Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | The CIFS VFS support for Linux supports many advanced network filesystem |
Uwe Kleine-König | 1b3c371 | 2007-02-17 19:23:03 +0100 | [diff] [blame] | 2 | features such as hierarchical dfs like namespace, hardlinks, locking and more. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 3 | It was designed to comply with the SNIA CIFS Technical Reference (which |
| 4 | supersedes the 1992 X/Open SMB Standard) as well as to perform best practice |
| 5 | practical interoperability with Windows 2000, Windows XP, Samba and equivalent |
| 6 | servers. |
| 7 | |
| 8 | For questions or bug reports please contact: |
| 9 | sfrench@samba.org (sfrench@us.ibm.com) |
| 10 | |
| 11 | Build instructions: |
| 12 | ================== |
| 13 | For Linux 2.4: |
| 14 | 1) Get the kernel source (e.g.from http://www.kernel.org) |
| 15 | and download the cifs vfs source (see the project page |
| 16 | at http://us1.samba.org/samba/Linux_CIFS_client.html) |
| 17 | and change directory into the top of the kernel directory |
| 18 | then patch the kernel (e.g. "patch -p1 < cifs_24.patch") |
| 19 | to add the cifs vfs to your kernel configure options if |
| 20 | it has not already been added (e.g. current SuSE and UL |
| 21 | users do not need to apply the cifs_24.patch since the cifs vfs is |
| 22 | already in the kernel configure menu) and then |
| 23 | mkdir linux/fs/cifs and then copy the current cifs vfs files from |
| 24 | the cifs download to your kernel build directory e.g. |
| 25 | |
| 26 | cp <cifs_download_dir>/fs/cifs/* to <kernel_download_dir>/fs/cifs |
| 27 | |
| 28 | 2) make menuconfig (or make xconfig) |
| 29 | 3) select cifs from within the network filesystem choices |
| 30 | 4) save and exit |
| 31 | 5) make dep |
| 32 | 6) make modules (or "make" if CIFS VFS not to be built as a module) |
| 33 | |
| 34 | For Linux 2.6: |
Adrian Bunk | dfc1e14 | 2005-05-05 16:15:51 -0700 | [diff] [blame] | 35 | 1) Download the kernel (e.g. from http://www.kernel.org) |
| 36 | and change directory into the top of the kernel directory tree |
| 37 | (e.g. /usr/src/linux-2.5.73) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 38 | 2) make menuconfig (or make xconfig) |
| 39 | 3) select cifs from within the network filesystem choices |
| 40 | 4) save and exit |
| 41 | 5) make |
| 42 | |
| 43 | |
| 44 | Installation instructions: |
| 45 | ========================= |
| 46 | If you have built the CIFS vfs as module (successfully) simply |
| 47 | type "make modules_install" (or if you prefer, manually copy the file to |
| 48 | the modules directory e.g. /lib/modules/2.4.10-4GB/kernel/fs/cifs/cifs.o). |
| 49 | |
| 50 | If you have built the CIFS vfs into the kernel itself, follow the instructions |
| 51 | for your distribution on how to install a new kernel (usually you |
| 52 | would simply type "make install"). |
| 53 | |
| 54 | If you do not have the utility mount.cifs (in the Samba 3.0 source tree and on |
| 55 | the CIFS VFS web site) copy it to the same directory in which mount.smbfs and |
| 56 | similar files reside (usually /sbin). Although the helper software is not |
| 57 | required, mount.cifs is recommended. Eventually the Samba 3.0 utility program |
| 58 | "net" may also be helpful since it may someday provide easier mount syntax for |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame^] | 59 | users who are used to Windows e.g. |
| 60 | net use <mount point> <UNC name or cifs URL> |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 61 | Note that running the Winbind pam/nss module (logon service) on all of your |
| 62 | Linux clients is useful in mapping Uids and Gids consistently across the |
| 63 | domain to the proper network user. The mount.cifs mount helper can be |
| 64 | trivially built from Samba 3.0 or later source e.g. by executing: |
| 65 | |
| 66 | gcc samba/source/client/mount.cifs.c -o mount.cifs |
| 67 | |
| 68 | If cifs is built as a module, then the size and number of network buffers |
| 69 | and maximum number of simultaneous requests to one server can be configured. |
| 70 | Changing these from their defaults is not recommended. By executing modinfo |
| 71 | modinfo kernel/fs/cifs/cifs.ko |
| 72 | on kernel/fs/cifs/cifs.ko the list of configuration changes that can be made |
| 73 | at module initialization time (by running insmod cifs.ko) can be seen. |
| 74 | |
| 75 | Allowing User Mounts |
| 76 | ==================== |
| 77 | To permit users to mount and unmount over directories they own is possible |
| 78 | with the cifs vfs. A way to enable such mounting is to mark the mount.cifs |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 79 | utility as suid (e.g. "chmod +s /sbin/mount.cifs). To enable users to |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 80 | umount shares they mount requires |
| 81 | 1) mount.cifs version 1.4 or later |
| 82 | 2) an entry for the share in /etc/fstab indicating that a user may |
| 83 | unmount it e.g. |
| 84 | //server/usersharename /mnt/username cifs user 0 0 |
| 85 | |
| 86 | Note that when the mount.cifs utility is run suid (allowing user mounts), |
| 87 | in order to reduce risks, the "nosuid" mount flag is passed in on mount to |
| 88 | disallow execution of an suid program mounted on the remote target. |
| 89 | When mount is executed as root, nosuid is not passed in by default, |
| 90 | and execution of suid programs on the remote target would be enabled |
| 91 | by default. This can be changed, as with nfs and other filesystems, |
| 92 | by simply specifying "nosuid" among the mount options. For user mounts |
| 93 | though to be able to pass the suid flag to mount requires rebuilding |
| 94 | mount.cifs with the following flag: |
| 95 | |
| 96 | gcc samba/source/client/mount.cifs.c -DCIFS_ALLOW_USR_SUID -o mount.cifs |
| 97 | |
| 98 | There is a corresponding manual page for cifs mounting in the Samba 3.0 and |
| 99 | later source tree in docs/manpages/mount.cifs.8 |
| 100 | |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 101 | Allowing User Unmounts |
| 102 | ====================== |
| 103 | To permit users to ummount directories that they have user mounted (see above), |
| 104 | the utility umount.cifs may be used. It may be invoked directly, or if |
Steve French | 0cb766a | 2005-04-28 22:41:11 -0700 | [diff] [blame] | 105 | umount.cifs is placed in /sbin, umount can invoke the cifs umount helper |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 106 | (at least for most versions of the umount utility) for umount of cifs |
Steve French | 0cb766a | 2005-04-28 22:41:11 -0700 | [diff] [blame] | 107 | mounts, unless umount is invoked with -i (which will avoid invoking a umount |
| 108 | helper). As with mount.cifs, to enable user unmounts umount.cifs must be marked |
| 109 | as suid (e.g. "chmod +s /sbin/umount.cifs") or equivalent (some distributions |
| 110 | allow adding entries to a file to the /etc/permissions file to achieve the |
| 111 | equivalent suid effect). For this utility to succeed the target path |
| 112 | must be a cifs mount, and the uid of the current user must match the uid |
| 113 | of the user who mounted the resource. |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 114 | |
| 115 | Also note that the customary way of allowing user mounts and unmounts is |
| 116 | (instead of using mount.cifs and unmount.cifs as suid) to add a line |
| 117 | to the file /etc/fstab for each //server/share you wish to mount, but |
| 118 | this can become unwieldy when potential mount targets include many |
| 119 | or unpredictable UNC names. |
| 120 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 121 | Samba Considerations |
| 122 | ==================== |
| 123 | To get the maximum benefit from the CIFS VFS, we recommend using a server that |
| 124 | supports the SNIA CIFS Unix Extensions standard (e.g. Samba 2.2.5 or later or |
| 125 | Samba 3.0) but the CIFS vfs works fine with a wide variety of CIFS servers. |
| 126 | Note that uid, gid and file permissions will display default values if you do |
| 127 | not have a server that supports the Unix extensions for CIFS (such as Samba |
| 128 | 2.2.5 or later). To enable the Unix CIFS Extensions in the Samba server, add |
| 129 | the line: |
| 130 | |
| 131 | unix extensions = yes |
| 132 | |
| 133 | to your smb.conf file on the server. Note that the following smb.conf settings |
| 134 | are also useful (on the Samba server) when the majority of clients are Unix or |
| 135 | Linux: |
| 136 | |
| 137 | case sensitive = yes |
| 138 | delete readonly = yes |
| 139 | ea support = yes |
| 140 | |
| 141 | Note that server ea support is required for supporting xattrs from the Linux |
| 142 | cifs client, and that EA support is present in later versions of Samba (e.g. |
| 143 | 3.0.6 and later (also EA support works in all versions of Windows, at least to |
| 144 | shares on NTFS filesystems). Extended Attribute (xattr) support is an optional |
| 145 | feature of most Linux filesystems which may require enabling via |
| 146 | make menuconfig. Client support for extended attributes (user xattr) can be |
| 147 | disabled on a per-mount basis by specifying "nouser_xattr" on mount. |
| 148 | |
| 149 | The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba servers |
| 150 | version 3.10 and later. Setting POSIX ACLs requires enabling both XATTR and |
| 151 | then POSIX support in the CIFS configuration options when building the cifs |
| 152 | module. POSIX ACL support can be disabled on a per mount basic by specifying |
| 153 | "noacl" on mount. |
| 154 | |
| 155 | Some administrators may want to change Samba's smb.conf "map archive" and |
| 156 | "create mask" parameters from the default. Unless the create mask is changed |
| 157 | newly created files can end up with an unnecessarily restrictive default mode, |
| 158 | which may not be what you want, although if the CIFS Unix extensions are |
| 159 | enabled on the server and client, subsequent setattr calls (e.g. chmod) can |
| 160 | fix the mode. Note that creating special devices (mknod) remotely |
| 161 | may require specifying a mkdev function to Samba if you are not using |
| 162 | Samba 3.0.6 or later. For more information on these see the manual pages |
| 163 | ("man smb.conf") on the Samba server system. Note that the cifs vfs, |
| 164 | unlike the smbfs vfs, does not read the smb.conf on the client system |
| 165 | (the few optional settings are passed in on mount via -o parameters instead). |
| 166 | Note that Samba 2.2.7 or later includes a fix that allows the CIFS VFS to delete |
| 167 | open files (required for strict POSIX compliance). Windows Servers already |
| 168 | supported this feature. Samba server does not allow symlinks that refer to files |
| 169 | outside of the share, so in Samba versions prior to 3.0.6, most symlinks to |
| 170 | files with absolute paths (ie beginning with slash) such as: |
| 171 | ln -s /mnt/foo bar |
| 172 | would be forbidden. Samba 3.0.6 server or later includes the ability to create |
| 173 | such symlinks safely by converting unsafe symlinks (ie symlinks to server |
| 174 | files that are outside of the share) to a samba specific format on the server |
| 175 | that is ignored by local server applications and non-cifs clients and that will |
| 176 | not be traversed by the Samba server). This is opaque to the Linux client |
| 177 | application using the cifs vfs. Absolute symlinks will work to Samba 3.0.5 or |
| 178 | later, but only for remote clients using the CIFS Unix extensions, and will |
| 179 | be invisbile to Windows clients and typically will not affect local |
| 180 | applications running on the same server as Samba. |
| 181 | |
| 182 | Use instructions: |
| 183 | ================ |
| 184 | Once the CIFS VFS support is built into the kernel or installed as a module |
| 185 | (cifs.o), you can use mount syntax like the following to access Samba or Windows |
| 186 | servers: |
| 187 | |
| 188 | mount -t cifs //9.53.216.11/e$ /mnt -o user=myname,pass=mypassword |
| 189 | |
| 190 | Before -o the option -v may be specified to make the mount.cifs |
| 191 | mount helper display the mount steps more verbosely. |
| 192 | After -o the following commonly used cifs vfs specific options |
| 193 | are supported: |
| 194 | |
| 195 | user=<username> |
| 196 | pass=<password> |
| 197 | domain=<domain name> |
| 198 | |
| 199 | Other cifs mount options are described below. Use of TCP names (in addition to |
| 200 | ip addresses) is available if the mount helper (mount.cifs) is installed. If |
| 201 | you do not trust the server to which are mounted, or if you do not have |
| 202 | cifs signing enabled (and the physical network is insecure), consider use |
| 203 | of the standard mount options "noexec" and "nosuid" to reduce the risk of |
| 204 | running an altered binary on your local system (downloaded from a hostile server |
| 205 | or altered by a hostile router). |
| 206 | |
| 207 | Although mounting using format corresponding to the CIFS URL specification is |
| 208 | not possible in mount.cifs yet, it is possible to use an alternate format |
| 209 | for the server and sharename (which is somewhat similar to NFS style mount |
| 210 | syntax) instead of the more widely used UNC format (i.e. \\server\share): |
| 211 | mount -t cifs tcp_name_of_server:share_name /mnt -o user=myname,pass=mypasswd |
| 212 | |
| 213 | When using the mount helper mount.cifs, passwords may be specified via alternate |
| 214 | mechanisms, instead of specifying it after -o using the normal "pass=" syntax |
| 215 | on the command line: |
| 216 | 1) By including it in a credential file. Specify credentials=filename as one |
| 217 | of the mount options. Credential files contain two lines |
| 218 | username=someuser |
| 219 | password=your_password |
| 220 | 2) By specifying the password in the PASSWD environment variable (similarly |
| 221 | the user name can be taken from the USER environment variable). |
| 222 | 3) By specifying the password in a file by name via PASSWD_FILE |
| 223 | 4) By specifying the password in a file by file descriptor via PASSWD_FD |
| 224 | |
| 225 | If no password is provided, mount.cifs will prompt for password entry |
| 226 | |
| 227 | Restrictions |
| 228 | ============ |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 229 | Servers must support either "pure-TCP" (port 445 TCP/IP CIFS connections) or RFC |
Jeff Layton | cea2180 | 2007-11-20 23:19:03 +0000 | [diff] [blame] | 230 | 1001/1002 support for "Netbios-Over-TCP/IP." This is not likely to be a |
| 231 | problem as most servers support this. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 232 | |
| 233 | Valid filenames differ between Windows and Linux. Windows typically restricts |
| 234 | filenames which contain certain reserved characters (e.g.the character : |
| 235 | which is used to delimit the beginning of a stream name by Windows), while |
| 236 | Linux allows a slightly wider set of valid characters in filenames. Windows |
| 237 | servers can remap such characters when an explicit mapping is specified in |
| 238 | the Server's registry. Samba starting with version 3.10 will allow such |
| 239 | filenames (ie those which contain valid Linux characters, which normally |
| 240 | would be forbidden for Windows/CIFS semantics) as long as the server is |
| 241 | configured for Unix Extensions (and the client has not disabled |
| 242 | /proc/fs/cifs/LinuxExtensionsEnabled). |
| 243 | |
| 244 | |
| 245 | CIFS VFS Mount Options |
| 246 | ====================== |
| 247 | A partial list of the supported mount options follows: |
| 248 | user The user name to use when trying to establish |
| 249 | the CIFS session. |
| 250 | password The user password. If the mount helper is |
| 251 | installed, the user will be prompted for password |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame^] | 252 | if not supplied. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 253 | ip The ip address of the target server |
| 254 | unc The target server Universal Network Name (export) to |
| 255 | mount. |
| 256 | domain Set the SMB/CIFS workgroup name prepended to the |
| 257 | username during CIFS session establishment |
Steve French | 4523cc3 | 2007-04-30 20:13:06 +0000 | [diff] [blame] | 258 | uid Set the default uid for inodes. For mounts to servers |
| 259 | which do support the CIFS Unix extensions, such as a |
| 260 | properly configured Samba server, the server provides |
| 261 | the uid, gid and mode so this parameter should not be |
| 262 | specified unless the server and clients uid and gid |
| 263 | numbering differ. If the server and client are in the |
| 264 | same domain (e.g. running winbind or nss_ldap) and |
| 265 | the server supports the Unix Extensions then the uid |
| 266 | and gid can be retrieved from the server (and uid |
| 267 | and gid would not have to be specifed on the mount. |
| 268 | For servers which do not support the CIFS Unix |
| 269 | extensions, the default uid (and gid) returned on lookup |
| 270 | of existing files will be the uid (gid) of the person |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 271 | who executed the mount (root, except when mount.cifs |
| 272 | is configured setuid for user mounts) unless the "uid=" |
| 273 | (gid) mount option is specified. For the uid (gid) of newly |
| 274 | created files and directories, ie files created since |
| 275 | the last mount of the server share, the expected uid |
Matt LaPlante | cab0089 | 2006-10-03 22:36:44 +0200 | [diff] [blame] | 276 | (gid) is cached as long as the inode remains in |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 277 | memory on the client. Also note that permission |
| 278 | checks (authorization checks) on accesses to a file occur |
| 279 | at the server, but there are cases in which an administrator |
| 280 | may want to restrict at the client as well. For those |
| 281 | servers which do not report a uid/gid owner |
| 282 | (such as Windows), permissions can also be checked at the |
| 283 | client, and a crude form of client side permission checking |
| 284 | can be enabled by specifying file_mode and dir_mode on |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 285 | the client. Note that the mount.cifs helper must be |
| 286 | at version 1.10 or higher to support specifying the uid |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame^] | 287 | (or gid) in non-numeric form. |
Steve French | 4523cc3 | 2007-04-30 20:13:06 +0000 | [diff] [blame] | 288 | gid Set the default gid for inodes (similar to above). |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 289 | file_mode If CIFS Unix extensions are not supported by the server |
| 290 | this overrides the default mode for file inodes. |
| 291 | dir_mode If CIFS Unix extensions are not supported by the server |
| 292 | this overrides the default mode for directory inodes. |
| 293 | port attempt to contact the server on this tcp port, before |
| 294 | trying the usual ports (port 445, then 139). |
| 295 | iocharset Codepage used to convert local path names to and from |
| 296 | Unicode. Unicode is used by default for network path |
| 297 | names if the server supports it. If iocharset is |
| 298 | not specified then the nls_default specified |
| 299 | during the local client kernel build will be used. |
| 300 | If server does not support Unicode, this parameter is |
| 301 | unused. |
Steve French | 75865f8c | 2007-06-24 18:30:48 +0000 | [diff] [blame] | 302 | rsize default read size (usually 16K). The client currently |
| 303 | can not use rsize larger than CIFSMaxBufSize. CIFSMaxBufSize |
| 304 | defaults to 16K and may be changed (from 8K to the maximum |
| 305 | kmalloc size allowed by your kernel) at module install time |
| 306 | for cifs.ko. Setting CIFSMaxBufSize to a very large value |
| 307 | will cause cifs to use more memory and may reduce performance |
| 308 | in some cases. To use rsize greater than 127K (the original |
| 309 | cifs protocol maximum) also requires that the server support |
| 310 | a new Unix Capability flag (for very large read) which some |
| 311 | newer servers (e.g. Samba 3.0.26 or later) do. rsize can be |
| 312 | set from a minimum of 2048 to a maximum of 130048 (127K or |
| 313 | CIFSMaxBufSize, whichever is smaller) |
| 314 | wsize default write size (default 57344) |
| 315 | maximum wsize currently allowed by CIFS is 57344 (fourteen |
| 316 | 4096 byte pages) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 317 | rw mount the network share read-write (note that the |
| 318 | server may still consider the share read-only) |
| 319 | ro mount network share read-only |
| 320 | version used to distinguish different versions of the |
| 321 | mount helper utility (not typically needed) |
| 322 | sep if first mount option (after the -o), overrides |
| 323 | the comma as the separator between the mount |
| 324 | parms. e.g. |
| 325 | -o user=myname,password=mypassword,domain=mydom |
| 326 | could be passed instead with period as the separator by |
| 327 | -o sep=.user=myname.password=mypassword.domain=mydom |
| 328 | this might be useful when comma is contained within username |
| 329 | or password or domain. This option is less important |
| 330 | when the cifs mount helper cifs.mount (version 1.1 or later) |
| 331 | is used. |
| 332 | nosuid Do not allow remote executables with the suid bit |
| 333 | program to be executed. This is only meaningful for mounts |
| 334 | to servers such as Samba which support the CIFS Unix Extensions. |
| 335 | If you do not trust the servers in your network (your mount |
| 336 | targets) it is recommended that you specify this option for |
| 337 | greater security. |
| 338 | exec Permit execution of binaries on the mount. |
| 339 | noexec Do not permit execution of binaries on the mount. |
| 340 | dev Recognize block devices on the remote mount. |
| 341 | nodev Do not recognize devices on the remote mount. |
| 342 | suid Allow remote files on this mountpoint with suid enabled to |
| 343 | be executed (default for mounts when executed as root, |
| 344 | nosuid is default for user mounts). |
| 345 | credentials Although ignored by the cifs kernel component, it is used by |
| 346 | the mount helper, mount.cifs. When mount.cifs is installed it |
| 347 | opens and reads the credential file specified in order |
| 348 | to obtain the userid and password arguments which are passed to |
| 349 | the cifs vfs. |
| 350 | guest Although ignored by the kernel component, the mount.cifs |
| 351 | mount helper will not prompt the user for a password |
| 352 | if guest is specified on the mount options. If no |
| 353 | password is specified a null password will be used. |
| 354 | perm Client does permission checks (vfs_permission check of uid |
| 355 | and gid of the file against the mode and desired operation), |
| 356 | Note that this is in addition to the normal ACL check on the |
| 357 | target machine done by the server software. |
| 358 | Client permission checking is enabled by default. |
| 359 | noperm Client does not do permission checks. This can expose |
| 360 | files on this mount to access by other users on the local |
| 361 | client system. It is typically only needed when the server |
| 362 | supports the CIFS Unix Extensions but the UIDs/GIDs on the |
| 363 | client and server system do not match closely enough to allow |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 364 | access by the user doing the mount, but it may be useful with |
| 365 | non CIFS Unix Extension mounts for cases in which the default |
| 366 | mode is specified on the mount but is not to be enforced on the |
| 367 | client (e.g. perhaps when MultiUserMount is enabled) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 368 | Note that this does not affect the normal ACL check on the |
| 369 | target machine done by the server software (of the server |
| 370 | ACL against the user name provided at mount time). |
Steve French | 7521a3c | 2007-07-11 18:30:34 +0000 | [diff] [blame] | 371 | serverino Use server's inode numbers instead of generating automatically |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 372 | incrementing inode numbers on the client. Although this will |
| 373 | make it easier to spot hardlinked files (as they will have |
| 374 | the same inode numbers) and inode numbers may be persistent, |
| 375 | note that the server does not guarantee that the inode numbers |
| 376 | are unique if multiple server side mounts are exported under a |
| 377 | single share (since inode numbers on the servers might not |
| 378 | be unique if multiple filesystems are mounted under the same |
Steve French | 7521a3c | 2007-07-11 18:30:34 +0000 | [diff] [blame] | 379 | shared higher level directory). Note that some older |
| 380 | (e.g. pre-Windows 2000) do not support returning UniqueIDs |
| 381 | or the CIFS Unix Extensions equivalent and for those |
| 382 | this mount option will have no effect. Exporting cifs mounts |
| 383 | under nfsd requires this mount option on the cifs mount. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 384 | noserverino Client generates inode numbers (rather than using the actual one |
| 385 | from the server) by default. |
| 386 | setuids If the CIFS Unix extensions are negotiated with the server |
| 387 | the client will attempt to set the effective uid and gid of |
| 388 | the local process on newly created files, directories, and |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 389 | devices (create, mkdir, mknod). If the CIFS Unix Extensions |
| 390 | are not negotiated, for newly created files and directories |
Matt LaPlante | cab0089 | 2006-10-03 22:36:44 +0200 | [diff] [blame] | 391 | instead of using the default uid and gid specified on |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 392 | the mount, cache the new file's uid and gid locally which means |
| 393 | that the uid for the file can change when the inode is |
| 394 | reloaded (or the user remounts the share). |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 395 | nosetuids The client will not attempt to set the uid and gid on |
| 396 | on newly created files, directories, and devices (create, |
| 397 | mkdir, mknod) which will result in the server setting the |
| 398 | uid and gid to the default (usually the server uid of the |
Steve French | 67594fe | 2005-05-17 13:04:49 -0500 | [diff] [blame] | 399 | user who mounted the share). Letting the server (rather than |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 400 | the client) set the uid and gid is the default. If the CIFS |
| 401 | Unix Extensions are not negotiated then the uid and gid for |
| 402 | new files will appear to be the uid (gid) of the mounter or the |
| 403 | uid (gid) parameter specified on the mount. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 404 | netbiosname When mounting to servers via port 139, specifies the RFC1001 |
| 405 | source name to use to represent the client netbios machine |
| 406 | name when doing the RFC1001 netbios session initialize. |
| 407 | direct Do not do inode data caching on files opened on this mount. |
| 408 | This precludes mmaping files on this mount. In some cases |
| 409 | with fast networks and little or no caching benefits on the |
| 410 | client (e.g. when the application is doing large sequential |
| 411 | reads bigger than page size without rereading the same data) |
| 412 | this can provide better performance than the default |
Steve French | 67594fe | 2005-05-17 13:04:49 -0500 | [diff] [blame] | 413 | behavior which caches reads (readahead) and writes |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 414 | (writebehind) through the local Linux client pagecache |
| 415 | if oplock (caching token) is granted and held. Note that |
| 416 | direct allows write operations larger than page size |
| 417 | to be sent to the server. |
| 418 | acl Allow setfacl and getfacl to manage posix ACLs if server |
| 419 | supports them. (default) |
| 420 | noacl Do not allow setfacl and getfacl calls on this mount |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame^] | 421 | user_xattr Allow getting and setting user xattrs (those attributes whose |
| 422 | name begins with "user." or "os2.") as OS/2 EAs (extended |
| 423 | attributes) to the server. This allows support of the |
| 424 | setfattr and getfattr utilities. (default) |
Steve French | ea4c07d | 2006-08-16 19:44:25 +0000 | [diff] [blame] | 425 | nouser_xattr Do not allow getfattr/setfattr to get/set/list xattrs |
Steve French | 737b758 | 2005-04-28 22:41:06 -0700 | [diff] [blame] | 426 | mapchars Translate six of the seven reserved characters (not backslash) |
| 427 | *?<>|: |
Steve French | 6a0b482 | 2005-04-28 22:41:05 -0700 | [diff] [blame] | 428 | to the remap range (above 0xF000), which also |
| 429 | allows the CIFS client to recognize files created with |
| 430 | such characters by Windows's POSIX emulation. This can |
| 431 | also be useful when mounting to most versions of Samba |
| 432 | (which also forbids creating and opening files |
| 433 | whose names contain any of these seven characters). |
| 434 | This has no effect if the server does not support |
| 435 | Unicode on the wire. |
| 436 | nomapchars Do not translate any of these seven characters (default). |
Steve French | c46fa8a | 2005-08-18 20:49:57 -0700 | [diff] [blame] | 437 | nocase Request case insensitive path name matching (case |
| 438 | sensitive is the default if the server suports it). |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame^] | 439 | (mount option "ignorecase" is identical to "nocase") |
Steve French | 82940a4 | 2006-03-02 03:24:57 +0000 | [diff] [blame] | 440 | posixpaths If CIFS Unix extensions are supported, attempt to |
| 441 | negotiate posix path name support which allows certain |
| 442 | characters forbidden in typical CIFS filenames, without |
| 443 | requiring remapping. (default) |
| 444 | noposixpaths If CIFS Unix extensions are supported, do not request |
| 445 | posix path name support (this may cause servers to |
| 446 | reject creatingfile with certain reserved characters). |
Steve French | a403a0a | 2007-07-26 15:54:16 +0000 | [diff] [blame] | 447 | nounix Disable the CIFS Unix Extensions for this mount (tree |
| 448 | connection). This is rarely needed, but it may be useful |
| 449 | in order to turn off multiple settings all at once (ie |
| 450 | posix acls, posix locks, posix paths, symlink support |
| 451 | and retrieving uids/gids/mode from the server) or to |
| 452 | work around a bug in server which implement the Unix |
| 453 | Extensions. |
Steve French | c46fa8a | 2005-08-18 20:49:57 -0700 | [diff] [blame] | 454 | nobrl Do not send byte range lock requests to the server. |
| 455 | This is necessary for certain applications that break |
| 456 | with cifs style mandatory byte range locks (and most |
| 457 | cifs servers do not yet support requesting advisory |
| 458 | byte range locks). |
Steve French | 0cb766a | 2005-04-28 22:41:11 -0700 | [diff] [blame] | 459 | remount remount the share (often used to change from ro to rw mounts |
| 460 | or vice versa) |
Jeff Layton | cea2180 | 2007-11-20 23:19:03 +0000 | [diff] [blame] | 461 | cifsacl Report mode bits (e.g. on stat) based on the Windows ACL for |
| 462 | the file. (EXPERIMENTAL) |
Cyrill Gorcunov | 5e6e623 | 2007-08-18 00:15:20 +0000 | [diff] [blame] | 463 | servern Specify the server 's netbios name (RFC1001 name) to use |
| 464 | when attempting to setup a session to the server. This is |
| 465 | This is needed for mounting to some older servers (such |
| 466 | as OS/2 or Windows 98 and Windows ME) since they do not |
| 467 | support a default server name. A server name can be up |
| 468 | to 15 characters long and is usually uppercased. |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 469 | sfu When the CIFS Unix Extensions are not negotiated, attempt to |
| 470 | create device files and fifos in a format compatible with |
| 471 | Services for Unix (SFU). In addition retrieve bits 10-12 |
| 472 | of the mode via the SETFILEBITS extended attribute (as |
Matt LaPlante | cab0089 | 2006-10-03 22:36:44 +0200 | [diff] [blame] | 473 | SFU does). In the future the bottom 9 bits of the |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 474 | mode also will be emulated using queries of the security |
| 475 | descriptor (ACL). |
Steve French | 750d115 | 2006-06-27 06:28:30 +0000 | [diff] [blame] | 476 | sign Must use packet signing (helps avoid unwanted data modification |
| 477 | by intermediate systems in the route). Note that signing |
| 478 | does not work with lanman or plaintext authentication. |
| 479 | sec Security mode. Allowed values are: |
Steve French | bf82067 | 2005-12-01 22:32:42 -0800 | [diff] [blame] | 480 | none attempt to connection as a null user (no name) |
| 481 | krb5 Use Kerberos version 5 authentication |
| 482 | krb5i Use Kerberos authentication and packet signing |
| 483 | ntlm Use NTLM password hashing (default) |
| 484 | ntlmi Use NTLM password hashing with signing (if |
| 485 | /proc/fs/cifs/PacketSigningEnabled on or if |
| 486 | server requires signing also can be the default) |
| 487 | ntlmv2 Use NTLMv2 password hashing |
| 488 | ntlmv2i Use NTLMv2 password hashing with packet signing |
Steve French | 189acaa | 2006-06-23 02:33:48 +0000 | [diff] [blame] | 489 | lanman (if configured in kernel config) use older |
| 490 | lanman hash |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame^] | 491 | hard Retry file operations if server is not responding |
| 492 | soft Limit retries to unresponsive servers (usually only |
| 493 | one retry) before returning an error. (default) |
Steve French | bf82067 | 2005-12-01 22:32:42 -0800 | [diff] [blame] | 494 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 495 | The mount.cifs mount helper also accepts a few mount options before -o |
| 496 | including: |
| 497 | |
| 498 | -S take password from stdin (equivalent to setting the environment |
| 499 | variable "PASSWD_FD=0" |
| 500 | -V print mount.cifs version |
| 501 | -? display simple usage information |
| 502 | |
Jeff Layton | 8426c39 | 2007-05-05 03:27:49 +0000 | [diff] [blame] | 503 | With most 2.6 kernel versions of modutils, the version of the cifs kernel |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 504 | module can be displayed via modinfo. |
| 505 | |
| 506 | Misc /proc/fs/cifs Flags and Debug Info |
| 507 | ======================================= |
| 508 | Informational pseudo-files: |
| 509 | DebugData Displays information about active CIFS sessions |
Steve French | 09d1db5 | 2005-04-28 22:41:08 -0700 | [diff] [blame] | 510 | and shares, as well as the cifs.ko version. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 511 | Stats Lists summary resource usage information as well as per |
| 512 | share statistics, if CONFIG_CIFS_STATS in enabled |
| 513 | in the kernel configuration. |
| 514 | |
| 515 | Configuration pseudo-files: |
| 516 | MultiuserMount If set to one, more than one CIFS session to |
| 517 | the same server ip address can be established |
| 518 | if more than one uid accesses the same mount |
| 519 | point and if the uids user/password mapping |
| 520 | information is available. (default is 0) |
| 521 | PacketSigningEnabled If set to one, cifs packet signing is enabled |
| 522 | and will be used if the server requires |
| 523 | it. If set to two, cifs packet signing is |
| 524 | required even if the server considers packet |
| 525 | signing optional. (default 1) |
Steve French | 254e55e | 2006-06-04 05:53:15 +0000 | [diff] [blame] | 526 | SecurityFlags Flags which control security negotiation and |
| 527 | also packet signing. Authentication (may/must) |
| 528 | flags (e.g. for NTLM and/or NTLMv2) may be combined with |
| 529 | the signing flags. Specifying two different password |
| 530 | hashing mechanisms (as "must use") on the other hand |
| 531 | does not make much sense. Default flags are |
| 532 | 0x07007 |
| 533 | (NTLM, NTLMv2 and packet signing allowed). Maximum |
| 534 | allowable flags if you want to allow mounts to servers |
| 535 | using weaker password hashes is 0x37037 (lanman, |
| 536 | plaintext, ntlm, ntlmv2, signing allowed): |
| 537 | |
| 538 | may use packet signing 0x00001 |
| 539 | must use packet signing 0x01001 |
| 540 | may use NTLM (most common password hash) 0x00002 |
| 541 | must use NTLM 0x02002 |
| 542 | may use NTLMv2 0x00004 |
| 543 | must use NTLMv2 0x04004 |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame^] | 544 | may use Kerberos security 0x00008 |
| 545 | must use Kerberos 0x08008 |
Steve French | 254e55e | 2006-06-04 05:53:15 +0000 | [diff] [blame] | 546 | may use lanman (weak) password hash 0x00010 |
| 547 | must use lanman password hash 0x10010 |
| 548 | may use plaintext passwords 0x00020 |
| 549 | must use plaintext passwords 0x20020 |
| 550 | (reserved for future packet encryption) 0x00040 |
| 551 | |
Jeff Layton | 8426c39 | 2007-05-05 03:27:49 +0000 | [diff] [blame] | 552 | cifsFYI If set to non-zero value, additional debug information |
| 553 | will be logged to the system error log. This field |
| 554 | contains three flags controlling different classes of |
| 555 | debugging entries. The maximum value it can be set |
| 556 | to is 7 which enables all debugging points (default 0). |
| 557 | Some debugging statements are not compiled into the |
| 558 | cifs kernel unless CONFIG_CIFS_DEBUG2 is enabled in the |
| 559 | kernel configuration. cifsFYI may be set to one or |
| 560 | nore of the following flags (7 sets them all): |
| 561 | |
| 562 | log cifs informational messages 0x01 |
| 563 | log return codes from cifs entry points 0x02 |
Steve French | 0ec54aa | 2007-05-05 22:08:06 +0000 | [diff] [blame] | 564 | log slow responses (ie which take longer than 1 second) |
| 565 | CONFIG_CIFS_STATS2 must be enabled in .config 0x04 |
Jeff Layton | 8426c39 | 2007-05-05 03:27:49 +0000 | [diff] [blame] | 566 | |
| 567 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 568 | traceSMB If set to one, debug information is logged to the |
| 569 | system error log with the start of smb requests |
| 570 | and responses (default 0) |
| 571 | LookupCacheEnable If set to one, inode information is kept cached |
| 572 | for one second improving performance of lookups |
| 573 | (default 1) |
| 574 | OplockEnabled If set to one, safe distributed caching enabled. |
| 575 | (default 1) |
| 576 | LinuxExtensionsEnabled If set to one then the client will attempt to |
| 577 | use the CIFS "UNIX" extensions which are optional |
| 578 | protocol enhancements that allow CIFS servers |
| 579 | to return accurate UID/GID information as well |
| 580 | as support symbolic links. If you use servers |
| 581 | such as Samba that support the CIFS Unix |
| 582 | extensions but do not want to use symbolic link |
| 583 | support and want to map the uid and gid fields |
| 584 | to values supplied at mount (rather than the |
| 585 | actual values, then set this to zero. (default 1) |
Steve French | 6080823 | 2006-04-22 15:53:05 +0000 | [diff] [blame] | 586 | Experimental When set to 1 used to enable certain experimental |
| 587 | features (currently enables multipage writes |
| 588 | when signing is enabled, the multipage write |
| 589 | performance enhancement was disabled when |
| 590 | signing turned on in case buffer was modified |
| 591 | just before it was sent, also this flag will |
Jeff Layton | cea2180 | 2007-11-20 23:19:03 +0000 | [diff] [blame] | 592 | be used to use the new experimental directory change |
| 593 | notification code). |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 594 | |
| 595 | These experimental features and tracing can be enabled by changing flags in |
| 596 | /proc/fs/cifs (after the cifs module has been installed or built into the |
| 597 | kernel, e.g. insmod cifs). To enable a feature set it to 1 e.g. to enable |
| 598 | tracing to the kernel message log type: |
| 599 | |
Steve French | 1047abc | 2005-10-11 19:58:06 -0700 | [diff] [blame] | 600 | echo 7 > /proc/fs/cifs/cifsFYI |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 601 | |
Steve French | 1047abc | 2005-10-11 19:58:06 -0700 | [diff] [blame] | 602 | cifsFYI functions as a bit mask. Setting it to 1 enables additional kernel |
| 603 | logging of various informational messages. 2 enables logging of non-zero |
| 604 | SMB return codes while 4 enables logging of requests that take longer |
| 605 | than one second to complete (except for byte range lock requests). |
| 606 | Setting it to 4 requires defining CONFIG_CIFS_STATS2 manually in the |
| 607 | source code (typically by setting it in the beginning of cifsglob.h), |
| 608 | and setting it to seven enables all three. Finally, tracing |
| 609 | the start of smb requests and responses can be enabled via: |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 610 | |
| 611 | echo 1 > /proc/fs/cifs/traceSMB |
| 612 | |
Steve French | 75865f8c | 2007-06-24 18:30:48 +0000 | [diff] [blame] | 613 | Two other experimental features are under development. To test these |
| 614 | requires enabling CONFIG_CIFS_EXPERIMENTAL |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 615 | |
Jeff Layton | cea2180 | 2007-11-20 23:19:03 +0000 | [diff] [blame] | 616 | cifsacl support needed to retrieve approximated mode bits based on |
| 617 | the contents on the CIFS ACL. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 618 | |
| 619 | DNOTIFY fcntl: needed for support of directory change |
| 620 | notification and perhaps later for file leases) |
| 621 | |
| 622 | Per share (per client mount) statistics are available in /proc/fs/cifs/Stats |
| 623 | if the kernel was configured with cifs statistics enabled. The statistics |
| 624 | represent the number of successful (ie non-zero return code from the server) |
| 625 | SMB responses to some of the more common commands (open, delete, mkdir etc.). |
| 626 | Also recorded is the total bytes read and bytes written to the server for |
| 627 | that share. Note that due to client caching effects this can be less than the |
| 628 | number of bytes read and written by the application running on the client. |
| 629 | The statistics for the number of total SMBs and oplock breaks are different in |
| 630 | that they represent all for that share, not just those for which the server |
| 631 | returned success. |
| 632 | |
| 633 | Also note that "cat /proc/fs/cifs/DebugData" will display information about |
Jeff Layton | cea2180 | 2007-11-20 23:19:03 +0000 | [diff] [blame] | 634 | the active sessions and the shares that are mounted. |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame^] | 635 | Enabling Kerberos (extended security) works when CONFIG_CIFS_EXPERIMENTAL is |
| 636 | on but requires a user space helper (from the Samba project). NTLM and NTLMv2 and |
| 637 | LANMAN support do not require this helper. |