Diffstat (limited to 'fs/cifs/README')
-rw-r--r-- | fs/cifs/README | 44 |
1 files changed, 38 insertions, 6 deletions
diff --git a/fs/cifs/README b/fs/cifs/README index 2bd6fe556f88..bd2343d4c6a6 100644 --- a/fs/cifs/README +++ b/fs/cifs/README | |||
@@ -542,10 +542,20 @@ SecurityFlags Flags which control security negotiation and | |||
542 | hashing mechanisms (as "must use") on the other hand | 542 | hashing mechanisms (as "must use") on the other hand |
543 | does not make much sense. Default flags are | 543 | does not make much sense. Default flags are |
544 | 0x07007 | 544 | 0x07007 |
545 | (NTLM, NTLMv2 and packet signing allowed). Maximum | 545 | (NTLM, NTLMv2 and packet signing allowed). The maximum |
546 | allowable flags if you want to allow mounts to servers | 546 | allowable flags if you want to allow mounts to servers |
547 | using weaker password hashes is 0x37037 (lanman, | 547 | using weaker password hashes is 0x37037 (lanman, |
548 | plaintext, ntlm, ntlmv2, signing allowed): | 548 | plaintext, ntlm, ntlmv2, signing allowed). Some |
549 | SecurityFlags require the corresponding menuconfig | ||
550 | options to be enabled (lanman and plaintext require | ||
551 | CONFIG_CIFS_WEAK_PW_HASH for example). Enabling | ||
552 | plaintext authentication currently requires also | ||
553 | enabling lanman authentication in the security flags | ||
554 | because the cifs module only supports sending | ||
555 | laintext passwords using the older lanman dialect | ||
556 | form of the session setup SMB. (e.g. for authentication | ||
557 | using plain text passwords, set the SecurityFlags | ||
558 | to 0x30030): | ||
549 | 559 | ||
550 | may use packet signing 0x00001 | 560 | may use packet signing 0x00001 |
551 | must use packet signing 0x01001 | 561 | must use packet signing 0x01001 |
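Review bot: new line 555 has a typo, "laintext passwords" should read "plaintext passwords". The example value 0x30030 is the difference between the two masks quoted earlier in the paragraph (0x37037 and 0x07007), so it covers lanman and plaintext. Its upper digits also follow the "must use" pattern shown for packet signing (0x01001 versus 0x00001), while the context sentence just above says that specifying hashing mechanisms as "must use" does not make much sense. A short clause saying that this lanman plus plaintext combination is the intended exception would stop readers from treating the example as a mistake. The trailing "(e.g. for authentication ... to 0x30030):" would also read better as a full sentence rather than a parenthetical that begins after a period.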
@@ -642,8 +652,30 @@ The statistics for the number of total SMBs and oplock breaks are different in | |||
642 | that they represent all for that share, not just those for which the server | 652 | that they represent all for that share, not just those for which the server |
643 | returned success. | 653 | returned success. |
644 | 654 | ||
645 | Also note that "cat /proc/fs/cifs/DebugData" will display information about | 655 | Also note that "cat /proc/fs/cifs/DebugData" will display information about |
646 | the active sessions and the shares that are mounted. | 656 | the active sessions and the shares that are mounted. |
647 | Enabling Kerberos (extended security) works when CONFIG_CIFS_EXPERIMENTAL is | 657 | |
648 | on but requires a user space helper (from the Samba project). NTLM and NTLMv2 and | 658 | Enabling Kerberos (extended security) works but requires version 1.2 or later |
649 | LANMAN support do not require this helper. | 659 | of the helper program cifs.upcall to be present and to be configured in the |
660 | /etc/request-key.conf file. The cifs.upcall helper program is from the Samba | ||
661 | project(http://www.samba.org). NTLM and NTLMv2 and LANMAN support do not | ||
662 | require this helper. Note that NTLMv2 security (which does not require the | ||
663 | cifs.upcall helper program), instead of using Kerberos, is sufficient for | ||
664 | some use cases. | ||
665 | |||
666 | Enabling DFS support (used to access shares transparently in an MS-DFS | ||
667 | global name space) requires that CONFIG_CIFS_EXPERIMENTAL be enabled. In | ||
668 | addition, DFS support for target shares which are specified as UNC | ||
669 | names which begin with host names (rather than IP addresses) requires | ||
670 | a user space helper (such as cifs.upcall) to be present in order to | ||
671 | translate host names to ip address, and the user space helper must also | ||
672 | be configured in the file /etc/request-key.conf | ||
673 | |||
674 | To use cifs Kerberos and DFS support, the Linux keyutils package should be | ||
675 | installed and something like the following lines should be added to the | ||
676 | /etc/request-key.conf file: | ||
677 | |||
678 | create cifs.spnego * * /usr/local/sbin/cifs.upcall %k | ||
679 | create dns_resolver * * /usr/local/sbin/cifs.upcall %k | ||
680 | |||
681 | |||
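Review bot: the rewritten Kerberos paragraph (new lines 658-664) no longer names any kernel config option, although the removed text tied Kerberos to CONFIG_CIFS_EXPERIMENTAL and the DFS paragraph right below still names it. Please state whether any option is still needed to get Kerberos, or say explicitly that none is. The sample request-key.conf lines hard-code /usr/local/sbin/cifs.upcall. Since the text says "something like the following", add a remark that the path must match where cifs.upcall is actually installed, because a wrong path leaves Kerberos mounts and DFS host name resolution without a helper. Smaller points: "project(http://www.samba.org)" needs a space before the parenthesis, "translate host names to ip address" should be "IP addresses", and the sentence ending in "/etc/request-key.conf" on new line 672 is missing its period.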