Secure NFS on HP-UX 11i v3

D. Initialize the gsscred(1M) Database
The gsscred(1M) utility creates and maintains the mapping between a Generic Security Service
Application Program Interface (GSS-API) security principal name (here, the Kerberos principal) and the
matching local UNIX user ID or group ID. RPC-based services such as NFS must be able to translate
Kerberos principals into local UNIX user and group names in order to enforce permission-based security,
such as filesystem access rights. Because the table is a static mapping, it has to be regenerated or
extended whenever Kerberos users are added on the clients or the servers. The gsscred database is
initialized with the gsscred(1M) utility as shown in Figure 11.
Figure 11 Initialize gsscred(1M) Database on NFS Clients and Servers
E. Configure the gssd(1M) Daemon
The gssd(1M) daemon is used by the kernel RPC subsystem to perform the actual mapping between
UNIX users and groups and their associated GSS-API security credentials. gssd uses the gsscred table
created in the previous step to perform these mappings. For example, the local user “dolker” would map
to the principal dolker@ATC.VSSN.HP.
The gssd daemon is managed by the Internet services daemon inetd(1M). By default, the gssd entry in
/etc/inetd.conf is commented out and must be un-commented with vi(1) or any other editor. Figure 12
shows the un-commented gssd entry in /etc/inetd.conf. Once inetd.conf has been modified, the
/usr/sbin/inetd -c command forces the inetd daemon to re-read the modified configuration file. After
that, inetd launches gssd automatically the next time a Secure NFS filesystem is shared (NFS server) or
mounted (NFS client). Both steps must be done on every NFS client and server that will use Secure NFS;
a client whose gssd entry is still commented out cannot obtain credentials for a Secure NFS mount.
Figure 12 Uncomment gssd entry and re-initialize inetd on NFS Clients and Servers
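The following script is an added example that is not part of the HP white paper: it carries out steps D and E in a checkable way, so that enabling the gssd entry is idempotent and the result is verified before inetd is told to reload. The inetd.conf content in it is a constructed sample; the exact field layout of the gssd line comes from the system's own /etc/inetd.conf. The `gsscred -m kerberos_v5 -a` form (populate the table for the Kerberos mechanism from the local passwd file) is an assumption to be checked against gsscred(1M) on the installed release; the script only runs gsscred and `inetd -c` when those commands exist on the host.

```shell
#!/bin/sh
# Added example, not HP's code: enable the gssd entry in an inetd.conf,
# verify it, populate the gsscred table, and reload inetd (HP-UX host only).
set -eu

# Constructed sample inetd.conf with the gssd entry commented out.
# The real gssd line's fields come from the system's own /etc/inetd.conf.
SAMPLE_INETD_CONF='# inetd.conf - constructed sample
ftp    stream tcp nowait root /usr/lbin/ftpd  ftpd -l
#rpc   xti    tcp swait  root /usr/lib/netsvc/gssd/gssd 100234 1 gssd
'

# Write the sample to a temporary file and print its path.
make_sample_conf() {
  f=$(mktemp /tmp/inetd.conf.XXXXXX)
  printf '%s' "$SAMPLE_INETD_CONF" > "$f"
  echo "$f"
}

# Print enabled, disabled or absent for the gssd entry in FILE.
gssd_entry_state() {
  if grep -Eq '^[^#].*[[:space:]]gssd([[:space:]]|$)' "$1"; then
    echo enabled
  elif grep -Eq '^#.*[[:space:]]gssd([[:space:]]|$)' "$1"; then
    echo disabled
  else
    echo absent
  fi
}

# Strip the leading '#' from the commented gssd line, keeping a .bak copy.
# Idempotent: an already-enabled entry is left untouched; a missing entry
# is reported rather than invented.
enable_gssd_entry() {
  f=$1
  case $(gssd_entry_state "$f") in
    enabled) return 0 ;;
    absent)  echo "no gssd entry in $f; restore one from a stock inetd.conf" >&2; return 1 ;;
  esac
  cp "$f" "$f.bak"
  sed -e '/^#.*[[:space:]]gssd/s/^#//' "$f.bak" > "$f"
  [ "$(gssd_entry_state "$f")" = enabled ]
}

# Populate the gsscred table for the Kerberos mechanism from /etc/passwd.
# Assumed option form; confirm against gsscred(1M) before relying on it.
init_gsscred_db() {
  if command -v gsscred >/dev/null 2>&1; then
    gsscred -m kerberos_v5 -a
  else
    echo "gsscred(1M) not present on this host; skipping" >&2
  fi
}

# Make inetd re-read its configuration; only meaningful on the HP-UX host.
reload_inetd() {
  if [ -x /usr/sbin/inetd ]; then
    /usr/sbin/inetd -c
  else
    echo "not on the HP-UX host; skipping inetd -c" >&2
  fi
}

# Demonstration against the constructed sample (never touches /etc/inetd.conf).
if [ "${1:-}" = "--demo" ]; then
  f=$(make_sample_conf)
  echo "before: $(gssd_entry_state "$f")"
  enable_gssd_entry "$f"
  echo "after:  $(gssd_entry_state "$f")"
  init_gsscred_db
  reload_inetd
  rm -f "$f" "$f.bak"
fi
```

On a real host, point `enable_gssd_entry` at /etc/inetd.conf and run it as root on every Secure NFS client and server, then `reload_inetd`; the .bak copy is what you diff against if a mount or share still fails to start gssd.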