Create network_fs_clients.md

Described steps to have differentiated access methods for client side NFS and SMB if needed.

docs/network_fs_clients.md

@@ -0,0 +1,40 @@
+# Introduction
+
+Following changes to cifs.upcall, extending its functionality to leverage gssapi for ticket acquisition, 99-nfs-client.conf has been renamed to 99-network-fs-clients.conf. This allows the upcall programs for client side NFS and SMB, rpc.gssd and cifs.upcall, to leverage the same configuration file. However, there may be circumstances where having differentiated access for each remote filesystem is preferred or even necessary.
+
+## Creating configuration files
+
+If different behavior for client side NFS and SMB is needed:
+
+1) Remove /etc/gssproxy/99-network-fs-clients.conf
+
+2) Create configuration files for cifs-client and nfs-client services. The `program =` option **must** be included if both programs are going to access the default socket, `/var/lib/gssproxy/default.sock`
+
+~~~~
+# cat /etc/gssproxy/99-cifs-client.conf
+[service/cifs-client]
+  mechs = krb5
+  cred_store = keytab:/etc/krb5.keytab
+  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
+  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
+  cred_usage = initiate
+  allow_any_uid = yes
+  trusted = yes
+  euid = 0
+  program = /usr/sbin/cifs.upcall
+~~~~
+
+~~~~
+[service/nfs-client]
+  mechs = krb5
+  cred_store = keytab:/etc/krb5.keytab
+  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
+  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
+  cred_usage = initiate
+  allow_any_uid = yes
+  trusted = yes
+  euid = 0
+  program = /usr/sbin/rpc.gssd
+~~~~
+
+3) Customize the above files as needed. The existing docs/NFS.md file discusses Keytab based Client initiation as well as User Impersonation and Constrainted Delegation. Resource Base Constrained Delegation is also possible and requires no additional client side configuration changes as RBCD is a server side configuration change.