dwww Home | Manual pages | Find package

rpc.gssd(8)                 System Manager's Manual                rpc.gssd(8)

NAME
       rpc.gssd - RPCSEC_GSS daemon

SYNOPSIS
       rpc.gssd  [-DfMnlvrHC]  [-k  keytab]  [-p pipefsdir] [-d ccachedir] [-t
       timeout] [-T timeout] [-U timeout] [-R realm]

INTRODUCTION
       The RPCSEC_GSS protocol, defined in RFC 5403, is used to provide strong
       security for RPC-based protocols such as NFS.

       Before exchanging RPC requests using RPCSEC_GSS, an RPC client must es-
       tablish a GSS security context.  A security context is shared state  on
       each end of a network transport that enables GSS-API security services.

       Security  contexts  are established using security credentials.  A cre-
       dential grants temporary access to a secure network service, much as  a
       railway ticket grants temporary access to use a rail service.

       A  user  typically  obtains a credential by providing a password to the
       kinit(1) command, or via a PAM library at login time.  A credential ac-
       quired with a user principal is known as a user  credential  (see  ker-
       beros(1) for more on principals).

       Certain  operations  require a credential that represents no particular
       user or represents the host itself.  This kind of credential is  called
       a machine credential.

       A  host  establishes  its  machine credential using a service principal
       whose encrypted password is stored in a local file known as  a  keytab.
       A  machine  credential  remains  effective without user intervention as
       long as the host can renew it.

       Once obtained, credentials are  typically  stored  in  local  temporary
       files with well-known pathnames.

DESCRIPTION
       To  establish  GSS  security contexts using these credential files, the
       Linux kernel RPC client depends on a userspace daemon called  rpc.gssd.
       The  rpc.gssd daemon uses the rpc_pipefs filesystem to communicate with
       the kernel.

   User Credentials
       When a user authenticates using a command such as kinit(1), the result-
       ing credential is stored in a file with a well-known  name  constructed
       using the user's UID.

       To  interact  with an NFS server on behalf of a particular Kerberos-au-
       thenticated user, the Linux kernel RPC client  requests  that  rpc.gssd
       initialize  a  security context with the credential in that user's cre-
       dential file.

       Typically, credential files are placed in /tmp.  However, rpc.gssd  can
       search  for  credential  files in more than one directory.  See the de-
       scription of the -d option for details.

   Machine Credentials
       rpc.gssd searches the default keytab, /etc/krb5.keytab, in the  follow-
       ing order for a principal and password to use when establishing the ma-
       chine  credential.   For  the  search, rpc.gssd replaces <hostname> and
       <REALM> with the local system's hostname and Kerberos realm.

          <HOSTNAME>$@<REALM>
          root/<hostname>@<REALM>
          nfs/<hostname>@<REALM>
          host/<hostname>@<REALM>
          root/<anyname>@<REALM>
          nfs/<anyname>@<REALM>
          host/<anyname>@<REALM>

       rpc.gssd selects one of the <anyname> entries if it  does  not  find  a
       service principal matching the local hostname, e.g. if DHCP assigns the
       local  hostname dynamically.  The <anyname> facility enables the use of
       the same keytab on multiple systems.  However, using the  same  service
       principal  to establish a machine credential on multiple hosts can cre-
       ate unwanted security exposures and is therefore not recommended.

       Note that <HOSTNAME>$@<REALM> is a user principal that enables  Kerber-
       ized  NFS when the local system is joined to an Active Directory domain
       using Samba.  The keytab provides the password for this principal.

       You  can  specify  a  different  keytab  by  using  the  -k  option  if
       /etc/krb5.keytab  does not exist or does not provide one of these prin-
       cipals.

   Credentials for UID 0
       UID 0 is a special case.  By default rpc.gssd uses the system's machine
       credentials for UID 0 accesses that require GSS  authentication.   This
       limits the privileges of the root user when accessing network resources
       that require authentication.

       Specify the -n option when starting rpc.gssd if you'd like to force the
       root  user  to  obtain a user credential rather than use the local sys-
       tem's machine credential.

       When -n is specified, the kernel continues to request a GSS context es-
       tablished with a machine credential for NFSv4 operations, such as  SET-
       CLIENTID  or RENEW, that manage state.  If rpc.gssd cannot obtain a ma-
       chine credential (say, the local system has no  keytab),  NFSv4  opera-
       tions that require machine credentials will fail.

   Encryption types
       A  realm  administrator  can  choose to add keys encoded in a number of
       different encryption types to the local system's keytab.  For instance,
       a host/ principal might  have  keys  for  the  aes256-cts-hmac-sha1-96,
       aes128-cts-hmac-sha1-96,  des3-cbc-sha1,  and  arcfour-hmac  encryption
       types.  This permits rpc.gssd to choose an appropriate encryption  type
       that the target NFS server supports.

       These  encryption  types are stronger than legacy single-DES encryption
       types.  To interoperate in environments where servers support only weak
       encryption types, you can restrict your client to use  only  single-DES
       encryption types by specifying the -l option when starting rpc.gssd.

OPTIONS
       -D     The  server name passed to GSSAPI for authentication is normally
              the name exactly as requested.  e.g. for NFS it  is  the  server
              name  in  the  "servername:/path"  mount  request.  Only if this
              servername appears to be an IP address (IPv4 or IPv6) or an  un-
              qualified  name (no dots) will a reverse DNS lookup will be per-
              formed to get the canoncial server name.

              If -D is present, a reverse DNS lookup will always be used, even
              if the server name looks like a canonical name.  So it is needed
              if partially qualified, or non  canonical  names  are  regularly
              used.

              Using -D can introduce a security vulnerability, so it is recom-
              mended  that  -D not be used, and that canonical names always be
              used when requesting services.

       -f     Runs rpc.gssd in the foreground and sends output to  stderr  (as
              opposed to syslogd)

       -n     When specified, UID 0 is forced to obtain user credentials which
              are used instead of the local system's machine credentials.

       -k keytab
              Tells rpc.gssd to use the keys found in keytab to obtain machine
              credentials.  The default value is /etc/krb5.keytab.

       -l     When  specified,  restricts rpc.gssd to sessions to weak encryp-
              tion types such as des-cbc-crc.  This option is  available  only
              when  the  local system's Kerberos library supports settable en-
              cryption types.

       -p path
              Tells rpc.gssd where to look for the rpc_pipefs filesystem.  The
              default value is /var/lib/nfs/rpc_pipefs.

       -d search-path
              This option specifies a colon separated list of directories that
              rpc.gssd searches for credential files.  The  default  value  is
              /tmp:/run/user/%U.   The  literal sequence "%U" can be specified
              to substitue the UID of the user for whom credentials are  being
              searched.

       -M     By default, machine credentials are stored in files in the first
              directory  in  the  credential directory search path (see the -d
              option).  When -M is set, rpc.gssd stores machine credentials in
              memory instead.

       -v     Increases the verbosity of the output (can be specified multiple
              times).

       -r     If the RPCSEC_GSS library  supports  setting  debug  level,  in-
              creases  the  verbosity of the output (can be specified multiple
              times).

       -R realm
              Kerberos tickets from this realm will be preferred when scanning
              available credentials cache files to be used to  create  a  con-
              text.   By default, the default realm, as configured in the Ker-
              beros configuration file, is preferred.

       -t timeout
              Timeout, in seconds, for kernel GSS contexts. This option allows
              you to force new kernel contexts to be negotiated after  timeout
              seconds,  which  allows changing Kerberos tickets and identities
              frequently.  The default is no explicit timeout, which means the
              kernel context will live the lifetime of  the  Kerberos  service
              ticket used in its creation.

       -T timeout
              Timeout,  in  seconds, to create an RPC connection with a server
              while establishing an authenticated gss context for a user.  The
              default timeout is set to 5 seconds.  If you get  messages  like
              "WARNING:  can't  create tcp rpc_clnt to server %servername% for
              user with uid %uid%: RPC: Remote system error - Connection timed
              out", you should consider an increase of this timeout.

       -U timeout
              Timeout, in seconds,  for  upcall  threads.   Threads  executing
              longer  than  timeout  seconds will cause an error message to be
              logged.  The default timeout is 30 seconds.  The  minimum  is  5
              seconds.  The maximum is 600 seconds.

       -C     In  addition  to  logging an error message for threads that have
              timed out, the thread will be canceled and an error of  -ETIMED-
              OUT will be reported to the kernel.

       -H     Avoids  setting  $HOME  to "/". This allows rpc.gssd to read per
              user k5identity files versus trying  to  read  /.k5identity  for
              each user.

              If  -H  is  not  set, rpc.gssd will use the first match found in
              /var/kerberos/krb5/user/$EUID/client.keytab and will not  use  a
              principal  based  on  host  and/or  service parameters listed in
              $HOME/.k5identity.

CONFIGURATION FILE
       Many of the options that can be set on the command  line  can  also  be
       controlled   through   values   set   in  the  [gssd]  section  of  the
       /etc/nfs.conf configuration file.  Values recognized include:

       verbosity
              Value which is equivalent to the number of -v.

       rpc-verbosity
              Value which is equivalent to the number of -r.

       use-memcache
              A Boolean flag equivalent to -M.

       use-machine-creds
              A Boolean flag. Setting to false is equivalent to giving the  -n
              flag.

       avoid-dns
              Setting to false is equivalent to providing the -D flag.

       limit-to-legacy-enctypes
              Equivalent to -l.

       context-timeout
              Equivalent to -t.

       rpc-timeout
              Equivalent to -T.

       keytab-file
              Equivalent to -k.

       cred-cache-directory
              Equivalent to -d.

       preferred-realm
              Equivalent to -R.

       upcall-timeout
              Equivalent to -U.

       cancel-timed-out-upcalls
              Setting to true is equivalent to providing the -C flag.

       set-home
              Setting to false is equivalent to providing the -H flag.

       In  addtion,  the following value is recognized from the [general] sec-
       tion:

       pipefs-directory
              Equivalent to -p.

SEE ALSO
       rpc.svcgssd(8), kerberos(1), kinit(1), krb5.conf(5)

AUTHORS
       Dug Song <dugsong@umich.edu>
       Andy Adamson <andros@umich.edu>
       Marius Aamodt Eriksen <marius@umich.edu>
       J. Bruce Fields <bfields@umich.edu>

                                  20 Feb 2013                      rpc.gssd(8)

Generated by dwww version 1.16 on Tue Jul 14 11:14:59 CEST 2026.