Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | The CIFS VFS support for Linux supports many advanced network filesystem |
Uwe Kleine-König | 1b3c371 | 2007-02-17 19:23:03 +0100 | [diff] [blame^] | 2 | features such as hierarchical dfs like namespace, hardlinks, locking and more. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 3 | It was designed to comply with the SNIA CIFS Technical Reference (which |
| 4 | supersedes the 1992 X/Open SMB Standard) as well as to perform best practice |
| 5 | practical interoperability with Windows 2000, Windows XP, Samba and equivalent |
| 6 | servers. |
| 7 | |
| 8 | For questions or bug reports please contact: |
| 9 | sfrench@samba.org (sfrench@us.ibm.com) |
| 10 | |
| 11 | Build instructions: |
| 12 | ================== |
| 13 | For Linux 2.4: |
| 14 | 1) Get the kernel source (e.g.from http://www.kernel.org) |
| 15 | and download the cifs vfs source (see the project page |
| 16 | at http://us1.samba.org/samba/Linux_CIFS_client.html) |
| 17 | and change directory into the top of the kernel directory |
| 18 | then patch the kernel (e.g. "patch -p1 < cifs_24.patch") |
| 19 | to add the cifs vfs to your kernel configure options if |
| 20 | it has not already been added (e.g. current SuSE and UL |
| 21 | users do not need to apply the cifs_24.patch since the cifs vfs is |
| 22 | already in the kernel configure menu) and then |
| 23 | mkdir linux/fs/cifs and then copy the current cifs vfs files from |
| 24 | the cifs download to your kernel build directory e.g. |
| 25 | |
| 26 | cp <cifs_download_dir>/fs/cifs/* to <kernel_download_dir>/fs/cifs |
| 27 | |
| 28 | 2) make menuconfig (or make xconfig) |
| 29 | 3) select cifs from within the network filesystem choices |
| 30 | 4) save and exit |
| 31 | 5) make dep |
| 32 | 6) make modules (or "make" if CIFS VFS not to be built as a module) |
| 33 | |
| 34 | For Linux 2.6: |
Adrian Bunk | dfc1e14 | 2005-05-05 16:15:51 -0700 | [diff] [blame] | 35 | 1) Download the kernel (e.g. from http://www.kernel.org) |
| 36 | and change directory into the top of the kernel directory tree |
| 37 | (e.g. /usr/src/linux-2.5.73) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 38 | 2) make menuconfig (or make xconfig) |
| 39 | 3) select cifs from within the network filesystem choices |
| 40 | 4) save and exit |
| 41 | 5) make |
| 42 | |
| 43 | |
| 44 | Installation instructions: |
| 45 | ========================= |
| 46 | If you have built the CIFS vfs as module (successfully) simply |
| 47 | type "make modules_install" (or if you prefer, manually copy the file to |
| 48 | the modules directory e.g. /lib/modules/2.4.10-4GB/kernel/fs/cifs/cifs.o). |
| 49 | |
| 50 | If you have built the CIFS vfs into the kernel itself, follow the instructions |
| 51 | for your distribution on how to install a new kernel (usually you |
| 52 | would simply type "make install"). |
| 53 | |
| 54 | If you do not have the utility mount.cifs (in the Samba 3.0 source tree and on |
| 55 | the CIFS VFS web site) copy it to the same directory in which mount.smbfs and |
| 56 | similar files reside (usually /sbin). Although the helper software is not |
| 57 | required, mount.cifs is recommended. Eventually the Samba 3.0 utility program |
| 58 | "net" may also be helpful since it may someday provide easier mount syntax for |
| 59 | users who are used to Windows e.g. net use <mount point> <UNC name or cifs URL> |
| 60 | Note that running the Winbind pam/nss module (logon service) on all of your |
| 61 | Linux clients is useful in mapping Uids and Gids consistently across the |
| 62 | domain to the proper network user. The mount.cifs mount helper can be |
| 63 | trivially built from Samba 3.0 or later source e.g. by executing: |
| 64 | |
| 65 | gcc samba/source/client/mount.cifs.c -o mount.cifs |
| 66 | |
| 67 | If cifs is built as a module, then the size and number of network buffers |
| 68 | and maximum number of simultaneous requests to one server can be configured. |
| 69 | Changing these from their defaults is not recommended. By executing modinfo |
| 70 | modinfo kernel/fs/cifs/cifs.ko |
| 71 | on kernel/fs/cifs/cifs.ko the list of configuration changes that can be made |
| 72 | at module initialization time (by running insmod cifs.ko) can be seen. |
| 73 | |
| 74 | Allowing User Mounts |
| 75 | ==================== |
| 76 | To permit users to mount and unmount over directories they own is possible |
| 77 | with the cifs vfs. A way to enable such mounting is to mark the mount.cifs |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 78 | utility as suid (e.g. "chmod +s /sbin/mount.cifs). To enable users to |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 79 | umount shares they mount requires |
| 80 | 1) mount.cifs version 1.4 or later |
| 81 | 2) an entry for the share in /etc/fstab indicating that a user may |
| 82 | unmount it e.g. |
| 83 | //server/usersharename /mnt/username cifs user 0 0 |
| 84 | |
| 85 | Note that when the mount.cifs utility is run suid (allowing user mounts), |
| 86 | in order to reduce risks, the "nosuid" mount flag is passed in on mount to |
| 87 | disallow execution of an suid program mounted on the remote target. |
| 88 | When mount is executed as root, nosuid is not passed in by default, |
| 89 | and execution of suid programs on the remote target would be enabled |
| 90 | by default. This can be changed, as with nfs and other filesystems, |
| 91 | by simply specifying "nosuid" among the mount options. For user mounts |
| 92 | though to be able to pass the suid flag to mount requires rebuilding |
| 93 | mount.cifs with the following flag: |
| 94 | |
| 95 | gcc samba/source/client/mount.cifs.c -DCIFS_ALLOW_USR_SUID -o mount.cifs |
| 96 | |
| 97 | There is a corresponding manual page for cifs mounting in the Samba 3.0 and |
| 98 | later source tree in docs/manpages/mount.cifs.8 |
| 99 | |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 100 | Allowing User Unmounts |
| 101 | ====================== |
| 102 | To permit users to ummount directories that they have user mounted (see above), |
| 103 | the utility umount.cifs may be used. It may be invoked directly, or if |
Steve French | 0cb766a | 2005-04-28 22:41:11 -0700 | [diff] [blame] | 104 | umount.cifs is placed in /sbin, umount can invoke the cifs umount helper |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 105 | (at least for most versions of the umount utility) for umount of cifs |
Steve French | 0cb766a | 2005-04-28 22:41:11 -0700 | [diff] [blame] | 106 | mounts, unless umount is invoked with -i (which will avoid invoking a umount |
| 107 | helper). As with mount.cifs, to enable user unmounts umount.cifs must be marked |
| 108 | as suid (e.g. "chmod +s /sbin/umount.cifs") or equivalent (some distributions |
| 109 | allow adding entries to a file to the /etc/permissions file to achieve the |
| 110 | equivalent suid effect). For this utility to succeed the target path |
| 111 | must be a cifs mount, and the uid of the current user must match the uid |
| 112 | of the user who mounted the resource. |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 113 | |
| 114 | Also note that the customary way of allowing user mounts and unmounts is |
| 115 | (instead of using mount.cifs and unmount.cifs as suid) to add a line |
| 116 | to the file /etc/fstab for each //server/share you wish to mount, but |
| 117 | this can become unwieldy when potential mount targets include many |
| 118 | or unpredictable UNC names. |
| 119 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 120 | Samba Considerations |
| 121 | ==================== |
| 122 | To get the maximum benefit from the CIFS VFS, we recommend using a server that |
| 123 | supports the SNIA CIFS Unix Extensions standard (e.g. Samba 2.2.5 or later or |
| 124 | Samba 3.0) but the CIFS vfs works fine with a wide variety of CIFS servers. |
| 125 | Note that uid, gid and file permissions will display default values if you do |
| 126 | not have a server that supports the Unix extensions for CIFS (such as Samba |
| 127 | 2.2.5 or later). To enable the Unix CIFS Extensions in the Samba server, add |
| 128 | the line: |
| 129 | |
| 130 | unix extensions = yes |
| 131 | |
| 132 | to your smb.conf file on the server. Note that the following smb.conf settings |
| 133 | are also useful (on the Samba server) when the majority of clients are Unix or |
| 134 | Linux: |
| 135 | |
| 136 | case sensitive = yes |
| 137 | delete readonly = yes |
| 138 | ea support = yes |
| 139 | |
| 140 | Note that server ea support is required for supporting xattrs from the Linux |
| 141 | cifs client, and that EA support is present in later versions of Samba (e.g. |
| 142 | 3.0.6 and later (also EA support works in all versions of Windows, at least to |
| 143 | shares on NTFS filesystems). Extended Attribute (xattr) support is an optional |
| 144 | feature of most Linux filesystems which may require enabling via |
| 145 | make menuconfig. Client support for extended attributes (user xattr) can be |
| 146 | disabled on a per-mount basis by specifying "nouser_xattr" on mount. |
| 147 | |
| 148 | The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba servers |
| 149 | version 3.10 and later. Setting POSIX ACLs requires enabling both XATTR and |
| 150 | then POSIX support in the CIFS configuration options when building the cifs |
| 151 | module. POSIX ACL support can be disabled on a per mount basic by specifying |
| 152 | "noacl" on mount. |
| 153 | |
| 154 | Some administrators may want to change Samba's smb.conf "map archive" and |
| 155 | "create mask" parameters from the default. Unless the create mask is changed |
| 156 | newly created files can end up with an unnecessarily restrictive default mode, |
| 157 | which may not be what you want, although if the CIFS Unix extensions are |
| 158 | enabled on the server and client, subsequent setattr calls (e.g. chmod) can |
| 159 | fix the mode. Note that creating special devices (mknod) remotely |
| 160 | may require specifying a mkdev function to Samba if you are not using |
| 161 | Samba 3.0.6 or later. For more information on these see the manual pages |
| 162 | ("man smb.conf") on the Samba server system. Note that the cifs vfs, |
| 163 | unlike the smbfs vfs, does not read the smb.conf on the client system |
| 164 | (the few optional settings are passed in on mount via -o parameters instead). |
| 165 | Note that Samba 2.2.7 or later includes a fix that allows the CIFS VFS to delete |
| 166 | open files (required for strict POSIX compliance). Windows Servers already |
| 167 | supported this feature. Samba server does not allow symlinks that refer to files |
| 168 | outside of the share, so in Samba versions prior to 3.0.6, most symlinks to |
| 169 | files with absolute paths (ie beginning with slash) such as: |
| 170 | ln -s /mnt/foo bar |
| 171 | would be forbidden. Samba 3.0.6 server or later includes the ability to create |
| 172 | such symlinks safely by converting unsafe symlinks (ie symlinks to server |
| 173 | files that are outside of the share) to a samba specific format on the server |
| 174 | that is ignored by local server applications and non-cifs clients and that will |
| 175 | not be traversed by the Samba server). This is opaque to the Linux client |
| 176 | application using the cifs vfs. Absolute symlinks will work to Samba 3.0.5 or |
| 177 | later, but only for remote clients using the CIFS Unix extensions, and will |
| 178 | be invisbile to Windows clients and typically will not affect local |
| 179 | applications running on the same server as Samba. |
| 180 | |
| 181 | Use instructions: |
| 182 | ================ |
| 183 | Once the CIFS VFS support is built into the kernel or installed as a module |
| 184 | (cifs.o), you can use mount syntax like the following to access Samba or Windows |
| 185 | servers: |
| 186 | |
| 187 | mount -t cifs //9.53.216.11/e$ /mnt -o user=myname,pass=mypassword |
| 188 | |
| 189 | Before -o the option -v may be specified to make the mount.cifs |
| 190 | mount helper display the mount steps more verbosely. |
| 191 | After -o the following commonly used cifs vfs specific options |
| 192 | are supported: |
| 193 | |
| 194 | user=<username> |
| 195 | pass=<password> |
| 196 | domain=<domain name> |
| 197 | |
| 198 | Other cifs mount options are described below. Use of TCP names (in addition to |
| 199 | ip addresses) is available if the mount helper (mount.cifs) is installed. If |
| 200 | you do not trust the server to which are mounted, or if you do not have |
| 201 | cifs signing enabled (and the physical network is insecure), consider use |
| 202 | of the standard mount options "noexec" and "nosuid" to reduce the risk of |
| 203 | running an altered binary on your local system (downloaded from a hostile server |
| 204 | or altered by a hostile router). |
| 205 | |
| 206 | Although mounting using format corresponding to the CIFS URL specification is |
| 207 | not possible in mount.cifs yet, it is possible to use an alternate format |
| 208 | for the server and sharename (which is somewhat similar to NFS style mount |
| 209 | syntax) instead of the more widely used UNC format (i.e. \\server\share): |
| 210 | mount -t cifs tcp_name_of_server:share_name /mnt -o user=myname,pass=mypasswd |
| 211 | |
| 212 | When using the mount helper mount.cifs, passwords may be specified via alternate |
| 213 | mechanisms, instead of specifying it after -o using the normal "pass=" syntax |
| 214 | on the command line: |
| 215 | 1) By including it in a credential file. Specify credentials=filename as one |
| 216 | of the mount options. Credential files contain two lines |
| 217 | username=someuser |
| 218 | password=your_password |
| 219 | 2) By specifying the password in the PASSWD environment variable (similarly |
| 220 | the user name can be taken from the USER environment variable). |
| 221 | 3) By specifying the password in a file by name via PASSWD_FILE |
| 222 | 4) By specifying the password in a file by file descriptor via PASSWD_FD |
| 223 | |
| 224 | If no password is provided, mount.cifs will prompt for password entry |
| 225 | |
| 226 | Restrictions |
| 227 | ============ |
| 228 | Servers must support the NTLM SMB dialect (which is the most recent, supported |
| 229 | by Samba and Windows NT version 4, 2000 and XP and many other SMB/CIFS servers) |
| 230 | Servers must support either "pure-TCP" (port 445 TCP/IP CIFS connections) or RFC |
| 231 | 1001/1002 support for "Netbios-Over-TCP/IP." Neither of these is likely to be a |
| 232 | problem as most servers support this. IPv6 support is planned for the future, |
| 233 | and is almost complete. |
| 234 | |
| 235 | Valid filenames differ between Windows and Linux. Windows typically restricts |
| 236 | filenames which contain certain reserved characters (e.g.the character : |
| 237 | which is used to delimit the beginning of a stream name by Windows), while |
| 238 | Linux allows a slightly wider set of valid characters in filenames. Windows |
| 239 | servers can remap such characters when an explicit mapping is specified in |
| 240 | the Server's registry. Samba starting with version 3.10 will allow such |
| 241 | filenames (ie those which contain valid Linux characters, which normally |
| 242 | would be forbidden for Windows/CIFS semantics) as long as the server is |
| 243 | configured for Unix Extensions (and the client has not disabled |
| 244 | /proc/fs/cifs/LinuxExtensionsEnabled). |
| 245 | |
| 246 | |
| 247 | CIFS VFS Mount Options |
| 248 | ====================== |
| 249 | A partial list of the supported mount options follows: |
| 250 | user The user name to use when trying to establish |
| 251 | the CIFS session. |
| 252 | password The user password. If the mount helper is |
| 253 | installed, the user will be prompted for password |
| 254 | if it is not supplied. |
| 255 | ip The ip address of the target server |
| 256 | unc The target server Universal Network Name (export) to |
| 257 | mount. |
| 258 | domain Set the SMB/CIFS workgroup name prepended to the |
| 259 | username during CIFS session establishment |
| 260 | uid If CIFS Unix extensions are not supported by the server |
| 261 | this overrides the default uid for inodes. For mounts to |
| 262 | servers which do support the CIFS Unix extensions, such |
| 263 | as a properly configured Samba server, the server provides |
| 264 | the uid, gid and mode. For servers which do not support |
| 265 | the Unix extensions, the default uid (and gid) returned on |
| 266 | lookup of existing files is the uid (gid) of the person |
| 267 | who executed the mount (root, except when mount.cifs |
| 268 | is configured setuid for user mounts) unless the "uid=" |
| 269 | (gid) mount option is specified. For the uid (gid) of newly |
| 270 | created files and directories, ie files created since |
| 271 | the last mount of the server share, the expected uid |
Matt LaPlante | cab0089 | 2006-10-03 22:36:44 +0200 | [diff] [blame] | 272 | (gid) is cached as long as the inode remains in |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 273 | memory on the client. Also note that permission |
| 274 | checks (authorization checks) on accesses to a file occur |
| 275 | at the server, but there are cases in which an administrator |
| 276 | may want to restrict at the client as well. For those |
| 277 | servers which do not report a uid/gid owner |
| 278 | (such as Windows), permissions can also be checked at the |
| 279 | client, and a crude form of client side permission checking |
| 280 | can be enabled by specifying file_mode and dir_mode on |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 281 | the client. Note that the mount.cifs helper must be |
| 282 | at version 1.10 or higher to support specifying the uid |
| 283 | (or gid) in non-numberic form. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 284 | gid If CIFS Unix extensions are not supported by the server |
| 285 | this overrides the default gid for inodes. |
| 286 | file_mode If CIFS Unix extensions are not supported by the server |
| 287 | this overrides the default mode for file inodes. |
| 288 | dir_mode If CIFS Unix extensions are not supported by the server |
| 289 | this overrides the default mode for directory inodes. |
| 290 | port attempt to contact the server on this tcp port, before |
| 291 | trying the usual ports (port 445, then 139). |
| 292 | iocharset Codepage used to convert local path names to and from |
| 293 | Unicode. Unicode is used by default for network path |
| 294 | names if the server supports it. If iocharset is |
| 295 | not specified then the nls_default specified |
| 296 | during the local client kernel build will be used. |
| 297 | If server does not support Unicode, this parameter is |
| 298 | unused. |
Steve French | 190fdeb | 2005-10-10 11:48:26 -0700 | [diff] [blame] | 299 | rsize default read size (usually 16K) |
| 300 | wsize default write size (usually 16K, 32K is often better over GigE) |
Steve French | 4ca9c19 | 2005-10-10 19:52:13 -0700 | [diff] [blame] | 301 | maximum wsize currently allowed by CIFS is 57344 (14 4096 byte |
| 302 | pages) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 303 | rw mount the network share read-write (note that the |
| 304 | server may still consider the share read-only) |
| 305 | ro mount network share read-only |
| 306 | version used to distinguish different versions of the |
| 307 | mount helper utility (not typically needed) |
| 308 | sep if first mount option (after the -o), overrides |
| 309 | the comma as the separator between the mount |
| 310 | parms. e.g. |
| 311 | -o user=myname,password=mypassword,domain=mydom |
| 312 | could be passed instead with period as the separator by |
| 313 | -o sep=.user=myname.password=mypassword.domain=mydom |
| 314 | this might be useful when comma is contained within username |
| 315 | or password or domain. This option is less important |
| 316 | when the cifs mount helper cifs.mount (version 1.1 or later) |
| 317 | is used. |
| 318 | nosuid Do not allow remote executables with the suid bit |
| 319 | program to be executed. This is only meaningful for mounts |
| 320 | to servers such as Samba which support the CIFS Unix Extensions. |
| 321 | If you do not trust the servers in your network (your mount |
| 322 | targets) it is recommended that you specify this option for |
| 323 | greater security. |
| 324 | exec Permit execution of binaries on the mount. |
| 325 | noexec Do not permit execution of binaries on the mount. |
| 326 | dev Recognize block devices on the remote mount. |
| 327 | nodev Do not recognize devices on the remote mount. |
| 328 | suid Allow remote files on this mountpoint with suid enabled to |
| 329 | be executed (default for mounts when executed as root, |
| 330 | nosuid is default for user mounts). |
| 331 | credentials Although ignored by the cifs kernel component, it is used by |
| 332 | the mount helper, mount.cifs. When mount.cifs is installed it |
| 333 | opens and reads the credential file specified in order |
| 334 | to obtain the userid and password arguments which are passed to |
| 335 | the cifs vfs. |
| 336 | guest Although ignored by the kernel component, the mount.cifs |
| 337 | mount helper will not prompt the user for a password |
| 338 | if guest is specified on the mount options. If no |
| 339 | password is specified a null password will be used. |
| 340 | perm Client does permission checks (vfs_permission check of uid |
| 341 | and gid of the file against the mode and desired operation), |
| 342 | Note that this is in addition to the normal ACL check on the |
| 343 | target machine done by the server software. |
| 344 | Client permission checking is enabled by default. |
| 345 | noperm Client does not do permission checks. This can expose |
| 346 | files on this mount to access by other users on the local |
| 347 | client system. It is typically only needed when the server |
| 348 | supports the CIFS Unix Extensions but the UIDs/GIDs on the |
| 349 | client and server system do not match closely enough to allow |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 350 | access by the user doing the mount, but it may be useful with |
| 351 | non CIFS Unix Extension mounts for cases in which the default |
| 352 | mode is specified on the mount but is not to be enforced on the |
| 353 | client (e.g. perhaps when MultiUserMount is enabled) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 354 | Note that this does not affect the normal ACL check on the |
| 355 | target machine done by the server software (of the server |
| 356 | ACL against the user name provided at mount time). |
| 357 | serverino Use servers inode numbers instead of generating automatically |
| 358 | incrementing inode numbers on the client. Although this will |
| 359 | make it easier to spot hardlinked files (as they will have |
| 360 | the same inode numbers) and inode numbers may be persistent, |
| 361 | note that the server does not guarantee that the inode numbers |
| 362 | are unique if multiple server side mounts are exported under a |
| 363 | single share (since inode numbers on the servers might not |
| 364 | be unique if multiple filesystems are mounted under the same |
| 365 | shared higher level directory). Note that this requires that |
| 366 | the server support the CIFS Unix Extensions as other servers |
| 367 | do not return a unique IndexNumber on SMB FindFirst (most |
| 368 | servers return zero as the IndexNumber). Parameter has no |
| 369 | effect to Windows servers and others which do not support the |
| 370 | CIFS Unix Extensions. |
| 371 | noserverino Client generates inode numbers (rather than using the actual one |
| 372 | from the server) by default. |
| 373 | setuids If the CIFS Unix extensions are negotiated with the server |
| 374 | the client will attempt to set the effective uid and gid of |
| 375 | the local process on newly created files, directories, and |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 376 | devices (create, mkdir, mknod). If the CIFS Unix Extensions |
| 377 | are not negotiated, for newly created files and directories |
Matt LaPlante | cab0089 | 2006-10-03 22:36:44 +0200 | [diff] [blame] | 378 | instead of using the default uid and gid specified on |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 379 | the mount, cache the new file's uid and gid locally which means |
| 380 | that the uid for the file can change when the inode is |
| 381 | reloaded (or the user remounts the share). |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 382 | nosetuids The client will not attempt to set the uid and gid on |
| 383 | on newly created files, directories, and devices (create, |
| 384 | mkdir, mknod) which will result in the server setting the |
| 385 | uid and gid to the default (usually the server uid of the |
Steve French | 67594fe | 2005-05-17 13:04:49 -0500 | [diff] [blame] | 386 | user who mounted the share). Letting the server (rather than |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 387 | the client) set the uid and gid is the default. If the CIFS |
| 388 | Unix Extensions are not negotiated then the uid and gid for |
| 389 | new files will appear to be the uid (gid) of the mounter or the |
| 390 | uid (gid) parameter specified on the mount. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 391 | netbiosname When mounting to servers via port 139, specifies the RFC1001 |
| 392 | source name to use to represent the client netbios machine |
| 393 | name when doing the RFC1001 netbios session initialize. |
| 394 | direct Do not do inode data caching on files opened on this mount. |
| 395 | This precludes mmaping files on this mount. In some cases |
| 396 | with fast networks and little or no caching benefits on the |
| 397 | client (e.g. when the application is doing large sequential |
| 398 | reads bigger than page size without rereading the same data) |
| 399 | this can provide better performance than the default |
Steve French | 67594fe | 2005-05-17 13:04:49 -0500 | [diff] [blame] | 400 | behavior which caches reads (readahead) and writes |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 401 | (writebehind) through the local Linux client pagecache |
| 402 | if oplock (caching token) is granted and held. Note that |
| 403 | direct allows write operations larger than page size |
| 404 | to be sent to the server. |
| 405 | acl Allow setfacl and getfacl to manage posix ACLs if server |
| 406 | supports them. (default) |
| 407 | noacl Do not allow setfacl and getfacl calls on this mount |
| 408 | user_xattr Allow getting and setting user xattrs as OS/2 EAs (extended |
| 409 | attributes) to the server (default) e.g. via setfattr |
| 410 | and getfattr utilities. |
Steve French | ea4c07d | 2006-08-16 19:44:25 +0000 | [diff] [blame] | 411 | nouser_xattr Do not allow getfattr/setfattr to get/set/list xattrs |
Steve French | 737b758 | 2005-04-28 22:41:06 -0700 | [diff] [blame] | 412 | mapchars Translate six of the seven reserved characters (not backslash) |
| 413 | *?<>|: |
Steve French | 6a0b482 | 2005-04-28 22:41:05 -0700 | [diff] [blame] | 414 | to the remap range (above 0xF000), which also |
| 415 | allows the CIFS client to recognize files created with |
| 416 | such characters by Windows's POSIX emulation. This can |
| 417 | also be useful when mounting to most versions of Samba |
| 418 | (which also forbids creating and opening files |
| 419 | whose names contain any of these seven characters). |
| 420 | This has no effect if the server does not support |
| 421 | Unicode on the wire. |
| 422 | nomapchars Do not translate any of these seven characters (default). |
Steve French | c46fa8a | 2005-08-18 20:49:57 -0700 | [diff] [blame] | 423 | nocase Request case insensitive path name matching (case |
| 424 | sensitive is the default if the server suports it). |
Steve French | 82940a4 | 2006-03-02 03:24:57 +0000 | [diff] [blame] | 425 | posixpaths If CIFS Unix extensions are supported, attempt to |
| 426 | negotiate posix path name support which allows certain |
| 427 | characters forbidden in typical CIFS filenames, without |
| 428 | requiring remapping. (default) |
| 429 | noposixpaths If CIFS Unix extensions are supported, do not request |
| 430 | posix path name support (this may cause servers to |
| 431 | reject creatingfile with certain reserved characters). |
Steve French | c46fa8a | 2005-08-18 20:49:57 -0700 | [diff] [blame] | 432 | nobrl Do not send byte range lock requests to the server. |
| 433 | This is necessary for certain applications that break |
| 434 | with cifs style mandatory byte range locks (and most |
| 435 | cifs servers do not yet support requesting advisory |
| 436 | byte range locks). |
Steve French | 0cb766a | 2005-04-28 22:41:11 -0700 | [diff] [blame] | 437 | remount remount the share (often used to change from ro to rw mounts |
| 438 | or vice versa) |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 439 | sfu When the CIFS Unix Extensions are not negotiated, attempt to |
| 440 | create device files and fifos in a format compatible with |
| 441 | Services for Unix (SFU). In addition retrieve bits 10-12 |
| 442 | of the mode via the SETFILEBITS extended attribute (as |
Matt LaPlante | cab0089 | 2006-10-03 22:36:44 +0200 | [diff] [blame] | 443 | SFU does). In the future the bottom 9 bits of the |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 444 | mode also will be emulated using queries of the security |
| 445 | descriptor (ACL). |
Steve French | 750d115 | 2006-06-27 06:28:30 +0000 | [diff] [blame] | 446 | sign Must use packet signing (helps avoid unwanted data modification |
| 447 | by intermediate systems in the route). Note that signing |
| 448 | does not work with lanman or plaintext authentication. |
| 449 | sec Security mode. Allowed values are: |
Steve French | bf82067 | 2005-12-01 22:32:42 -0800 | [diff] [blame] | 450 | none attempt to connection as a null user (no name) |
| 451 | krb5 Use Kerberos version 5 authentication |
| 452 | krb5i Use Kerberos authentication and packet signing |
| 453 | ntlm Use NTLM password hashing (default) |
| 454 | ntlmi Use NTLM password hashing with signing (if |
| 455 | /proc/fs/cifs/PacketSigningEnabled on or if |
| 456 | server requires signing also can be the default) |
| 457 | ntlmv2 Use NTLMv2 password hashing |
| 458 | ntlmv2i Use NTLMv2 password hashing with packet signing |
Steve French | 189acaa | 2006-06-23 02:33:48 +0000 | [diff] [blame] | 459 | lanman (if configured in kernel config) use older |
| 460 | lanman hash |
Steve French | bf82067 | 2005-12-01 22:32:42 -0800 | [diff] [blame] | 461 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 462 | The mount.cifs mount helper also accepts a few mount options before -o |
| 463 | including: |
| 464 | |
| 465 | -S take password from stdin (equivalent to setting the environment |
| 466 | variable "PASSWD_FD=0" |
| 467 | -V print mount.cifs version |
| 468 | -? display simple usage information |
| 469 | |
| 470 | With recent 2.6 kernel versions of modutils, the version of the cifs kernel |
| 471 | module can be displayed via modinfo. |
| 472 | |
| 473 | Misc /proc/fs/cifs Flags and Debug Info |
| 474 | ======================================= |
| 475 | Informational pseudo-files: |
| 476 | DebugData Displays information about active CIFS sessions |
Steve French | 09d1db5 | 2005-04-28 22:41:08 -0700 | [diff] [blame] | 477 | and shares, as well as the cifs.ko version. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 478 | Stats Lists summary resource usage information as well as per |
| 479 | share statistics, if CONFIG_CIFS_STATS in enabled |
| 480 | in the kernel configuration. |
| 481 | |
| 482 | Configuration pseudo-files: |
| 483 | MultiuserMount If set to one, more than one CIFS session to |
| 484 | the same server ip address can be established |
| 485 | if more than one uid accesses the same mount |
| 486 | point and if the uids user/password mapping |
| 487 | information is available. (default is 0) |
| 488 | PacketSigningEnabled If set to one, cifs packet signing is enabled |
| 489 | and will be used if the server requires |
| 490 | it. If set to two, cifs packet signing is |
| 491 | required even if the server considers packet |
| 492 | signing optional. (default 1) |
Steve French | 254e55e | 2006-06-04 05:53:15 +0000 | [diff] [blame] | 493 | SecurityFlags Flags which control security negotiation and |
| 494 | also packet signing. Authentication (may/must) |
| 495 | flags (e.g. for NTLM and/or NTLMv2) may be combined with |
| 496 | the signing flags. Specifying two different password |
| 497 | hashing mechanisms (as "must use") on the other hand |
| 498 | does not make much sense. Default flags are |
| 499 | 0x07007 |
| 500 | (NTLM, NTLMv2 and packet signing allowed). Maximum |
| 501 | allowable flags if you want to allow mounts to servers |
| 502 | using weaker password hashes is 0x37037 (lanman, |
| 503 | plaintext, ntlm, ntlmv2, signing allowed): |
| 504 | |
| 505 | may use packet signing 0x00001 |
| 506 | must use packet signing 0x01001 |
| 507 | may use NTLM (most common password hash) 0x00002 |
| 508 | must use NTLM 0x02002 |
| 509 | may use NTLMv2 0x00004 |
| 510 | must use NTLMv2 0x04004 |
| 511 | may use Kerberos security (not implemented yet) 0x00008 |
| 512 | must use Kerberos (not implemented yet) 0x08008 |
| 513 | may use lanman (weak) password hash 0x00010 |
| 514 | must use lanman password hash 0x10010 |
| 515 | may use plaintext passwords 0x00020 |
| 516 | must use plaintext passwords 0x20020 |
| 517 | (reserved for future packet encryption) 0x00040 |
| 518 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 519 | cifsFYI If set to one, additional debug information is |
| 520 | logged to the system error log. (default 0) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 521 | traceSMB If set to one, debug information is logged to the |
| 522 | system error log with the start of smb requests |
| 523 | and responses (default 0) |
| 524 | LookupCacheEnable If set to one, inode information is kept cached |
| 525 | for one second improving performance of lookups |
| 526 | (default 1) |
| 527 | OplockEnabled If set to one, safe distributed caching enabled. |
| 528 | (default 1) |
| 529 | LinuxExtensionsEnabled If set to one then the client will attempt to |
| 530 | use the CIFS "UNIX" extensions which are optional |
| 531 | protocol enhancements that allow CIFS servers |
| 532 | to return accurate UID/GID information as well |
| 533 | as support symbolic links. If you use servers |
| 534 | such as Samba that support the CIFS Unix |
| 535 | extensions but do not want to use symbolic link |
| 536 | support and want to map the uid and gid fields |
| 537 | to values supplied at mount (rather than the |
| 538 | actual values, then set this to zero. (default 1) |
Steve French | 6080823 | 2006-04-22 15:53:05 +0000 | [diff] [blame] | 539 | Experimental When set to 1 used to enable certain experimental |
| 540 | features (currently enables multipage writes |
| 541 | when signing is enabled, the multipage write |
| 542 | performance enhancement was disabled when |
| 543 | signing turned on in case buffer was modified |
| 544 | just before it was sent, also this flag will |
| 545 | be used to use the new experimental sessionsetup |
| 546 | code). |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 547 | |
| 548 | These experimental features and tracing can be enabled by changing flags in |
| 549 | /proc/fs/cifs (after the cifs module has been installed or built into the |
| 550 | kernel, e.g. insmod cifs). To enable a feature set it to 1 e.g. to enable |
| 551 | tracing to the kernel message log type: |
| 552 | |
Steve French | 1047abc | 2005-10-11 19:58:06 -0700 | [diff] [blame] | 553 | echo 7 > /proc/fs/cifs/cifsFYI |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 554 | |
Steve French | 1047abc | 2005-10-11 19:58:06 -0700 | [diff] [blame] | 555 | cifsFYI functions as a bit mask. Setting it to 1 enables additional kernel |
| 556 | logging of various informational messages. 2 enables logging of non-zero |
| 557 | SMB return codes while 4 enables logging of requests that take longer |
| 558 | than one second to complete (except for byte range lock requests). |
| 559 | Setting it to 4 requires defining CONFIG_CIFS_STATS2 manually in the |
| 560 | source code (typically by setting it in the beginning of cifsglob.h), |
| 561 | and setting it to seven enables all three. Finally, tracing |
| 562 | the start of smb requests and responses can be enabled via: |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 563 | |
| 564 | echo 1 > /proc/fs/cifs/traceSMB |
| 565 | |
| 566 | Two other experimental features are under development and to test |
| 567 | require enabling CONFIG_CIFS_EXPERIMENTAL |
| 568 | |
Steve French | 09d1db5 | 2005-04-28 22:41:08 -0700 | [diff] [blame] | 569 | More efficient write operations |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 570 | |
| 571 | DNOTIFY fcntl: needed for support of directory change |
| 572 | notification and perhaps later for file leases) |
| 573 | |
| 574 | Per share (per client mount) statistics are available in /proc/fs/cifs/Stats |
| 575 | if the kernel was configured with cifs statistics enabled. The statistics |
| 576 | represent the number of successful (ie non-zero return code from the server) |
| 577 | SMB responses to some of the more common commands (open, delete, mkdir etc.). |
| 578 | Also recorded is the total bytes read and bytes written to the server for |
| 579 | that share. Note that due to client caching effects this can be less than the |
| 580 | number of bytes read and written by the application running on the client. |
| 581 | The statistics for the number of total SMBs and oplock breaks are different in |
| 582 | that they represent all for that share, not just those for which the server |
| 583 | returned success. |
| 584 | |
| 585 | Also note that "cat /proc/fs/cifs/DebugData" will display information about |
| 586 | the active sessions and the shares that are mounted. Note: NTLMv2 enablement |
Steve French | 09d1db5 | 2005-04-28 22:41:08 -0700 | [diff] [blame] | 587 | will not work since its implementation is not quite complete yet. Do not alter |
| 588 | the ExtendedSecurity configuration value unless you are doing specific testing. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 589 | Enabling extended security works to Windows 2000 Workstations and XP but not to |
| 590 | Windows 2000 server or Samba since it does not usually send "raw NTLMSSP" |
| 591 | (instead it sends NTLMSSP encapsulated in SPNEGO/GSSAPI, which support is not |
| 592 | complete in the CIFS VFS yet). |