1===== 2Usage 3===== 4 5This module supports the SMB3 family of advanced network protocols (as well 6as older dialects, originally called "CIFS" or SMB1). 7 8The CIFS VFS module for Linux supports many advanced network filesystem 9features such as hierarchical DFS like namespace, hardlinks, locking and more. 10It was designed to comply with the SNIA CIFS Technical Reference (which 11supersedes the 1992 X/Open SMB Standard) as well as to perform best practice 12practical interoperability with Windows 2000, Windows XP, Samba and equivalent 13servers. This code was developed in participation with the Protocol Freedom 14Information Foundation. CIFS and now SMB3 has now become a defacto 15standard for interoperating between Macs and Windows and major NAS appliances. 16 17Please see 18MS-SMB2 (for detailed SMB2/SMB3/SMB3.1.1 protocol specification) 19or https://samba.org/samba/PFIF/ 20for more details. 21 22 23For questions or bug reports please contact: 24 25 smfrench@gmail.com 26 27See the project page at: https://wiki.samba.org/index.php/LinuxCIFS_utils 28 29Build instructions 30================== 31 32For Linux: 33 341) Download the kernel (e.g. from https://www.kernel.org) 35 and change directory into the top of the kernel directory tree 36 (e.g. /usr/src/linux-2.5.73) 372) make menuconfig (or make xconfig) 383) select cifs from within the network filesystem choices 394) save and exit 405) make 41 42 43Installation instructions 44========================= 45 46If you have built the CIFS vfs as module (successfully) simply 47type ``make modules_install`` (or if you prefer, manually copy the file to 48the modules directory e.g. /lib/modules/2.4.10-4GB/kernel/fs/cifs/cifs.ko). 49 50If you have built the CIFS vfs into the kernel itself, follow the instructions 51for your distribution on how to install a new kernel (usually you 52would simply type ``make install``). 53 54If you do not have the utility mount.cifs (in the Samba 4.x source tree and on 55the CIFS VFS web site) copy it to the same directory in which mount helpers 56reside (usually /sbin). Although the helper software is not 57required, mount.cifs is recommended. Most distros include a ``cifs-utils`` 58package that includes this utility so it is recommended to install this. 59 60Note that running the Winbind pam/nss module (logon service) on all of your 61Linux clients is useful in mapping Uids and Gids consistently across the 62domain to the proper network user. The mount.cifs mount helper can be 63found at cifs-utils.git on git.samba.org 64 65If cifs is built as a module, then the size and number of network buffers 66and maximum number of simultaneous requests to one server can be configured. 67Changing these from their defaults is not recommended. By executing modinfo:: 68 69 modinfo kernel/fs/cifs/cifs.ko 70 71on kernel/fs/cifs/cifs.ko the list of configuration changes that can be made 72at module initialization time (by running insmod cifs.ko) can be seen. 73 74Recommendations 75=============== 76 77To improve security the SMB2.1 dialect or later (usually will get SMB3) is now 78the new default. To use old dialects (e.g. to mount Windows XP) use "vers=1.0" 79on mount (or vers=2.0 for Windows Vista). Note that the CIFS (vers=1.0) is 80much older and less secure than the default dialect SMB3 which includes 81many advanced security features such as downgrade attack detection 82and encrypted shares and stronger signing and authentication algorithms. 83There are additional mount options that may be helpful for SMB3 to get 84improved POSIX behavior (NB: can use vers=3.0 to force only SMB3, never 2.1): 85 86 ``mfsymlinks`` and either ``cifsacl`` or ``modefromsid`` (usually with ``idsfromsid``) 87 88Allowing User Mounts 89==================== 90 91To permit users to mount and unmount over directories they own is possible 92with the cifs vfs. A way to enable such mounting is to mark the mount.cifs 93utility as suid (e.g. ``chmod +s /sbin/mount.cifs``). To enable users to 94umount shares they mount requires 95 961) mount.cifs version 1.4 or later 972) an entry for the share in /etc/fstab indicating that a user may 98 unmount it e.g.:: 99 100 //server/usersharename /mnt/username cifs user 0 0 101 102Note that when the mount.cifs utility is run suid (allowing user mounts), 103in order to reduce risks, the ``nosuid`` mount flag is passed in on mount to 104disallow execution of an suid program mounted on the remote target. 105When mount is executed as root, nosuid is not passed in by default, 106and execution of suid programs on the remote target would be enabled 107by default. This can be changed, as with nfs and other filesystems, 108by simply specifying ``nosuid`` among the mount options. For user mounts 109though to be able to pass the suid flag to mount requires rebuilding 110mount.cifs with the following flag: CIFS_ALLOW_USR_SUID 111 112There is a corresponding manual page for cifs mounting in the Samba 3.0 and 113later source tree in docs/manpages/mount.cifs.8 114 115Allowing User Unmounts 116====================== 117 118To permit users to unmount directories that they have user mounted (see above), 119the utility umount.cifs may be used. It may be invoked directly, or if 120umount.cifs is placed in /sbin, umount can invoke the cifs umount helper 121(at least for most versions of the umount utility) for umount of cifs 122mounts, unless umount is invoked with -i (which will avoid invoking a umount 123helper). As with mount.cifs, to enable user unmounts umount.cifs must be marked 124as suid (e.g. ``chmod +s /sbin/umount.cifs``) or equivalent (some distributions 125allow adding entries to a file to the /etc/permissions file to achieve the 126equivalent suid effect). For this utility to succeed the target path 127must be a cifs mount, and the uid of the current user must match the uid 128of the user who mounted the resource. 129 130Also note that the customary way of allowing user mounts and unmounts is 131(instead of using mount.cifs and unmount.cifs as suid) to add a line 132to the file /etc/fstab for each //server/share you wish to mount, but 133this can become unwieldy when potential mount targets include many 134or unpredictable UNC names. 135 136Samba Considerations 137==================== 138 139Most current servers support SMB2.1 and SMB3 which are more secure, 140but there are useful protocol extensions for the older less secure CIFS 141dialect, so to get the maximum benefit if mounting using the older dialect 142(CIFS/SMB1), we recommend using a server that supports the SNIA CIFS 143Unix Extensions standard (e.g. almost any version of Samba ie version 1442.2.5 or later) but the CIFS vfs works fine with a wide variety of CIFS servers. 145Note that uid, gid and file permissions will display default values if you do 146not have a server that supports the Unix extensions for CIFS (such as Samba 1472.2.5 or later). To enable the Unix CIFS Extensions in the Samba server, add 148the line:: 149 150 unix extensions = yes 151 152to your smb.conf file on the server. Note that the following smb.conf settings 153are also useful (on the Samba server) when the majority of clients are Unix or 154Linux:: 155 156 case sensitive = yes 157 delete readonly = yes 158 ea support = yes 159 160Note that server ea support is required for supporting xattrs from the Linux 161cifs client, and that EA support is present in later versions of Samba (e.g. 1623.0.6 and later (also EA support works in all versions of Windows, at least to 163shares on NTFS filesystems). Extended Attribute (xattr) support is an optional 164feature of most Linux filesystems which may require enabling via 165make menuconfig. Client support for extended attributes (user xattr) can be 166disabled on a per-mount basis by specifying ``nouser_xattr`` on mount. 167 168The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba servers 169version 3.10 and later. Setting POSIX ACLs requires enabling both XATTR and 170then POSIX support in the CIFS configuration options when building the cifs 171module. POSIX ACL support can be disabled on a per mount basic by specifying 172``noacl`` on mount. 173 174Some administrators may want to change Samba's smb.conf ``map archive`` and 175``create mask`` parameters from the default. Unless the create mask is changed 176newly created files can end up with an unnecessarily restrictive default mode, 177which may not be what you want, although if the CIFS Unix extensions are 178enabled on the server and client, subsequent setattr calls (e.g. chmod) can 179fix the mode. Note that creating special devices (mknod) remotely 180may require specifying a mkdev function to Samba if you are not using 181Samba 3.0.6 or later. For more information on these see the manual pages 182(``man smb.conf``) on the Samba server system. Note that the cifs vfs, 183unlike the smbfs vfs, does not read the smb.conf on the client system 184(the few optional settings are passed in on mount via -o parameters instead). 185Note that Samba 2.2.7 or later includes a fix that allows the CIFS VFS to delete 186open files (required for strict POSIX compliance). Windows Servers already 187supported this feature. Samba server does not allow symlinks that refer to files 188outside of the share, so in Samba versions prior to 3.0.6, most symlinks to 189files with absolute paths (ie beginning with slash) such as:: 190 191 ln -s /mnt/foo bar 192 193would be forbidden. Samba 3.0.6 server or later includes the ability to create 194such symlinks safely by converting unsafe symlinks (ie symlinks to server 195files that are outside of the share) to a samba specific format on the server 196that is ignored by local server applications and non-cifs clients and that will 197not be traversed by the Samba server). This is opaque to the Linux client 198application using the cifs vfs. Absolute symlinks will work to Samba 3.0.5 or 199later, but only for remote clients using the CIFS Unix extensions, and will 200be invisible to Windows clients and typically will not affect local 201applications running on the same server as Samba. 202 203Use instructions 204================ 205 206Once the CIFS VFS support is built into the kernel or installed as a module 207(cifs.ko), you can use mount syntax like the following to access Samba or 208Mac or Windows servers:: 209 210 mount -t cifs //9.53.216.11/e$ /mnt -o username=myname,password=mypassword 211 212Before -o the option -v may be specified to make the mount.cifs 213mount helper display the mount steps more verbosely. 214After -o the following commonly used cifs vfs specific options 215are supported:: 216 217 username=<username> 218 password=<password> 219 domain=<domain name> 220 221Other cifs mount options are described below. Use of TCP names (in addition to 222ip addresses) is available if the mount helper (mount.cifs) is installed. If 223you do not trust the server to which are mounted, or if you do not have 224cifs signing enabled (and the physical network is insecure), consider use 225of the standard mount options ``noexec`` and ``nosuid`` to reduce the risk of 226running an altered binary on your local system (downloaded from a hostile server 227or altered by a hostile router). 228 229Although mounting using format corresponding to the CIFS URL specification is 230not possible in mount.cifs yet, it is possible to use an alternate format 231for the server and sharename (which is somewhat similar to NFS style mount 232syntax) instead of the more widely used UNC format (i.e. \\server\share):: 233 234 mount -t cifs tcp_name_of_server:share_name /mnt -o user=myname,pass=mypasswd 235 236When using the mount helper mount.cifs, passwords may be specified via alternate 237mechanisms, instead of specifying it after -o using the normal ``pass=`` syntax 238on the command line: 2391) By including it in a credential file. Specify credentials=filename as one 240of the mount options. Credential files contain two lines:: 241 242 username=someuser 243 password=your_password 244 2452) By specifying the password in the PASSWD environment variable (similarly 246 the user name can be taken from the USER environment variable). 2473) By specifying the password in a file by name via PASSWD_FILE 2484) By specifying the password in a file by file descriptor via PASSWD_FD 249 250If no password is provided, mount.cifs will prompt for password entry 251 252Restrictions 253============ 254 255Servers must support either "pure-TCP" (port 445 TCP/IP CIFS connections) or RFC 2561001/1002 support for "Netbios-Over-TCP/IP." This is not likely to be a 257problem as most servers support this. 258 259Valid filenames differ between Windows and Linux. Windows typically restricts 260filenames which contain certain reserved characters (e.g.the character : 261which is used to delimit the beginning of a stream name by Windows), while 262Linux allows a slightly wider set of valid characters in filenames. Windows 263servers can remap such characters when an explicit mapping is specified in 264the Server's registry. Samba starting with version 3.10 will allow such 265filenames (ie those which contain valid Linux characters, which normally 266would be forbidden for Windows/CIFS semantics) as long as the server is 267configured for Unix Extensions (and the client has not disabled 268/proc/fs/cifs/LinuxExtensionsEnabled). In addition the mount option 269``mapposix`` can be used on CIFS (vers=1.0) to force the mapping of 270illegal Windows/NTFS/SMB characters to a remap range (this mount parameter 271is the default for SMB3). This remap (``mapposix``) range is also 272compatible with Mac (and "Services for Mac" on some older Windows). 273 274CIFS VFS Mount Options 275====================== 276A partial list of the supported mount options follows: 277 278 username 279 The user name to use when trying to establish 280 the CIFS session. 281 password 282 The user password. If the mount helper is 283 installed, the user will be prompted for password 284 if not supplied. 285 ip 286 The ip address of the target server 287 unc 288 The target server Universal Network Name (export) to 289 mount. 290 domain 291 Set the SMB/CIFS workgroup name prepended to the 292 username during CIFS session establishment 293 forceuid 294 Set the default uid for inodes to the uid 295 passed in on mount. For mounts to servers 296 which do support the CIFS Unix extensions, such as a 297 properly configured Samba server, the server provides 298 the uid, gid and mode so this parameter should not be 299 specified unless the server and clients uid and gid 300 numbering differ. If the server and client are in the 301 same domain (e.g. running winbind or nss_ldap) and 302 the server supports the Unix Extensions then the uid 303 and gid can be retrieved from the server (and uid 304 and gid would not have to be specified on the mount. 305 For servers which do not support the CIFS Unix 306 extensions, the default uid (and gid) returned on lookup 307 of existing files will be the uid (gid) of the person 308 who executed the mount (root, except when mount.cifs 309 is configured setuid for user mounts) unless the ``uid=`` 310 (gid) mount option is specified. Also note that permission 311 checks (authorization checks) on accesses to a file occur 312 at the server, but there are cases in which an administrator 313 may want to restrict at the client as well. For those 314 servers which do not report a uid/gid owner 315 (such as Windows), permissions can also be checked at the 316 client, and a crude form of client side permission checking 317 can be enabled by specifying file_mode and dir_mode on 318 the client. (default) 319 forcegid 320 (similar to above but for the groupid instead of uid) (default) 321 noforceuid 322 Fill in file owner information (uid) by requesting it from 323 the server if possible. With this option, the value given in 324 the uid= option (on mount) will only be used if the server 325 can not support returning uids on inodes. 326 noforcegid 327 (similar to above but for the group owner, gid, instead of uid) 328 uid 329 Set the default uid for inodes, and indicate to the 330 cifs kernel driver which local user mounted. If the server 331 supports the unix extensions the default uid is 332 not used to fill in the owner fields of inodes (files) 333 unless the ``forceuid`` parameter is specified. 334 gid 335 Set the default gid for inodes (similar to above). 336 file_mode 337 If CIFS Unix extensions are not supported by the server 338 this overrides the default mode for file inodes. 339 fsc 340 Enable local disk caching using FS-Cache (off by default). This 341 option could be useful to improve performance on a slow link, 342 heavily loaded server and/or network where reading from the 343 disk is faster than reading from the server (over the network). 344 This could also impact scalability positively as the 345 number of calls to the server are reduced. However, local 346 caching is not suitable for all workloads for e.g. read-once 347 type workloads. So, you need to consider carefully your 348 workload/scenario before using this option. Currently, local 349 disk caching is functional for CIFS files opened as read-only. 350 dir_mode 351 If CIFS Unix extensions are not supported by the server 352 this overrides the default mode for directory inodes. 353 port 354 attempt to contact the server on this tcp port, before 355 trying the usual ports (port 445, then 139). 356 iocharset 357 Codepage used to convert local path names to and from 358 Unicode. Unicode is used by default for network path 359 names if the server supports it. If iocharset is 360 not specified then the nls_default specified 361 during the local client kernel build will be used. 362 If server does not support Unicode, this parameter is 363 unused. 364 rsize 365 default read size (usually 16K). The client currently 366 can not use rsize larger than CIFSMaxBufSize. CIFSMaxBufSize 367 defaults to 16K and may be changed (from 8K to the maximum 368 kmalloc size allowed by your kernel) at module install time 369 for cifs.ko. Setting CIFSMaxBufSize to a very large value 370 will cause cifs to use more memory and may reduce performance 371 in some cases. To use rsize greater than 127K (the original 372 cifs protocol maximum) also requires that the server support 373 a new Unix Capability flag (for very large read) which some 374 newer servers (e.g. Samba 3.0.26 or later) do. rsize can be 375 set from a minimum of 2048 to a maximum of 130048 (127K or 376 CIFSMaxBufSize, whichever is smaller) 377 wsize 378 default write size (default 57344) 379 maximum wsize currently allowed by CIFS is 57344 (fourteen 380 4096 byte pages) 381 actimeo=n 382 attribute cache timeout in seconds (default 1 second). 383 After this timeout, the cifs client requests fresh attribute 384 information from the server. This option allows to tune the 385 attribute cache timeout to suit the workload needs. Shorter 386 timeouts mean better the cache coherency, but increased number 387 of calls to the server. Longer timeouts mean reduced number 388 of calls to the server at the expense of less stricter cache 389 coherency checks (i.e. incorrect attribute cache for a short 390 period of time). 391 rw 392 mount the network share read-write (note that the 393 server may still consider the share read-only) 394 ro 395 mount network share read-only 396 version 397 used to distinguish different versions of the 398 mount helper utility (not typically needed) 399 sep 400 if first mount option (after the -o), overrides 401 the comma as the separator between the mount 402 parameters. e.g.:: 403 404 -o user=myname,password=mypassword,domain=mydom 405 406 could be passed instead with period as the separator by:: 407 408 -o sep=.user=myname.password=mypassword.domain=mydom 409 410 this might be useful when comma is contained within username 411 or password or domain. This option is less important 412 when the cifs mount helper cifs.mount (version 1.1 or later) 413 is used. 414 nosuid 415 Do not allow remote executables with the suid bit 416 program to be executed. This is only meaningful for mounts 417 to servers such as Samba which support the CIFS Unix Extensions. 418 If you do not trust the servers in your network (your mount 419 targets) it is recommended that you specify this option for 420 greater security. 421 exec 422 Permit execution of binaries on the mount. 423 noexec 424 Do not permit execution of binaries on the mount. 425 dev 426 Recognize block devices on the remote mount. 427 nodev 428 Do not recognize devices on the remote mount. 429 suid 430 Allow remote files on this mountpoint with suid enabled to 431 be executed (default for mounts when executed as root, 432 nosuid is default for user mounts). 433 credentials 434 Although ignored by the cifs kernel component, it is used by 435 the mount helper, mount.cifs. When mount.cifs is installed it 436 opens and reads the credential file specified in order 437 to obtain the userid and password arguments which are passed to 438 the cifs vfs. 439 guest 440 Although ignored by the kernel component, the mount.cifs 441 mount helper will not prompt the user for a password 442 if guest is specified on the mount options. If no 443 password is specified a null password will be used. 444 perm 445 Client does permission checks (vfs_permission check of uid 446 and gid of the file against the mode and desired operation), 447 Note that this is in addition to the normal ACL check on the 448 target machine done by the server software. 449 Client permission checking is enabled by default. 450 noperm 451 Client does not do permission checks. This can expose 452 files on this mount to access by other users on the local 453 client system. It is typically only needed when the server 454 supports the CIFS Unix Extensions but the UIDs/GIDs on the 455 client and server system do not match closely enough to allow 456 access by the user doing the mount, but it may be useful with 457 non CIFS Unix Extension mounts for cases in which the default 458 mode is specified on the mount but is not to be enforced on the 459 client (e.g. perhaps when MultiUserMount is enabled) 460 Note that this does not affect the normal ACL check on the 461 target machine done by the server software (of the server 462 ACL against the user name provided at mount time). 463 serverino 464 Use server's inode numbers instead of generating automatically 465 incrementing inode numbers on the client. Although this will 466 make it easier to spot hardlinked files (as they will have 467 the same inode numbers) and inode numbers may be persistent, 468 note that the server does not guarantee that the inode numbers 469 are unique if multiple server side mounts are exported under a 470 single share (since inode numbers on the servers might not 471 be unique if multiple filesystems are mounted under the same 472 shared higher level directory). Note that some older 473 (e.g. pre-Windows 2000) do not support returning UniqueIDs 474 or the CIFS Unix Extensions equivalent and for those 475 this mount option will have no effect. Exporting cifs mounts 476 under nfsd requires this mount option on the cifs mount. 477 This is now the default if server supports the 478 required network operation. 479 noserverino 480 Client generates inode numbers (rather than using the actual one 481 from the server). These inode numbers will vary after 482 unmount or reboot which can confuse some applications, 483 but not all server filesystems support unique inode 484 numbers. 485 setuids 486 If the CIFS Unix extensions are negotiated with the server 487 the client will attempt to set the effective uid and gid of 488 the local process on newly created files, directories, and 489 devices (create, mkdir, mknod). If the CIFS Unix Extensions 490 are not negotiated, for newly created files and directories 491 instead of using the default uid and gid specified on 492 the mount, cache the new file's uid and gid locally which means 493 that the uid for the file can change when the inode is 494 reloaded (or the user remounts the share). 495 nosetuids 496 The client will not attempt to set the uid and gid on 497 on newly created files, directories, and devices (create, 498 mkdir, mknod) which will result in the server setting the 499 uid and gid to the default (usually the server uid of the 500 user who mounted the share). Letting the server (rather than 501 the client) set the uid and gid is the default. If the CIFS 502 Unix Extensions are not negotiated then the uid and gid for 503 new files will appear to be the uid (gid) of the mounter or the 504 uid (gid) parameter specified on the mount. 505 netbiosname 506 When mounting to servers via port 139, specifies the RFC1001 507 source name to use to represent the client netbios machine 508 name when doing the RFC1001 netbios session initialize. 509 direct 510 Do not do inode data caching on files opened on this mount. 511 This precludes mmapping files on this mount. In some cases 512 with fast networks and little or no caching benefits on the 513 client (e.g. when the application is doing large sequential 514 reads bigger than page size without rereading the same data) 515 this can provide better performance than the default 516 behavior which caches reads (readahead) and writes 517 (writebehind) through the local Linux client pagecache 518 if oplock (caching token) is granted and held. Note that 519 direct allows write operations larger than page size 520 to be sent to the server. 521 strictcache 522 Use for switching on strict cache mode. In this mode the 523 client read from the cache all the time it has Oplock Level II, 524 otherwise - read from the server. All written data are stored 525 in the cache, but if the client doesn't have Exclusive Oplock, 526 it writes the data to the server. 527 rwpidforward 528 Forward pid of a process who opened a file to any read or write 529 operation on that file. This prevent applications like WINE 530 from failing on read and write if we use mandatory brlock style. 531 acl 532 Allow setfacl and getfacl to manage posix ACLs if server 533 supports them. (default) 534 noacl 535 Do not allow setfacl and getfacl calls on this mount 536 user_xattr 537 Allow getting and setting user xattrs (those attributes whose 538 name begins with ``user.`` or ``os2.``) as OS/2 EAs (extended 539 attributes) to the server. This allows support of the 540 setfattr and getfattr utilities. (default) 541 nouser_xattr 542 Do not allow getfattr/setfattr to get/set/list xattrs 543 mapchars 544 Translate six of the seven reserved characters (not backslash):: 545 546 *?<>|: 547 548 to the remap range (above 0xF000), which also 549 allows the CIFS client to recognize files created with 550 such characters by Windows's POSIX emulation. This can 551 also be useful when mounting to most versions of Samba 552 (which also forbids creating and opening files 553 whose names contain any of these seven characters). 554 This has no effect if the server does not support 555 Unicode on the wire. 556 nomapchars 557 Do not translate any of these seven characters (default). 558 nocase 559 Request case insensitive path name matching (case 560 sensitive is the default if the server supports it). 561 (mount option ``ignorecase`` is identical to ``nocase``) 562 posixpaths 563 If CIFS Unix extensions are supported, attempt to 564 negotiate posix path name support which allows certain 565 characters forbidden in typical CIFS filenames, without 566 requiring remapping. (default) 567 noposixpaths 568 If CIFS Unix extensions are supported, do not request 569 posix path name support (this may cause servers to 570 reject creatingfile with certain reserved characters). 571 nounix 572 Disable the CIFS Unix Extensions for this mount (tree 573 connection). This is rarely needed, but it may be useful 574 in order to turn off multiple settings all at once (ie 575 posix acls, posix locks, posix paths, symlink support 576 and retrieving uids/gids/mode from the server) or to 577 work around a bug in server which implement the Unix 578 Extensions. 579 nobrl 580 Do not send byte range lock requests to the server. 581 This is necessary for certain applications that break 582 with cifs style mandatory byte range locks (and most 583 cifs servers do not yet support requesting advisory 584 byte range locks). 585 forcemandatorylock 586 Even if the server supports posix (advisory) byte range 587 locking, send only mandatory lock requests. For some 588 (presumably rare) applications, originally coded for 589 DOS/Windows, which require Windows style mandatory byte range 590 locking, they may be able to take advantage of this option, 591 forcing the cifs client to only send mandatory locks 592 even if the cifs server would support posix advisory locks. 593 ``forcemand`` is accepted as a shorter form of this mount 594 option. 595 nostrictsync 596 If this mount option is set, when an application does an 597 fsync call then the cifs client does not send an SMB Flush 598 to the server (to force the server to write all dirty data 599 for this file immediately to disk), although cifs still sends 600 all dirty (cached) file data to the server and waits for the 601 server to respond to the write. Since SMB Flush can be 602 very slow, and some servers may be reliable enough (to risk 603 delaying slightly flushing the data to disk on the server), 604 turning on this option may be useful to improve performance for 605 applications that fsync too much, at a small risk of server 606 crash. If this mount option is not set, by default cifs will 607 send an SMB flush request (and wait for a response) on every 608 fsync call. 609 nodfs 610 Disable DFS (global name space support) even if the 611 server claims to support it. This can help work around 612 a problem with parsing of DFS paths with Samba server 613 versions 3.0.24 and 3.0.25. 614 remount 615 remount the share (often used to change from ro to rw mounts 616 or vice versa) 617 cifsacl 618 Report mode bits (e.g. on stat) based on the Windows ACL for 619 the file. (EXPERIMENTAL) 620 servern 621 Specify the server 's netbios name (RFC1001 name) to use 622 when attempting to setup a session to the server. 623 This is needed for mounting to some older servers (such 624 as OS/2 or Windows 98 and Windows ME) since they do not 625 support a default server name. A server name can be up 626 to 15 characters long and is usually uppercased. 627 sfu 628 When the CIFS Unix Extensions are not negotiated, attempt to 629 create device files and fifos in a format compatible with 630 Services for Unix (SFU). In addition retrieve bits 10-12 631 of the mode via the SETFILEBITS extended attribute (as 632 SFU does). In the future the bottom 9 bits of the 633 mode also will be emulated using queries of the security 634 descriptor (ACL). 635 mfsymlinks 636 Enable support for Minshall+French symlinks 637 (see http://wiki.samba.org/index.php/UNIX_Extensions#Minshall.2BFrench_symlinks) 638 This option is ignored when specified together with the 639 'sfu' option. Minshall+French symlinks are used even if 640 the server supports the CIFS Unix Extensions. 641 sign 642 Must use packet signing (helps avoid unwanted data modification 643 by intermediate systems in the route). Note that signing 644 does not work with lanman or plaintext authentication. 645 seal 646 Must seal (encrypt) all data on this mounted share before 647 sending on the network. Requires support for Unix Extensions. 648 Note that this differs from the sign mount option in that it 649 causes encryption of data sent over this mounted share but other 650 shares mounted to the same server are unaffected. 651 locallease 652 This option is rarely needed. Fcntl F_SETLEASE is 653 used by some applications such as Samba and NFSv4 server to 654 check to see whether a file is cacheable. CIFS has no way 655 to explicitly request a lease, but can check whether a file 656 is cacheable (oplocked). Unfortunately, even if a file 657 is not oplocked, it could still be cacheable (ie cifs client 658 could grant fcntl leases if no other local processes are using 659 the file) for cases for example such as when the server does not 660 support oplocks and the user is sure that the only updates to 661 the file will be from this client. Specifying this mount option 662 will allow the cifs client to check for leases (only) locally 663 for files which are not oplocked instead of denying leases 664 in that case. (EXPERIMENTAL) 665 sec 666 Security mode. Allowed values are: 667 668 none 669 attempt to connection as a null user (no name) 670 krb5 671 Use Kerberos version 5 authentication 672 krb5i 673 Use Kerberos authentication and packet signing 674 ntlm 675 Use NTLM password hashing (default) 676 ntlmi 677 Use NTLM password hashing with signing (if 678 /proc/fs/cifs/PacketSigningEnabled on or if 679 server requires signing also can be the default) 680 ntlmv2 681 Use NTLMv2 password hashing 682 ntlmv2i 683 Use NTLMv2 password hashing with packet signing 684 lanman 685 (if configured in kernel config) use older 686 lanman hash 687 hard 688 Retry file operations if server is not responding 689 soft 690 Limit retries to unresponsive servers (usually only 691 one retry) before returning an error. (default) 692 693The mount.cifs mount helper also accepts a few mount options before -o 694including: 695 696=============== =============================================================== 697 -S take password from stdin (equivalent to setting the environment 698 variable ``PASSWD_FD=0`` 699 -V print mount.cifs version 700 -? display simple usage information 701=============== =============================================================== 702 703With most 2.6 kernel versions of modutils, the version of the cifs kernel 704module can be displayed via modinfo. 705 706Misc /proc/fs/cifs Flags and Debug Info 707======================================= 708 709Informational pseudo-files: 710 711======================= ======================================================= 712DebugData Displays information about active CIFS sessions and 713 shares, features enabled as well as the cifs.ko 714 version. 715Stats Lists summary resource usage information as well as per 716 share statistics. 717open_files List all the open file handles on all active SMB sessions. 718======================= ======================================================= 719 720Configuration pseudo-files: 721 722======================= ======================================================= 723SecurityFlags Flags which control security negotiation and 724 also packet signing. Authentication (may/must) 725 flags (e.g. for NTLM and/or NTLMv2) may be combined with 726 the signing flags. Specifying two different password 727 hashing mechanisms (as "must use") on the other hand 728 does not make much sense. Default flags are:: 729 730 0x07007 731 732 (NTLM, NTLMv2 and packet signing allowed). The maximum 733 allowable flags if you want to allow mounts to servers 734 using weaker password hashes is 0x37037 (lanman, 735 plaintext, ntlm, ntlmv2, signing allowed). Some 736 SecurityFlags require the corresponding menuconfig 737 options to be enabled. Enabling plaintext 738 authentication currently requires also enabling 739 lanman authentication in the security flags 740 because the cifs module only supports sending 741 laintext passwords using the older lanman dialect 742 form of the session setup SMB. (e.g. for authentication 743 using plain text passwords, set the SecurityFlags 744 to 0x30030):: 745 746 may use packet signing 0x00001 747 must use packet signing 0x01001 748 may use NTLM (most common password hash) 0x00002 749 must use NTLM 0x02002 750 may use NTLMv2 0x00004 751 must use NTLMv2 0x04004 752 may use Kerberos security 0x00008 753 must use Kerberos 0x08008 754 may use lanman (weak) password hash 0x00010 755 must use lanman password hash 0x10010 756 may use plaintext passwords 0x00020 757 must use plaintext passwords 0x20020 758 (reserved for future packet encryption) 0x00040 759 760cifsFYI If set to non-zero value, additional debug information 761 will be logged to the system error log. This field 762 contains three flags controlling different classes of 763 debugging entries. The maximum value it can be set 764 to is 7 which enables all debugging points (default 0). 765 Some debugging statements are not compiled into the 766 cifs kernel unless CONFIG_CIFS_DEBUG2 is enabled in the 767 kernel configuration. cifsFYI may be set to one or 768 more of the following flags (7 sets them all):: 769 770 +-----------------------------------------------+------+ 771 | log cifs informational messages | 0x01 | 772 +-----------------------------------------------+------+ 773 | log return codes from cifs entry points | 0x02 | 774 +-----------------------------------------------+------+ 775 | log slow responses | 0x04 | 776 | (ie which take longer than 1 second) | | 777 | | | 778 | CONFIG_CIFS_STATS2 must be enabled in .config | | 779 +-----------------------------------------------+------+ 780 781traceSMB If set to one, debug information is logged to the 782 system error log with the start of smb requests 783 and responses (default 0) 784LookupCacheEnable If set to one, inode information is kept cached 785 for one second improving performance of lookups 786 (default 1) 787LinuxExtensionsEnabled If set to one then the client will attempt to 788 use the CIFS "UNIX" extensions which are optional 789 protocol enhancements that allow CIFS servers 790 to return accurate UID/GID information as well 791 as support symbolic links. If you use servers 792 such as Samba that support the CIFS Unix 793 extensions but do not want to use symbolic link 794 support and want to map the uid and gid fields 795 to values supplied at mount (rather than the 796 actual values, then set this to zero. (default 1) 797dfscache List the content of the DFS cache. 798 If set to 0, the client will clear the cache. 799======================= ======================================================= 800 801These experimental features and tracing can be enabled by changing flags in 802/proc/fs/cifs (after the cifs module has been installed or built into the 803kernel, e.g. insmod cifs). To enable a feature set it to 1 e.g. to enable 804tracing to the kernel message log type:: 805 806 echo 7 > /proc/fs/cifs/cifsFYI 807 808cifsFYI functions as a bit mask. Setting it to 1 enables additional kernel 809logging of various informational messages. 2 enables logging of non-zero 810SMB return codes while 4 enables logging of requests that take longer 811than one second to complete (except for byte range lock requests). 812Setting it to 4 requires CONFIG_CIFS_STATS2 to be set in kernel configuration 813(.config). Setting it to seven enables all three. Finally, tracing 814the start of smb requests and responses can be enabled via:: 815 816 echo 1 > /proc/fs/cifs/traceSMB 817 818Per share (per client mount) statistics are available in /proc/fs/cifs/Stats. 819Additional information is available if CONFIG_CIFS_STATS2 is enabled in the 820kernel configuration (.config). The statistics returned include counters which 821represent the number of attempted and failed (ie non-zero return code from the 822server) SMB3 (or cifs) requests grouped by request type (read, write, close etc.). 823Also recorded is the total bytes read and bytes written to the server for 824that share. Note that due to client caching effects this can be less than the 825number of bytes read and written by the application running on the client. 826Statistics can be reset to zero by ``echo 0 > /proc/fs/cifs/Stats`` which may be 827useful if comparing performance of two different scenarios. 828 829Also note that ``cat /proc/fs/cifs/DebugData`` will display information about 830the active sessions and the shares that are mounted. 831 832Enabling Kerberos (extended security) works but requires version 1.2 or later 833of the helper program cifs.upcall to be present and to be configured in the 834/etc/request-key.conf file. The cifs.upcall helper program is from the Samba 835project(https://www.samba.org). NTLM and NTLMv2 and LANMAN support do not 836require this helper. Note that NTLMv2 security (which does not require the 837cifs.upcall helper program), instead of using Kerberos, is sufficient for 838some use cases. 839 840DFS support allows transparent redirection to shares in an MS-DFS name space. 841In addition, DFS support for target shares which are specified as UNC 842names which begin with host names (rather than IP addresses) requires 843a user space helper (such as cifs.upcall) to be present in order to 844translate host names to ip address, and the user space helper must also 845be configured in the file /etc/request-key.conf. Samba, Windows servers and 846many NAS appliances support DFS as a way of constructing a global name 847space to ease network configuration and improve reliability. 848 849To use cifs Kerberos and DFS support, the Linux keyutils package should be 850installed and something like the following lines should be added to the 851/etc/request-key.conf file:: 852 853 create cifs.spnego * * /usr/local/sbin/cifs.upcall %k 854 create dns_resolver * * /usr/local/sbin/cifs.upcall %k 855 856CIFS kernel module parameters 857============================= 858These module parameters can be specified or modified either during the time of 859module loading or during the runtime by using the interface:: 860 861 /sys/module/cifs/parameters/<param> 862 863i.e.:: 864 865 echo "value" > /sys/module/cifs/parameters/<param> 866 867================= ========================================================== 8681. enable_oplocks Enable or disable oplocks. Oplocks are enabled by default. 869 [Y/y/1]. To disable use any of [N/n/0]. 870================= ========================================================== 871