| b.liu | e958203 | 2025-04-17 19:18:16 +0800 | 1 | ===== | 
|  | 2 | Usage | 
|  | 3 | ===== | 
|  | 4 |  | 
|  | 5 | This module supports the SMB3 family of advanced network protocols (as well | 
|  | 6 | as older dialects, originally called "CIFS" or SMB1). | 
|  | 7 |  | 
|  | 8 | The CIFS VFS module for Linux supports many advanced network filesystem | 
|  | 9 | features such as hierarchical DFS like namespace, hardlinks, locking and more. | 
|  | 10 | It was designed to comply with the SNIA CIFS Technical Reference (which | 
|  | 11 | supersedes the 1992 X/Open SMB Standard) as well as to perform best practice | 
|  | 12 | practical interoperability with Windows 2000, Windows XP, Samba and equivalent | 
|  | 13 | servers.  This code was developed in participation with the Protocol Freedom | 
|  | 14 | Information Foundation.  CIFS, and now SMB3, has become a de facto | 
|  | 15 | standard for interoperating between Macs and Windows and major NAS appliances. | 
|  | 16 |  | 
|  | 17 | Please see | 
|  | 18 | MS-SMB2 (for detailed SMB2/SMB3/SMB3.1.1 protocol specification) | 
|  | 19 | http://protocolfreedom.org/ and | 
|  | 20 | http://samba.org/samba/PFIF/ | 
|  | 21 | for more details. | 
|  | 22 |  | 
|  | 23 |  | 
|  | 24 | For questions or bug reports please contact: | 
|  | 25 |  | 
|  | 26 | smfrench@gmail.com | 
|  | 27 |  | 
|  | 28 | See the project page at: https://wiki.samba.org/index.php/LinuxCIFS_utils | 
|  | 29 |  | 
|  | 30 | Build instructions | 
|  | 31 | ================== | 
|  | 32 |  | 
|  | 33 | For Linux: | 
|  | 34 |  | 
|  | 35 | 1) Download the kernel (e.g. from http://www.kernel.org) | 
|  | 36 | and change directory into the top of the kernel directory tree | 
|  | 37 | (e.g. /usr/src/linux-2.5.73) | 
|  | 38 | 2) make menuconfig (or make xconfig) | 
|  | 39 | 3) select cifs from within the network filesystem choices | 
|  | 40 | 4) save and exit | 
|  | 41 | 5) make | 
|  | 42 |  | 
|  | 43 |  | 
|  | 44 | Installation instructions | 
|  | 45 | ========================= | 
|  | 46 |  | 
|  | 47 | If you have built the CIFS vfs as a module (successfully) simply | 
|  | 48 | type ``make modules_install`` (or if you prefer, manually copy the file to | 
|  | 49 | the modules directory e.g. /lib/modules/2.4.10-4GB/kernel/fs/cifs/cifs.ko). | 
|  | 50 |  | 
|  | 51 | If you have built the CIFS vfs into the kernel itself, follow the instructions | 
|  | 52 | for your distribution on how to install a new kernel (usually you | 
|  | 53 | would simply type ``make install``). | 
|  | 54 |  | 
|  | 55 | If you do not have the utility mount.cifs (in the Samba 4.x source tree and on | 
|  | 56 | the CIFS VFS web site) copy it to the same directory in which mount helpers | 
|  | 57 | reside (usually /sbin).  Although the helper software is not | 
|  | 58 | required, mount.cifs is recommended.  Most distros include a ``cifs-utils`` | 
|  | 59 | package that includes this utility so it is recommended to install this. | 
|  | 60 |  | 
|  | 61 | Note that running the Winbind pam/nss module (logon service) on all of your | 
|  | 62 | Linux clients is useful in mapping Uids and Gids consistently across the | 
|  | 63 | domain to the proper network user.  The mount.cifs mount helper can be | 
|  | 64 | found at cifs-utils.git on git.samba.org. | 
|  | 65 |  | 
|  | 66 | If cifs is built as a module, then the size and number of network buffers | 
|  | 67 | and maximum number of simultaneous requests to one server can be configured. | 
|  | 68 | Changing these from their defaults is not recommended. By executing modinfo:: | 
|  | 69 |  | 
|  | 70 | modinfo kernel/fs/cifs/cifs.ko | 
|  | 71 |  | 
|  | 72 | on kernel/fs/cifs/cifs.ko the list of configuration changes that can be made | 
|  | 73 | at module initialization time (by running insmod cifs.ko) can be seen. | 
|  | 74 |  | 
|  | 75 | Recommendations | 
|  | 76 | =============== | 
|  | 77 |  | 
|  | 78 | To improve security, the SMB2.1 dialect or later (usually will get SMB3) is now | 
|  | 79 | the default. To use old dialects (e.g. to mount Windows XP) use "vers=1.0" | 
|  | 80 | on mount (or vers=2.0 for Windows Vista).  Note that the CIFS (vers=1.0) is | 
|  | 81 | much older and less secure than the default dialect SMB3 which includes | 
|  | 82 | many advanced security features such as downgrade attack detection | 
|  | 83 | and encrypted shares and stronger signing and authentication algorithms. | 
|  | 84 | There are additional mount options that may be helpful for SMB3 to get | 
|  | 85 | improved POSIX behavior (NB: can use vers=3.0 to force only SMB3, never 2.1): | 
|  | 86 |  | 
|  | 87 | ``mfsymlinks`` and ``cifsacl`` and ``idsfromsid`` | 
|  | 88 |  | 
|  | 89 | Allowing User Mounts | 
|  | 90 | ==================== | 
|  | 91 |  | 
|  | 92 | Permitting users to mount and unmount over directories they own is possible | 
|  | 93 | with the cifs vfs.  A way to enable such mounting is to mark the mount.cifs | 
|  | 94 | utility as suid (e.g. ``chmod +s /sbin/mount.cifs``). To enable users to | 
|  | 95 | umount shares they mount requires: | 
|  | 96 |  | 
|  | 97 | 1) mount.cifs version 1.4 or later | 
|  | 98 | 2) an entry for the share in /etc/fstab indicating that a user may | 
|  | 99 | unmount it e.g.:: | 
|  | 100 |  | 
|  | 101 | //server/usersharename  /mnt/username cifs user 0 0 | 
|  | 102 |  | 
|  | 103 | Note that when the mount.cifs utility is run suid (allowing user mounts), | 
|  | 104 | in order to reduce risks, the ``nosuid`` mount flag is passed in on mount to | 
|  | 105 | disallow execution of an suid program mounted on the remote target. | 
|  | 106 | When mount is executed as root, nosuid is not passed in by default, | 
|  | 107 | and execution of suid programs on the remote target would be enabled | 
|  | 108 | by default. This can be changed, as with nfs and other filesystems, | 
|  | 109 | by simply specifying ``nosuid`` among the mount options. For user mounts | 
|  | 110 | though to be able to pass the suid flag to mount requires rebuilding | 
|  | 111 | mount.cifs with the following flag: CIFS_ALLOW_USR_SUID | 
|  | 112 |  | 
|  | 113 | There is a corresponding manual page for cifs mounting in the Samba 3.0 and | 
|  | 114 | later source tree in docs/manpages/mount.cifs.8 | 
|  | 115 |  | 
|  | 116 | Allowing User Unmounts | 
|  | 117 | ====================== | 
|  | 118 |  | 
|  | 119 | To permit users to unmount directories that they have user mounted (see above), | 
|  | 120 | the utility umount.cifs may be used.  It may be invoked directly, or if | 
|  | 121 | umount.cifs is placed in /sbin, umount can invoke the cifs umount helper | 
|  | 122 | (at least for most versions of the umount utility) for umount of cifs | 
|  | 123 | mounts, unless umount is invoked with -i (which will avoid invoking a umount | 
|  | 124 | helper). As with mount.cifs, to enable user unmounts umount.cifs must be marked | 
|  | 125 | as suid (e.g. ``chmod +s /sbin/umount.cifs``) or equivalent (some distributions | 
|  | 126 | allow adding entries to the /etc/permissions file to achieve the | 
|  | 127 | equivalent suid effect).  For this utility to succeed the target path | 
|  | 128 | must be a cifs mount, and the uid of the current user must match the uid | 
|  | 129 | of the user who mounted the resource. | 
|  | 130 |  | 
|  | 131 | Also note that the customary way of allowing user mounts and unmounts is | 
|  | 132 | (instead of using mount.cifs and umount.cifs as suid) to add a line | 
|  | 133 | to the file /etc/fstab for each //server/share you wish to mount, but | 
|  | 134 | this can become unwieldy when potential mount targets include many | 
|  | 135 | or unpredictable UNC names. | 
|  | 136 |  | 
|  | 137 | Samba Considerations | 
|  | 138 | ==================== | 
|  | 139 |  | 
|  | 140 | Most current servers support SMB2.1 and SMB3 which are more secure, | 
|  | 141 | but there are useful protocol extensions for the older less secure CIFS | 
|  | 142 | dialect, so to get the maximum benefit if mounting using the older dialect | 
|  | 143 | (CIFS/SMB1), we recommend using a server that supports the SNIA CIFS | 
|  | 144 | Unix Extensions standard (e.g. almost any version of Samba, i.e. version | 
|  | 145 | 2.2.5 or later), but the CIFS vfs works fine with a wide variety of CIFS servers. | 
|  | 146 | Note that uid, gid and file permissions will display default values if you do | 
|  | 147 | not have a server that supports the Unix extensions for CIFS (such as Samba | 
|  | 148 | 2.2.5 or later).  To enable the Unix CIFS Extensions in the Samba server, add | 
|  | 149 | the line:: | 
|  | 150 |  | 
|  | 151 | unix extensions = yes | 
|  | 152 |  | 
|  | 153 | to your smb.conf file on the server.  Note that the following smb.conf settings | 
|  | 154 | are also useful (on the Samba server) when the majority of clients are Unix or | 
|  | 155 | Linux:: | 
|  | 156 |  | 
|  | 157 | case sensitive = yes | 
|  | 158 | delete readonly = yes | 
|  | 159 | ea support = yes | 
|  | 160 |  | 
|  | 161 | Note that server ea support is required for supporting xattrs from the Linux | 
|  | 162 | cifs client, and that EA support is present in later versions of Samba (e.g. | 
|  | 163 | 3.0.6 and later); EA support also works in all versions of Windows, at least to | 
|  | 164 | shares on NTFS filesystems.  Extended Attribute (xattr) support is an optional | 
|  | 165 | feature of most Linux filesystems which may require enabling via | 
|  | 166 | make menuconfig. Client support for extended attributes (user xattr) can be | 
|  | 167 | disabled on a per-mount basis by specifying ``nouser_xattr`` on mount. | 
|  | 168 |  | 
|  | 169 | The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba servers | 
|  | 170 | version 3.10 and later.  Setting POSIX ACLs requires enabling both XATTR and | 
|  | 171 | then POSIX support in the CIFS configuration options when building the cifs | 
|  | 172 | module.  POSIX ACL support can be disabled on a per-mount basis by specifying | 
|  | 173 | ``noacl`` on mount. | 
|  | 174 |  | 
|  | 175 | Some administrators may want to change Samba's smb.conf ``map archive`` and | 
|  | 176 | ``create mask`` parameters from the default.  Unless the create mask is changed | 
|  | 177 | newly created files can end up with an unnecessarily restrictive default mode, | 
|  | 178 | which may not be what you want, although if the CIFS Unix extensions are | 
|  | 179 | enabled on the server and client, subsequent setattr calls (e.g. chmod) can | 
|  | 180 | fix the mode.  Note that creating special devices (mknod) remotely | 
|  | 181 | may require specifying a mkdev function to Samba if you are not using | 
|  | 182 | Samba 3.0.6 or later.  For more information on these see the manual pages | 
|  | 183 | (``man smb.conf``) on the Samba server system.  Note that the cifs vfs, | 
|  | 184 | unlike the smbfs vfs, does not read the smb.conf on the client system | 
|  | 185 | (the few optional settings are passed in on mount via -o parameters instead). | 
|  | 186 | Note that Samba 2.2.7 or later includes a fix that allows the CIFS VFS to delete | 
|  | 187 | open files (required for strict POSIX compliance).  Windows Servers already | 
|  | 188 | supported this feature. Samba server does not allow symlinks that refer to files | 
|  | 189 | outside of the share, so in Samba versions prior to 3.0.6, most symlinks to | 
|  | 190 | files with absolute paths (ie beginning with slash) such as:: | 
|  | 191 |  | 
|  | 192 | ln -s /mnt/foo bar | 
|  | 193 |  | 
|  | 194 | would be forbidden. Samba 3.0.6 server or later includes the ability to create | 
|  | 195 | such symlinks safely by converting unsafe symlinks (i.e. symlinks to server | 
|  | 196 | files that are outside of the share) to a samba specific format on the server | 
|  | 197 | that is ignored by local server applications and non-cifs clients and that will | 
|  | 198 | not be traversed by the Samba server.  This is opaque to the Linux client | 
|  | 199 | application using the cifs vfs. Absolute symlinks will work to Samba 3.0.5 or | 
|  | 200 | later, but only for remote clients using the CIFS Unix extensions, and will | 
|  | 201 | be invisible to Windows clients and typically will not affect local | 
|  | 202 | applications running on the same server as Samba. | 
|  | 203 |  | 
|  | 204 | Use instructions | 
|  | 205 | ================ | 
|  | 206 |  | 
|  | 207 | Once the CIFS VFS support is built into the kernel or installed as a module | 
|  | 208 | (cifs.ko), you can use mount syntax like the following to access Samba or | 
|  | 209 | Mac or Windows servers:: | 
|  | 210 |  | 
|  | 211 | mount -t cifs //9.53.216.11/e$ /mnt -o username=myname,password=mypassword | 
|  | 212 |  | 
|  | 213 | Before -o the option -v may be specified to make the mount.cifs | 
|  | 214 | mount helper display the mount steps more verbosely. | 
|  | 215 | After -o the following commonly used cifs vfs specific options | 
|  | 216 | are supported:: | 
|  | 217 |  | 
|  | 218 | username=<username> | 
|  | 219 | password=<password> | 
|  | 220 | domain=<domain name> | 
|  | 221 |  | 
|  | 222 | Other cifs mount options are described below.  Use of TCP names (in addition to | 
|  | 223 | ip addresses) is available if the mount helper (mount.cifs) is installed. If | 
|  | 224 | you do not trust the server to which you are mounted, or if you do not have | 
|  | 225 | cifs signing enabled (and the physical network is insecure), consider use | 
|  | 226 | of the standard mount options ``noexec`` and ``nosuid`` to reduce the risk of | 
|  | 227 | running an altered binary on your local system (downloaded from a hostile server | 
|  | 228 | or altered by a hostile router). | 
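
The recommendations above (the dialect default, ``nosuid`` for root mounts, and ``noexec``/``nosuid`` for untrusted servers) can be checked on a running client. The following is an added example, not part of the original cifs documentation: it reads lines in ``/proc/mounts`` format and reports cifs mounts that use ``vers=1.0`` or ``vers=2.0``, lack ``nosuid`` or ``noexec``, or set ``noperm``. The function names and sample lines are constructed, and it assumes the effective options (including ``vers=``) appear in the options field.

```shell
#!/bin/sh
# Added example: audit cifs mounts for the options this document discusses.
# Input: lines in /proc/mounts format on stdin
#        (device mountpoint fstype options dump pass).
# Output: one "mountpoint: finding" line per problem; nothing for clean mounts.

audit_cifs_mounts() {
    awk '
    $3 != "cifs" { next }                 # only cifs mounts are of interest
    {
        split("", has)                    # portable way to clear an array
        vers = ""
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            has[opt[i]] = 1
            if (opt[i] ~ /^vers=/) vers = substr(opt[i], 6)
        }
        # vers=1.0 and vers=2.0 are the old dialects named under Recommendations.
        if (vers == "1.0" || vers == "2.0")
            print $2 ": vers=" vers " is older than the SMB2.1 or later default"
        # Root mounts do not get nosuid unless it is requested explicitly.
        if (!("nosuid" in has))
            print $2 ": nosuid not set, suid programs from the server can run"
        if (!("noexec" in has))
            print $2 ": noexec not set, binaries from the server can run"
        # noperm turns off the client-side permission check.
        if ("noperm" in has)
            print $2 ": noperm set, other local users may reach these files"
    }'
}

# Constructed sample input (not captured from a real system).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
//fileserver/projects /mnt/projects cifs rw,nosuid,noexec,relatime,vers=3.0,username=alice,uid=1000,gid=1000 0 0
//legacy-xp/share /mnt/legacy cifs rw,relatime,vers=1.0,username=bob,noperm 0 0
//vista-box/docs /mnt/vista cifs rw,nosuid,noexec,relatime,vers=2.0,username=carol 0 0
EOF
}

# Demo on the constructed sample. On a live client use:
#   audit_cifs_mounts < /proc/mounts
sample_mounts | audit_cifs_mounts
```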
|  | 229 |  | 
|  | 230 | Although mounting using format corresponding to the CIFS URL specification is | 
|  | 231 | not possible in mount.cifs yet, it is possible to use an alternate format | 
|  | 232 | for the server and sharename (which is somewhat similar to NFS style mount | 
|  | 233 | syntax) instead of the more widely used UNC format (i.e. \\server\share):: | 
|  | 234 |  | 
|  | 235 | mount -t cifs tcp_name_of_server:share_name /mnt -o user=myname,pass=mypasswd | 
|  | 236 |  | 
|  | 237 | When using the mount helper mount.cifs, passwords may be specified via alternate | 
|  | 238 | mechanisms, instead of specifying it after -o using the normal ``pass=`` syntax | 
|  | 239 | on the command line: | 
|  | 240 | 1) By including it in a credential file. Specify credentials=filename as one | 
|  | 241 | of the mount options. Credential files contain two lines:: | 
|  | 242 |  | 
|  | 243 | username=someuser | 
|  | 244 | password=your_password | 
|  | 245 |  | 
|  | 246 | 2) By specifying the password in the PASSWD environment variable (similarly | 
|  | 247 | the user name can be taken from the USER environment variable). | 
|  | 248 | 3) By specifying the password in a file by name via PASSWD_FILE | 
|  | 249 | 4) By specifying the password in a file by file descriptor via PASSWD_FD | 
|  | 250 |  | 
|  | 251 | If no password is provided, mount.cifs will prompt for password entry. | 
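
The credential-file mechanism above only helps if the password is not also left inline and the file itself is private. The following is an added example, not part of the original cifs documentation: it lists cifs entries in fstab-format input that still carry ``password=`` or ``pass=``, and checks that a credential file has the two lines shown above and is not accessible to group or other. The function names, paths and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: keep SMB passwords out of fstab and the command line.

# Print the mount point of every cifs entry (fstab format on stdin) whose
# options include an inline password= or pass=. The value is never printed.
find_inline_passwords() {
    awk '
    $1 ~ /^#/ || NF < 4 || $3 != "cifs" { next }
    {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^(password|pass)=/) { print $2; break }
    }'
}

# Return 0 if the credential file holds username= and password= lines and
# has no group/other permission bits; print the problem and return 1 otherwise.
check_credentials_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f: accessible to group/other"; return 1; }
    grep -q '^username=' "$f" || { echo "$f: no username= line"; return 1; }
    grep -q '^password=' "$f" || { echo "$f: no password= line"; return 1; }
    return 0
}

# Constructed sample fstab entries (server names and paths are made up).
sample_fstab() {
    cat <<'EOF'
# //old/share /mnt/old cifs user=x,pass=y 0 0
//fileserver/projects /mnt/projects cifs credentials=/etc/cifs/projects.cred,nosuid,noexec 0 0
//fileserver/scans /mnt/scans cifs username=scanner,password=CONSTRUCTED,nosuid 0 0
EOF
}

# Demo: create a credential file privately (umask first, so it is never
# readable by others even briefly), then run both checks.
demo() {
    dir=$(mktemp -d)
    ( umask 077
      printf 'username=someuser\npassword=constructed-example\n' > "$dir/share.cred" )
    echo "fstab entries with inline passwords:"
    sample_fstab | find_inline_passwords
    if check_credentials_file "$dir/share.cred"; then
        echo "$dir/share.cred: ok"
    fi
    rm -rf "$dir"
}
demo
```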
|  | 252 |  | 
|  | 253 | Restrictions | 
|  | 254 | ============ | 
|  | 255 |  | 
|  | 256 | Servers must support either "pure-TCP" (port 445 TCP/IP CIFS connections) or RFC | 
|  | 257 | 1001/1002 support for "Netbios-Over-TCP/IP." This is not likely to be a | 
|  | 258 | problem as most servers support this. | 
|  | 259 |  | 
|  | 260 | Valid filenames differ between Windows and Linux.  Windows typically restricts | 
|  | 261 | filenames which contain certain reserved characters (e.g. the character : | 
|  | 262 | which is used to delimit the beginning of a stream name by Windows), while | 
|  | 263 | Linux allows a slightly wider set of valid characters in filenames. Windows | 
|  | 264 | servers can remap such characters when an explicit mapping is specified in | 
|  | 265 | the Server's registry.  Samba starting with version 3.10 will allow such | 
|  | 266 | filenames (ie those which contain valid Linux characters, which normally | 
|  | 267 | would be forbidden for Windows/CIFS semantics) as long as the server is | 
|  | 268 | configured for Unix Extensions (and the client has not disabled | 
|  | 269 | /proc/fs/cifs/LinuxExtensionsEnabled). In addition the mount option | 
|  | 270 | ``mapposix`` can be used on CIFS (vers=1.0) to force the mapping of | 
|  | 271 | illegal Windows/NTFS/SMB characters to a remap range (this mount parm | 
|  | 272 | is the default for SMB3). This remap (``mapposix``) range is also | 
|  | 273 | compatible with Mac (and "Services for Mac" on some older Windows). | 
|  | 274 |  | 
|  | 275 | CIFS VFS Mount Options | 
|  | 276 | ====================== | 
|  | 277 | A partial list of the supported mount options follows: | 
|  | 278 |  | 
|  | 279 | username | 
|  | 280 | The user name to use when trying to establish | 
|  | 281 | the CIFS session. | 
|  | 282 | password | 
|  | 283 | The user password.  If the mount helper is | 
|  | 284 | installed, the user will be prompted for password | 
|  | 285 | if not supplied. | 
|  | 286 | ip | 
|  | 287 | The ip address of the target server | 
|  | 288 | unc | 
|  | 289 | The target server Universal Network Name (export) to | 
|  | 290 | mount. | 
|  | 291 | domain | 
|  | 292 | Set the SMB/CIFS workgroup name prepended to the | 
|  | 293 | username during CIFS session establishment | 
|  | 294 | forceuid | 
|  | 295 | Set the default uid for inodes to the uid | 
|  | 296 | passed in on mount. For mounts to servers | 
|  | 297 | which do support the CIFS Unix extensions, such as a | 
|  | 298 | properly configured Samba server, the server provides | 
|  | 299 | the uid, gid and mode so this parameter should not be | 
|  | 300 | specified unless the server and clients uid and gid | 
|  | 301 | numbering differ.  If the server and client are in the | 
|  | 302 | same domain (e.g. running winbind or nss_ldap) and | 
|  | 303 | the server supports the Unix Extensions then the uid | 
|  | 304 | and gid can be retrieved from the server (and uid | 
|  | 305 | and gid would not have to be specified on the mount). | 
|  | 306 | For servers which do not support the CIFS Unix | 
|  | 307 | extensions, the default uid (and gid) returned on lookup | 
|  | 308 | of existing files will be the uid (gid) of the person | 
|  | 309 | who executed the mount (root, except when mount.cifs | 
|  | 310 | is configured setuid for user mounts) unless the ``uid=`` | 
|  | 311 | (gid) mount option is specified. Also note that permission | 
|  | 312 | checks (authorization checks) on accesses to a file occur | 
|  | 313 | at the server, but there are cases in which an administrator | 
|  | 314 | may want to restrict at the client as well.  For those | 
|  | 315 | servers which do not report a uid/gid owner | 
|  | 316 | (such as Windows), permissions can also be checked at the | 
|  | 317 | client, and a crude form of client side permission checking | 
|  | 318 | can be enabled by specifying file_mode and dir_mode on | 
|  | 319 | the client.  (default) | 
|  | 320 | forcegid | 
|  | 321 | (similar to above but for the groupid instead of uid) (default) | 
|  | 322 | noforceuid | 
|  | 323 | Fill in file owner information (uid) by requesting it from | 
|  | 324 | the server if possible. With this option, the value given in | 
|  | 325 | the uid= option (on mount) will only be used if the server | 
|  | 326 | can not support returning uids on inodes. | 
|  | 327 | noforcegid | 
|  | 328 | (similar to above but for the group owner, gid, instead of uid) | 
|  | 329 | uid | 
|  | 330 | Set the default uid for inodes, and indicate to the | 
|  | 331 | cifs kernel driver which local user mounted. If the server | 
|  | 332 | supports the unix extensions the default uid is | 
|  | 333 | not used to fill in the owner fields of inodes (files) | 
|  | 334 | unless the ``forceuid`` parameter is specified. | 
|  | 335 | gid | 
|  | 336 | Set the default gid for inodes (similar to above). | 
|  | 337 | file_mode | 
|  | 338 | If CIFS Unix extensions are not supported by the server | 
|  | 339 | this overrides the default mode for file inodes. | 
|  | 340 | fsc | 
|  | 341 | Enable local disk caching using FS-Cache (off by default). This | 
|  | 342 | option could be useful to improve performance on a slow link, | 
|  | 343 | heavily loaded server and/or network where reading from the | 
|  | 344 | disk is faster than reading from the server (over the network). | 
|  | 345 | This could also impact scalability positively as the | 
|  | 346 | number of calls to the server are reduced. However, local | 
|  | 347 | caching is not suitable for all workloads for e.g. read-once | 
|  | 348 | type workloads. So, you need to consider carefully your | 
|  | 349 | workload/scenario before using this option. Currently, local | 
|  | 350 | disk caching is functional for CIFS files opened as read-only. | 
|  | 351 | dir_mode | 
|  | 352 | If CIFS Unix extensions are not supported by the server | 
|  | 353 | this overrides the default mode for directory inodes. | 
|  | 354 | port | 
|  | 355 | attempt to contact the server on this tcp port, before | 
|  | 356 | trying the usual ports (port 445, then 139). | 
|  | 357 | iocharset | 
|  | 358 | Codepage used to convert local path names to and from | 
|  | 359 | Unicode. Unicode is used by default for network path | 
|  | 360 | names if the server supports it.  If iocharset is | 
|  | 361 | not specified then the nls_default specified | 
|  | 362 | during the local client kernel build will be used. | 
|  | 363 | If server does not support Unicode, this parameter is | 
|  | 364 | unused. | 
|  | 365 | rsize | 
|  | 366 | default read size (usually 16K). The client currently | 
|  | 367 | can not use rsize larger than CIFSMaxBufSize. CIFSMaxBufSize | 
|  | 368 | defaults to 16K and may be changed (from 8K to the maximum | 
|  | 369 | kmalloc size allowed by your kernel) at module install time | 
|  | 370 | for cifs.ko. Setting CIFSMaxBufSize to a very large value | 
|  | 371 | will cause cifs to use more memory and may reduce performance | 
|  | 372 | in some cases.  To use rsize greater than 127K (the original | 
|  | 373 | cifs protocol maximum) also requires that the server support | 
|  | 374 | a new Unix Capability flag (for very large read) which some | 
|  | 375 | newer servers (e.g. Samba 3.0.26 or later) do. rsize can be | 
|  | 376 | set from a minimum of 2048 to a maximum of 130048 (127K or | 
|  | 377 | CIFSMaxBufSize, whichever is smaller) | 
|  | 378 | wsize | 
|  | 379 | default write size (default 57344) | 
|  | 380 | maximum wsize currently allowed by CIFS is 57344 (fourteen | 
|  | 381 | 4096 byte pages) | 
|  | 382 | actimeo=n | 
|  | 383 | attribute cache timeout in seconds (default 1 second). | 
|  | 384 | After this timeout, the cifs client requests fresh attribute | 
|  | 385 | information from the server. This option allows tuning the | 
|  | 386 | attribute cache timeout to suit the workload needs. Shorter | 
|  | 387 | timeouts mean better cache coherency, but increased number | 
|  | 388 | of calls to the server. Longer timeouts mean reduced number | 
|  | 389 | of calls to the server at the expense of less strict cache | 
|  | 390 | coherency checks (i.e. incorrect attribute cache for a short | 
|  | 391 | period of time). | 
|  | 392 | rw | 
|  | 393 | mount the network share read-write (note that the | 
|  | 394 | server may still consider the share read-only) | 
|  | 395 | ro | 
|  | 396 | mount network share read-only | 
|  | 397 | version | 
|  | 398 | used to distinguish different versions of the | 
|  | 399 | mount helper utility (not typically needed) | 
|  | 400 | sep | 
|  | 401 | if first mount option (after the -o), overrides | 
|  | 402 | the comma as the separator between the mount | 
|  | 403 | parms. e.g.:: | 
|  | 404 |  | 
|  | 405 | -o user=myname,password=mypassword,domain=mydom | 
|  | 406 |  | 
|  | 407 | could be passed instead with period as the separator by:: | 
|  | 408 |  | 
|  | 409 | -o sep=.user=myname.password=mypassword.domain=mydom | 
|  | 410 |  | 
|  | 411 | this might be useful when comma is contained within username | 
|  | 412 | or password or domain. This option is less important | 
|  | 413 | when the cifs mount helper cifs.mount (version 1.1 or later) | 
|  | 414 | is used. | 
|  | 415 | nosuid | 
|  | 416 | Do not allow remote executables with the suid bit | 
|  | 417 | set to be executed.  This is only meaningful for mounts | 
|  | 418 | to servers such as Samba which support the CIFS Unix Extensions. | 
|  | 419 | If you do not trust the servers in your network (your mount | 
|  | 420 | targets) it is recommended that you specify this option for | 
|  | 421 | greater security. | 
|  | 422 | exec | 
|  | 423 | Permit execution of binaries on the mount. | 
|  | 424 | noexec | 
|  | 425 | Do not permit execution of binaries on the mount. | 
|  | 426 | dev | 
|  | 427 | Recognize block devices on the remote mount. | 
|  | 428 | nodev | 
|  | 429 | Do not recognize devices on the remote mount. | 
|  | 430 | suid | 
|  | 431 | Allow remote files on this mountpoint with suid enabled to | 
|  | 432 | be executed (default for mounts when executed as root, | 
|  | 433 | nosuid is default for user mounts). | 
|  | 434 | credentials | 
|  | 435 | Although ignored by the cifs kernel component, it is used by | 
|  | 436 | the mount helper, mount.cifs. When mount.cifs is installed it | 
|  | 437 | opens and reads the credential file specified in order | 
|  | 438 | to obtain the userid and password arguments which are passed to | 
|  | 439 | the cifs vfs. | 
|  | 440 | guest | 
|  | 441 | Although ignored by the kernel component, the mount.cifs | 
|  | 442 | mount helper will not prompt the user for a password | 
|  | 443 | if guest is specified on the mount options.  If no | 
|  | 444 | password is specified a null password will be used. | 
|  | 445 | perm | 
|  | 446 | Client does permission checks (vfs_permission check of uid | 
|  | 447 | and gid of the file against the mode and desired operation), | 
|  | 448 | Note that this is in addition to the normal ACL check on the | 
|  | 449 | target machine done by the server software. | 
|  | 450 | Client permission checking is enabled by default. | 
|  | 451 | noperm | 
|  | 452 | Client does not do permission checks.  This can expose | 
|  | 453 | files on this mount to access by other users on the local | 
|  | 454 | client system. It is typically only needed when the server | 
|  | 455 | supports the CIFS Unix Extensions but the UIDs/GIDs on the | 
|  | 456 | client and server system do not match closely enough to allow | 
|  | 457 | access by the user doing the mount, but it may be useful with | 
|  | 458 | non CIFS Unix Extension mounts for cases in which the default | 
|  | 459 | mode is specified on the mount but is not to be enforced on the | 
|  | 460 | client (e.g. perhaps when MultiUserMount is enabled) | 
|  | 461 | Note that this does not affect the normal ACL check on the | 
|  | 462 | target machine done by the server software (of the server | 
|  | 463 | ACL against the user name provided at mount time). | 
|  | 464 | serverino | 
|  | 465 | Use server's inode numbers instead of generating automatically | 
|  | 466 | incrementing inode numbers on the client.  Although this will | 
|  | 467 | make it easier to spot hardlinked files (as they will have | 
|  | 468 | the same inode numbers) and inode numbers may be persistent, | 
|  | 469 | note that the server does not guarantee that the inode numbers | 
|  | 470 | are unique if multiple server side mounts are exported under a | 
|  | 471 | single share (since inode numbers on the servers might not | 
|  | 472 | be unique if multiple filesystems are mounted under the same | 
|  | 473 | shared higher level directory).  Note that some older servers | 
|  | 474 | (e.g. pre-Windows 2000) do not support returning UniqueIDs | 
|  | 475 | or the CIFS Unix Extensions equivalent and for those | 
|  | 476 | this mount option will have no effect.  Exporting cifs mounts | 
|  | 477 | under nfsd requires this mount option on the cifs mount. | 
|  | 478 | This is now the default if server supports the | 
|  | 479 | required network operation. | 
|  | 480 | noserverino | 
|  | 481 | Client generates inode numbers (rather than using the actual one | 
|  | 482 | from the server). These inode numbers will vary after | 
|  | 483 | unmount or reboot which can confuse some applications, | 
|  | 484 | but not all server filesystems support unique inode | 
|  | 485 | numbers. | 
|  | 486 | setuids | 
|  | 487 | If the CIFS Unix extensions are negotiated with the server | 
|  | 488 | the client will attempt to set the effective uid and gid of | 
|  | 489 | the local process on newly created files, directories, and | 
|  | 490 | devices (create, mkdir, mknod).  If the CIFS Unix Extensions | 
|  | 491 | are not negotiated, for newly created files and directories | 
|  | 492 | instead of using the default uid and gid specified on | 
|  | 493 | the mount, cache the new file's uid and gid locally which means | 
|  | 494 | that the uid for the file can change when the inode is | 
|  | 495 | reloaded (or the user remounts the share). | 
|  | 496 | nosetuids | 
|  | 497 | The client will not attempt to set the uid and gid on | 
|  | 498 | newly created files, directories, and devices (create, | 
|  | 499 | mkdir, mknod) which will result in the server setting the | 
|  | 500 | uid and gid to the default (usually the server uid of the | 
|  | 501 | user who mounted the share).  Letting the server (rather than | 
|  | 502 | the client) set the uid and gid is the default. If the CIFS | 
|  | 503 | Unix Extensions are not negotiated then the uid and gid for | 
|  | 504 | new files will appear to be the uid (gid) of the mounter or the | 
|  | 505 | uid (gid) parameter specified on the mount. | 
|  | 506 | netbiosname | 
|  | 507 | When mounting to servers via port 139, specifies the RFC1001 | 
|  | 508 | source name to use to represent the client netbios machine | 
|  | 509 | name when doing the RFC1001 netbios session initialize. | 
|  | 510 | direct | 
|  | 511 | Do not do inode data caching on files opened on this mount. | 
|  | 512 | This precludes mmapping files on this mount. In some cases | 
|  | 513 | with fast networks and little or no caching benefits on the | 
|  | 514 | client (e.g. when the application is doing large sequential | 
|  | 515 | reads bigger than page size without rereading the same data) | 
|  | 516 | this can provide better performance than the default | 
|  | 517 | behavior which caches reads (readahead) and writes | 
|  | 518 | (writebehind) through the local Linux client pagecache | 
|  | 519 | if oplock (caching token) is granted and held. Note that | 
|  | 520 | direct allows write operations larger than page size | 
|  | 521 | to be sent to the server. | 
|  | 522 | strictcache | 
|  | 523 | Use for switching on strict cache mode. In this mode the | 
|  | 524 | client reads from the cache all the time it has Oplock Level II, | 
|  | 525 | otherwise it reads from the server. All written data are stored | 
|  | 526 | in the cache, but if the client doesn't have Exclusive Oplock, | 
|  | 527 | it writes the data to the server. | 
|  | 528 | rwpidforward | 
|  | 529 | Forward pid of a process that opened a file to any read or write | 
|  | 530 | operation on that file. This prevents applications like WINE | 
|  | 531 | from failing on read and write if we use mandatory brlock style. | 
|  | 532 | acl | 
|  | 533 | Allow setfacl and getfacl to manage posix ACLs if server | 
|  | 534 | supports them.  (default) | 
|  | 535 | noacl | 
|  | 536 | Do not allow setfacl and getfacl calls on this mount | 
|  | 537 | user_xattr | 
|  | 538 | Allow getting and setting user xattrs (those attributes whose | 
|  | 539 | name begins with ``user.`` or ``os2.``) as OS/2 EAs (extended | 
|  | 540 | attributes) to the server.  This allows support of the | 
|  | 541 | setfattr and getfattr utilities. (default) | 
|  | 542 | nouser_xattr | 
|  | 543 | Do not allow getfattr/setfattr to get/set/list xattrs | 
|  | 544 | mapchars | 
|  | 545 | Translate six of the seven reserved characters (not backslash):: | 
|  | 546 |  | 
|  | 547 | *?<>|: | 
|  | 548 |  | 
|  | 549 | to the remap range (above 0xF000), which also | 
|  | 550 | allows the CIFS client to recognize files created with | 
|  | 551 | such characters by Windows's POSIX emulation. This can | 
|  | 552 | also be useful when mounting to most versions of Samba | 
|  | 553 | (which also forbids creating and opening files | 
|  | 554 | whose names contain any of these seven characters). | 
|  | 555 | This has no effect if the server does not support | 
|  | 556 | Unicode on the wire. | 
|  | 557 | nomapchars | 
|  | 558 | Do not translate any of these seven characters (default). | 
|  | 559 | nocase | 
|  | 560 | Request case insensitive path name matching (case | 
|  | 561 | sensitive is the default if the server supports it). | 
|  | 562 | (mount option ``ignorecase`` is identical to ``nocase``) | 
|  | 563 | posixpaths | 
|  | 564 | If CIFS Unix extensions are supported, attempt to | 
|  | 565 | negotiate posix path name support which allows certain | 
|  | 566 | characters forbidden in typical CIFS filenames, without | 
|  | 567 | requiring remapping. (default) | 
|  | 568 | noposixpaths | 
|  | 569 | If CIFS Unix extensions are supported, do not request | 
|  | 570 | posix path name support (this may cause servers to | 
|  | 571 | reject creating files with certain reserved characters). | 
|  | 572 | nounix | 
|  | 573 | Disable the CIFS Unix Extensions for this mount (tree | 
|  | 574 | connection). This is rarely needed, but it may be useful | 
|  | 575 | in order to turn off multiple settings all at once (ie | 
|  | 576 | posix acls, posix locks, posix paths, symlink support | 
|  | 577 | and retrieving uids/gids/mode from the server) or to | 
|  | 578 | work around a bug in servers which implement the Unix | 
|  | 579 | Extensions. | 
|  | 580 | nobrl | 
|  | 581 | Do not send byte range lock requests to the server. | 
|  | 582 | This is necessary for certain applications that break | 
|  | 583 | with cifs style mandatory byte range locks (and most | 
|  | 584 | cifs servers do not yet support requesting advisory | 
|  | 585 | byte range locks). | 
|  | 586 | forcemandatorylock | 
|  | 587 | Even if the server supports posix (advisory) byte range | 
|  | 588 | locking, send only mandatory lock requests.  For some | 
|  | 589 | (presumably rare) applications, originally coded for | 
|  | 590 | DOS/Windows, which require Windows style mandatory byte range | 
|  | 591 | locking, they may be able to take advantage of this option, | 
|  | 592 | forcing the cifs client to only send mandatory locks | 
|  | 593 | even if the cifs server would support posix advisory locks. | 
|  | 594 | ``forcemand`` is accepted as a shorter form of this mount | 
|  | 595 | option. | 
|  | 596 | nostrictsync | 
|  | 597 | If this mount option is set, when an application does an | 
|  | 598 | fsync call then the cifs client does not send an SMB Flush | 
|  | 599 | to the server (to force the server to write all dirty data | 
|  | 600 | for this file immediately to disk), although cifs still sends | 
|  | 601 | all dirty (cached) file data to the server and waits for the | 
|  | 602 | server to respond to the write.  Since SMB Flush can be | 
|  | 603 | very slow, and some servers may be reliable enough (to risk | 
|  | 604 | delaying slightly flushing the data to disk on the server), | 
|  | 605 | turning on this option may be useful to improve performance for | 
|  | 606 | applications that fsync too much, at a small risk of server | 
|  | 607 | crash.  If this mount option is not set, by default cifs will | 
|  | 608 | send an SMB flush request (and wait for a response) on every | 
|  | 609 | fsync call. | 
|  | 610 | nodfs | 
|  | 611 | Disable DFS (global name space support) even if the | 
|  | 612 | server claims to support it.  This can help work around | 
|  | 613 | a problem with parsing of DFS paths with Samba server | 
|  | 614 | versions 3.0.24 and 3.0.25. | 
|  | 615 | remount | 
|  | 616 | remount the share (often used to change from ro to rw mounts | 
|  | 617 | or vice versa) | 
|  | 618 | cifsacl | 
|  | 619 | Report mode bits (e.g. on stat) based on the Windows ACL for | 
|  | 620 | the file. (EXPERIMENTAL) | 
|  | 621 | servern | 
|  | 622 | Specify the server's netbios name (RFC1001 name) to use | 
|  | 623 | when attempting to setup a session to the server. | 
|  | 624 | This is needed for mounting to some older servers (such | 
|  | 625 | as OS/2 or Windows 98 and Windows ME) since they do not | 
|  | 626 | support a default server name.  A server name can be up | 
|  | 627 | to 15 characters long and is usually uppercased. | 
|  | 628 | sfu | 
|  | 629 | When the CIFS Unix Extensions are not negotiated, attempt to | 
|  | 630 | create device files and fifos in a format compatible with | 
|  | 631 | Services for Unix (SFU).  In addition retrieve bits 10-12 | 
|  | 632 | of the mode via the SETFILEBITS extended attribute (as | 
|  | 633 | SFU does).  In the future the bottom 9 bits of the | 
|  | 634 | mode also will be emulated using queries of the security | 
|  | 635 | descriptor (ACL). | 
|  | 636 | mfsymlinks | 
|  | 637 | Enable support for Minshall+French symlinks | 
|  | 638 | (see http://wiki.samba.org/index.php/UNIX_Extensions#Minshall.2BFrench_symlinks) | 
|  | 639 | This option is ignored when specified together with the | 
|  | 640 | 'sfu' option. Minshall+French symlinks are used even if | 
|  | 641 | the server supports the CIFS Unix Extensions. | 
|  | 642 | sign | 
|  | 643 | Must use packet signing (helps avoid unwanted data modification | 
|  | 644 | by intermediate systems in the route).  Note that signing | 
|  | 645 | does not work with lanman or plaintext authentication. | 
|  | 646 | seal | 
|  | 647 | Must seal (encrypt) all data on this mounted share before | 
|  | 648 | sending on the network.  Requires support for Unix Extensions. | 
|  | 649 | Note that this differs from the sign mount option in that it | 
|  | 650 | causes encryption of data sent over this mounted share but other | 
|  | 651 | shares mounted to the same server are unaffected. | 
|  | 652 | locallease | 
|  | 653 | This option is rarely needed. Fcntl F_SETLEASE is | 
|  | 654 | used by some applications such as Samba and NFSv4 server to | 
|  | 655 | check to see whether a file is cacheable.  CIFS has no way | 
|  | 656 | to explicitly request a lease, but can check whether a file | 
|  | 657 | is cacheable (oplocked).  Unfortunately, even if a file | 
|  | 658 | is not oplocked, it could still be cacheable (ie cifs client | 
|  | 659 | could grant fcntl leases if no other local processes are using | 
|  | 660 | the file) for cases for example such as when the server does not | 
|  | 661 | support oplocks and the user is sure that the only updates to | 
|  | 662 | the file will be from this client. Specifying this mount option | 
|  | 663 | will allow the cifs client to check for leases (only) locally | 
|  | 664 | for files which are not oplocked instead of denying leases | 
|  | 665 | in that case. (EXPERIMENTAL) | 
|  | 666 | sec | 
|  | 667 | Security mode.  Allowed values are: | 
|  | 668 |  | 
|  | 669 | none | 
|  | 670 | attempt to connect as a null user (no name) | 
|  | 671 | krb5 | 
|  | 672 | Use Kerberos version 5 authentication | 
|  | 673 | krb5i | 
|  | 674 | Use Kerberos authentication and packet signing | 
|  | 675 | ntlm | 
|  | 676 | Use NTLM password hashing (default) | 
|  | 677 | ntlmi | 
|  | 678 | Use NTLM password hashing with signing (if | 
|  | 679 | /proc/fs/cifs/PacketSigningEnabled on or if | 
|  | 680 | server requires signing also can be the default) | 
|  | 681 | ntlmv2 | 
|  | 682 | Use NTLMv2 password hashing | 
|  | 683 | ntlmv2i | 
|  | 684 | Use NTLMv2 password hashing with packet signing | 
|  | 685 | lanman | 
|  | 686 | (if configured in kernel config) use older | 
|  | 687 | lanman hash | 
|  | 688 | hard | 
|  | 689 | Retry file operations if server is not responding | 
|  | 690 | soft | 
|  | 691 | Limit retries to unresponsive servers (usually only | 
|  | 692 | one retry) before returning an error.  (default) | 
|  | 693 |  | 
|  | 694 | The mount.cifs mount helper also accepts a few mount options before -o | 
|  | 695 | including: | 
|  | 696 |  | 
|  | 697 | =============== =============================================================== | 
|  | 698 | -S      take password from stdin (equivalent to setting the environment | 
|  | 699 | variable ``PASSWD_FD=0``) | 
|  | 700 | -V      print mount.cifs version | 
|  | 701 | -?      display simple usage information | 
|  | 702 | =============== =============================================================== | 
|  | 703 |  | 
|  | 704 | With most 2.6 kernel versions of modutils, the version of the cifs kernel | 
|  | 705 | module can be displayed via modinfo. | 
|  | 706 |  | 
|  | 707 | Misc /proc/fs/cifs Flags and Debug Info | 
|  | 708 | ======================================= | 
|  | 709 |  | 
|  | 710 | Informational pseudo-files: | 
|  | 711 |  | 
|  | 712 | ======================= ======================================================= | 
|  | 713 | DebugData		Displays information about active CIFS sessions and | 
|  | 714 | shares, features enabled as well as the cifs.ko | 
|  | 715 | version. | 
|  | 716 | Stats			Lists summary resource usage information as well as per | 
|  | 717 | share statistics. | 
|  | 718 | ======================= ======================================================= | 
|  | 719 |  | 
|  | 720 | Configuration pseudo-files: | 
|  | 721 |  | 
|  | 722 | ======================= ======================================================= | 
|  | 723 | SecurityFlags		Flags which control security negotiation and | 
|  | 724 | also packet signing. Authentication (may/must) | 
|  | 725 | flags (e.g. for NTLM and/or NTLMv2) may be combined with | 
|  | 726 | the signing flags.  Specifying two different password | 
|  | 727 | hashing mechanisms (as "must use") on the other hand | 
|  | 728 | does not make much sense. Default flags are:: | 
|  | 729 |  | 
|  | 730 | 0x07007 | 
|  | 731 |  | 
|  | 732 | (NTLM, NTLMv2 and packet signing allowed).  The maximum | 
|  | 733 | allowable flags if you want to allow mounts to servers | 
|  | 734 | using weaker password hashes is 0x37037 (lanman, | 
|  | 735 | plaintext, ntlm, ntlmv2, signing allowed).  Some | 
|  | 736 | SecurityFlags require the corresponding menuconfig | 
|  | 737 | options to be enabled (lanman and plaintext require | 
|  | 738 | CONFIG_CIFS_WEAK_PW_HASH for example).  Enabling | 
|  | 739 | plaintext authentication currently requires also | 
|  | 740 | enabling lanman authentication in the security flags | 
|  | 741 | because the cifs module only supports sending | 
|  | 742 | plaintext passwords using the older lanman dialect | 
|  | 743 | form of the session setup SMB.  (e.g. for authentication | 
|  | 744 | using plain text passwords, set the SecurityFlags | 
|  | 745 | to 0x30030):: | 
|  | 746 |  | 
|  | 747 | may use packet signing			0x00001 | 
|  | 748 | must use packet signing			0x01001 | 
|  | 749 | may use NTLM (most common password hash)	0x00002 | 
|  | 750 | must use NTLM					0x02002 | 
|  | 751 | may use NTLMv2				0x00004 | 
|  | 752 | must use NTLMv2				0x04004 | 
|  | 753 | may use Kerberos security			0x00008 | 
|  | 754 | must use Kerberos				0x08008 | 
|  | 755 | may use lanman (weak) password hash		0x00010 | 
|  | 756 | must use lanman password hash			0x10010 | 
|  | 757 | may use plaintext passwords			0x00020 | 
|  | 758 | must use plaintext passwords			0x20020 | 
|  | 759 | (reserved for future packet encryption)	0x00040 | 
|  | 760 |  | 
|  | 761 | cifsFYI			If set to non-zero value, additional debug information | 
|  | 762 | will be logged to the system error log.  This field | 
|  | 763 | contains three flags controlling different classes of | 
|  | 764 | debugging entries.  The maximum value it can be set | 
|  | 765 | to is 7 which enables all debugging points (default 0). | 
|  | 766 | Some debugging statements are not compiled into the | 
|  | 767 | cifs kernel unless CONFIG_CIFS_DEBUG2 is enabled in the | 
|  | 768 | kernel configuration. cifsFYI may be set to one or | 
|  | 769 | more of the following flags (7 sets them all):: | 
|  | 770 |  | 
|  | 771 | +-----------------------------------------------+------+ | 
|  | 772 | | log cifs informational messages		  | 0x01 | | 
|  | 773 | +-----------------------------------------------+------+ | 
|  | 774 | | log return codes from cifs entry points	  | 0x02 | | 
|  | 775 | +-----------------------------------------------+------+ | 
|  | 776 | | log slow responses				  | 0x04 | | 
|  | 777 | | (ie which take longer than 1 second)	  |      | | 
|  | 778 | |                                               |      | | 
|  | 779 | | CONFIG_CIFS_STATS2 must be enabled in .config |      | | 
|  | 780 | +-----------------------------------------------+------+ | 
|  | 781 |  | 
|  | 782 | traceSMB		If set to one, debug information is logged to the | 
|  | 783 | system error log with the start of smb requests | 
|  | 784 | and responses (default 0) | 
|  | 785 | LookupCacheEnable	If set to one, inode information is kept cached | 
|  | 786 | for one second improving performance of lookups | 
|  | 787 | (default 1) | 
|  | 788 | LinuxExtensionsEnabled	If set to one then the client will attempt to | 
|  | 789 | use the CIFS "UNIX" extensions which are optional | 
|  | 790 | protocol enhancements that allow CIFS servers | 
|  | 791 | to return accurate UID/GID information as well | 
|  | 792 | as support symbolic links. If you use servers | 
|  | 793 | such as Samba that support the CIFS Unix | 
|  | 794 | extensions but do not want to use symbolic link | 
|  | 795 | support and want to map the uid and gid fields | 
|  | 796 | to values supplied at mount (rather than the | 
|  | 797 | actual values), then set this to zero. (default 1) | 
|  | 798 | ======================= ======================================================= | 
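
A defender's audit of the two settings described above, the ``sec``/``sign`` mount options and the SecurityFlags "may use" bits, as an added example that is not part of the cifs documentation or utilities. The fstab entries are constructed, a missing ``sec`` is treated as the default documented on this page, and what counts as a finding is this example's own policy.

```python
# Added example: audit CIFS mount options and SecurityFlags for weak settings.
# What is reported as a finding is this example's policy, not kernel behaviour.

# sec= values taken from the option list on this page.
WEAK_SEC = {
    "none": "null user session (no authentication)",
    "lanman": "older lanman hash",
    "ntlm": "NTLM hash rather than NTLMv2 or Kerberos",
    "ntlmi": "NTLM hash rather than NTLMv2 or Kerberos",
}
SIGNING_SEC = {"krb5i", "ntlmi", "ntlmv2i"}  # variants that include signing
DEFAULT_SEC = "ntlm"                          # default as documented on this page

# "may use" bits from the SecurityFlags table; the "must use" values
# (0x10010, 0x20020) contain the same low bit, so one test covers both.
WEAK_FLAG_BITS = {0x00010: "lanman", 0x00020: "plaintext"}


def parse_options(mntops):
    """Split a comma-separated option string into {name: value-or-None}."""
    opts = {}
    for item in mntops.split(","):
        if item:
            name, _, value = item.partition("=")
            opts[name.strip()] = value.strip() if value else None
    return opts


def audit_mount(mntops):
    """Return a list of findings for one CIFS mount's option string."""
    opts = parse_options(mntops)
    sec = opts.get("sec") or DEFAULT_SEC
    findings = []
    if sec in WEAK_SEC:
        findings.append(f"sec={sec}: {WEAK_SEC[sec]}")
    if "sign" not in opts and sec not in SIGNING_SEC:
        findings.append("packet signing not required")
    return findings


def audit_fstab(text):
    """Map mount point -> findings for every cifs entry in fstab-format text."""
    report = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#") or fields[2] != "cifs":
            continue
        report[fields[1]] = audit_mount(fields[3])
    return report


def weak_secflags(value):
    """Names of weak mechanisms permitted by a SecurityFlags value."""
    return [name for bit, name in sorted(WEAK_FLAG_BITS.items()) if value & bit]


# Constructed sample input (hypothetical servers and paths).
SAMPLE_FSTAB = """\
# <fs>            <dir>      <type> <options>                              <dump> <pass>
//files01/public  /mnt/pub   cifs   sec=none,ro                            0 0
//files01/legacy  /mnt/old   cifs   username=svc,sec=lanman,servern=OLDBOX 0 0
//files02/home    /mnt/home  cifs   username=alice,sec=ntlmv2i,nounix      0 0
//files02/proj    /mnt/proj  cifs   username=alice,sec=krb5,sign           0 0
//files03/scratch /mnt/tmp   cifs   username=alice,noacl                   0 0
/dev/sda1         /          ext4   defaults                               0 1
"""

if __name__ == "__main__":
    for mount_point, findings in audit_fstab(SAMPLE_FSTAB).items():
        print(mount_point, "->", findings or "ok")
    print("0x37037 permits:", weak_secflags(0x37037))
```

On a live client the same functions can be fed the contents of /etc/fstab and the value read from /proc/fs/cifs/SecurityFlags.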
|  | 799 |  | 
|  | 800 | These experimental features and tracing can be enabled by changing flags in | 
|  | 801 | /proc/fs/cifs (after the cifs module has been installed or built into the | 
|  | 802 | kernel, e.g.  insmod cifs).  To enable a feature set it to 1 e.g.  to enable | 
|  | 803 | tracing to the kernel message log type:: | 
|  | 804 |  | 
|  | 805 | echo 7 > /proc/fs/cifs/cifsFYI | 
|  | 806 |  | 
|  | 807 | cifsFYI functions as a bit mask. Setting it to 1 enables additional kernel | 
|  | 808 | logging of various informational messages.  2 enables logging of non-zero | 
|  | 809 | SMB return codes while 4 enables logging of requests that take longer | 
|  | 810 | than one second to complete (except for byte range lock requests). | 
|  | 811 | Setting it to 4 requires CONFIG_CIFS_STATS2 to be set in kernel configuration | 
|  | 812 | (.config). Setting it to seven enables all three.  Finally, tracing | 
|  | 813 | the start of smb requests and responses can be enabled via:: | 
|  | 814 |  | 
|  | 815 | echo 1 > /proc/fs/cifs/traceSMB | 
|  | 816 |  | 
|  | 817 | Per share (per client mount) statistics are available in /proc/fs/cifs/Stats. | 
|  | 818 | Additional information is available if CONFIG_CIFS_STATS2 is enabled in the | 
|  | 819 | kernel configuration (.config).  The statistics returned include counters which | 
|  | 820 | represent the number of attempted and failed (ie non-zero return code from the | 
|  | 821 | server) SMB3 (or cifs) requests grouped by request type (read, write, close etc.). | 
|  | 822 | Also recorded is the total bytes read and bytes written to the server for | 
|  | 823 | that share.  Note that due to client caching effects this can be less than the | 
|  | 824 | number of bytes read and written by the application running on the client. | 
|  | 825 | Statistics can be reset to zero by ``echo 0 > /proc/fs/cifs/Stats`` which may be | 
|  | 826 | useful if comparing performance of two different scenarios. | 
|  | 827 |  | 
|  | 828 | Also note that ``cat /proc/fs/cifs/DebugData`` will display information about | 
|  | 829 | the active sessions and the shares that are mounted. | 
|  | 830 |  | 
|  | 831 | Enabling Kerberos (extended security) works but requires version 1.2 or later | 
|  | 832 | of the helper program cifs.upcall to be present and to be configured in the | 
|  | 833 | /etc/request-key.conf file.  The cifs.upcall helper program is from the Samba | 
|  | 834 | project (http://www.samba.org). NTLM and NTLMv2 and LANMAN support do not | 
|  | 835 | require this helper. Note that NTLMv2 security (which does not require the | 
|  | 836 | cifs.upcall helper program), instead of using Kerberos, is sufficient for | 
|  | 837 | some use cases. | 
|  | 838 |  | 
|  | 839 | DFS support allows transparent redirection to shares in an MS-DFS name space. | 
|  | 840 | In addition, DFS support for target shares which are specified as UNC | 
|  | 841 | names which begin with host names (rather than IP addresses) requires | 
|  | 842 | a user space helper (such as cifs.upcall) to be present in order to | 
|  | 843 | translate host names to IP addresses, and the user space helper must also | 
|  | 844 | be configured in the file /etc/request-key.conf.  Samba, Windows servers and | 
|  | 845 | many NAS appliances support DFS as a way of constructing a global name | 
|  | 846 | space to ease network configuration and improve reliability. | 
|  | 847 |  | 
|  | 848 | To use cifs Kerberos and DFS support, the Linux keyutils package should be | 
|  | 849 | installed and something like the following lines should be added to the | 
|  | 850 | /etc/request-key.conf file:: | 
|  | 851 |  | 
|  | 852 | create cifs.spnego * * /usr/local/sbin/cifs.upcall %k | 
|  | 853 | create dns_resolver * * /usr/local/sbin/cifs.upcall %k | 
|  | 854 |  | 
|  | 855 | CIFS kernel module parameters | 
|  | 856 | ============================= | 
|  | 857 | These module parameters can be specified or modified either during the time of | 
|  | 858 | module loading or during the runtime by using the interface:: | 
|  | 859 |  | 
|  | 860 | /sys/module/cifs/parameters/<param> | 
|  | 861 |  | 
|  | 862 | i.e.:: | 
|  | 863 |  | 
|  | 864 | echo "value" > /sys/module/cifs/parameters/<param> | 
|  | 865 |  | 
|  | 866 | ================= ========================================================== | 
|  | 867 | 1. enable_oplocks Enable or disable oplocks. Oplocks are enabled by default. | 
|  | 868 | [Y/y/1]. To disable use any of [N/n/0]. | 
|  | 869 | ================= ========================================================== |