Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | The CIFS VFS support for Linux supports many advanced network filesystem |
Uwe Kleine-König | 1b3c371 | 2007-02-17 19:23:03 +0100 | [diff] [blame] | 2 | features such as hierarchical dfs like namespace, hardlinks, locking and more. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 3 | It was designed to comply with the SNIA CIFS Technical Reference (which |
| 4 | supersedes the 1992 X/Open SMB Standard) as well as to perform best practice |
| 5 | practical interoperability with Windows 2000, Windows XP, Samba and equivalent |
| 6 | servers. |
| 7 | |
| 8 | For questions or bug reports please contact: |
| 9 | sfrench@samba.org (sfrench@us.ibm.com) |
| 10 | |
| 11 | Build instructions: |
| 12 | ================== |
| 13 | For Linux 2.4: |
| 14 | 1) Get the kernel source (e.g.from http://www.kernel.org) |
| 15 | and download the cifs vfs source (see the project page |
| 16 | at http://us1.samba.org/samba/Linux_CIFS_client.html) |
| 17 | and change directory into the top of the kernel directory |
| 18 | then patch the kernel (e.g. "patch -p1 < cifs_24.patch") |
| 19 | to add the cifs vfs to your kernel configure options if |
| 20 | it has not already been added (e.g. current SuSE and UL |
| 21 | users do not need to apply the cifs_24.patch since the cifs vfs is |
| 22 | already in the kernel configure menu) and then |
| 23 | mkdir linux/fs/cifs and then copy the current cifs vfs files from |
| 24 | the cifs download to your kernel build directory e.g. |
| 25 | |
| 26 | cp <cifs_download_dir>/fs/cifs/* to <kernel_download_dir>/fs/cifs |
| 27 | |
| 28 | 2) make menuconfig (or make xconfig) |
| 29 | 3) select cifs from within the network filesystem choices |
| 30 | 4) save and exit |
| 31 | 5) make dep |
| 32 | 6) make modules (or "make" if CIFS VFS not to be built as a module) |
| 33 | |
| 34 | For Linux 2.6: |
Adrian Bunk | dfc1e14 | 2005-05-05 16:15:51 -0700 | [diff] [blame] | 35 | 1) Download the kernel (e.g. from http://www.kernel.org) |
| 36 | and change directory into the top of the kernel directory tree |
| 37 | (e.g. /usr/src/linux-2.5.73) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 38 | 2) make menuconfig (or make xconfig) |
| 39 | 3) select cifs from within the network filesystem choices |
| 40 | 4) save and exit |
| 41 | 5) make |
| 42 | |
| 43 | |
| 44 | Installation instructions: |
| 45 | ========================= |
| 46 | If you have built the CIFS vfs as module (successfully) simply |
| 47 | type "make modules_install" (or if you prefer, manually copy the file to |
| 48 | the modules directory e.g. /lib/modules/2.4.10-4GB/kernel/fs/cifs/cifs.o). |
| 49 | |
| 50 | If you have built the CIFS vfs into the kernel itself, follow the instructions |
| 51 | for your distribution on how to install a new kernel (usually you |
| 52 | would simply type "make install"). |
| 53 | |
| 54 | If you do not have the utility mount.cifs (in the Samba 3.0 source tree and on |
| 55 | the CIFS VFS web site) copy it to the same directory in which mount.smbfs and |
| 56 | similar files reside (usually /sbin). Although the helper software is not |
| 57 | required, mount.cifs is recommended. Eventually the Samba 3.0 utility program |
| 58 | "net" may also be helpful since it may someday provide easier mount syntax for |
| 59 | users who are used to Windows e.g. net use <mount point> <UNC name or cifs URL> |
| 60 | Note that running the Winbind pam/nss module (logon service) on all of your |
| 61 | Linux clients is useful in mapping Uids and Gids consistently across the |
| 62 | domain to the proper network user. The mount.cifs mount helper can be |
| 63 | trivially built from Samba 3.0 or later source e.g. by executing: |
| 64 | |
| 65 | gcc samba/source/client/mount.cifs.c -o mount.cifs |
| 66 | |
| 67 | If cifs is built as a module, then the size and number of network buffers |
| 68 | and maximum number of simultaneous requests to one server can be configured. |
| 69 | Changing these from their defaults is not recommended. By executing modinfo |
| 70 | modinfo kernel/fs/cifs/cifs.ko |
| 71 | on kernel/fs/cifs/cifs.ko the list of configuration changes that can be made |
| 72 | at module initialization time (by running insmod cifs.ko) can be seen. |
| 73 | |
| 74 | Allowing User Mounts |
| 75 | ==================== |
| 76 | To permit users to mount and unmount over directories they own is possible |
| 77 | with the cifs vfs. A way to enable such mounting is to mark the mount.cifs |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 78 | utility as suid (e.g. "chmod +s /sbin/mount.cifs). To enable users to |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 79 | umount shares they mount requires |
| 80 | 1) mount.cifs version 1.4 or later |
| 81 | 2) an entry for the share in /etc/fstab indicating that a user may |
| 82 | unmount it e.g. |
| 83 | //server/usersharename /mnt/username cifs user 0 0 |
| 84 | |
| 85 | Note that when the mount.cifs utility is run suid (allowing user mounts), |
| 86 | in order to reduce risks, the "nosuid" mount flag is passed in on mount to |
| 87 | disallow execution of an suid program mounted on the remote target. |
| 88 | When mount is executed as root, nosuid is not passed in by default, |
| 89 | and execution of suid programs on the remote target would be enabled |
| 90 | by default. This can be changed, as with nfs and other filesystems, |
| 91 | by simply specifying "nosuid" among the mount options. For user mounts |
| 92 | though to be able to pass the suid flag to mount requires rebuilding |
| 93 | mount.cifs with the following flag: |
| 94 | |
| 95 | gcc samba/source/client/mount.cifs.c -DCIFS_ALLOW_USR_SUID -o mount.cifs |
| 96 | |
| 97 | There is a corresponding manual page for cifs mounting in the Samba 3.0 and |
| 98 | later source tree in docs/manpages/mount.cifs.8 |
| 99 | |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 100 | Allowing User Unmounts |
| 101 | ====================== |
| 102 | To permit users to ummount directories that they have user mounted (see above), |
| 103 | the utility umount.cifs may be used. It may be invoked directly, or if |
Steve French | 0cb766a | 2005-04-28 22:41:11 -0700 | [diff] [blame] | 104 | umount.cifs is placed in /sbin, umount can invoke the cifs umount helper |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 105 | (at least for most versions of the umount utility) for umount of cifs |
Steve French | 0cb766a | 2005-04-28 22:41:11 -0700 | [diff] [blame] | 106 | mounts, unless umount is invoked with -i (which will avoid invoking a umount |
| 107 | helper). As with mount.cifs, to enable user unmounts umount.cifs must be marked |
| 108 | as suid (e.g. "chmod +s /sbin/umount.cifs") or equivalent (some distributions |
| 109 | allow adding entries to a file to the /etc/permissions file to achieve the |
| 110 | equivalent suid effect). For this utility to succeed the target path |
| 111 | must be a cifs mount, and the uid of the current user must match the uid |
| 112 | of the user who mounted the resource. |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 113 | |
| 114 | Also note that the customary way of allowing user mounts and unmounts is |
| 115 | (instead of using mount.cifs and unmount.cifs as suid) to add a line |
| 116 | to the file /etc/fstab for each //server/share you wish to mount, but |
| 117 | this can become unwieldy when potential mount targets include many |
| 118 | or unpredictable UNC names. |
| 119 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 120 | Samba Considerations |
| 121 | ==================== |
| 122 | To get the maximum benefit from the CIFS VFS, we recommend using a server that |
| 123 | supports the SNIA CIFS Unix Extensions standard (e.g. Samba 2.2.5 or later or |
| 124 | Samba 3.0) but the CIFS vfs works fine with a wide variety of CIFS servers. |
| 125 | Note that uid, gid and file permissions will display default values if you do |
| 126 | not have a server that supports the Unix extensions for CIFS (such as Samba |
| 127 | 2.2.5 or later). To enable the Unix CIFS Extensions in the Samba server, add |
| 128 | the line: |
| 129 | |
| 130 | unix extensions = yes |
| 131 | |
| 132 | to your smb.conf file on the server. Note that the following smb.conf settings |
| 133 | are also useful (on the Samba server) when the majority of clients are Unix or |
| 134 | Linux: |
| 135 | |
| 136 | case sensitive = yes |
| 137 | delete readonly = yes |
| 138 | ea support = yes |
| 139 | |
| 140 | Note that server ea support is required for supporting xattrs from the Linux |
| 141 | cifs client, and that EA support is present in later versions of Samba (e.g. |
| 142 | 3.0.6 and later (also EA support works in all versions of Windows, at least to |
| 143 | shares on NTFS filesystems). Extended Attribute (xattr) support is an optional |
| 144 | feature of most Linux filesystems which may require enabling via |
| 145 | make menuconfig. Client support for extended attributes (user xattr) can be |
| 146 | disabled on a per-mount basis by specifying "nouser_xattr" on mount. |
| 147 | |
| 148 | The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba servers |
| 149 | version 3.10 and later. Setting POSIX ACLs requires enabling both XATTR and |
| 150 | then POSIX support in the CIFS configuration options when building the cifs |
| 151 | module. POSIX ACL support can be disabled on a per mount basic by specifying |
| 152 | "noacl" on mount. |
| 153 | |
| 154 | Some administrators may want to change Samba's smb.conf "map archive" and |
| 155 | "create mask" parameters from the default. Unless the create mask is changed |
| 156 | newly created files can end up with an unnecessarily restrictive default mode, |
| 157 | which may not be what you want, although if the CIFS Unix extensions are |
| 158 | enabled on the server and client, subsequent setattr calls (e.g. chmod) can |
| 159 | fix the mode. Note that creating special devices (mknod) remotely |
| 160 | may require specifying a mkdev function to Samba if you are not using |
| 161 | Samba 3.0.6 or later. For more information on these see the manual pages |
| 162 | ("man smb.conf") on the Samba server system. Note that the cifs vfs, |
| 163 | unlike the smbfs vfs, does not read the smb.conf on the client system |
| 164 | (the few optional settings are passed in on mount via -o parameters instead). |
| 165 | Note that Samba 2.2.7 or later includes a fix that allows the CIFS VFS to delete |
| 166 | open files (required for strict POSIX compliance). Windows Servers already |
| 167 | supported this feature. Samba server does not allow symlinks that refer to files |
| 168 | outside of the share, so in Samba versions prior to 3.0.6, most symlinks to |
| 169 | files with absolute paths (ie beginning with slash) such as: |
| 170 | ln -s /mnt/foo bar |
| 171 | would be forbidden. Samba 3.0.6 server or later includes the ability to create |
| 172 | such symlinks safely by converting unsafe symlinks (ie symlinks to server |
| 173 | files that are outside of the share) to a samba specific format on the server |
| 174 | that is ignored by local server applications and non-cifs clients and that will |
| 175 | not be traversed by the Samba server). This is opaque to the Linux client |
| 176 | application using the cifs vfs. Absolute symlinks will work to Samba 3.0.5 or |
| 177 | later, but only for remote clients using the CIFS Unix extensions, and will |
| 178 | be invisbile to Windows clients and typically will not affect local |
| 179 | applications running on the same server as Samba. |
| 180 | |
| 181 | Use instructions: |
| 182 | ================ |
| 183 | Once the CIFS VFS support is built into the kernel or installed as a module |
| 184 | (cifs.o), you can use mount syntax like the following to access Samba or Windows |
| 185 | servers: |
| 186 | |
| 187 | mount -t cifs //9.53.216.11/e$ /mnt -o user=myname,pass=mypassword |
| 188 | |
| 189 | Before -o the option -v may be specified to make the mount.cifs |
| 190 | mount helper display the mount steps more verbosely. |
| 191 | After -o the following commonly used cifs vfs specific options |
| 192 | are supported: |
| 193 | |
| 194 | user=<username> |
| 195 | pass=<password> |
| 196 | domain=<domain name> |
| 197 | |
| 198 | Other cifs mount options are described below. Use of TCP names (in addition to |
| 199 | ip addresses) is available if the mount helper (mount.cifs) is installed. If |
| 200 | you do not trust the server to which are mounted, or if you do not have |
| 201 | cifs signing enabled (and the physical network is insecure), consider use |
| 202 | of the standard mount options "noexec" and "nosuid" to reduce the risk of |
| 203 | running an altered binary on your local system (downloaded from a hostile server |
| 204 | or altered by a hostile router). |
| 205 | |
| 206 | Although mounting using format corresponding to the CIFS URL specification is |
| 207 | not possible in mount.cifs yet, it is possible to use an alternate format |
| 208 | for the server and sharename (which is somewhat similar to NFS style mount |
| 209 | syntax) instead of the more widely used UNC format (i.e. \\server\share): |
| 210 | mount -t cifs tcp_name_of_server:share_name /mnt -o user=myname,pass=mypasswd |
| 211 | |
| 212 | When using the mount helper mount.cifs, passwords may be specified via alternate |
| 213 | mechanisms, instead of specifying it after -o using the normal "pass=" syntax |
| 214 | on the command line: |
| 215 | 1) By including it in a credential file. Specify credentials=filename as one |
| 216 | of the mount options. Credential files contain two lines |
| 217 | username=someuser |
| 218 | password=your_password |
| 219 | 2) By specifying the password in the PASSWD environment variable (similarly |
| 220 | the user name can be taken from the USER environment variable). |
| 221 | 3) By specifying the password in a file by name via PASSWD_FILE |
| 222 | 4) By specifying the password in a file by file descriptor via PASSWD_FD |
| 223 | |
| 224 | If no password is provided, mount.cifs will prompt for password entry |
| 225 | |
| 226 | Restrictions |
| 227 | ============ |
| 228 | Servers must support the NTLM SMB dialect (which is the most recent, supported |
| 229 | by Samba and Windows NT version 4, 2000 and XP and many other SMB/CIFS servers) |
| 230 | Servers must support either "pure-TCP" (port 445 TCP/IP CIFS connections) or RFC |
| 231 | 1001/1002 support for "Netbios-Over-TCP/IP." Neither of these is likely to be a |
| 232 | problem as most servers support this. IPv6 support is planned for the future, |
| 233 | and is almost complete. |
| 234 | |
| 235 | Valid filenames differ between Windows and Linux. Windows typically restricts |
| 236 | filenames which contain certain reserved characters (e.g.the character : |
| 237 | which is used to delimit the beginning of a stream name by Windows), while |
| 238 | Linux allows a slightly wider set of valid characters in filenames. Windows |
| 239 | servers can remap such characters when an explicit mapping is specified in |
| 240 | the Server's registry. Samba starting with version 3.10 will allow such |
| 241 | filenames (ie those which contain valid Linux characters, which normally |
| 242 | would be forbidden for Windows/CIFS semantics) as long as the server is |
| 243 | configured for Unix Extensions (and the client has not disabled |
| 244 | /proc/fs/cifs/LinuxExtensionsEnabled). |
| 245 | |
| 246 | |
| 247 | CIFS VFS Mount Options |
| 248 | ====================== |
| 249 | A partial list of the supported mount options follows: |
| 250 | user The user name to use when trying to establish |
| 251 | the CIFS session. |
| 252 | password The user password. If the mount helper is |
| 253 | installed, the user will be prompted for password |
| 254 | if it is not supplied. |
| 255 | ip The ip address of the target server |
| 256 | unc The target server Universal Network Name (export) to |
| 257 | mount. |
| 258 | domain Set the SMB/CIFS workgroup name prepended to the |
| 259 | username during CIFS session establishment |
Steve French | 4523cc3 | 2007-04-30 20:13:06 +0000 | [diff] [blame] | 260 | uid Set the default uid for inodes. For mounts to servers |
| 261 | which do support the CIFS Unix extensions, such as a |
| 262 | properly configured Samba server, the server provides |
| 263 | the uid, gid and mode so this parameter should not be |
| 264 | specified unless the server and clients uid and gid |
| 265 | numbering differ. If the server and client are in the |
| 266 | same domain (e.g. running winbind or nss_ldap) and |
| 267 | the server supports the Unix Extensions then the uid |
| 268 | and gid can be retrieved from the server (and uid |
| 269 | and gid would not have to be specifed on the mount. |
| 270 | For servers which do not support the CIFS Unix |
| 271 | extensions, the default uid (and gid) returned on lookup |
| 272 | of existing files will be the uid (gid) of the person |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 273 | who executed the mount (root, except when mount.cifs |
| 274 | is configured setuid for user mounts) unless the "uid=" |
| 275 | (gid) mount option is specified. For the uid (gid) of newly |
| 276 | created files and directories, ie files created since |
| 277 | the last mount of the server share, the expected uid |
Matt LaPlante | cab0089 | 2006-10-03 22:36:44 +0200 | [diff] [blame] | 278 | (gid) is cached as long as the inode remains in |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 279 | memory on the client. Also note that permission |
| 280 | checks (authorization checks) on accesses to a file occur |
| 281 | at the server, but there are cases in which an administrator |
| 282 | may want to restrict at the client as well. For those |
| 283 | servers which do not report a uid/gid owner |
| 284 | (such as Windows), permissions can also be checked at the |
| 285 | client, and a crude form of client side permission checking |
| 286 | can be enabled by specifying file_mode and dir_mode on |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 287 | the client. Note that the mount.cifs helper must be |
| 288 | at version 1.10 or higher to support specifying the uid |
| 289 | (or gid) in non-numberic form. |
Steve French | 4523cc3 | 2007-04-30 20:13:06 +0000 | [diff] [blame] | 290 | gid Set the default gid for inodes (similar to above). |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 291 | file_mode If CIFS Unix extensions are not supported by the server |
| 292 | this overrides the default mode for file inodes. |
| 293 | dir_mode If CIFS Unix extensions are not supported by the server |
| 294 | this overrides the default mode for directory inodes. |
| 295 | port attempt to contact the server on this tcp port, before |
| 296 | trying the usual ports (port 445, then 139). |
| 297 | iocharset Codepage used to convert local path names to and from |
| 298 | Unicode. Unicode is used by default for network path |
| 299 | names if the server supports it. If iocharset is |
| 300 | not specified then the nls_default specified |
| 301 | during the local client kernel build will be used. |
| 302 | If server does not support Unicode, this parameter is |
| 303 | unused. |
Steve French | 75865f8c | 2007-06-24 18:30:48 +0000 | [diff] [blame] | 304 | rsize default read size (usually 16K). The client currently |
| 305 | can not use rsize larger than CIFSMaxBufSize. CIFSMaxBufSize |
| 306 | defaults to 16K and may be changed (from 8K to the maximum |
| 307 | kmalloc size allowed by your kernel) at module install time |
| 308 | for cifs.ko. Setting CIFSMaxBufSize to a very large value |
| 309 | will cause cifs to use more memory and may reduce performance |
| 310 | in some cases. To use rsize greater than 127K (the original |
| 311 | cifs protocol maximum) also requires that the server support |
| 312 | a new Unix Capability flag (for very large read) which some |
| 313 | newer servers (e.g. Samba 3.0.26 or later) do. rsize can be |
| 314 | set from a minimum of 2048 to a maximum of 130048 (127K or |
| 315 | CIFSMaxBufSize, whichever is smaller) |
| 316 | wsize default write size (default 57344) |
| 317 | maximum wsize currently allowed by CIFS is 57344 (fourteen |
| 318 | 4096 byte pages) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 319 | rw mount the network share read-write (note that the |
| 320 | server may still consider the share read-only) |
| 321 | ro mount network share read-only |
| 322 | version used to distinguish different versions of the |
| 323 | mount helper utility (not typically needed) |
| 324 | sep if first mount option (after the -o), overrides |
| 325 | the comma as the separator between the mount |
| 326 | parms. e.g. |
| 327 | -o user=myname,password=mypassword,domain=mydom |
| 328 | could be passed instead with period as the separator by |
| 329 | -o sep=.user=myname.password=mypassword.domain=mydom |
| 330 | this might be useful when comma is contained within username |
| 331 | or password or domain. This option is less important |
| 332 | when the cifs mount helper cifs.mount (version 1.1 or later) |
| 333 | is used. |
| 334 | nosuid Do not allow remote executables with the suid bit |
| 335 | program to be executed. This is only meaningful for mounts |
| 336 | to servers such as Samba which support the CIFS Unix Extensions. |
| 337 | If you do not trust the servers in your network (your mount |
| 338 | targets) it is recommended that you specify this option for |
| 339 | greater security. |
| 340 | exec Permit execution of binaries on the mount. |
| 341 | noexec Do not permit execution of binaries on the mount. |
| 342 | dev Recognize block devices on the remote mount. |
| 343 | nodev Do not recognize devices on the remote mount. |
| 344 | suid Allow remote files on this mountpoint with suid enabled to |
| 345 | be executed (default for mounts when executed as root, |
| 346 | nosuid is default for user mounts). |
| 347 | credentials Although ignored by the cifs kernel component, it is used by |
| 348 | the mount helper, mount.cifs. When mount.cifs is installed it |
| 349 | opens and reads the credential file specified in order |
| 350 | to obtain the userid and password arguments which are passed to |
| 351 | the cifs vfs. |
| 352 | guest Although ignored by the kernel component, the mount.cifs |
| 353 | mount helper will not prompt the user for a password |
| 354 | if guest is specified on the mount options. If no |
| 355 | password is specified a null password will be used. |
| 356 | perm Client does permission checks (vfs_permission check of uid |
| 357 | and gid of the file against the mode and desired operation), |
| 358 | Note that this is in addition to the normal ACL check on the |
| 359 | target machine done by the server software. |
| 360 | Client permission checking is enabled by default. |
| 361 | noperm Client does not do permission checks. This can expose |
| 362 | files on this mount to access by other users on the local |
| 363 | client system. It is typically only needed when the server |
| 364 | supports the CIFS Unix Extensions but the UIDs/GIDs on the |
| 365 | client and server system do not match closely enough to allow |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 366 | access by the user doing the mount, but it may be useful with |
| 367 | non CIFS Unix Extension mounts for cases in which the default |
| 368 | mode is specified on the mount but is not to be enforced on the |
| 369 | client (e.g. perhaps when MultiUserMount is enabled) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 370 | Note that this does not affect the normal ACL check on the |
| 371 | target machine done by the server software (of the server |
| 372 | ACL against the user name provided at mount time). |
Steve French | 7521a3c | 2007-07-11 18:30:34 +0000 | [diff] [blame^] | 373 | serverino Use server's inode numbers instead of generating automatically |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 374 | incrementing inode numbers on the client. Although this will |
| 375 | make it easier to spot hardlinked files (as they will have |
| 376 | the same inode numbers) and inode numbers may be persistent, |
| 377 | note that the server does not guarantee that the inode numbers |
| 378 | are unique if multiple server side mounts are exported under a |
| 379 | single share (since inode numbers on the servers might not |
| 380 | be unique if multiple filesystems are mounted under the same |
Steve French | 7521a3c | 2007-07-11 18:30:34 +0000 | [diff] [blame^] | 381 | shared higher level directory). Note that some older |
| 382 | (e.g. pre-Windows 2000) do not support returning UniqueIDs |
| 383 | or the CIFS Unix Extensions equivalent and for those |
| 384 | this mount option will have no effect. Exporting cifs mounts |
| 385 | under nfsd requires this mount option on the cifs mount. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 386 | noserverino Client generates inode numbers (rather than using the actual one |
| 387 | from the server) by default. |
| 388 | setuids If the CIFS Unix extensions are negotiated with the server |
| 389 | the client will attempt to set the effective uid and gid of |
| 390 | the local process on newly created files, directories, and |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 391 | devices (create, mkdir, mknod). If the CIFS Unix Extensions |
| 392 | are not negotiated, for newly created files and directories |
Matt LaPlante | cab0089 | 2006-10-03 22:36:44 +0200 | [diff] [blame] | 393 | instead of using the default uid and gid specified on |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 394 | the mount, cache the new file's uid and gid locally which means |
| 395 | that the uid for the file can change when the inode is |
| 396 | reloaded (or the user remounts the share). |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 397 | nosetuids The client will not attempt to set the uid and gid on |
| 398 | on newly created files, directories, and devices (create, |
| 399 | mkdir, mknod) which will result in the server setting the |
| 400 | uid and gid to the default (usually the server uid of the |
Steve French | 67594fe | 2005-05-17 13:04:49 -0500 | [diff] [blame] | 401 | user who mounted the share). Letting the server (rather than |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 402 | the client) set the uid and gid is the default. If the CIFS |
| 403 | Unix Extensions are not negotiated then the uid and gid for |
| 404 | new files will appear to be the uid (gid) of the mounter or the |
| 405 | uid (gid) parameter specified on the mount. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 406 | netbiosname When mounting to servers via port 139, specifies the RFC1001 |
| 407 | source name to use to represent the client netbios machine |
| 408 | name when doing the RFC1001 netbios session initialize. |
| 409 | direct Do not do inode data caching on files opened on this mount. |
| 410 | This precludes mmaping files on this mount. In some cases |
| 411 | with fast networks and little or no caching benefits on the |
| 412 | client (e.g. when the application is doing large sequential |
| 413 | reads bigger than page size without rereading the same data) |
| 414 | this can provide better performance than the default |
Steve French | 67594fe | 2005-05-17 13:04:49 -0500 | [diff] [blame] | 415 | behavior which caches reads (readahead) and writes |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 416 | (writebehind) through the local Linux client pagecache |
| 417 | if oplock (caching token) is granted and held. Note that |
| 418 | direct allows write operations larger than page size |
| 419 | to be sent to the server. |
| 420 | acl Allow setfacl and getfacl to manage posix ACLs if server |
| 421 | supports them. (default) |
| 422 | noacl Do not allow setfacl and getfacl calls on this mount |
| 423 | user_xattr Allow getting and setting user xattrs as OS/2 EAs (extended |
| 424 | attributes) to the server (default) e.g. via setfattr |
| 425 | and getfattr utilities. |
Steve French | ea4c07d | 2006-08-16 19:44:25 +0000 | [diff] [blame] | 426 | nouser_xattr Do not allow getfattr/setfattr to get/set/list xattrs |
Steve French | 737b758 | 2005-04-28 22:41:06 -0700 | [diff] [blame] | 427 | mapchars Translate six of the seven reserved characters (not backslash) |
| 428 | *?<>|: |
Steve French | 6a0b482 | 2005-04-28 22:41:05 -0700 | [diff] [blame] | 429 | to the remap range (above 0xF000), which also |
| 430 | allows the CIFS client to recognize files created with |
| 431 | such characters by Windows's POSIX emulation. This can |
| 432 | also be useful when mounting to most versions of Samba |
| 433 | (which also forbids creating and opening files |
| 434 | whose names contain any of these seven characters). |
| 435 | This has no effect if the server does not support |
| 436 | Unicode on the wire. |
| 437 | nomapchars Do not translate any of these seven characters (default). |
Steve French | c46fa8a | 2005-08-18 20:49:57 -0700 | [diff] [blame] | 438 | nocase Request case insensitive path name matching (case |
| 439 | sensitive is the default if the server suports it). |
Steve French | 82940a4 | 2006-03-02 03:24:57 +0000 | [diff] [blame] | 440 | posixpaths If CIFS Unix extensions are supported, attempt to |
| 441 | negotiate posix path name support which allows certain |
| 442 | characters forbidden in typical CIFS filenames, without |
| 443 | requiring remapping. (default) |
| 444 | noposixpaths If CIFS Unix extensions are supported, do not request |
| 445 | posix path name support (this may cause servers to |
| 446 | reject creatingfile with certain reserved characters). |
Steve French | c46fa8a | 2005-08-18 20:49:57 -0700 | [diff] [blame] | 447 | nobrl Do not send byte range lock requests to the server. |
| 448 | This is necessary for certain applications that break |
| 449 | with cifs style mandatory byte range locks (and most |
| 450 | cifs servers do not yet support requesting advisory |
| 451 | byte range locks). |
Steve French | 0cb766a | 2005-04-28 22:41:11 -0700 | [diff] [blame] | 452 | remount remount the share (often used to change from ro to rw mounts |
| 453 | or vice versa) |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 454 | sfu When the CIFS Unix Extensions are not negotiated, attempt to |
| 455 | create device files and fifos in a format compatible with |
| 456 | Services for Unix (SFU). In addition retrieve bits 10-12 |
| 457 | of the mode via the SETFILEBITS extended attribute (as |
Matt LaPlante | cab0089 | 2006-10-03 22:36:44 +0200 | [diff] [blame] | 458 | SFU does). In the future the bottom 9 bits of the |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 459 | mode also will be emulated using queries of the security |
| 460 | descriptor (ACL). |
Steve French | 750d115 | 2006-06-27 06:28:30 +0000 | [diff] [blame] | 461 | sign Must use packet signing (helps avoid unwanted data modification |
| 462 | by intermediate systems in the route). Note that signing |
| 463 | does not work with lanman or plaintext authentication. |
| 464 | sec Security mode. Allowed values are: |
Steve French | bf82067 | 2005-12-01 22:32:42 -0800 | [diff] [blame] | 465 | none attempt to connection as a null user (no name) |
| 466 | krb5 Use Kerberos version 5 authentication |
| 467 | krb5i Use Kerberos authentication and packet signing |
| 468 | ntlm Use NTLM password hashing (default) |
| 469 | ntlmi Use NTLM password hashing with signing (if |
| 470 | /proc/fs/cifs/PacketSigningEnabled on or if |
| 471 | server requires signing also can be the default) |
| 472 | ntlmv2 Use NTLMv2 password hashing |
| 473 | ntlmv2i Use NTLMv2 password hashing with packet signing |
Steve French | 189acaa | 2006-06-23 02:33:48 +0000 | [diff] [blame] | 474 | lanman (if configured in kernel config) use older |
| 475 | lanman hash |
Steve French | bf82067 | 2005-12-01 22:32:42 -0800 | [diff] [blame] | 476 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 477 | The mount.cifs mount helper also accepts a few mount options before -o |
| 478 | including: |
| 479 | |
| 480 | -S take password from stdin (equivalent to setting the environment |
| 481 | variable "PASSWD_FD=0" |
| 482 | -V print mount.cifs version |
| 483 | -? display simple usage information |
| 484 | |
Jeff Layton | 8426c39 | 2007-05-05 03:27:49 +0000 | [diff] [blame] | 485 | With most 2.6 kernel versions of modutils, the version of the cifs kernel |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 486 | module can be displayed via modinfo. |
| 487 | |
| 488 | Misc /proc/fs/cifs Flags and Debug Info |
| 489 | ======================================= |
| 490 | Informational pseudo-files: |
| 491 | DebugData Displays information about active CIFS sessions |
Steve French | 09d1db5 | 2005-04-28 22:41:08 -0700 | [diff] [blame] | 492 | and shares, as well as the cifs.ko version. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 493 | Stats Lists summary resource usage information as well as per |
| 494 | share statistics, if CONFIG_CIFS_STATS in enabled |
| 495 | in the kernel configuration. |
| 496 | |
| 497 | Configuration pseudo-files: |
| 498 | MultiuserMount If set to one, more than one CIFS session to |
| 499 | the same server ip address can be established |
| 500 | if more than one uid accesses the same mount |
| 501 | point and if the uids user/password mapping |
| 502 | information is available. (default is 0) |
| 503 | PacketSigningEnabled If set to one, cifs packet signing is enabled |
| 504 | and will be used if the server requires |
| 505 | it. If set to two, cifs packet signing is |
| 506 | required even if the server considers packet |
| 507 | signing optional. (default 1) |
Steve French | 254e55e | 2006-06-04 05:53:15 +0000 | [diff] [blame] | 508 | SecurityFlags Flags which control security negotiation and |
| 509 | also packet signing. Authentication (may/must) |
| 510 | flags (e.g. for NTLM and/or NTLMv2) may be combined with |
| 511 | the signing flags. Specifying two different password |
| 512 | hashing mechanisms (as "must use") on the other hand |
| 513 | does not make much sense. Default flags are |
| 514 | 0x07007 |
| 515 | (NTLM, NTLMv2 and packet signing allowed). Maximum |
| 516 | allowable flags if you want to allow mounts to servers |
| 517 | using weaker password hashes is 0x37037 (lanman, |
| 518 | plaintext, ntlm, ntlmv2, signing allowed): |
| 519 | |
| 520 | may use packet signing 0x00001 |
| 521 | must use packet signing 0x01001 |
| 522 | may use NTLM (most common password hash) 0x00002 |
| 523 | must use NTLM 0x02002 |
| 524 | may use NTLMv2 0x00004 |
| 525 | must use NTLMv2 0x04004 |
| 526 | may use Kerberos security (not implemented yet) 0x00008 |
| 527 | must use Kerberos (not implemented yet) 0x08008 |
| 528 | may use lanman (weak) password hash 0x00010 |
| 529 | must use lanman password hash 0x10010 |
| 530 | may use plaintext passwords 0x00020 |
| 531 | must use plaintext passwords 0x20020 |
| 532 | (reserved for future packet encryption) 0x00040 |
| 533 | |
Jeff Layton | 8426c39 | 2007-05-05 03:27:49 +0000 | [diff] [blame] | 534 | cifsFYI If set to non-zero value, additional debug information |
| 535 | will be logged to the system error log. This field |
| 536 | contains three flags controlling different classes of |
| 537 | debugging entries. The maximum value it can be set |
| 538 | to is 7 which enables all debugging points (default 0). |
| 539 | Some debugging statements are not compiled into the |
| 540 | cifs kernel unless CONFIG_CIFS_DEBUG2 is enabled in the |
| 541 | kernel configuration. cifsFYI may be set to one or |
| 542 | nore of the following flags (7 sets them all): |
| 543 | |
| 544 | log cifs informational messages 0x01 |
| 545 | log return codes from cifs entry points 0x02 |
Steve French | 0ec54aa | 2007-05-05 22:08:06 +0000 | [diff] [blame] | 546 | log slow responses (ie which take longer than 1 second) |
| 547 | CONFIG_CIFS_STATS2 must be enabled in .config 0x04 |
Jeff Layton | 8426c39 | 2007-05-05 03:27:49 +0000 | [diff] [blame] | 548 | |
| 549 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 550 | traceSMB If set to one, debug information is logged to the |
| 551 | system error log with the start of smb requests |
| 552 | and responses (default 0) |
| 553 | LookupCacheEnable If set to one, inode information is kept cached |
| 554 | for one second improving performance of lookups |
| 555 | (default 1) |
| 556 | OplockEnabled If set to one, safe distributed caching enabled. |
| 557 | (default 1) |
| 558 | LinuxExtensionsEnabled If set to one then the client will attempt to |
| 559 | use the CIFS "UNIX" extensions which are optional |
| 560 | protocol enhancements that allow CIFS servers |
| 561 | to return accurate UID/GID information as well |
| 562 | as support symbolic links. If you use servers |
| 563 | such as Samba that support the CIFS Unix |
| 564 | extensions but do not want to use symbolic link |
| 565 | support and want to map the uid and gid fields |
| 566 | to values supplied at mount (rather than the |
| 567 | actual values, then set this to zero. (default 1) |
Steve French | 6080823 | 2006-04-22 15:53:05 +0000 | [diff] [blame] | 568 | Experimental When set to 1 used to enable certain experimental |
| 569 | features (currently enables multipage writes |
| 570 | when signing is enabled, the multipage write |
| 571 | performance enhancement was disabled when |
| 572 | signing turned on in case buffer was modified |
| 573 | just before it was sent, also this flag will |
| 574 | be used to use the new experimental sessionsetup |
| 575 | code). |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 576 | |
| 577 | These experimental features and tracing can be enabled by changing flags in |
| 578 | /proc/fs/cifs (after the cifs module has been installed or built into the |
| 579 | kernel, e.g. insmod cifs). To enable a feature set it to 1 e.g. to enable |
| 580 | tracing to the kernel message log type: |
| 581 | |
Steve French | 1047abc | 2005-10-11 19:58:06 -0700 | [diff] [blame] | 582 | echo 7 > /proc/fs/cifs/cifsFYI |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 583 | |
Steve French | 1047abc | 2005-10-11 19:58:06 -0700 | [diff] [blame] | 584 | cifsFYI functions as a bit mask. Setting it to 1 enables additional kernel |
| 585 | logging of various informational messages. 2 enables logging of non-zero |
| 586 | SMB return codes while 4 enables logging of requests that take longer |
| 587 | than one second to complete (except for byte range lock requests). |
| 588 | Setting it to 4 requires defining CONFIG_CIFS_STATS2 manually in the |
| 589 | source code (typically by setting it in the beginning of cifsglob.h), |
| 590 | and setting it to seven enables all three. Finally, tracing |
| 591 | the start of smb requests and responses can be enabled via: |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 592 | |
| 593 | echo 1 > /proc/fs/cifs/traceSMB |
| 594 | |
Steve French | 75865f8c | 2007-06-24 18:30:48 +0000 | [diff] [blame] | 595 | Two other experimental features are under development. To test these |
| 596 | requires enabling CONFIG_CIFS_EXPERIMENTAL |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 597 | |
Steve French | 75865f8c | 2007-06-24 18:30:48 +0000 | [diff] [blame] | 598 | ipv6 enablement |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 599 | |
| 600 | DNOTIFY fcntl: needed for support of directory change |
| 601 | notification and perhaps later for file leases) |
| 602 | |
| 603 | Per share (per client mount) statistics are available in /proc/fs/cifs/Stats |
| 604 | if the kernel was configured with cifs statistics enabled. The statistics |
| 605 | represent the number of successful (ie non-zero return code from the server) |
| 606 | SMB responses to some of the more common commands (open, delete, mkdir etc.). |
| 607 | Also recorded is the total bytes read and bytes written to the server for |
| 608 | that share. Note that due to client caching effects this can be less than the |
| 609 | number of bytes read and written by the application running on the client. |
| 610 | The statistics for the number of total SMBs and oplock breaks are different in |
| 611 | that they represent all for that share, not just those for which the server |
| 612 | returned success. |
| 613 | |
| 614 | Also note that "cat /proc/fs/cifs/DebugData" will display information about |
| 615 | the active sessions and the shares that are mounted. Note: NTLMv2 enablement |
Steve French | 09d1db5 | 2005-04-28 22:41:08 -0700 | [diff] [blame] | 616 | will not work since its implementation is not quite complete yet. Do not alter |
| 617 | the ExtendedSecurity configuration value unless you are doing specific testing. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 618 | Enabling extended security works to Windows 2000 Workstations and XP but not to |
| 619 | Windows 2000 server or Samba since it does not usually send "raw NTLMSSP" |
| 620 | (instead it sends NTLMSSP encapsulated in SPNEGO/GSSAPI, which support is not |
| 621 | complete in the CIFS VFS yet). |