From fce2d59c622e77451cf622de157bb8d8a0588ef1 Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Thu, 11 Apr 2013 16:44:18 +0200
Subject: Add more documentation in the gssproxy.conf manpage.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Document options, sections, substitutions and default values.

Signed-off-by: Günther Deschner
Reviewed-by: Simo Sorce
---
 proxy/man/gssproxy.conf.5.xml | 176 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 176 insertions(+)
(limited to 'proxy')

diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml
index 9b1dc7a..b733876 100644
--- a/proxy/man/gssproxy.conf.5.xml
+++ b/proxy/man/gssproxy.conf.5.xml
@@ -24,6 +24,182 @@ Optional configuration directives for the gssproxy daemon. + + The gssproxy.conf file is a classic ini-style configuration file. + Each option consist of a key = value pair. + Any characters behind '#' will be treated as comments and will be ignored. + Boolean parameters accept "1", "true", "yes" and "on" as + positive values. All other values will be considered as negative + values. + + + + + SECTIONS + + A section in the gssproxy.conf file is identified by the sectionname in square brackets ([sectionname]). + + + There is one special section for global gssproxy settings, called + [gssproxy]. + + + Services such as nfs, apache, ssh, etc. are represented by + sections like [service/nfs], [service/apache], etc. and are + identified by the "euid" setting (see below). + + + + + VARIABLE SUBSTITUTIONS + + + String parameters may contain substitution patterns. This allows gssproxy to deal with patterns for + the storage location of keytabs or credential caches easier. + + + + The supported patterns are: + + + + + %U + substitutes to the user's numeric uid (e.g. 123) + + + %u + substitutes to the user's username (e.g. john). + + + + + + OPTIONS + + gssproxy supports the following options: + + + + cred_store (string) + + This parameter allows to control in which way gssproxy should use the cred_store interface provided by GSSAPI. The parameter can be defined multiple times per service. + The syntax of the cred_store parameter is as + follows: + :]]> + Currently this interface supports the following + options: + + + + keytab + Defines the keytab the service should use. Example: cred_store = keytab:/path/to/keytab + + + client_keytab + Defines a client keytab the service should use. Example: cred_store = client_keytab:/path/to/client_keytab. + + + ccache + Defines a credential cache the service should use. Example: cred_store = ccache:/path/to/ccache. 
+ + + + Notably the client_keytab and the ccache setting + typically are used with variable substitution + placeholders (see above). For example: + + + cred_store = keytab:/etc/krb5.keytab + cred_store = ccache:FILE:/var/lib/gssproxy/krb5cc_%U + cred_store = client_keytab:/var/lib/gssproxy/%U.keytab + + + Default: cred_store = + + + + + + debug (boolean) + + Enable debugging to syslog. + Default: debug = false + + + + + euid (integer) + + The numeric effective uid of a running process, required to identify a service. + The "euid" parameter is imperative, any section + without it will be discarded. + Default: euid = + + + + + kernel_nfsd (boolean) + + Boolean flag that allows the Linux kernel to check if gssproxy is running (via /proc/net/rpc/use-gss-proxy). + Default: kernel_nfsd = false + + + + + krb5_principal (string) + + The krb5 principal to be used by this service. + Default: krb5_principal = + + + + + mech (string) + + Currently only krb5 is supported. + The "mech" parameter is imperative, any section + without it will be discarded. + Default: mech = + + + + + socket (string) + + This parameter allows to create a per-service socket file over which gssproxy client and server components communicate. + + When this parameter is not set, gssproxy will + use a compiled-in default. + + + + + trusted (boolean) + Defines whether this service is considered trusted. Use with caution, this enables impersonation. + Default: trusted = false + + + + + worker threads (integer) + + Defines the amount of worker threads gssproxy will create at startup. + Default: worker threads = + + + + + + + + + SEE ALSO + + + gssproxy8 + + -- cgit