gssd(8) - Manual pages

NAME

gssd — Generic Security Services Daemon

SYNOPSIS

gssd [-d] [-h] [-o] [-v] [-s dir-list] [-c file-substring] [-r preferred-realm]

DESCRIPTION

The gssd program provides support for the kernel GSS-API implementation.

The options are as follows:

-d: Run in debug mode. In this mode, gssd will not fork when it starts.
-h: Enable support for host-based initiator credentials. This permits a kerberized NFS mount to use a service principal in the default Kerberos 5 keytab file for access. Such access is enabled via the gssname option for the mount_nfs(8) command.
-o: Force use of DES and the associated old style GSS-API initialization token. This may be required to make kerberized NFS mounts work against some non-FreeBSD NFS servers.
-v: Run in verbose mode. In this mode, gssd will log activity messages to syslog using LOG_INFO | LOG_DAEMON or to stderr, if the -d option has also been specified. The minor status is logged as a decimal number, since it is actually a Kerberos return status, which is signed.
-s dir-list: Look for an appropriate credential cache file in this list of directories. The list should be full pathnames from root, separated by ':' characters. Usually this list will simply be "/tmp". Without this option, gssd assumes that the credential cache file is called /tmp/krb5cc_<uid>, where <uid> is the effective uid for the RPC caller.
-c file-substring: Set a file-substring for the credential cache file names. Only files with this substring embedded in their names will be selected as candidates when -s has been specified. If not specified, it defaults to "krb5cc_".
-r preferred-realm: Use Kerberos credentials for this realm when searching for credentials in directories specified with -s. If not specified, the default Kerberos realm will be used.