GssProxy Manual pages
GSS-Proxy - http://fedorahosted.org/gss-proxy
NAME
gssproxy.conf(5) - GssProxy Daemon Configuration file
DESCRIPTION
Optional configuration directives for the gssproxy daemon.
The gssproxy.conf file is a classic ini-style configuration file.
Each option consists of a key = value pair.
Any characters after '#' are treated as a comment and ignored.
Boolean parameters accept "1", "true", "yes" and "on" as
positive values. All other values will be considered as negative
values.
SECTIONS
A section in the gssproxy.conf file is identified by the sectionname in square brackets ([sectionname]).
There is one special section for global gssproxy settings, called
[gssproxy].
Services such as nfs, apache, ssh, etc. are represented by
sections like [service/nfs], [service/apache], etc. and are
identified by the "euid" setting (see below).
VARIABLE SUBSTITUTIONS
String parameters may contain substitution patterns. This makes it easier for gssproxy to handle
per-user storage locations for keytabs or credential caches.
The supported patterns are:
%U
substitutes to the user's numeric uid (e.g. 123).
%u
substitutes to the user's username (e.g. john).
OPTIONS
gssproxy supports the following options:
cred_store (string)
This parameter controls how gssproxy uses the cred_store interface provided by GSSAPI. The parameter can be defined multiple times per service.
The syntax of the cred_store parameter is as
follows:
cred_store = <option>:<value>
Currently this interface supports the following
options:
keytab
Defines the keytab the service should use. Example: cred_store = keytab:/path/to/keytab.
client_keytab
Defines a client keytab the service should use. Example: cred_store = client_keytab:/path/to/client_keytab.
ccache
Defines a credential cache the service should use. Example: cred_store = ccache:/path/to/ccache.
Notably the client_keytab and the ccache setting
typically are used with variable substitution
placeholders (see above). For example:
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/%U.keytab
Default: cred_store =
debug (boolean)
Enable debugging to syslog.
Default: debug = false
euid (integer)
The numeric effective uid of a running process, required to identify a service.
The "euid" parameter is mandatory; any section
without it is discarded.
Default: euid =
kernel_nfsd (boolean)
Boolean flag that allows the Linux kernel to check if gssproxy is running (via /proc/net/rpc/use-gss-proxy).
Default: kernel_nfsd = false
krb5_principal (string)
The krb5 principal to be used by this service.
Default: krb5_principal =
mechs (string)
Currently only krb5 is supported.
The "mechs" parameter is mandatory; any section
without it is discarded.
Default: mechs =
socket (string)
This parameter sets the path of a per-service socket file over which the gssproxy client and server components communicate.
When this parameter is not set, gssproxy will
use a compiled-in default.
trusted (boolean)
Defines whether this service is considered trusted. Use with caution: this enables impersonation.
Default: trusted = false
worker threads (integer)
Defines the number of worker threads gssproxy will create at startup.
Default: worker threads =
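The following is an added example, not code from the gssproxy project: a small Python checker that reads a constructed gssproxy.conf using the rules above (ini sections, '#' comments, repeated cred_store keys, the 1/true/yes/on boolean values, the %U and %u substitutions) and reports which [service/*] sections gssproxy would keep, since sections lacking euid or mechs are discarded. The socket path and the [service/broken] section are constructed sample values.

```python
import re

# Constructed sample gssproxy.conf following the rules in this manual page.
SAMPLE_CONF = """
[gssproxy]
debug = true   # 1/true/yes/on are the only positive boolean values
[service/nfs]
mechs = krb5
euid = 0
cred_store = keytab:/etc/krb5.keytab
cred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U
cred_store = client_keytab:/var/lib/gssproxy/%U.keytab
trusted = off
[service/broken]
# no euid and no mechs: gssproxy discards this section (constructed example)
socket = /run/gssproxy/broken.sock
"""

def parse_bool(value):
    """Boolean semantics from the manual: only 1/true/yes/on are positive."""
    return value.strip() in {"1", "true", "yes", "on"}

def parse_conf(text):
    """Parse ini-style text into {section: {key: [values]}}. Keys may repeat
    (cred_store), so each key keeps a list of values in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # anything after '#' is a comment
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current.setdefault(key.strip(), []).append(value.strip())
    return sections

def valid_services(sections):
    """Keep only [service/*] sections that carry the mandatory euid and mechs."""
    return {name: opts for name, opts in sections.items()
            if name.startswith("service/") and "euid" in opts and "mechs" in opts}

def substitute(pattern, uid, username):
    """Expand the %U (numeric uid) and %u (username) placeholders."""
    return pattern.replace("%U", str(uid)).replace("%u", username)
```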
SEE ALSO
gssproxy(8) and gssproxy-mech(8).