System Administration Guide, Volume 2

Using the gsscred Table

The gsscred table is used by an NFS server when the server is trying to identify a SEAM user. The NFS services use UNIX IDs to identify users, and these IDs are not part of a user principal or credential. The gsscred table provides a mapping from UNIX UIDs (from the password file) to principal names. The table must be created and administered after the KDC database is populated.

When a client request comes in, the NFS services try to map the principal name to a UNIX ID. If the mapping fails, the gsscred table is consulted. With the kerberos_v5 mechanism, a root/hostname principal is automatically mapped to UID 0, and the gsscred table is not consulted. As a result, root cannot be given a special remapping through the gsscred table.
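The following added example (not part of the original guide, and not Solaris code) models the lookup order described above and uses it to list gsscred entries that can never take effect. The function names, the sample data, and the rule that the direct mapping matches a principal's primary name against password-file login names are assumptions made for illustration; realm handling is not modelled.

```python
# Added illustration: models the lookup order described in the text.
# All names and sample data are constructed; this is not Solaris code.

def split_principal(principal):
    """Split 'primary/instance@REALM' into (primary, instance, realm)."""
    name, _, realm = principal.partition("@")
    primary, _, instance = name.partition("/")
    return primary, instance, realm


def resolve_uid(principal, passwd, gsscred):
    """Return (uid, source) for a kerberos_v5 principal, or (None, 'unmapped').

    passwd:  login name -> UID (stands in for the password file)
    gsscred: principal name -> UID (stands in for the gsscred table)
    """
    primary, instance, _ = split_principal(principal)
    # root/hostname is mapped to UID 0 before any table is looked at.
    if primary == "root" and instance:
        return 0, "root-principal"
    # Assumption: the direct mapping matches the primary name to a login name.
    if not instance and primary in passwd:
        return passwd[primary], "direct"
    # Only a failed direct mapping falls through to the gsscred table.
    if principal in gsscred:
        return gsscred[principal], "gsscred"
    return None, "unmapped"


def unreachable_entries(passwd, gsscred):
    """List gsscred entries whose UID can never be the one returned."""
    dead = []
    for principal, uid in sorted(gsscred.items()):
        resolved, source = resolve_uid(principal, passwd, gsscred)
        if source != "gsscred":
            dead.append((principal, uid, resolved, source))
    return dead


# Constructed sample data.
PASSWD = {"root": 0, "alice": 1001, "bob": 1002}
GSSCRED = {
    "root/nfs1.example.com@EXAMPLE.COM": 60001,  # attempted root remap
    "alice@EXAMPLE.COM": 2001,                   # shadowed by direct mapping
    "carol@OTHER.EXAMPLE.COM": 1003,             # reached through the table
}

if __name__ == "__main__":
    for entry in unreachable_entries(PASSWD, GSSCRED):
        print(entry)
```

In this model the root/hostname entry still resolves to UID 0 even though the table lists 60001, which is the case an administrator auditing the table would want flagged.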

Which Mechanism to Select for the gsscred Table

Choosing the correct mechanism for the gsscred table depends on several factors.

The following list shows all of the back-end mechanisms that can be selected, along with a description of the advantages of each mechanism.

files

The gsscred table is stored on a file system. A local file system that is not shared provides the most secure back-end, because nothing is transmitted over the network after the table is created. This version of the file builds the quickest.

xfn_files

The gsscred table is stored within the /var/fn file system. This file system can be shared or not. All xfn files take a long time to build.

xfn_nis

The gsscred table is stored within the NIS namespace. The lookups in this file system are not secure. All xfn files take a long time to build.

xfn_nisplus

The gsscred table is stored within the NIS+ namespace. The lookups in this file system are not secure. All xfn files take a long time to build.

xfn

The gsscred table is stored within the default system for xfn. All xfn files take a long time to build.

For the files back-end mechanism, the initial lookup can be slow. For the other mechanisms, the initial lookup can be faster using a name service. For all of the mechanisms, after the data is cached the retrieval time should be about the same.