user credential (see
    kerberos(1) for more on principals).

    Certain operations require a credential that represents no particular
    user or represents the host itself.  This kind of credential is called a
    machine credential.

    A host establishes its machine credential using a service principal whose
    encrypted password is stored in a local file known as a keytab.  A machine
    credential remains effective without user intervention as long as the host
    can renew it.

    Once obtained, credentials are typically stored in local temporary files
    with well-known pathnames.

DESCRIPTION
    To establish GSS security contexts using these credential files, the
    Linux kernel RPC client depends on a userspace daemon called rpc.gssd.
    The rpc.gssd daemon uses the rpc_pipefs filesystem to communicate with
    the kernel.

   User Credentials
    When a user authenticates using a command such as kinit(1), the resulting
    credential is stored in a file with a well-known name constructed using
    the user's UID.
    To interact with an NFS server on behalf of a particular
    Kerberos-authenticated user, the Linux kernel RPC client requests that
    rpc.gssd initialize a security context with the credential in that user's
    credential file.

    Typically, credential files are placed in /tmp.  However, rpc.gssd can
    search for credential files in more than one directory.  See the
    description of the -d option for details.

   Machine Credentials
    rpc.gssd searches the default keytab, /etc/krb5.keytab, in the following
    order for a principal and password to use when establishing the machine
    credential.  For the search, rpc.gssd replaces <hostname> and <REALM> with
    the local system's hostname and Kerberos realm.

        <HOSTNAME>$@<REALM>
        root/<hostname>@<REALM>
        nfs/<hostname>@<REALM>
        host/<hostname>@<REALM>
        root/<anyname>@<REALM>
        nfs/<anyname>@<REALM>
        host/<anyname>@<REALM>

    rpc.gssd selects one of the <anyname> entries if it does not find a
    service principal matching the local hostname, e.g. if DHCP assigns the
    local hostname dynamically.  The <anyname> facility enables the use of the
    same keytab on multiple systems.  However, using the same service
    principal to establish a machine credential on multiple hosts can create
    unwanted security exposures and is therefore not recommended.

    Note that <HOSTNAME>$@<REALM> is a user principal that enables Kerberized
    NFS when the local system is joined to an Active Directory domain using
    Samba.  The keytab provides the password for this principal.

    You can specify a different keytab by using the -k option if
    /etc/krb5.keytab does not exist or does not provide one of these
    principals.

   Credentials for UID 0
    UID 0 is a special case.  By default rpc.gssd uses the system's machine
    credentials for UID 0 accesses that require GSS authentication.  This
    limits the privileges of the root user when accessing network resources
    that require authentication.
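    The following script is an added example, not part of the manual page or
    of nfs-utils: it reproduces the keytab search order listed under "Machine
    Credentials" against a constructed `klist -k` listing, so an administrator
    can check which principal rpc.gssd would select (and whether a shared
    <anyname> entry would be chosen) before deploying a keytab.  It assumes
    the <HOSTNAME>$ entry is simply the host name in upper case.

```shell
#!/bin/sh
# Added example (not from the rpc.gssd sources): reproduce the machine
# credential principal search order against a `klist -k` listing.
# Assumption: the <HOSTNAME>$ entry is the host name in upper case.

# Constructed sample `klist -k` listing; not a real keytab.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/nfsclient.example.com@EXAMPLE.COM
   2 nfs/shared@EXAMPLE.COM
   3 host/other.example.com@EXAMPLE.COM'

# Print the candidate principals in the order the manual page lists them.
# $1 = local hostname, $2 = Kerberos realm.  "*" stands for <anyname>.
gssd_candidates() {
    h=$1; r=$2
    upper=$(printf '%s' "$h" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$upper\$@$r" "root/$h@$r" "nfs/$h@$r" "host/$h@$r"
    printf '%s\n' "root/*@$r" "nfs/*@$r" "host/*@$r"
}

# Print the first keytab principal that satisfies the search order, or
# nothing if the keytab holds no usable machine principal.
# $1 = local hostname, $2 = realm, $3 = `klist -k` output.
gssd_pick_principal() {
    listing=$3
    gssd_candidates "$1" "$2" | while IFS= read -r cand; do
        case $cand in
            */\*@*)  # <anyname> entry: match service prefix and realm only
                pre=${cand%%/*}/; suf=@${cand#*@}
                m=$(printf '%s\n' "$listing" | awk -v p="$pre" -v s="$suf" \
                    'index($2, p) == 1 && substr($2, length($2) - length(s) + 1) == s { print $2; exit }') ;;
            *)       # exact principal name
                m=$(printf '%s\n' "$listing" | awk -v c="$cand" '$2 == c { print $2; exit }') ;;
        esac
        if [ -n "$m" ]; then printf '%s\n' "$m"; exit 0; fi
    done
}

# A host with its own host/ key, and a DHCP host that falls back to <anyname>.
gssd_pick_principal nfsclient.example.com EXAMPLE.COM "$SAMPLE_KEYTAB_LISTING"
gssd_pick_principal dhcp-42.example.com   EXAMPLE.COM "$SAMPLE_KEYTAB_LISTING"
```

    The second call shows the exposure the text warns about: a host without a
    matching principal silently falls back to the shared nfs/<anyname> key.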
    Specify the -n option when starting rpc.gssd if you'd like to force the
    root user to obtain a user credential rather than use the local system's
    machine credential.

    When -n is specified, the kernel continues to request a GSS context
    established with a machine credential for NFSv4 operations, such as
    SETCLIENTID or RENEW, that manage state.  If rpc.gssd cannot obtain a
    machine credential (say, the local system has no keytab), NFSv4
    operations that require machine credentials will fail.

   Encryption types
    A realm administrator can choose to add keys encoded in a number of
    different encryption types to the local system's keytab.  For instance, a
    host/ principal might have keys for the aes256-cts-hmac-sha1-96,
    aes128-cts-hmac-sha1-96, des3-cbc-sha1, and arcfour-hmac encryption
    types.  This permits rpc.gssd to choose an appropriate encryption type
    that the target NFS server supports.

    These encryption types are stronger than legacy single-DES encryption
    types.  To interoperate in environments where servers support only weak
    encryption types, you can restrict your client to use only single-DES
    encryption types by specifying the -l option when starting rpc.gssd.

OPTIONS
    -D     The server name passed to GSSAPI for authentication is normally
           the name exactly as requested, e.g. for NFS it is the server name
           in the "servername:/path" mount request.  Only if this servername
           appears to be an IP address (IPv4 or IPv6) or an unqualified name
           (no dots) will a reverse DNS lookup be performed to get the
           canonical server name.

           If -D is present, a reverse DNS lookup will always be used, even
           if the server name looks like a canonical name.  So it is needed
           if partially qualified or non-canonical names are regularly used.

           Using -D can introduce a security vulnerability, so it is
           recommended that -D not be used, and that canonical names always
           be used when requesting services.
    -f     Runs rpc.gssd in the foreground and sends output to stderr (as
           opposed to syslogd).

    -n     When specified, UID 0 is forced to obtain user credentials which
           are used instead of the local system's machine credentials.

    -k keytab
           Tells rpc.gssd to use the keys found in keytab to obtain machine
           credentials.  The default value is /etc/krb5.keytab.

    -l     When specified, restricts rpc.gssd to sessions using weak
           encryption types such as des-cbc-crc.  This option is available
           only when the local system's Kerberos library supports settable
           encryption types.

    -p path
           Tells rpc.gssd where to look for the rpc_pipefs filesystem.  The
           default value is /var/lib/nfs/rpc_pipefs.

    -d search-path
           This option specifies a colon-separated list of directories that
           rpc.gssd searches for credential files.  The default value is
           /tmp:/run/user/%U.  The literal sequence "%U" can be specified to
           substitute the UID of the user for whom credentials are being
           searched.

    -M     By default, machine credentials are stored in files in the first
           directory in the credential directory search path (see the -d
           option).  When -M is set, rpc.gssd stores machine credentials in
           memory instead.

    -v     Increases the verbosity of the output (can be specified multiple
           times).

    -r     If the RPCSEC_GSS library supports setting debug level, increases
           the verbosity of the output (can be specified multiple times).

    -R realm
           Kerberos tickets from this realm will be preferred when scanning
           available credentials cache files to be used to create a context.
           By default, the default realm, as configured in the Kerberos
           configuration file, is preferred.

    -t timeout
           Timeout, in seconds, for kernel GSS contexts.  This option allows
           you to force new kernel contexts to be negotiated after timeout
           seconds, which allows changing Kerberos tickets and identities
           frequently.  The default is no explicit timeout, which means the
           kernel context will live the lifetime of the Kerberos service
           ticket used in its creation.
    -T timeout
           Timeout, in seconds, to create an RPC connection with a server
           while establishing an authenticated gss context for a user.  The
           default timeout is set to 5 seconds.  If you get messages like
           "WARNING: can't create tcp rpc_clnt to server %servername% for
           user with uid %uid%: RPC: Remote system error - Connection timed
           out", you should consider increasing this timeout.

    -U timeout
           Timeout, in seconds, for upcall threads.  Threads executing longer
           than timeout seconds will cause an error message to be logged.
           The default timeout is 30 seconds.  The minimum is 5 seconds.  The
           maximum is 600 seconds.

    -C     In addition to logging an error message for threads that have
           timed out, the thread will be canceled and an error of -ETIMEDOUT
           will be reported to the kernel.

    -H     Avoids setting $HOME to "/".  This allows rpc.gssd to read
           per-user k5identity files versus trying to read /.k5identity for
           each user.

           If -H is not set, rpc.gssd will use the first match found in
           /var/kerberos/krb5/user/$EUID/client.keytab and will not use a
           principal based on host and/or service parameters listed in
           $HOME/.k5identity.

CONFIGURATION FILE
    Many of the options that can be set on the command line can also be
    controlled through values set in the [gssd] section of the /etc/nfs.conf
    configuration file.  Values recognized include:

    verbosity
           Value which is equivalent to the number of -v.

    rpc-verbosity
           Value which is equivalent to the number of -r.

    use-memcache
           A Boolean flag equivalent to -M.

    use-machine-creds
           A Boolean flag.  Setting to false is equivalent to giving the -n
           flag.

    avoid-dns
           Setting to false is equivalent to providing the -D flag.

    limit-to-legacy-enctypes
           Equivalent to -l.

    context-timeout
           Equivalent to -t.

    rpc-timeout
           Equivalent to -T.

    keytab-file
           Equivalent to -k.

    cred-cache-directory
           Equivalent to -d.

    preferred-realm
           Equivalent to -R.

    upcall-timeout
           Equivalent to -U.

    cancel-timed-out-upcalls
           Setting to true is equivalent to providing the -C flag.
    set-home
           Setting to false is equivalent to providing the -H flag.

    In addition, the following value is recognized from the [general]
    section:

    pipefs-directory
           Equivalent to -p.

SEE ALSO
    rpc.svcgssd(8), kerberos(1), kinit(1), krb5.conf(5)

AUTHORS
    Dug Song <dugsong AT umich.edu>
    Andy Adamson <andros AT umich.edu>
    Marius Aamodt Eriksen <marius AT umich.edu>
    J. Bruce Fields <bfields AT umich.edu>

                                  20 Feb 2013                       rpc.gssd(8)
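    The following script is an added example for the CONFIGURATION FILE
    section above; it is not part of the manual page or of nfs-utils.  It
    reads a constructed /etc/nfs.conf and prints the rpc.gssd command-line
    flags the [gssd] values are equivalent to, including the inverted
    booleans (use-machine-creds=false, avoid-dns=false, set-home=false), so a
    reviewer can see at a glance which risky switches a configuration turns on.

```shell
#!/bin/sh
# Added example (not from the rpc.gssd sources): map [gssd] settings in an
# nfs.conf to the equivalent rpc.gssd flags, following the manual page's
# CONFIGURATION FILE table.  Only the [gssd] section is considered.

# Constructed sample configuration; not taken from any real system.
SAMPLE_NFS_CONF='[general]
pipefs-directory=/var/lib/nfs/rpc_pipefs

[gssd]
verbosity=2
use-machine-creds=false
avoid-dns=false
limit-to-legacy-enctypes=true
set-home=true
upcall-timeout=60
cancel-timed-out-upcalls=true
cred-cache-directory=/tmp:/run/user/%U'

# $1 = configuration file text.  Prints one equivalent flag per line, in
# file order, so the output can be compared with a running daemon's options.
gssd_flags_from_conf() {
    printf '%s\n' "$1" | awk -F= '
        /^\[/ { sect = $0; next }                      # track [section]
        sect != "[gssd]" || NF < 2 || /^[ \t]*#/ { next }
        { key = $1; val = $2
          gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        key == "verbosity"     { for (i = 0; i < val + 0; i++) print "-v" }
        key == "rpc-verbosity" { for (i = 0; i < val + 0; i++) print "-r" }
        key == "use-memcache"             && val == "true"  { print "-M" }
        key == "use-machine-creds"        && val == "false" { print "-n" }
        key == "avoid-dns"                && val == "false" { print "-D" }
        key == "limit-to-legacy-enctypes" && val == "true"  { print "-l" }
        key == "set-home"                 && val == "false" { print "-H" }
        key == "cancel-timed-out-upcalls" && val == "true"  { print "-C" }
        key == "context-timeout"      { print "-t " val }
        key == "rpc-timeout"          { print "-T " val }
        key == "keytab-file"          { print "-k " val }
        key == "cred-cache-directory" { print "-d " val }
        key == "preferred-realm"      { print "-R " val }
        key == "upcall-timeout"       { print "-U " val }
    '
}

gssd_flags_from_conf "$SAMPLE_NFS_CONF"
```

    In this constructed file, avoid-dns=false and limit-to-legacy-enctypes=true
    surface as -D and -l, the two switches the OPTIONS section advises against.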