d2b915210b
Mark dependency on crypto modules in Kconfig. Defining per structures sdesc and cifs_secmech which are used to store crypto hash functions and contexts. They are stored per smb connection and used for all auth mechs to genereate hash values and signatures. Allocate crypto hashing functions, security descriptiors, and respective contexts when a smb/tcp connection is established. Release them when a tcp/smb connection is taken down. md5 and hmac-md5 are two crypto hashing functions that are used throught the life of an smb/tcp connection by various functions that calcualte signagure and ntlmv2 hash, HMAC etc. structure ntlmssp_auth is defined as per smb connection. ntlmssp_auth holds ciphertext which is genereated by rc4/arc4 encryption of secondary key, a nonce using ntlmv2 session key and sent in the session key field of the type 3 message sent by the client during ntlmssp negotiation/exchange A key is exchanged with the server if client indicates so in flags in type 1 messsage and server agrees in flag in type 2 message of ntlmssp negotiation. If both client and agree, a key sent by client in type 3 message of ntlmssp negotiation in the session key field. The key is a ciphertext generated off of secondary key, a nonce, using ntlmv2 hash via rc4/arc4. Signing works for ntlmssp in this patch. The sequence number within the server structure needs to be zero until session is established i.e. till type 3 packet of ntlmssp exchange of a to be very first smb session on that smb connection is sent. Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
159 lines
6.6 KiB
Plaintext
159 lines
6.6 KiB
Plaintext
config CIFS
|
|
tristate "CIFS support (advanced network filesystem, SMBFS successor)"
|
|
depends on INET
|
|
select NLS
|
|
select CRYPTO
|
|
select CRYPTO_MD5
|
|
select CRYPTO_ARC4
|
|
help
|
|
This is the client VFS module for the Common Internet File System
|
|
(CIFS) protocol which is the successor to the Server Message Block
|
|
(SMB) protocol, the native file sharing mechanism for most early
|
|
PC operating systems. The CIFS protocol is fully supported by
|
|
file servers such as Windows 2000 (including Windows 2003, NT 4
|
|
and Windows XP) as well by Samba (which provides excellent CIFS
|
|
server support for Linux and many other operating systems). Limited
|
|
support for OS/2 and Windows ME and similar servers is provided as
|
|
well.
|
|
|
|
The cifs module provides an advanced network file system
|
|
client for mounting to CIFS compliant servers. It includes
|
|
support for DFS (hierarchical name space), secure per-user
|
|
session establishment via Kerberos or NTLM or NTLMv2,
|
|
safe distributed caching (oplock), optional packet
|
|
signing, Unicode and other internationalization improvements.
|
|
If you need to mount to Samba or Windows from this machine, say Y.
|
|
|
|
config CIFS_STATS
|
|
bool "CIFS statistics"
|
|
depends on CIFS
|
|
help
|
|
Enabling this option will cause statistics for each server share
|
|
mounted by the cifs client to be displayed in /proc/fs/cifs/Stats
|
|
|
|
config CIFS_STATS2
|
|
bool "Extended statistics"
|
|
depends on CIFS_STATS
|
|
help
|
|
Enabling this option will allow more detailed statistics on SMB
|
|
request timing to be displayed in /proc/fs/cifs/DebugData and also
|
|
allow optional logging of slow responses to dmesg (depending on the
|
|
value of /proc/fs/cifs/cifsFYI, see fs/cifs/README for more details).
|
|
These additional statistics may have a minor effect on performance
|
|
and memory utilization.
|
|
|
|
Unless you are a developer or are doing network performance analysis
|
|
or tuning, say N.
|
|
|
|
config CIFS_WEAK_PW_HASH
|
|
bool "Support legacy servers which use weaker LANMAN security"
|
|
depends on CIFS
|
|
help
|
|
Modern CIFS servers including Samba and most Windows versions
|
|
(since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
|
|
security mechanisms. These hash the password more securely
|
|
than the mechanisms used in the older LANMAN version of the
|
|
SMB protocol but LANMAN based authentication is needed to
|
|
establish sessions with some old SMB servers.
|
|
|
|
Enabling this option allows the cifs module to mount to older
|
|
LANMAN based servers such as OS/2 and Windows 95, but such
|
|
mounts may be less secure than mounts using NTLM or more recent
|
|
security mechanisms if you are on a public network. Unless you
|
|
have a need to access old SMB servers (and are on a private
|
|
network) you probably want to say N. Even if this support
|
|
is enabled in the kernel build, LANMAN authentication will not be
|
|
used automatically. At runtime LANMAN mounts are disabled but
|
|
can be set to required (or optional) either in
|
|
/proc/fs/cifs (see fs/cifs/README for more detail) or via an
|
|
option on the mount command. This support is disabled by
|
|
default in order to reduce the possibility of a downgrade
|
|
attack.
|
|
|
|
If unsure, say N.
|
|
|
|
config CIFS_UPCALL
|
|
bool "Kerberos/SPNEGO advanced session setup"
|
|
depends on CIFS && KEYS
|
|
select DNS_RESOLVER
|
|
help
|
|
Enables an upcall mechanism for CIFS which accesses userspace helper
|
|
utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets
|
|
which are needed to mount to certain secure servers (for which more
|
|
secure Kerberos authentication is required). If unsure, say N.
|
|
|
|
config CIFS_XATTR
|
|
bool "CIFS extended attributes"
|
|
depends on CIFS
|
|
help
|
|
Extended attributes are name:value pairs associated with inodes by
|
|
the kernel or by users (see the attr(5) manual page, or visit
|
|
<http://acl.bestbits.at/> for details). CIFS maps the name of
|
|
extended attributes beginning with the user namespace prefix
|
|
to SMB/CIFS EAs. EAs are stored on Windows servers without the
|
|
user namespace prefix, but their names are seen by Linux cifs clients
|
|
prefaced by the user namespace prefix. The system namespace
|
|
(used by some filesystems to store ACLs) is not supported at
|
|
this time.
|
|
|
|
If unsure, say N.
|
|
|
|
config CIFS_POSIX
|
|
bool "CIFS POSIX Extensions"
|
|
depends on CIFS_XATTR
|
|
help
|
|
Enabling this option will cause the cifs client to attempt to
|
|
negotiate a newer dialect with servers, such as Samba 3.0.5
|
|
or later, that optionally can handle more POSIX like (rather
|
|
than Windows like) file behavior. It also enables
|
|
support for POSIX ACLs (getfacl and setfacl) to servers
|
|
(such as Samba 3.10 and later) which can negotiate
|
|
CIFS POSIX ACL support. If unsure, say N.
|
|
|
|
config CIFS_DEBUG2
|
|
bool "Enable additional CIFS debugging routines"
|
|
depends on CIFS
|
|
help
|
|
Enabling this option adds a few more debugging routines
|
|
to the cifs code which slightly increases the size of
|
|
the cifs module and can cause additional logging of debug
|
|
messages in some error paths, slowing performance. This
|
|
option can be turned off unless you are debugging
|
|
cifs problems. If unsure, say N.
|
|
|
|
config CIFS_DFS_UPCALL
|
|
bool "DFS feature support"
|
|
depends on CIFS && KEYS
|
|
select DNS_RESOLVER
|
|
help
|
|
Distributed File System (DFS) support is used to access shares
|
|
transparently in an enterprise name space, even if the share
|
|
moves to a different server. This feature also enables
|
|
an upcall mechanism for CIFS which contacts userspace helper
|
|
utilities to provide server name resolution (host names to
|
|
IP addresses) which is needed for implicit mounts of DFS junction
|
|
points. If unsure, say N.
|
|
|
|
config CIFS_FSCACHE
|
|
bool "Provide CIFS client caching support (EXPERIMENTAL)"
|
|
depends on EXPERIMENTAL
|
|
depends on CIFS=m && FSCACHE || CIFS=y && FSCACHE=y
|
|
help
|
|
Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data
|
|
to be cached locally on disk through the general filesystem cache
|
|
manager. If unsure, say N.
|
|
|
|
config CIFS_EXPERIMENTAL
|
|
bool "CIFS Experimental Features (EXPERIMENTAL)"
|
|
depends on CIFS && EXPERIMENTAL
|
|
help
|
|
Enables cifs features under testing. These features are
|
|
experimental and currently include DFS support and directory
|
|
change notification ie fcntl(F_DNOTIFY), as well as the upcall
|
|
mechanism which will be used for Kerberos session negotiation
|
|
and uid remapping. Some of these features also may depend on
|
|
setting a value of 1 to the pseudo-file /proc/fs/cifs/Experimental
|
|
(which is disabled by default). See the file fs/cifs/README
|
|
for more details. If unsure, say N.
|
|
|