mirror of
https://github.com/torvalds/linux.git
synced 2024-11-13 23:51:39 +00:00
429b46f4fd
SMB3 uses a much faster method of signing (which is also better in other ways), AES-CMAC. With the kernel now supporting AES-CMAC since last release, we are overdue to allow SMB3 signing (today only CIFS and SMB2 and SMB2.1, but not SMB3 and SMB3.1 can sign) - and we need this also for checking secure negotation and also per-share encryption (two other new SMB3 features which we need to implement). This patch needs some work in a few areas - for example we need to move signing for SMB2/SMB3 from per-socket to per-user (we may be able to use the "nosharesock" mount option in the interim for the multiuser case), and Shirish found a bug in the earlier authentication overhaul (setting signing flags properly) - but those can be done in followon patches. Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com> Signed-off-by: Steve French <smfrench@gmail.com>
192 lines
7.4 KiB
Plaintext
192 lines
7.4 KiB
Plaintext
config CIFS
|
|
tristate "CIFS support (advanced network filesystem, SMBFS successor)"
|
|
depends on INET
|
|
select NLS
|
|
select CRYPTO
|
|
select CRYPTO_MD4
|
|
select CRYPTO_MD5
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_ARC4
|
|
select CRYPTO_ECB
|
|
select CRYPTO_DES
|
|
select CRYPTO_SHA256
|
|
select CRYPTO_CMAC
|
|
help
|
|
This is the client VFS module for the Common Internet File System
|
|
(CIFS) protocol which is the successor to the Server Message Block
|
|
(SMB) protocol, the native file sharing mechanism for most early
|
|
PC operating systems. The CIFS protocol is fully supported by
|
|
file servers such as Windows 2000 (including Windows 2003, Windows 2008,
|
|
NT 4 and Windows XP) as well by Samba (which provides excellent CIFS
|
|
server support for Linux and many other operating systems). Limited
|
|
support for OS/2 and Windows ME and similar servers is provided as
|
|
well.
|
|
|
|
The cifs module provides an advanced network file system
|
|
client for mounting to CIFS compliant servers. It includes
|
|
support for DFS (hierarchical name space), secure per-user
|
|
session establishment via Kerberos or NTLM or NTLMv2,
|
|
safe distributed caching (oplock), optional packet
|
|
signing, Unicode and other internationalization improvements.
|
|
If you need to mount to Samba or Windows from this machine, say Y.
|
|
|
|
config CIFS_STATS
|
|
bool "CIFS statistics"
|
|
depends on CIFS
|
|
help
|
|
Enabling this option will cause statistics for each server share
|
|
mounted by the cifs client to be displayed in /proc/fs/cifs/Stats
|
|
|
|
config CIFS_STATS2
|
|
bool "Extended statistics"
|
|
depends on CIFS_STATS
|
|
help
|
|
Enabling this option will allow more detailed statistics on SMB
|
|
request timing to be displayed in /proc/fs/cifs/DebugData and also
|
|
allow optional logging of slow responses to dmesg (depending on the
|
|
value of /proc/fs/cifs/cifsFYI, see fs/cifs/README for more details).
|
|
These additional statistics may have a minor effect on performance
|
|
and memory utilization.
|
|
|
|
Unless you are a developer or are doing network performance analysis
|
|
or tuning, say N.
|
|
|
|
config CIFS_WEAK_PW_HASH
|
|
bool "Support legacy servers which use weaker LANMAN security"
|
|
depends on CIFS
|
|
help
|
|
Modern CIFS servers including Samba and most Windows versions
|
|
(since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
|
|
security mechanisms. These hash the password more securely
|
|
than the mechanisms used in the older LANMAN version of the
|
|
SMB protocol but LANMAN based authentication is needed to
|
|
establish sessions with some old SMB servers.
|
|
|
|
Enabling this option allows the cifs module to mount to older
|
|
LANMAN based servers such as OS/2 and Windows 95, but such
|
|
mounts may be less secure than mounts using NTLM or more recent
|
|
security mechanisms if you are on a public network. Unless you
|
|
have a need to access old SMB servers (and are on a private
|
|
network) you probably want to say N. Even if this support
|
|
is enabled in the kernel build, LANMAN authentication will not be
|
|
used automatically. At runtime LANMAN mounts are disabled but
|
|
can be set to required (or optional) either in
|
|
/proc/fs/cifs (see fs/cifs/README for more detail) or via an
|
|
option on the mount command. This support is disabled by
|
|
default in order to reduce the possibility of a downgrade
|
|
attack.
|
|
|
|
If unsure, say N.
|
|
|
|
config CIFS_UPCALL
|
|
bool "Kerberos/SPNEGO advanced session setup"
|
|
depends on CIFS && KEYS
|
|
select DNS_RESOLVER
|
|
help
|
|
Enables an upcall mechanism for CIFS which accesses userspace helper
|
|
utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets
|
|
which are needed to mount to certain secure servers (for which more
|
|
secure Kerberos authentication is required). If unsure, say N.
|
|
|
|
config CIFS_XATTR
|
|
bool "CIFS extended attributes"
|
|
depends on CIFS
|
|
help
|
|
Extended attributes are name:value pairs associated with inodes by
|
|
the kernel or by users (see the attr(5) manual page, or visit
|
|
<http://acl.bestbits.at/> for details). CIFS maps the name of
|
|
extended attributes beginning with the user namespace prefix
|
|
to SMB/CIFS EAs. EAs are stored on Windows servers without the
|
|
user namespace prefix, but their names are seen by Linux cifs clients
|
|
prefaced by the user namespace prefix. The system namespace
|
|
(used by some filesystems to store ACLs) is not supported at
|
|
this time.
|
|
|
|
If unsure, say N.
|
|
|
|
config CIFS_POSIX
|
|
bool "CIFS POSIX Extensions"
|
|
depends on CIFS_XATTR
|
|
help
|
|
Enabling this option will cause the cifs client to attempt to
|
|
negotiate a newer dialect with servers, such as Samba 3.0.5
|
|
or later, that optionally can handle more POSIX like (rather
|
|
than Windows like) file behavior. It also enables
|
|
support for POSIX ACLs (getfacl and setfacl) to servers
|
|
(such as Samba 3.10 and later) which can negotiate
|
|
CIFS POSIX ACL support. If unsure, say N.
|
|
|
|
config CIFS_ACL
|
|
bool "Provide CIFS ACL support"
|
|
depends on CIFS_XATTR && KEYS
|
|
help
|
|
Allows fetching CIFS/NTFS ACL from the server. The DACL blob
|
|
is handed over to the application/caller.
|
|
|
|
config CIFS_DEBUG
|
|
bool "Enable CIFS debugging routines"
|
|
default y
|
|
depends on CIFS
|
|
help
|
|
Enabling this option adds helpful debugging messages to
|
|
the cifs code which increases the size of the cifs module.
|
|
If unsure, say Y.
|
|
config CIFS_DEBUG2
|
|
bool "Enable additional CIFS debugging routines"
|
|
depends on CIFS_DEBUG
|
|
help
|
|
Enabling this option adds a few more debugging routines
|
|
to the cifs code which slightly increases the size of
|
|
the cifs module and can cause additional logging of debug
|
|
messages in some error paths, slowing performance. This
|
|
option can be turned off unless you are debugging
|
|
cifs problems. If unsure, say N.
|
|
|
|
config CIFS_DFS_UPCALL
|
|
bool "DFS feature support"
|
|
depends on CIFS && KEYS
|
|
select DNS_RESOLVER
|
|
help
|
|
Distributed File System (DFS) support is used to access shares
|
|
transparently in an enterprise name space, even if the share
|
|
moves to a different server. This feature also enables
|
|
an upcall mechanism for CIFS which contacts userspace helper
|
|
utilities to provide server name resolution (host names to
|
|
IP addresses) which is needed for implicit mounts of DFS junction
|
|
points. If unsure, say N.
|
|
|
|
config CIFS_NFSD_EXPORT
|
|
bool "Allow nfsd to export CIFS file system"
|
|
depends on CIFS && BROKEN
|
|
help
|
|
Allows NFS server to export a CIFS mounted share (nfsd over cifs)
|
|
|
|
config CIFS_SMB2
|
|
bool "SMB2 network file system support"
|
|
depends on CIFS && INET
|
|
select NLS
|
|
select KEYS
|
|
select FSCACHE
|
|
select DNS_RESOLVER
|
|
|
|
help
|
|
This enables experimental support for the SMB2 (Server Message Block
|
|
version 2) protocol. The SMB2 protocol is the successor to the
|
|
popular CIFS and SMB network file sharing protocols. SMB2 is the
|
|
native file sharing mechanism for recent versions of Windows
|
|
operating systems (since Vista). SMB2 enablement will eventually
|
|
allow users better performance, security and features, than would be
|
|
possible with cifs. Note that smb2 mount options also are simpler
|
|
(compared to cifs) due to protocol improvements.
|
|
|
|
Unless you are a developer or tester, say N.
|
|
|
|
config CIFS_FSCACHE
|
|
bool "Provide CIFS client caching support"
|
|
depends on CIFS=m && FSCACHE || CIFS=y && FSCACHE=y
|
|
help
|
|
Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data
|
|
to be cached locally on disk through the general filesystem cache
|
|
manager. If unsure, say N.
|
|
|