14e92c5dc7
Clarify the use of the CONFIG_DFS_UPCALL for DNS name resolution when server ip addresses change (e.g. on long running mounts) Signed-off-by: Steve French <stfrench@microsoft.com>
219 lines
8.8 KiB
Plaintext
219 lines
8.8 KiB
Plaintext
config CIFS
|
|
tristate "SMB3 and CIFS support (advanced network filesystem)"
|
|
depends on INET
|
|
select NLS
|
|
select CRYPTO
|
|
select CRYPTO_MD4
|
|
select CRYPTO_MD5
|
|
select CRYPTO_SHA256
|
|
select CRYPTO_SHA512
|
|
select CRYPTO_CMAC
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_ARC4
|
|
select CRYPTO_AEAD2
|
|
select CRYPTO_CCM
|
|
select CRYPTO_ECB
|
|
select CRYPTO_AES
|
|
select CRYPTO_DES
|
|
help
|
|
This is the client VFS module for the SMB3 family of NAS protocols,
|
|
(including support for the most recent, most secure dialect SMB3.1.1)
|
|
as well as for earlier dialects such as SMB2.1, SMB2 and the older
|
|
Common Internet File System (CIFS) protocol. CIFS was the successor
|
|
to the original dialect, the Server Message Block (SMB) protocol, the
|
|
native file sharing mechanism for most early PC operating systems.
|
|
|
|
The SMB3 protocol is supported by most modern operating systems
|
|
and NAS appliances (e.g. Samba, Windows 10, Windows Server 2016,
|
|
MacOS) and even in the cloud (e.g. Microsoft Azure).
|
|
The older CIFS protocol was included in Windows NT4, 2000 and XP (and
|
|
later) as well by Samba (which provides excellent CIFS and SMB3
|
|
server support for Linux and many other operating systems). Use of
|
|
dialects older than SMB2.1 is often discouraged on public networks.
|
|
This module also provides limited support for OS/2 and Windows ME
|
|
and similar very old servers.
|
|
|
|
This module provides an advanced network file system client
|
|
for mounting to SMB3 (and CIFS) compliant servers. It includes
|
|
support for DFS (hierarchical name space), secure per-user
|
|
session establishment via Kerberos or NTLM or NTLMv2, RDMA
|
|
(smbdirect), advanced security features, per-share encryption,
|
|
directory leases, safe distributed caching (oplock), optional packet
|
|
signing, Unicode and other internationalization improvements.
|
|
|
|
In general, the default dialects, SMB3 and later, enable better
|
|
performance, security and features, than would be possible with CIFS.
|
|
Note that when mounting to Samba, due to the CIFS POSIX extensions,
|
|
CIFS mounts can provide slightly better POSIX compatibility
|
|
than SMB3 mounts. SMB2/SMB3 mount options are also
|
|
slightly simpler (compared to CIFS) due to protocol improvements.
|
|
|
|
If you need to mount to Samba, Azure, Macs or Windows from this machine, say Y.
|
|
|
|
config CIFS_STATS2
|
|
bool "Extended statistics"
|
|
depends on CIFS
|
|
help
|
|
Enabling this option will allow more detailed statistics on SMB
|
|
request timing to be displayed in /proc/fs/cifs/DebugData and also
|
|
allow optional logging of slow responses to dmesg (depending on the
|
|
value of /proc/fs/cifs/cifsFYI, see fs/cifs/README for more details).
|
|
These additional statistics may have a minor effect on performance
|
|
and memory utilization.
|
|
|
|
Unless you are a developer or are doing network performance analysis
|
|
or tuning, say N.
|
|
|
|
config CIFS_ALLOW_INSECURE_LEGACY
|
|
bool "Support legacy servers which use less secure dialects"
|
|
depends on CIFS
|
|
default y
|
|
help
|
|
Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
|
|
additional security features, including protection against
|
|
man-in-the-middle attacks and stronger crypto hashes, so the use
|
|
of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.
|
|
|
|
Disabling this option prevents users from using vers=1.0 or vers=2.0
|
|
on mounts with cifs.ko
|
|
|
|
If unsure, say Y.
|
|
|
|
config CIFS_WEAK_PW_HASH
|
|
bool "Support legacy servers which use weaker LANMAN security"
|
|
depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY
|
|
help
|
|
Modern CIFS servers including Samba and most Windows versions
|
|
(since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
|
|
security mechanisms. These hash the password more securely
|
|
than the mechanisms used in the older LANMAN version of the
|
|
SMB protocol but LANMAN based authentication is needed to
|
|
establish sessions with some old SMB servers.
|
|
|
|
Enabling this option allows the cifs module to mount to older
|
|
LANMAN based servers such as OS/2 and Windows 95, but such
|
|
mounts may be less secure than mounts using NTLM or more recent
|
|
security mechanisms if you are on a public network. Unless you
|
|
have a need to access old SMB servers (and are on a private
|
|
network) you probably want to say N. Even if this support
|
|
is enabled in the kernel build, LANMAN authentication will not be
|
|
used automatically. At runtime LANMAN mounts are disabled but
|
|
can be set to required (or optional) either in
|
|
/proc/fs/cifs (see fs/cifs/README for more detail) or via an
|
|
option on the mount command. This support is disabled by
|
|
default in order to reduce the possibility of a downgrade
|
|
attack.
|
|
|
|
If unsure, say N.
|
|
|
|
config CIFS_UPCALL
|
|
bool "Kerberos/SPNEGO advanced session setup"
|
|
depends on CIFS && KEYS
|
|
select DNS_RESOLVER
|
|
help
|
|
Enables an upcall mechanism for CIFS which accesses userspace helper
|
|
utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets
|
|
which are needed to mount to certain secure servers (for which more
|
|
secure Kerberos authentication is required). If unsure, say Y.
|
|
|
|
config CIFS_XATTR
|
|
bool "CIFS extended attributes"
|
|
depends on CIFS
|
|
help
|
|
Extended attributes are name:value pairs associated with inodes by
|
|
the kernel or by users (see the attr(5) manual page for details).
|
|
CIFS maps the name of extended attributes beginning with the user
|
|
namespace prefix to SMB/CIFS EAs. EAs are stored on Windows
|
|
servers without the user namespace prefix, but their names are
|
|
seen by Linux cifs clients prefaced by the user namespace prefix.
|
|
The system namespace (used by some filesystems to store ACLs) is
|
|
not supported at this time.
|
|
|
|
If unsure, say Y.
|
|
|
|
config CIFS_POSIX
|
|
bool "CIFS POSIX Extensions"
|
|
depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR
|
|
help
|
|
Enabling this option will cause the cifs client to attempt to
|
|
negotiate a newer dialect with servers, such as Samba 3.0.5
|
|
or later, that optionally can handle more POSIX like (rather
|
|
than Windows like) file behavior. It also enables
|
|
support for POSIX ACLs (getfacl and setfacl) to servers
|
|
(such as Samba 3.10 and later) which can negotiate
|
|
CIFS POSIX ACL support. If unsure, say N.
|
|
|
|
config CIFS_ACL
|
|
bool "Provide CIFS ACL support"
|
|
depends on CIFS_XATTR && KEYS
|
|
help
|
|
Allows fetching CIFS/NTFS ACL from the server. The DACL blob
|
|
is handed over to the application/caller. See the man
|
|
page for getcifsacl for more information. If unsure, say Y.
|
|
|
|
config CIFS_DEBUG
|
|
bool "Enable CIFS debugging routines"
|
|
default y
|
|
depends on CIFS
|
|
help
|
|
Enabling this option adds helpful debugging messages to
|
|
the cifs code which increases the size of the cifs module.
|
|
If unsure, say Y.
|
|
config CIFS_DEBUG2
|
|
bool "Enable additional CIFS debugging routines"
|
|
depends on CIFS_DEBUG
|
|
help
|
|
Enabling this option adds a few more debugging routines
|
|
to the cifs code which slightly increases the size of
|
|
the cifs module and can cause additional logging of debug
|
|
messages in some error paths, slowing performance. This
|
|
option can be turned off unless you are debugging
|
|
cifs problems. If unsure, say N.
|
|
|
|
config CIFS_DEBUG_DUMP_KEYS
|
|
bool "Dump encryption keys for offline decryption (Unsafe)"
|
|
depends on CIFS_DEBUG
|
|
help
|
|
Enabling this will dump the encryption and decryption keys
|
|
used to communicate on an encrypted share connection on the
|
|
console. This allows Wireshark to decrypt and dissect
|
|
encrypted network captures. Enable this carefully.
|
|
If unsure, say N.
|
|
|
|
config CIFS_DFS_UPCALL
|
|
bool "DFS feature support"
|
|
depends on CIFS && KEYS
|
|
select DNS_RESOLVER
|
|
help
|
|
Distributed File System (DFS) support is used to access shares
|
|
transparently in an enterprise name space, even if the share
|
|
moves to a different server. This feature also enables
|
|
an upcall mechanism for CIFS which contacts userspace helper
|
|
utilities to provide server name resolution (host names to
|
|
IP addresses) which is needed in order to reconnect to
|
|
servers if their addresses change or for implicit mounts of
|
|
DFS junction points. If unsure, say Y.
|
|
|
|
config CIFS_NFSD_EXPORT
|
|
bool "Allow nfsd to export CIFS file system"
|
|
depends on CIFS && BROKEN
|
|
help
|
|
Allows NFS server to export a CIFS mounted share (nfsd over cifs)
|
|
|
|
config CIFS_SMB_DIRECT
|
|
bool "SMB Direct support (Experimental)"
|
|
depends on CIFS=m && INFINIBAND && INFINIBAND_ADDR_TRANS || CIFS=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y
|
|
help
|
|
Enables SMB Direct experimental support for SMB 3.0, 3.02 and 3.1.1.
|
|
SMB Direct allows transferring SMB packets over RDMA. If unsure,
|
|
say N.
|
|
|
|
config CIFS_FSCACHE
|
|
bool "Provide CIFS client caching support"
|
|
depends on CIFS=m && FSCACHE || CIFS=y && FSCACHE=y
|
|
help
|
|
Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data
|
|
to be cached locally on disk through the general filesystem cache
|
|
manager. If unsure, say N.
|
|
|