Forge Home


Manipulate the gssproxy service and config


176 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.3 (latest)
  • 0.1.2
  • 0.1.1
  • 0.1.0
released Sep 1st 2023
This version is compatible with:
  • Puppet Enterprise 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.21.0 < 9.0.0
  • CentOS, OracleLinux, RedHat, , Debian, Ubuntu, Fedora, SLES

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'jcpunk-gssproxy', '0.1.3'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add jcpunk-gssproxy
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install jcpunk-gssproxy --version 0.1.3

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



jcpunk/gssproxy — version 0.1.3 Sep 1st 2023


Manage and configure the gssproxy service

Table of Contents

  1. Description
  2. Usage - Configuration options and additional functionality
  3. Limitations - OS compatibility, etc.
  4. Development - Guide for contributing to the module


The gssproxy service is used in a number of contexts to proxy kerberos authentication for various applications. The most common use is with Kerberized NFS.

This module will setup the gssproxy service, but leave defining them to you. See Usage - Configuration options and additional functionality for more information.


By default this class will define zero services for gssproxy to work with. The idea here is that the service using gssproxy probably requires its own configuration settings there, and it makes more sense to export an interface for other services (such as nfs) to define their settings along side the service itself.

But if you want to instead manage the gssproxy interface here you can do so with something like:

class { 'gssproxy':
  services => {
    'service/nfs-client' => {
      'settings' => {
         'mechs' => 'krb5',
         'cred_store' => [
            'client_keytab:/var/lib/gssproxy/clients/%U.keytab' ],
         'cred_usage' =>  'initiate',
         'allow_any_uid' => 'yes',
         'trusted' => 'yes',
         'euid' => 0,
    } },

    'service/nfs-server' => {
      'settings' =>
        'mechs' => 'krb5',
        'socket' => '/run/gssproxy.sock',
        'cred_store' => 'keytab:/etc/krb5.keytab',
        'trusted' => 'yes',
        'kernel_nfsd' => 'yes',
        'euid' => 0,

or in hiera

       mechs: krb5
         - keytab:/etc/krb5.keytab
         - ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
         - client_keytab:/var/lib/gssproxy/clients/%U.keytab
       cred_usage:  initiate
       allow_any_uid: 'yes'
       trusted: 'yes'
       euid: 0

      mechs: krb5
      socket: /run/gssproxy.sock
      cred_store: keytab:/etc/krb5.keytab
      trusted: 'yes'
      kernel_nfsd: 'yes'
      euid: 0

Include usage examples for common use cases in the Usage section. Show your users how to use your module to solve problems, and be sure to include code examples. Include three to five examples of the most important or common tasks a user can accomplish with your module. Show users how to accomplish more complex tasks that involve different types, classes, and functions working in tandem.


If you disable the management of the system service, the service defined type will not automatically notify the system service of the change as it may be undefined or have an unknown name.


Development takes place within the github repo.