Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | The CIFS VFS support for Linux supports many advanced network filesystem |
Uwe Kleine-König | 1b3c371 | 2007-02-17 19:23:03 +0100 | [diff] [blame] | 2 | features such as hierarchical dfs like namespace, hardlinks, locking and more. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 3 | It was designed to comply with the SNIA CIFS Technical Reference (which |
| 4 | supersedes the 1992 X/Open SMB Standard) as well as to perform best practice |
| 5 | practical interoperability with Windows 2000, Windows XP, Samba and equivalent |
Steve French | 675c467 | 2008-04-17 23:41:01 +0000 | [diff] [blame] | 6 | servers. This code was developed in participation with the Protocol Freedom |
| 7 | Information Foundation. |
| 8 | |
| 9 | Please see |
| 10 | http://protocolfreedom.org/ and |
| 11 | http://samba.org/samba/PFIF/ |
| 12 | for more details. |
| 13 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 14 | |
| 15 | For questions or bug reports please contact: |
| 16 | sfrench@samba.org (sfrench@us.ibm.com) |
| 17 | |
| 18 | Build instructions: |
| 19 | ================== |
| 20 | For Linux 2.4: |
| 21 | 1) Get the kernel source (e.g.from http://www.kernel.org) |
| 22 | and download the cifs vfs source (see the project page |
| 23 | at http://us1.samba.org/samba/Linux_CIFS_client.html) |
| 24 | and change directory into the top of the kernel directory |
| 25 | then patch the kernel (e.g. "patch -p1 < cifs_24.patch") |
| 26 | to add the cifs vfs to your kernel configure options if |
| 27 | it has not already been added (e.g. current SuSE and UL |
| 28 | users do not need to apply the cifs_24.patch since the cifs vfs is |
| 29 | already in the kernel configure menu) and then |
| 30 | mkdir linux/fs/cifs and then copy the current cifs vfs files from |
| 31 | the cifs download to your kernel build directory e.g. |
| 32 | |
| 33 | cp <cifs_download_dir>/fs/cifs/* to <kernel_download_dir>/fs/cifs |
| 34 | |
| 35 | 2) make menuconfig (or make xconfig) |
| 36 | 3) select cifs from within the network filesystem choices |
| 37 | 4) save and exit |
| 38 | 5) make dep |
| 39 | 6) make modules (or "make" if CIFS VFS not to be built as a module) |
| 40 | |
| 41 | For Linux 2.6: |
Adrian Bunk | dfc1e14 | 2005-05-05 16:15:51 -0700 | [diff] [blame] | 42 | 1) Download the kernel (e.g. from http://www.kernel.org) |
| 43 | and change directory into the top of the kernel directory tree |
| 44 | (e.g. /usr/src/linux-2.5.73) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 45 | 2) make menuconfig (or make xconfig) |
| 46 | 3) select cifs from within the network filesystem choices |
| 47 | 4) save and exit |
| 48 | 5) make |
| 49 | |
| 50 | |
| 51 | Installation instructions: |
| 52 | ========================= |
| 53 | If you have built the CIFS vfs as module (successfully) simply |
| 54 | type "make modules_install" (or if you prefer, manually copy the file to |
| 55 | the modules directory e.g. /lib/modules/2.4.10-4GB/kernel/fs/cifs/cifs.o). |
| 56 | |
| 57 | If you have built the CIFS vfs into the kernel itself, follow the instructions |
| 58 | for your distribution on how to install a new kernel (usually you |
| 59 | would simply type "make install"). |
| 60 | |
| 61 | If you do not have the utility mount.cifs (in the Samba 3.0 source tree and on |
| 62 | the CIFS VFS web site) copy it to the same directory in which mount.smbfs and |
| 63 | similar files reside (usually /sbin). Although the helper software is not |
| 64 | required, mount.cifs is recommended. Eventually the Samba 3.0 utility program |
| 65 | "net" may also be helpful since it may someday provide easier mount syntax for |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame] | 66 | users who are used to Windows e.g. |
| 67 | net use <mount point> <UNC name or cifs URL> |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 68 | Note that running the Winbind pam/nss module (logon service) on all of your |
| 69 | Linux clients is useful in mapping Uids and Gids consistently across the |
| 70 | domain to the proper network user. The mount.cifs mount helper can be |
| 71 | trivially built from Samba 3.0 or later source e.g. by executing: |
| 72 | |
| 73 | gcc samba/source/client/mount.cifs.c -o mount.cifs |
| 74 | |
| 75 | If cifs is built as a module, then the size and number of network buffers |
| 76 | and maximum number of simultaneous requests to one server can be configured. |
| 77 | Changing these from their defaults is not recommended. By executing modinfo |
| 78 | modinfo kernel/fs/cifs/cifs.ko |
| 79 | on kernel/fs/cifs/cifs.ko the list of configuration changes that can be made |
| 80 | at module initialization time (by running insmod cifs.ko) can be seen. |
| 81 | |
| 82 | Allowing User Mounts |
| 83 | ==================== |
| 84 | To permit users to mount and unmount over directories they own is possible |
| 85 | with the cifs vfs. A way to enable such mounting is to mark the mount.cifs |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 86 | utility as suid (e.g. "chmod +s /sbin/mount.cifs). To enable users to |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 87 | umount shares they mount requires |
| 88 | 1) mount.cifs version 1.4 or later |
| 89 | 2) an entry for the share in /etc/fstab indicating that a user may |
| 90 | unmount it e.g. |
| 91 | //server/usersharename /mnt/username cifs user 0 0 |
| 92 | |
| 93 | Note that when the mount.cifs utility is run suid (allowing user mounts), |
| 94 | in order to reduce risks, the "nosuid" mount flag is passed in on mount to |
| 95 | disallow execution of an suid program mounted on the remote target. |
| 96 | When mount is executed as root, nosuid is not passed in by default, |
| 97 | and execution of suid programs on the remote target would be enabled |
| 98 | by default. This can be changed, as with nfs and other filesystems, |
| 99 | by simply specifying "nosuid" among the mount options. For user mounts |
| 100 | though to be able to pass the suid flag to mount requires rebuilding |
| 101 | mount.cifs with the following flag: |
| 102 | |
| 103 | gcc samba/source/client/mount.cifs.c -DCIFS_ALLOW_USR_SUID -o mount.cifs |
| 104 | |
| 105 | There is a corresponding manual page for cifs mounting in the Samba 3.0 and |
| 106 | later source tree in docs/manpages/mount.cifs.8 |
| 107 | |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 108 | Allowing User Unmounts |
| 109 | ====================== |
| 110 | To permit users to ummount directories that they have user mounted (see above), |
| 111 | the utility umount.cifs may be used. It may be invoked directly, or if |
Steve French | 0cb766a | 2005-04-28 22:41:11 -0700 | [diff] [blame] | 112 | umount.cifs is placed in /sbin, umount can invoke the cifs umount helper |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 113 | (at least for most versions of the umount utility) for umount of cifs |
Steve French | 0cb766a | 2005-04-28 22:41:11 -0700 | [diff] [blame] | 114 | mounts, unless umount is invoked with -i (which will avoid invoking a umount |
| 115 | helper). As with mount.cifs, to enable user unmounts umount.cifs must be marked |
| 116 | as suid (e.g. "chmod +s /sbin/umount.cifs") or equivalent (some distributions |
| 117 | allow adding entries to a file to the /etc/permissions file to achieve the |
| 118 | equivalent suid effect). For this utility to succeed the target path |
| 119 | must be a cifs mount, and the uid of the current user must match the uid |
| 120 | of the user who mounted the resource. |
Steve French | 099a58f | 2005-04-28 22:41:07 -0700 | [diff] [blame] | 121 | |
| 122 | Also note that the customary way of allowing user mounts and unmounts is |
| 123 | (instead of using mount.cifs and unmount.cifs as suid) to add a line |
| 124 | to the file /etc/fstab for each //server/share you wish to mount, but |
| 125 | this can become unwieldy when potential mount targets include many |
| 126 | or unpredictable UNC names. |
| 127 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 128 | Samba Considerations |
| 129 | ==================== |
| 130 | To get the maximum benefit from the CIFS VFS, we recommend using a server that |
| 131 | supports the SNIA CIFS Unix Extensions standard (e.g. Samba 2.2.5 or later or |
| 132 | Samba 3.0) but the CIFS vfs works fine with a wide variety of CIFS servers. |
| 133 | Note that uid, gid and file permissions will display default values if you do |
| 134 | not have a server that supports the Unix extensions for CIFS (such as Samba |
| 135 | 2.2.5 or later). To enable the Unix CIFS Extensions in the Samba server, add |
| 136 | the line: |
| 137 | |
| 138 | unix extensions = yes |
| 139 | |
| 140 | to your smb.conf file on the server. Note that the following smb.conf settings |
| 141 | are also useful (on the Samba server) when the majority of clients are Unix or |
| 142 | Linux: |
| 143 | |
| 144 | case sensitive = yes |
| 145 | delete readonly = yes |
| 146 | ea support = yes |
| 147 | |
| 148 | Note that server ea support is required for supporting xattrs from the Linux |
| 149 | cifs client, and that EA support is present in later versions of Samba (e.g. |
| 150 | 3.0.6 and later (also EA support works in all versions of Windows, at least to |
| 151 | shares on NTFS filesystems). Extended Attribute (xattr) support is an optional |
| 152 | feature of most Linux filesystems which may require enabling via |
| 153 | make menuconfig. Client support for extended attributes (user xattr) can be |
| 154 | disabled on a per-mount basis by specifying "nouser_xattr" on mount. |
| 155 | |
| 156 | The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba servers |
| 157 | version 3.10 and later. Setting POSIX ACLs requires enabling both XATTR and |
| 158 | then POSIX support in the CIFS configuration options when building the cifs |
| 159 | module. POSIX ACL support can be disabled on a per mount basic by specifying |
| 160 | "noacl" on mount. |
| 161 | |
| 162 | Some administrators may want to change Samba's smb.conf "map archive" and |
| 163 | "create mask" parameters from the default. Unless the create mask is changed |
| 164 | newly created files can end up with an unnecessarily restrictive default mode, |
| 165 | which may not be what you want, although if the CIFS Unix extensions are |
| 166 | enabled on the server and client, subsequent setattr calls (e.g. chmod) can |
| 167 | fix the mode. Note that creating special devices (mknod) remotely |
| 168 | may require specifying a mkdev function to Samba if you are not using |
| 169 | Samba 3.0.6 or later. For more information on these see the manual pages |
| 170 | ("man smb.conf") on the Samba server system. Note that the cifs vfs, |
| 171 | unlike the smbfs vfs, does not read the smb.conf on the client system |
| 172 | (the few optional settings are passed in on mount via -o parameters instead). |
| 173 | Note that Samba 2.2.7 or later includes a fix that allows the CIFS VFS to delete |
| 174 | open files (required for strict POSIX compliance). Windows Servers already |
| 175 | supported this feature. Samba server does not allow symlinks that refer to files |
| 176 | outside of the share, so in Samba versions prior to 3.0.6, most symlinks to |
| 177 | files with absolute paths (ie beginning with slash) such as: |
| 178 | ln -s /mnt/foo bar |
| 179 | would be forbidden. Samba 3.0.6 server or later includes the ability to create |
| 180 | such symlinks safely by converting unsafe symlinks (ie symlinks to server |
| 181 | files that are outside of the share) to a samba specific format on the server |
| 182 | that is ignored by local server applications and non-cifs clients and that will |
| 183 | not be traversed by the Samba server). This is opaque to the Linux client |
| 184 | application using the cifs vfs. Absolute symlinks will work to Samba 3.0.5 or |
| 185 | later, but only for remote clients using the CIFS Unix extensions, and will |
| 186 | be invisbile to Windows clients and typically will not affect local |
| 187 | applications running on the same server as Samba. |
| 188 | |
| 189 | Use instructions: |
| 190 | ================ |
| 191 | Once the CIFS VFS support is built into the kernel or installed as a module |
| 192 | (cifs.o), you can use mount syntax like the following to access Samba or Windows |
| 193 | servers: |
| 194 | |
| 195 | mount -t cifs //9.53.216.11/e$ /mnt -o user=myname,pass=mypassword |
| 196 | |
| 197 | Before -o the option -v may be specified to make the mount.cifs |
| 198 | mount helper display the mount steps more verbosely. |
| 199 | After -o the following commonly used cifs vfs specific options |
| 200 | are supported: |
| 201 | |
| 202 | user=<username> |
| 203 | pass=<password> |
| 204 | domain=<domain name> |
| 205 | |
| 206 | Other cifs mount options are described below. Use of TCP names (in addition to |
| 207 | ip addresses) is available if the mount helper (mount.cifs) is installed. If |
| 208 | you do not trust the server to which are mounted, or if you do not have |
| 209 | cifs signing enabled (and the physical network is insecure), consider use |
| 210 | of the standard mount options "noexec" and "nosuid" to reduce the risk of |
| 211 | running an altered binary on your local system (downloaded from a hostile server |
| 212 | or altered by a hostile router). |
| 213 | |
| 214 | Although mounting using format corresponding to the CIFS URL specification is |
| 215 | not possible in mount.cifs yet, it is possible to use an alternate format |
| 216 | for the server and sharename (which is somewhat similar to NFS style mount |
| 217 | syntax) instead of the more widely used UNC format (i.e. \\server\share): |
| 218 | mount -t cifs tcp_name_of_server:share_name /mnt -o user=myname,pass=mypasswd |
| 219 | |
| 220 | When using the mount helper mount.cifs, passwords may be specified via alternate |
| 221 | mechanisms, instead of specifying it after -o using the normal "pass=" syntax |
| 222 | on the command line: |
| 223 | 1) By including it in a credential file. Specify credentials=filename as one |
| 224 | of the mount options. Credential files contain two lines |
| 225 | username=someuser |
| 226 | password=your_password |
| 227 | 2) By specifying the password in the PASSWD environment variable (similarly |
| 228 | the user name can be taken from the USER environment variable). |
| 229 | 3) By specifying the password in a file by name via PASSWD_FILE |
| 230 | 4) By specifying the password in a file by file descriptor via PASSWD_FD |
| 231 | |
| 232 | If no password is provided, mount.cifs will prompt for password entry |
| 233 | |
| 234 | Restrictions |
| 235 | ============ |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 236 | Servers must support either "pure-TCP" (port 445 TCP/IP CIFS connections) or RFC |
Jeff Layton | cea2180 | 2007-11-20 23:19:03 +0000 | [diff] [blame] | 237 | 1001/1002 support for "Netbios-Over-TCP/IP." This is not likely to be a |
| 238 | problem as most servers support this. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 239 | |
| 240 | Valid filenames differ between Windows and Linux. Windows typically restricts |
| 241 | filenames which contain certain reserved characters (e.g.the character : |
| 242 | which is used to delimit the beginning of a stream name by Windows), while |
| 243 | Linux allows a slightly wider set of valid characters in filenames. Windows |
| 244 | servers can remap such characters when an explicit mapping is specified in |
| 245 | the Server's registry. Samba starting with version 3.10 will allow such |
| 246 | filenames (ie those which contain valid Linux characters, which normally |
| 247 | would be forbidden for Windows/CIFS semantics) as long as the server is |
| 248 | configured for Unix Extensions (and the client has not disabled |
| 249 | /proc/fs/cifs/LinuxExtensionsEnabled). |
| 250 | |
| 251 | |
| 252 | CIFS VFS Mount Options |
| 253 | ====================== |
| 254 | A partial list of the supported mount options follows: |
| 255 | user The user name to use when trying to establish |
| 256 | the CIFS session. |
| 257 | password The user password. If the mount helper is |
| 258 | installed, the user will be prompted for password |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame] | 259 | if not supplied. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 260 | ip The ip address of the target server |
| 261 | unc The target server Universal Network Name (export) to |
| 262 | mount. |
| 263 | domain Set the SMB/CIFS workgroup name prepended to the |
| 264 | username during CIFS session establishment |
Steve French | 4523cc3 | 2007-04-30 20:13:06 +0000 | [diff] [blame] | 265 | uid Set the default uid for inodes. For mounts to servers |
| 266 | which do support the CIFS Unix extensions, such as a |
| 267 | properly configured Samba server, the server provides |
| 268 | the uid, gid and mode so this parameter should not be |
| 269 | specified unless the server and clients uid and gid |
| 270 | numbering differ. If the server and client are in the |
| 271 | same domain (e.g. running winbind or nss_ldap) and |
| 272 | the server supports the Unix Extensions then the uid |
| 273 | and gid can be retrieved from the server (and uid |
| 274 | and gid would not have to be specifed on the mount. |
| 275 | For servers which do not support the CIFS Unix |
| 276 | extensions, the default uid (and gid) returned on lookup |
| 277 | of existing files will be the uid (gid) of the person |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 278 | who executed the mount (root, except when mount.cifs |
| 279 | is configured setuid for user mounts) unless the "uid=" |
| 280 | (gid) mount option is specified. For the uid (gid) of newly |
| 281 | created files and directories, ie files created since |
| 282 | the last mount of the server share, the expected uid |
Matt LaPlante | cab0089 | 2006-10-03 22:36:44 +0200 | [diff] [blame] | 283 | (gid) is cached as long as the inode remains in |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 284 | memory on the client. Also note that permission |
| 285 | checks (authorization checks) on accesses to a file occur |
| 286 | at the server, but there are cases in which an administrator |
| 287 | may want to restrict at the client as well. For those |
| 288 | servers which do not report a uid/gid owner |
| 289 | (such as Windows), permissions can also be checked at the |
| 290 | client, and a crude form of client side permission checking |
| 291 | can be enabled by specifying file_mode and dir_mode on |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 292 | the client. Note that the mount.cifs helper must be |
| 293 | at version 1.10 or higher to support specifying the uid |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame] | 294 | (or gid) in non-numeric form. |
Steve French | 4523cc3 | 2007-04-30 20:13:06 +0000 | [diff] [blame] | 295 | gid Set the default gid for inodes (similar to above). |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 296 | file_mode If CIFS Unix extensions are not supported by the server |
| 297 | this overrides the default mode for file inodes. |
| 298 | dir_mode If CIFS Unix extensions are not supported by the server |
| 299 | this overrides the default mode for directory inodes. |
| 300 | port attempt to contact the server on this tcp port, before |
| 301 | trying the usual ports (port 445, then 139). |
| 302 | iocharset Codepage used to convert local path names to and from |
| 303 | Unicode. Unicode is used by default for network path |
| 304 | names if the server supports it. If iocharset is |
| 305 | not specified then the nls_default specified |
| 306 | during the local client kernel build will be used. |
| 307 | If server does not support Unicode, this parameter is |
| 308 | unused. |
Steve French | 75865f8 | 2007-06-24 18:30:48 +0000 | [diff] [blame] | 309 | rsize default read size (usually 16K). The client currently |
| 310 | can not use rsize larger than CIFSMaxBufSize. CIFSMaxBufSize |
| 311 | defaults to 16K and may be changed (from 8K to the maximum |
| 312 | kmalloc size allowed by your kernel) at module install time |
| 313 | for cifs.ko. Setting CIFSMaxBufSize to a very large value |
| 314 | will cause cifs to use more memory and may reduce performance |
| 315 | in some cases. To use rsize greater than 127K (the original |
| 316 | cifs protocol maximum) also requires that the server support |
| 317 | a new Unix Capability flag (for very large read) which some |
| 318 | newer servers (e.g. Samba 3.0.26 or later) do. rsize can be |
| 319 | set from a minimum of 2048 to a maximum of 130048 (127K or |
| 320 | CIFSMaxBufSize, whichever is smaller) |
| 321 | wsize default write size (default 57344) |
| 322 | maximum wsize currently allowed by CIFS is 57344 (fourteen |
| 323 | 4096 byte pages) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 324 | rw mount the network share read-write (note that the |
| 325 | server may still consider the share read-only) |
| 326 | ro mount network share read-only |
| 327 | version used to distinguish different versions of the |
| 328 | mount helper utility (not typically needed) |
| 329 | sep if first mount option (after the -o), overrides |
| 330 | the comma as the separator between the mount |
| 331 | parms. e.g. |
| 332 | -o user=myname,password=mypassword,domain=mydom |
| 333 | could be passed instead with period as the separator by |
| 334 | -o sep=.user=myname.password=mypassword.domain=mydom |
| 335 | this might be useful when comma is contained within username |
| 336 | or password or domain. This option is less important |
| 337 | when the cifs mount helper cifs.mount (version 1.1 or later) |
| 338 | is used. |
| 339 | nosuid Do not allow remote executables with the suid bit |
| 340 | program to be executed. This is only meaningful for mounts |
| 341 | to servers such as Samba which support the CIFS Unix Extensions. |
| 342 | If you do not trust the servers in your network (your mount |
| 343 | targets) it is recommended that you specify this option for |
| 344 | greater security. |
| 345 | exec Permit execution of binaries on the mount. |
| 346 | noexec Do not permit execution of binaries on the mount. |
| 347 | dev Recognize block devices on the remote mount. |
| 348 | nodev Do not recognize devices on the remote mount. |
| 349 | suid Allow remote files on this mountpoint with suid enabled to |
| 350 | be executed (default for mounts when executed as root, |
| 351 | nosuid is default for user mounts). |
| 352 | credentials Although ignored by the cifs kernel component, it is used by |
| 353 | the mount helper, mount.cifs. When mount.cifs is installed it |
| 354 | opens and reads the credential file specified in order |
| 355 | to obtain the userid and password arguments which are passed to |
| 356 | the cifs vfs. |
| 357 | guest Although ignored by the kernel component, the mount.cifs |
| 358 | mount helper will not prompt the user for a password |
| 359 | if guest is specified on the mount options. If no |
| 360 | password is specified a null password will be used. |
| 361 | perm Client does permission checks (vfs_permission check of uid |
| 362 | and gid of the file against the mode and desired operation), |
| 363 | Note that this is in addition to the normal ACL check on the |
| 364 | target machine done by the server software. |
| 365 | Client permission checking is enabled by default. |
| 366 | noperm Client does not do permission checks. This can expose |
| 367 | files on this mount to access by other users on the local |
| 368 | client system. It is typically only needed when the server |
| 369 | supports the CIFS Unix Extensions but the UIDs/GIDs on the |
| 370 | client and server system do not match closely enough to allow |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 371 | access by the user doing the mount, but it may be useful with |
| 372 | non CIFS Unix Extension mounts for cases in which the default |
| 373 | mode is specified on the mount but is not to be enforced on the |
| 374 | client (e.g. perhaps when MultiUserMount is enabled) |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 375 | Note that this does not affect the normal ACL check on the |
| 376 | target machine done by the server software (of the server |
| 377 | ACL against the user name provided at mount time). |
Steve French | 7521a3c | 2007-07-11 18:30:34 +0000 | [diff] [blame] | 378 | serverino Use server's inode numbers instead of generating automatically |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 379 | incrementing inode numbers on the client. Although this will |
| 380 | make it easier to spot hardlinked files (as they will have |
| 381 | the same inode numbers) and inode numbers may be persistent, |
| 382 | note that the server does not guarantee that the inode numbers |
| 383 | are unique if multiple server side mounts are exported under a |
| 384 | single share (since inode numbers on the servers might not |
| 385 | be unique if multiple filesystems are mounted under the same |
Steve French | 7521a3c | 2007-07-11 18:30:34 +0000 | [diff] [blame] | 386 | shared higher level directory). Note that some older |
| 387 | (e.g. pre-Windows 2000) do not support returning UniqueIDs |
| 388 | or the CIFS Unix Extensions equivalent and for those |
| 389 | this mount option will have no effect. Exporting cifs mounts |
| 390 | under nfsd requires this mount option on the cifs mount. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 391 | noserverino Client generates inode numbers (rather than using the actual one |
| 392 | from the server) by default. |
| 393 | setuids If the CIFS Unix extensions are negotiated with the server |
| 394 | the client will attempt to set the effective uid and gid of |
| 395 | the local process on newly created files, directories, and |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 396 | devices (create, mkdir, mknod). If the CIFS Unix Extensions |
| 397 | are not negotiated, for newly created files and directories |
Matt LaPlante | cab0089 | 2006-10-03 22:36:44 +0200 | [diff] [blame] | 398 | instead of using the default uid and gid specified on |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 399 | the mount, cache the new file's uid and gid locally which means |
| 400 | that the uid for the file can change when the inode is |
| 401 | reloaded (or the user remounts the share). |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 402 | nosetuids The client will not attempt to set the uid and gid on |
| 403 | on newly created files, directories, and devices (create, |
| 404 | mkdir, mknod) which will result in the server setting the |
| 405 | uid and gid to the default (usually the server uid of the |
Steve French | 67594fe | 2005-05-17 13:04:49 -0500 | [diff] [blame] | 406 | user who mounted the share). Letting the server (rather than |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 407 | the client) set the uid and gid is the default. If the CIFS |
| 408 | Unix Extensions are not negotiated then the uid and gid for |
| 409 | new files will appear to be the uid (gid) of the mounter or the |
| 410 | uid (gid) parameter specified on the mount. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 411 | netbiosname When mounting to servers via port 139, specifies the RFC1001 |
| 412 | source name to use to represent the client netbios machine |
| 413 | name when doing the RFC1001 netbios session initialize. |
| 414 | direct Do not do inode data caching on files opened on this mount. |
| 415 | This precludes mmaping files on this mount. In some cases |
| 416 | with fast networks and little or no caching benefits on the |
| 417 | client (e.g. when the application is doing large sequential |
| 418 | reads bigger than page size without rereading the same data) |
| 419 | this can provide better performance than the default |
Steve French | 67594fe | 2005-05-17 13:04:49 -0500 | [diff] [blame] | 420 | behavior which caches reads (readahead) and writes |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 421 | (writebehind) through the local Linux client pagecache |
| 422 | if oplock (caching token) is granted and held. Note that |
| 423 | direct allows write operations larger than page size |
| 424 | to be sent to the server. |
| 425 | acl Allow setfacl and getfacl to manage posix ACLs if server |
| 426 | supports them. (default) |
| 427 | noacl Do not allow setfacl and getfacl calls on this mount |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame] | 428 | user_xattr Allow getting and setting user xattrs (those attributes whose |
| 429 | name begins with "user." or "os2.") as OS/2 EAs (extended |
| 430 | attributes) to the server. This allows support of the |
| 431 | setfattr and getfattr utilities. (default) |
Steve French | ea4c07d | 2006-08-16 19:44:25 +0000 | [diff] [blame] | 432 | nouser_xattr Do not allow getfattr/setfattr to get/set/list xattrs |
Steve French | 737b758 | 2005-04-28 22:41:06 -0700 | [diff] [blame] | 433 | mapchars Translate six of the seven reserved characters (not backslash) |
| 434 | *?<>|: |
Steve French | 6a0b482 | 2005-04-28 22:41:05 -0700 | [diff] [blame] | 435 | to the remap range (above 0xF000), which also |
| 436 | allows the CIFS client to recognize files created with |
| 437 | such characters by Windows's POSIX emulation. This can |
| 438 | also be useful when mounting to most versions of Samba |
| 439 | (which also forbids creating and opening files |
| 440 | whose names contain any of these seven characters). |
| 441 | This has no effect if the server does not support |
| 442 | Unicode on the wire. |
| 443 | nomapchars Do not translate any of these seven characters (default). |
Steve French | c46fa8a | 2005-08-18 20:49:57 -0700 | [diff] [blame] | 444 | nocase Request case insensitive path name matching (case |
| 445 | sensitive is the default if the server suports it). |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame] | 446 | (mount option "ignorecase" is identical to "nocase") |
Steve French | 82940a4 | 2006-03-02 03:24:57 +0000 | [diff] [blame] | 447 | posixpaths If CIFS Unix extensions are supported, attempt to |
| 448 | negotiate posix path name support which allows certain |
| 449 | characters forbidden in typical CIFS filenames, without |
| 450 | requiring remapping. (default) |
| 451 | noposixpaths If CIFS Unix extensions are supported, do not request |
| 452 | posix path name support (this may cause servers to |
| 453 | reject creatingfile with certain reserved characters). |
Steve French | a403a0a | 2007-07-26 15:54:16 +0000 | [diff] [blame] | 454 | nounix Disable the CIFS Unix Extensions for this mount (tree |
| 455 | connection). This is rarely needed, but it may be useful |
| 456 | in order to turn off multiple settings all at once (ie |
| 457 | posix acls, posix locks, posix paths, symlink support |
| 458 | and retrieving uids/gids/mode from the server) or to |
| 459 | work around a bug in server which implement the Unix |
| 460 | Extensions. |
Steve French | c46fa8a | 2005-08-18 20:49:57 -0700 | [diff] [blame] | 461 | nobrl Do not send byte range lock requests to the server. |
| 462 | This is necessary for certain applications that break |
| 463 | with cifs style mandatory byte range locks (and most |
| 464 | cifs servers do not yet support requesting advisory |
| 465 | byte range locks). |
Steve French | 0cb766a | 2005-04-28 22:41:11 -0700 | [diff] [blame] | 466 | remount remount the share (often used to change from ro to rw mounts |
| 467 | or vice versa) |
Jeff Layton | cea2180 | 2007-11-20 23:19:03 +0000 | [diff] [blame] | 468 | cifsacl Report mode bits (e.g. on stat) based on the Windows ACL for |
| 469 | the file. (EXPERIMENTAL) |
Cyrill Gorcunov | 5e6e623 | 2007-08-18 00:15:20 +0000 | [diff] [blame] | 470 | servern Specify the server 's netbios name (RFC1001 name) to use |
Steve French | ad7a292 | 2008-02-07 23:25:02 +0000 | [diff] [blame] | 471 | when attempting to setup a session to the server. |
Cyrill Gorcunov | 5e6e623 | 2007-08-18 00:15:20 +0000 | [diff] [blame] | 472 | This is needed for mounting to some older servers (such |
| 473 | as OS/2 or Windows 98 and Windows ME) since they do not |
| 474 | support a default server name. A server name can be up |
| 475 | to 15 characters long and is usually uppercased. |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 476 | sfu When the CIFS Unix Extensions are not negotiated, attempt to |
| 477 | create device files and fifos in a format compatible with |
| 478 | Services for Unix (SFU). In addition retrieve bits 10-12 |
| 479 | of the mode via the SETFILEBITS extended attribute (as |
Matt LaPlante | cab0089 | 2006-10-03 22:36:44 +0200 | [diff] [blame] | 480 | SFU does). In the future the bottom 9 bits of the |
Steve French | 6473a55 | 2005-11-29 20:20:10 -0800 | [diff] [blame] | 481 | mode also will be emulated using queries of the security |
| 482 | descriptor (ACL). |
Steve French | 750d115 | 2006-06-27 06:28:30 +0000 | [diff] [blame] | 483 | sign Must use packet signing (helps avoid unwanted data modification |
| 484 | by intermediate systems in the route). Note that signing |
| 485 | does not work with lanman or plaintext authentication. |
Steve French | 95b1cb9 | 2008-05-15 16:44:38 +0000 | [diff] [blame] | 486 | seal Must seal (encrypt) all data on this mounted share before |
| 487 | sending on the network. Requires support for Unix Extensions. |
| 488 | Note that this differs from the sign mount option in that it |
| 489 | causes encryption of data sent over this mounted share but other |
| 490 | shares mounted to the same server are unaffected. |
Steve French | 750d115 | 2006-06-27 06:28:30 +0000 | [diff] [blame] | 491 | sec Security mode. Allowed values are: |
Steve French | bf82067 | 2005-12-01 22:32:42 -0800 | [diff] [blame] | 492 | none attempt to connection as a null user (no name) |
| 493 | krb5 Use Kerberos version 5 authentication |
| 494 | krb5i Use Kerberos authentication and packet signing |
| 495 | ntlm Use NTLM password hashing (default) |
| 496 | ntlmi Use NTLM password hashing with signing (if |
| 497 | /proc/fs/cifs/PacketSigningEnabled on or if |
| 498 | server requires signing also can be the default) |
| 499 | ntlmv2 Use NTLMv2 password hashing |
| 500 | ntlmv2i Use NTLMv2 password hashing with packet signing |
Steve French | 189acaa | 2006-06-23 02:33:48 +0000 | [diff] [blame] | 501 | lanman (if configured in kernel config) use older |
| 502 | lanman hash |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame] | 503 | hard Retry file operations if server is not responding |
| 504 | soft Limit retries to unresponsive servers (usually only |
| 505 | one retry) before returning an error. (default) |
Steve French | bf82067 | 2005-12-01 22:32:42 -0800 | [diff] [blame] | 506 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 507 | The mount.cifs mount helper also accepts a few mount options before -o |
| 508 | including: |
| 509 | |
| 510 | -S take password from stdin (equivalent to setting the environment |
| 511 | variable "PASSWD_FD=0" |
| 512 | -V print mount.cifs version |
| 513 | -? display simple usage information |
| 514 | |
Jeff Layton | 8426c39 | 2007-05-05 03:27:49 +0000 | [diff] [blame] | 515 | With most 2.6 kernel versions of modutils, the version of the cifs kernel |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 516 | module can be displayed via modinfo. |
| 517 | |
| 518 | Misc /proc/fs/cifs Flags and Debug Info |
| 519 | ======================================= |
| 520 | Informational pseudo-files: |
| 521 | DebugData Displays information about active CIFS sessions |
Steve French | 09d1db5 | 2005-04-28 22:41:08 -0700 | [diff] [blame] | 522 | and shares, as well as the cifs.ko version. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 523 | Stats Lists summary resource usage information as well as per |
| 524 | share statistics, if CONFIG_CIFS_STATS in enabled |
| 525 | in the kernel configuration. |
| 526 | |
| 527 | Configuration pseudo-files: |
| 528 | MultiuserMount If set to one, more than one CIFS session to |
| 529 | the same server ip address can be established |
| 530 | if more than one uid accesses the same mount |
| 531 | point and if the uids user/password mapping |
| 532 | information is available. (default is 0) |
| 533 | PacketSigningEnabled If set to one, cifs packet signing is enabled |
| 534 | and will be used if the server requires |
| 535 | it. If set to two, cifs packet signing is |
| 536 | required even if the server considers packet |
| 537 | signing optional. (default 1) |
Steve French | 254e55e | 2006-06-04 05:53:15 +0000 | [diff] [blame] | 538 | SecurityFlags Flags which control security negotiation and |
| 539 | also packet signing. Authentication (may/must) |
| 540 | flags (e.g. for NTLM and/or NTLMv2) may be combined with |
| 541 | the signing flags. Specifying two different password |
| 542 | hashing mechanisms (as "must use") on the other hand |
| 543 | does not make much sense. Default flags are |
| 544 | 0x07007 |
Steve French | 2e65502 | 2008-08-28 15:30:06 +0000 | [diff] [blame] | 545 | (NTLM, NTLMv2 and packet signing allowed). The maximum |
Steve French | 254e55e | 2006-06-04 05:53:15 +0000 | [diff] [blame] | 546 | allowable flags if you want to allow mounts to servers |
| 547 | using weaker password hashes is 0x37037 (lanman, |
Steve French | 2e65502 | 2008-08-28 15:30:06 +0000 | [diff] [blame] | 548 | plaintext, ntlm, ntlmv2, signing allowed). Some |
| 549 | SecurityFlags require the corresponding menuconfig |
| 550 | options to be enabled (lanman and plaintext require |
| 551 | CONFIG_CIFS_WEAK_PW_HASH for example). Enabling |
| 552 | plaintext authentication currently requires also |
| 553 | enabling lanman authentication in the security flags |
| 554 | because the cifs module only supports sending |
| 555 | laintext passwords using the older lanman dialect |
| 556 | form of the session setup SMB. (e.g. for authentication |
| 557 | using plain text passwords, set the SecurityFlags |
| 558 | to 0x30030): |
Steve French | 254e55e | 2006-06-04 05:53:15 +0000 | [diff] [blame] | 559 | |
| 560 | may use packet signing 0x00001 |
| 561 | must use packet signing 0x01001 |
| 562 | may use NTLM (most common password hash) 0x00002 |
| 563 | must use NTLM 0x02002 |
| 564 | may use NTLMv2 0x00004 |
| 565 | must use NTLMv2 0x04004 |
Steve French | f6d0998 | 2008-01-08 23:18:22 +0000 | [diff] [blame] | 566 | may use Kerberos security 0x00008 |
| 567 | must use Kerberos 0x08008 |
Steve French | 254e55e | 2006-06-04 05:53:15 +0000 | [diff] [blame] | 568 | may use lanman (weak) password hash 0x00010 |
| 569 | must use lanman password hash 0x10010 |
| 570 | may use plaintext passwords 0x00020 |
| 571 | must use plaintext passwords 0x20020 |
| 572 | (reserved for future packet encryption) 0x00040 |
| 573 | |
Jeff Layton | 8426c39 | 2007-05-05 03:27:49 +0000 | [diff] [blame] | 574 | cifsFYI If set to non-zero value, additional debug information |
| 575 | will be logged to the system error log. This field |
| 576 | contains three flags controlling different classes of |
| 577 | debugging entries. The maximum value it can be set |
| 578 | to is 7 which enables all debugging points (default 0). |
| 579 | Some debugging statements are not compiled into the |
| 580 | cifs kernel unless CONFIG_CIFS_DEBUG2 is enabled in the |
| 581 | kernel configuration. cifsFYI may be set to one or |
| 582 | nore of the following flags (7 sets them all): |
| 583 | |
| 584 | log cifs informational messages 0x01 |
| 585 | log return codes from cifs entry points 0x02 |
Steve French | 0ec54aa | 2007-05-05 22:08:06 +0000 | [diff] [blame] | 586 | log slow responses (ie which take longer than 1 second) |
| 587 | CONFIG_CIFS_STATS2 must be enabled in .config 0x04 |
Jeff Layton | 8426c39 | 2007-05-05 03:27:49 +0000 | [diff] [blame] | 588 | |
| 589 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 590 | traceSMB If set to one, debug information is logged to the |
| 591 | system error log with the start of smb requests |
| 592 | and responses (default 0) |
| 593 | LookupCacheEnable If set to one, inode information is kept cached |
| 594 | for one second improving performance of lookups |
| 595 | (default 1) |
| 596 | OplockEnabled If set to one, safe distributed caching enabled. |
| 597 | (default 1) |
| 598 | LinuxExtensionsEnabled If set to one then the client will attempt to |
| 599 | use the CIFS "UNIX" extensions which are optional |
| 600 | protocol enhancements that allow CIFS servers |
| 601 | to return accurate UID/GID information as well |
| 602 | as support symbolic links. If you use servers |
| 603 | such as Samba that support the CIFS Unix |
| 604 | extensions but do not want to use symbolic link |
| 605 | support and want to map the uid and gid fields |
| 606 | to values supplied at mount (rather than the |
| 607 | actual values, then set this to zero. (default 1) |
Steve French | 6080823 | 2006-04-22 15:53:05 +0000 | [diff] [blame] | 608 | Experimental When set to 1 used to enable certain experimental |
| 609 | features (currently enables multipage writes |
| 610 | when signing is enabled, the multipage write |
| 611 | performance enhancement was disabled when |
| 612 | signing turned on in case buffer was modified |
| 613 | just before it was sent, also this flag will |
Jeff Layton | cea2180 | 2007-11-20 23:19:03 +0000 | [diff] [blame] | 614 | be used to use the new experimental directory change |
| 615 | notification code). |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 616 | |
| 617 | These experimental features and tracing can be enabled by changing flags in |
| 618 | /proc/fs/cifs (after the cifs module has been installed or built into the |
| 619 | kernel, e.g. insmod cifs). To enable a feature set it to 1 e.g. to enable |
| 620 | tracing to the kernel message log type: |
| 621 | |
Steve French | 1047abc | 2005-10-11 19:58:06 -0700 | [diff] [blame] | 622 | echo 7 > /proc/fs/cifs/cifsFYI |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 623 | |
Steve French | 1047abc | 2005-10-11 19:58:06 -0700 | [diff] [blame] | 624 | cifsFYI functions as a bit mask. Setting it to 1 enables additional kernel |
| 625 | logging of various informational messages. 2 enables logging of non-zero |
| 626 | SMB return codes while 4 enables logging of requests that take longer |
| 627 | than one second to complete (except for byte range lock requests). |
| 628 | Setting it to 4 requires defining CONFIG_CIFS_STATS2 manually in the |
| 629 | source code (typically by setting it in the beginning of cifsglob.h), |
| 630 | and setting it to seven enables all three. Finally, tracing |
| 631 | the start of smb requests and responses can be enabled via: |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 632 | |
| 633 | echo 1 > /proc/fs/cifs/traceSMB |
| 634 | |
Steve French | 75865f8 | 2007-06-24 18:30:48 +0000 | [diff] [blame] | 635 | Two other experimental features are under development. To test these |
| 636 | requires enabling CONFIG_CIFS_EXPERIMENTAL |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 637 | |
Jeff Layton | cea2180 | 2007-11-20 23:19:03 +0000 | [diff] [blame] | 638 | cifsacl support needed to retrieve approximated mode bits based on |
| 639 | the contents on the CIFS ACL. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 640 | |
| 641 | DNOTIFY fcntl: needed for support of directory change |
| 642 | notification and perhaps later for file leases) |
| 643 | |
| 644 | Per share (per client mount) statistics are available in /proc/fs/cifs/Stats |
| 645 | if the kernel was configured with cifs statistics enabled. The statistics |
| 646 | represent the number of successful (ie non-zero return code from the server) |
| 647 | SMB responses to some of the more common commands (open, delete, mkdir etc.). |
| 648 | Also recorded is the total bytes read and bytes written to the server for |
| 649 | that share. Note that due to client caching effects this can be less than the |
| 650 | number of bytes read and written by the application running on the client. |
| 651 | The statistics for the number of total SMBs and oplock breaks are different in |
| 652 | that they represent all for that share, not just those for which the server |
| 653 | returned success. |
| 654 | |
Steve French | 3d2af34 | 2008-08-19 20:51:09 +0000 | [diff] [blame] | 655 | Also note that "cat /proc/fs/cifs/DebugData" will display information about |
Jeff Layton | cea2180 | 2007-11-20 23:19:03 +0000 | [diff] [blame] | 656 | the active sessions and the shares that are mounted. |
Steve French | 3d2af34 | 2008-08-19 20:51:09 +0000 | [diff] [blame] | 657 | |
| 658 | Enabling Kerberos (extended security) works but requires version 1.2 or later |
| 659 | of the helper program cifs.upcall to be present and to be configured in the |
| 660 | /etc/request-key.conf file. The cifs.upcall helper program is from the Samba |
| 661 | project(http://www.samba.org). NTLM and NTLMv2 and LANMAN support do not |
| 662 | require this helper. Note that NTLMv2 security (which does not require the |
| 663 | cifs.upcall helper program), instead of using Kerberos, is sufficient for |
| 664 | some use cases. |
| 665 | |
| 666 | Enabling DFS support (used to access shares transparently in an MS-DFS |
| 667 | global name space) requires that CONFIG_CIFS_EXPERIMENTAL be enabled. In |
| 668 | addition, DFS support for target shares which are specified as UNC |
| 669 | names which begin with host names (rather than IP addresses) requires |
| 670 | a user space helper (such as cifs.upcall) to be present in order to |
| 671 | translate host names to ip address, and the user space helper must also |
| 672 | be configured in the file /etc/request-key.conf |
| 673 | |
| 674 | To use cifs Kerberos and DFS support, the Linux keyutils package should be |
| 675 | installed and something like the following lines should be added to the |
| 676 | /etc/request-key.conf file: |
| 677 | |
| 678 | create cifs.spnego * * /usr/local/sbin/cifs.upcall %k |
| 679 | create dns_resolver * * /usr/local/sbin/cifs.upcall %k |
| 680 | |
| 681 | |