gssproxy.conf man page on RedHat

GSSPROXY.CONF(5)	     GssProxy Manual pages	      GSSPROXY.CONF(5)

NAME
       gssproxy.conf - GssProxy Daemon Configuration file

DESCRIPTION
       Optional configuration directives for the gssproxy daemon.

       The gssproxy.conf file is a classic ini-style configuration file. Each
       option consists of a key = value pair. Any characters after '#' are
       treated as comments and ignored. Boolean parameters accept "1",
       "true", "yes" and "on" as positive values. All other values are
       considered negative.

SECTIONS
       A section in the gssproxy.conf file is identified by the section name
       in square brackets ([sectionname]).

       There is one special section for global gssproxy settings, called
       [gssproxy].

       Services such as nfs, apache, ssh, etc. are represented by sections
       like [service/nfs], [service/apache], etc. and are identified by the
       "euid" setting (see below).

VARIABLE SUBSTITUTIONS
       String parameters may contain substitution patterns. These make it
       easier to describe per-user storage locations for keytabs or
       credential caches.

       The supported patterns are:

       %U
	   is replaced with the user's numeric uid (e.g. 123).

       %u
	   is replaced with the user's username (e.g. john).

OPTIONS
       gssproxy supports the following options:

       allow_any_uid (boolean)
	   Allow any process of any user to use this service.

	   Note that, absent a custom socket or selinux_context option, this
	   option may cause a service definition to mask access to the
	   services that follow it. To avoid issues, change the order of
	   services in your configuration file so that services with
	   allow_any_uid enabled are listed last, or define a custom socket
	   for the other services.

	   Default: false

       cred_usage (string)
	   Restricts the kind of operations permitted for this service.

	   The allowed options are: initiate, accept, both

	   Default: cred_usage = both

       cred_store (string)
	   This parameter controls how gssproxy uses the cred_store interface
	   provided by GSSAPI. The parameter can be defined multiple times
	   per service.

	   The syntax of the cred_store parameter is as follows: cred_store =
	   <cred_store_option>:<cred_store_value>

	   Currently this interface supports the following options:

	   keytab
	       Defines the keytab the service should use. Example: cred_store
	       = keytab:/path/to/keytab

	   client_keytab
	       Defines a client keytab the service should use. Example:
	       cred_store = client_keytab:/path/to/client_keytab.

	   ccache
	       Defines a credential cache the service should use. Example:
	       cred_store = ccache:/path/to/ccache.

	   Notably, the client_keytab and ccache settings are typically used
	   with variable substitution placeholders (see above). For example:

		   cred_store = keytab:/etc/krb5.keytab
		   cred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U
		   cred_store = client_keytab:/var/lib/gssproxy/%U.keytab

	   Default: cred_store =

       debug (boolean)
	   Enable debugging to syslog.

	   Default: debug = false

       euid (integer)
	   The numeric effective uid of a running process, required to
	   identify a service.

	   The "euid" parameter is mandatory; any section without it will be
	   discarded.

	   Default: euid =

       impersonate (boolean)
	   Use impersonation (s4u2self + s4u2proxy) to obtain credentials.

	   Default: impersonate = false

       kernel_nfsd (boolean)
	   Boolean flag that allows the Linux kernel to check if gssproxy is
	   running (via /proc/net/rpc/use-gss-proxy).

	   Default: kernel_nfsd = false

       krb5_principal (string)
	   The krb5 principal to be used by this service.

	   Default: krb5_principal =

       mechs (string)
	   Currently only krb5 is supported.

	   The "mechs" parameter is mandatory; any section without it will be
	   discarded.

	   Default: mechs =

       selinux_context (string)
	   This parameter instructs the proxy to map a request to the service
	   only if the SELinux context of the connecting client matches the
	   one defined here.

	   When this parameter is not set, any client will be allowed
	   regardless of its SELinux context.

	   Example: selinux_context = system_u:system_r:gssd_t

       socket (string)
	   This parameter creates a per-service socket file over which the
	   gssproxy client and server components communicate.

	   When this parameter is not set, gssproxy will use a compiled-in
	   default.

       trusted (boolean)
	   Defines whether this service is considered trusted. Use with
	   caution: this enables impersonation.

	   Default: trusted = false

       worker threads (integer)
	   Defines the number of worker threads gssproxy will create at
	   startup.

	   Default: worker threads =
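
       The following Python linter is an added example, not part of the man
       page or the gssproxy project. It checks a configuration against three
       rules stated above: sections without euid or mechs are discarded, an
       allow_any_uid service with no socket or selinux_context should be
       listed last, and trusted or impersonate enables impersonation. The
       sample configuration (section names, uids, paths) is constructed;
       treating a repeated boolean as set when any occurrence is positive is
       an assumption.

```python
TRUE_VALUES = {"1", "true", "yes", "on"}  # per the page; anything else is negative
# Constructed sample configuration; section names, uids and paths are illustrative.
SAMPLE = """\
[gssproxy]
debug = false
[service/anyuser]
mechs = krb5
euid = 0
allow_any_uid = yes   # no socket or selinux_context set
cred_store = client_keytab:/var/lib/gssproxy/%U.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U
[service/web]
mechs = krb5
euid = 48
trusted = on
cred_store = keytab:/etc/krb5.keytab
[service/broken]
mechs = krb5
"""

def parse(text):
    """Return [(section, {key: [values]})]; a key such as cred_store may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # text after '#' is a comment
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def lint(text):
    """Return (section, finding) pairs for the service sections in text."""
    services = [(n, o) for n, o in parse(text) if n.startswith("service/")]
    findings = []
    for i, (name, opts) in enumerate(services):
        on = lambda key: any(v in TRUE_VALUES for v in opts.get(key, []))
        for required in ("euid", "mechs"):
            if not any(opts.get(required, [])):
                findings.append((name, f"{required} missing: section is discarded"))
        if (on("allow_any_uid") and "socket" not in opts
                and "selinux_context" not in opts and i < len(services) - 1):
            findings.append((name, "allow_any_uid may mask following services"))
        if on("trusted") or on("impersonate"):
            findings.append((name, "impersonation enabled"))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```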

SEE ALSO
       gssproxy(8) and gssproxy-mech(8).

AUTHORS
       GSS-Proxy - http://fedorahosted.org/gss-proxy

GSS Proxy			  10/28/2013		      GSSPROXY.CONF(5)