xref: /titanic_50/usr/src/man/man1m/gsscred.1m (revision 4445fffbbb1ea25fd0e9ea68b9380dd7a6709025)
te
Copyright (c) 1998, Sun Microsystems, Inc. All Rights Reserved
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
GSSCRED 1M "Feb 11, 2004"
NAME
gsscred - add, remove, and list gsscred table entries
SYNOPSIS

gsscred [-n user [-o oid] [-u uid]] [-c comment] -m mech -a

gsscred [-n user [-o oid]] [-u uid] [-m mech] -r

gsscred [-n user [-o oid]] [-u uid] [-m mech] -l
DESCRIPTION

The gsscred utility is used to create and maintain a mapping between a security principal name and a local UNIX uid. The format of the user name is assumed to be GSS_C_NT_USER_NAME. You can use the -o option to specify the object identifier of the name type. The OID must be specified in dot-separated notation, for example: 1.2.3.45464.3.1

The gsscred table is used on server machines to lookup the uid of incoming clients connected using RPCSEC_GSS.

When adding users, if no user name is specified, an entry is created in the table for each user from the passwd table. If no comment is specified, the gsscred utility inserts a comment that specifies the user name as an ASCII string and the GSS-APIsecurity mechanism that applies to it. The security mechanism will be in string representation as defined in the /etc/gss/mech file.

The parameters are interpreted the same way by the gsscred utility to delete users as they are to create users. At least one of the following options must be specified: -n, -u, or -m. If no security mechanism is specified, then all entries will be deleted for the user identified by either the uid or user name. If only the security mechanism is specified, then all user entries for that security mechanism will be deleted.

Again, the parameters are interpreted the same way by the gsscred utility to search for users as they are to create users. If no options are specified, then the entire table is returned. If the user name or uid is specified, then all entries for that user are returned. If a security mechanism is specified, then all user entries for that security mechanism are returned.

OPTIONS
-a

Add a table entry.

-c comment

Insert comment about this table entry.

-l

Search table for entry.

-m mech

Specify the mechanism for which this name is to be translated.

-n user

Specify the optional principal name.

-o oid

Specify the OID indicating the name type of the user.

-r

Remove the entry from the table.

-u uid

Specify the uid for the user if the user is not local.

EXAMPLES

Example 1 Creating a gsscred Table for the Kerberos v5 Security Mechanism

The following shows how to create a gsscred table for the kerberos v5 security mechanism. gsscred obtains user names and uid's from the passwd table to populate the table.

example% gsscred -m kerberos_v5 -a

Example 2 Adding an Entry for root/host1 for the Kerberos v5 Security Mechanism

The following shows how to add an entry for root/host1 with a specified uid of 0 for the kerberos v5 security mechanism.

example% gsscred -m kerberos_v5 -n root/host1 -u 0 -a

Example 3 Listing All User Mappings for the Kerberos v5 Security Mechanism

The following lists all user mappings for the kerberos v5 security mechanism.

example% gsscred -m kerberos_v5 -l

Example 4 Listing All Mappings for All Security Mechanism for a Specified User

The following lists all mappings for all security mechanisms for the user bsimpson.

example% gsscred -n bsimpson -l
EXIT STATUS

The following exit values are returned: 0

Successful completion.

>0

An error occurred.

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability Evolving
SEE ALSO

gssd(1m), gsscred.conf(4), attributes(5)

NOTES

Some GSS mechanisms, such as kerberos_v5, provide their own authenticated-name-to-local-name (uid) mapping and thus do not usually have to be mapped using gsscred. See gsscred.conf(4) for more information.