Merge branch 'core/xen' into x86/xen

author: Ingo Molnar <mingo@elte.hu> 2008-09-10 08:05:45 -0400
committer: Ingo Molnar <mingo@elte.hu> 2008-09-10 08:05:45 -0400
commit: 3ce9bcb583536c45a46c7302747029450e22279c (patch)
tree: 7a4167189ffc6dc909151d1a5d040f9f0656a9f4 /fs/cifs/README
parent: 26fd10517e810dd59ea050b052de24a75ee6dc07 (diff)
parent: f7d0b926ac8c8ec0c7a83ee69409bd2e6bb39f81 (diff)
1 files changed, 38 insertions, 6 deletions
diff --git a/fs/cifs/README b/fs/cifs/README
index 2bd6fe556f88..bd2343d4c6a6 100644
--- a/fs/cifs/README
+++ b/fs/cifs/README
@@ -542,10 +542,20 @@ SecurityFlags		Flags which control security negotiation and
                        hashing mechanisms (as "must use") on the other hand 
                        does not make much sense. Default flags are 
                                0x07007 
-                        (NTLM, NTLMv2 and packet signing allowed).  Maximum 
+                        (NTLM, NTLMv2 and packet signing allowed).  The maximum 
                        allowable flags if you want to allow mounts to servers
                        using weaker password hashes is 0x37037 (lanman,
-                        plaintext, ntlm, ntlmv2, signing allowed):
+                        plaintext, ntlm, ntlmv2, signing allowed).  Some
+                        SecurityFlags require the corresponding menuconfig
+                        options to be enabled (lanman and plaintext require
+                        CONFIG_CIFS_WEAK_PW_HASH for example).  Enabling
+                        plaintext authentication currently requires also
+                        enabling lanman authentication in the security flags
+                        because the cifs module only supports sending
+                        laintext passwords using the older lanman dialect
+                        form of the session setup SMB.  (e.g. for authentication
+                        using plain text passwords, set the SecurityFlags
+                        to 0x30030):
 
                        may use packet signing                          0x00001
                        must use packet signing                         0x01001
@@ -642,8 +652,30 @@ The statistics for the number of total SMBs and oplock breaks are different in
 that they represent all for that share, not just those for which the server
 returned success.
        
-Also note that "cat /proc/fs/cifs/DebugData" will display information about 
+Also note that "cat /proc/fs/cifs/DebugData" will display information about
 the active sessions and the shares that are mounted.
-Enabling Kerberos (extended security) works when CONFIG_CIFS_EXPERIMENTAL is
-on but requires a user space helper (from the Samba project). NTLM and NTLMv2 and
+Enabling Kerberos (extended security) works but requires version 1.2 or later
-LANMAN support do not require this helper.
+of the helper program cifs.upcall to be present and to be configured in the
+/etc/request-key.conf file.  The cifs.upcall helper program is from the Samba
+project(http://www.samba.org). NTLM and NTLMv2 and LANMAN support do not
+require this helper. Note that NTLMv2 security (which does not require the
+cifs.upcall helper program), instead of using Kerberos, is sufficient for
+some use cases.
+Enabling DFS support (used to access shares transparently in an MS-DFS
+global name space) requires that CONFIG_CIFS_EXPERIMENTAL be enabled.  In
+addition, DFS support for target shares which are specified as UNC
+names which begin with host names (rather than IP addresses) requires
+a user space helper (such as cifs.upcall) to be present in order to
+translate host names to ip address, and the user space helper must also
+be configured in the file /etc/request-key.conf
+To use cifs Kerberos and DFS support, the Linux keyutils package should be
+installed and something like the following lines should be added to the
+/etc/request-key.conf file:
+create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
+create dns_resolver * * /usr/local/sbin/cifs.upcall %k
author	Ingo Molnar <mingo@elte.hu>	2008-09-10 08:05:45 -0400
committer	Ingo Molnar <mingo@elte.hu>	2008-09-10 08:05:45 -0400
commit	3ce9bcb583536c45a46c7302747029450e22279c (patch)
tree	7a4167189ffc6dc909151d1a5d040f9f0656a9f4 /fs/cifs/README
parent	26fd10517e810dd59ea050b052de24a75ee6dc07 (diff)
parent	f7d0b926ac8c8ec0c7a83ee69409bd2e6bb39f81 (diff)

diff --git a/fs/cifs/README b/fs/cifs/README index 2bd6fe556f88..bd2343d4c6a6 100644 --- a/fs/cifs/README +++ b/fs/cifs/README
@@ -542,10 +542,20 @@ SecurityFlags Flags which control security negotiation and
542	hashing mechanisms (as "must use") on the other hand	542	hashing mechanisms (as "must use") on the other hand
543	does not make much sense. Default flags are	543	does not make much sense. Default flags are
544	0x07007	544	0x07007
545	(NTLM, NTLMv2 and packet signing allowed). Maximum	545	(NTLM, NTLMv2 and packet signing allowed). The maximum
546	allowable flags if you want to allow mounts to servers	546	allowable flags if you want to allow mounts to servers
547	using weaker password hashes is 0x37037 (lanman,	547	using weaker password hashes is 0x37037 (lanman,
548	plaintext, ntlm, ntlmv2, signing allowed):	548	plaintext, ntlm, ntlmv2, signing allowed). Some
		549	SecurityFlags require the corresponding menuconfig
		550	options to be enabled (lanman and plaintext require
		551	CONFIG_CIFS_WEAK_PW_HASH for example). Enabling
		552	plaintext authentication currently requires also
		553	enabling lanman authentication in the security flags
		554	because the cifs module only supports sending
		555	laintext passwords using the older lanman dialect
		556	form of the session setup SMB. (e.g. for authentication
		557	using plain text passwords, set the SecurityFlags
		558	to 0x30030):
549		559
550	may use packet signing 0x00001	560	may use packet signing 0x00001
551	must use packet signing 0x01001	561	must use packet signing 0x01001
@@ -642,8 +652,30 @@ The statistics for the number of total SMBs and oplock breaks are different in
642	that they represent all for that share, not just those for which the server	652	that they represent all for that share, not just those for which the server
643	returned success.	653	returned success.
644		654
645	Also note that "cat /proc/fs/cifs/DebugData" will display information about	655	Also note that "cat /proc/fs/cifs/DebugData" will display information about
646	the active sessions and the shares that are mounted.	656	the active sessions and the shares that are mounted.
647	Enabling Kerberos (extended security) works when CONFIG_CIFS_EXPERIMENTAL is	657
648	on but requires a user space helper (from the Samba project). NTLM and NTLMv2 and	658	Enabling Kerberos (extended security) works but requires version 1.2 or later
649	LANMAN support do not require this helper.	659	of the helper program cifs.upcall to be present and to be configured in the
		660	/etc/request-key.conf file. The cifs.upcall helper program is from the Samba
		661	project(http://www.samba.org). NTLM and NTLMv2 and LANMAN support do not
		662	require this helper. Note that NTLMv2 security (which does not require the
		663	cifs.upcall helper program), instead of using Kerberos, is sufficient for
		664	some use cases.
		665
		666	Enabling DFS support (used to access shares transparently in an MS-DFS
		667	global name space) requires that CONFIG_CIFS_EXPERIMENTAL be enabled. In
		668	addition, DFS support for target shares which are specified as UNC
		669	names which begin with host names (rather than IP addresses) requires
		670	a user space helper (such as cifs.upcall) to be present in order to
		671	translate host names to ip address, and the user space helper must also
		672	be configured in the file /etc/request-key.conf
		673
		674	To use cifs Kerberos and DFS support, the Linux keyutils package should be
		675	installed and something like the following lines should be added to the
		676	/etc/request-key.conf file:
		677
		678	create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
		679	create dns_resolver * * /usr/local/sbin/cifs.upcall %k
		680
		681