aboutsummaryrefslogtreecommitdiffstats
path: root/fs/cifs/README
diff options
context:
space:
mode:
Diffstat (limited to 'fs/cifs/README')
-rw-r--r--fs/cifs/README44
1 files changed, 38 insertions, 6 deletions
diff --git a/fs/cifs/README b/fs/cifs/README
index 2bd6fe556f88..bd2343d4c6a6 100644
--- a/fs/cifs/README
+++ b/fs/cifs/README
@@ -542,10 +542,20 @@ SecurityFlags Flags which control security negotiation and
542 hashing mechanisms (as "must use") on the other hand 542 hashing mechanisms (as "must use") on the other hand
543 does not make much sense. Default flags are 543 does not make much sense. Default flags are
544 0x07007 544 0x07007
545 (NTLM, NTLMv2 and packet signing allowed). Maximum 545 (NTLM, NTLMv2 and packet signing allowed). The maximum
546 allowable flags if you want to allow mounts to servers 546 allowable flags if you want to allow mounts to servers
547 using weaker password hashes is 0x37037 (lanman, 547 using weaker password hashes is 0x37037 (lanman,
548 plaintext, ntlm, ntlmv2, signing allowed): 548 plaintext, ntlm, ntlmv2, signing allowed). Some
549 SecurityFlags require the corresponding menuconfig
550 options to be enabled (lanman and plaintext require
551 CONFIG_CIFS_WEAK_PW_HASH for example). Enabling
552 plaintext authentication currently requires also
553 enabling lanman authentication in the security flags
554 because the cifs module only supports sending
555 laintext passwords using the older lanman dialect
556 form of the session setup SMB. (e.g. for authentication
557 using plain text passwords, set the SecurityFlags
558 to 0x30030):
549 559
550 may use packet signing 0x00001 560 may use packet signing 0x00001
551 must use packet signing 0x01001 561 must use packet signing 0x01001
@@ -642,8 +652,30 @@ The statistics for the number of total SMBs and oplock breaks are different in
642that they represent all for that share, not just those for which the server 652that they represent all for that share, not just those for which the server
643returned success. 653returned success.
644 654
645Also note that "cat /proc/fs/cifs/DebugData" will display information about 655Also note that "cat /proc/fs/cifs/DebugData" will display information about
646the active sessions and the shares that are mounted. 656the active sessions and the shares that are mounted.
647Enabling Kerberos (extended security) works when CONFIG_CIFS_EXPERIMENTAL is 657
648on but requires a user space helper (from the Samba project). NTLM and NTLMv2 and 658Enabling Kerberos (extended security) works but requires version 1.2 or later
649LANMAN support do not require this helper. 659of the helper program cifs.upcall to be present and to be configured in the
660/etc/request-key.conf file. The cifs.upcall helper program is from the Samba
661project(http://www.samba.org). NTLM and NTLMv2 and LANMAN support do not
662require this helper. Note that NTLMv2 security (which does not require the
663cifs.upcall helper program), instead of using Kerberos, is sufficient for
664some use cases.
665
666Enabling DFS support (used to access shares transparently in an MS-DFS
667global name space) requires that CONFIG_CIFS_EXPERIMENTAL be enabled. In
668addition, DFS support for target shares which are specified as UNC
669names which begin with host names (rather than IP addresses) requires
670a user space helper (such as cifs.upcall) to be present in order to
671translate host names to ip address, and the user space helper must also
672be configured in the file /etc/request-key.conf
673
674To use cifs Kerberos and DFS support, the Linux keyutils package should be
675installed and something like the following lines should be added to the
676/etc/request-key.conf file:
677
678create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
679create dns_resolver * * /usr/local/sbin/cifs.upcall %k
680
681