Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Updated: August 2014

How to Create and Modify a Credential Table

The gsscred credential table is used by an NFS server to map Kerberos credentials to a UNIX UID. By default, the primary part of the principal name is matched to a UNIX login name. You create this table if the default mapping is not sufficient.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. Ensure that the security mechanism indicated in /etc/gss/gsscred.conf is files.
    # cat /etc/gss/gsscred.conf
    # Syslog (auth.debug) a message for GSS cred to Unix cred mapping
  2. Create the credential table by using the gsscred command.
    # gsscred -m kerberos_v5 -a

    The gsscred command gathers information from all sources that are listed with the passwd entry in the svc:/system/name-service/switch:default service. If you do not want the local password entries included in the credential table, you can temporarily remove the files entry. For more information, see the gsscred(1M) man page.

  3. (Optional) Add an entry to the credential table.

    For example, as the root role on the NFS server, add an entry to map the principal sandy/admin to UID 3736. The -a option adds the entry to the credential table.

    # gsscred -m kerberos_v5 -n sandy/admin -u 3736 -a

Example 4-10 Adding a Principal in a Different Domain to the Kerberos Credential Table

In this example, you use a fully-qualified domain name (FQDN) to specify a principal in a different domain.

# gsscred -m kerberos_v5 -n sandy/admin@EXAMPLE.COM -u 3736 -a
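
Because each table entry decides which UNIX UID a Kerberos principal acts as on the NFS server, it helps to vet planned entries against the passwd data before adding them. The following script is an added example, not part of the Oracle documentation: the plan file format, the function names `review_mappings` and `demo`, the OK/REVIEW/REJECT policy, and the sample accounts are assumptions of this example. It prints the `gsscred` command from step 3 for review and does not run it.

```shell
#!/bin/sh
# Added example (not Oracle's code): vet planned principal-to-UID mappings
# before adding them with the gsscred command shown in the procedure.
# Plan format is an assumption of this example: "<principal> <uid>" per line.

# review_mappings PASSWD_FILE PLAN_FILE
#   OK      primary part of the principal equals the login that owns the UID
#   REVIEW  mapping crosses to a different login, or targets UID 0
#   REJECT  odd characters in the principal, bad UID, or UID not in passwd
review_mappings() {
    awk '
        NR == FNR { split($0, f, ":"); login[f[3]] = f[1]; next }  # uid -> login
        NF < 2 || $1 ~ "^#" { next }                               # blanks, comments
        {
            princ = $1; uid = $2
            primary = princ; sub("[/@].*", "", primary)            # drop instance, realm
            cmd = "gsscred -m kerberos_v5 -n " princ " -u " uid " -a"
            if (princ !~ "^[A-Za-z0-9._/@-]+$") print "REJECT " princ ": unexpected characters"
            else if (uid !~ "^[0-9]+$")  print "REJECT " princ ": UID is not numeric"
            else if (!(uid in login))    print "REJECT " princ ": no passwd entry for UID " uid
            else if (uid + 0 == 0)       print "REVIEW " cmd "   # maps to UID 0"
            else if (primary != login[uid])
                print "REVIEW " cmd "   # UID belongs to " login[uid]
            else                         print "OK     " cmd
        }
    ' "$1" "$2"
}

# Constructed sample data: a passwd extract and a mapping plan.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' \
                  'sandy:x:3736:10::/home/sandy:/bin/sh' \
                  'backup:x:4100:10::/home/backup:/bin/sh' > "$dir/passwd"
    printf '%s\n' '# principal uid' \
                  'sandy/admin 3736' \
                  'sandy/admin@EXAMPLE.COM 3736' \
                  'ops/admin@EXAMPLE.COM 4100' \
                  'sandy/root 0' \
                  'jo@EXAMPLE.COM 5999' > "$dir/plan"
    review_mappings "$dir/passwd" "$dir/plan"
    rm -rf "$dir"
}

demo
```

On a real server, the passwd data can come from `getent passwd` so that every source listed for the passwd entry in the name-service switch is covered.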