forked from Minki/linux
[CIFS] Kerberos and CIFS ACL support part 1
Signed-off-by: Steve French <sfrench@us.ibm.com>
This commit is contained in:
parent
83451879ab
commit
bf82067917
@ -436,7 +436,17 @@ A partial list of the supported mount options follows:
|
|||||||
SFU does). In the future the bottom 9 bits of the mode
|
SFU does). In the future the bottom 9 bits of the mode
|
||||||
mode also will be emulated using queries of the security
|
mode also will be emulated using queries of the security
|
||||||
descriptor (ACL).
|
descriptor (ACL).
|
||||||
|
sec Security mode. Allowed values are:
|
||||||
|
none attempt to connection as a null user (no name)
|
||||||
|
krb5 Use Kerberos version 5 authentication
|
||||||
|
krb5i Use Kerberos authentication and packet signing
|
||||||
|
ntlm Use NTLM password hashing (default)
|
||||||
|
ntlmi Use NTLM password hashing with signing (if
|
||||||
|
/proc/fs/cifs/PacketSigningEnabled on or if
|
||||||
|
server requires signing also can be the default)
|
||||||
|
ntlmv2 Use NTLMv2 password hashing
|
||||||
|
ntlmv2i Use NTLMv2 password hashing with packet signing
|
||||||
|
|
||||||
The mount.cifs mount helper also accepts a few mount options before -o
|
The mount.cifs mount helper also accepts a few mount options before -o
|
||||||
including:
|
including:
|
||||||
|
|
||||||
|
36
fs/cifs/cifsacl.h
Normal file
36
fs/cifs/cifsacl.h
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
/*
|
||||||
|
* fs/cifs/cifsacl.h
|
||||||
|
*
|
||||||
|
* Copyright (c) International Business Machines Corp., 2005
|
||||||
|
* Author(s): Steve French (sfrench@us.ibm.com)
|
||||||
|
*
|
||||||
|
* This library is free software; you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Lesser General Public License as published
|
||||||
|
* by the Free Software Foundation; either version 2.1 of the License, or
|
||||||
|
* (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This library is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
|
||||||
|
* the GNU Lesser General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Lesser General Public License
|
||||||
|
* along with this library; if not, write to the Free Software
|
||||||
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef _CIFSACL_H
|
||||||
|
#define _CIFSACL_H
|
||||||
|
|
||||||
|
struct cifs_sid {
|
||||||
|
__u8 revision; /* revision level */
|
||||||
|
__u8 num_subauths;
|
||||||
|
__u8 authority[6];
|
||||||
|
__u8 sub_auth[4];
|
||||||
|
/* next sub_auth if any ... */
|
||||||
|
} __attribute__((packed));
|
||||||
|
|
||||||
|
/* everyone */
|
||||||
|
const cifs_sid sid_everyone = {1, 1, {0, 0, 0, 0, 0, 0}, {0, 0, 0, 0}};
|
||||||
|
/* group users */
|
||||||
|
const cifs_sid sid_user = {1, 2 , {0, 0, 0, 0, 0, 5}, {32, 545, 0, 0}};
|
@ -1,7 +1,7 @@
|
|||||||
/*
|
/*
|
||||||
* fs/cifs/cifspdu.h
|
* fs/cifs/cifspdu.h
|
||||||
*
|
*
|
||||||
* Copyright (c) International Business Machines Corp., 2002
|
* Copyright (c) International Business Machines Corp., 2002,2005
|
||||||
* Author(s): Steve French (sfrench@us.ibm.com)
|
* Author(s): Steve French (sfrench@us.ibm.com)
|
||||||
*
|
*
|
||||||
* This library is free software; you can redistribute it and/or modify
|
* This library is free software; you can redistribute it and/or modify
|
||||||
|
@ -82,6 +82,12 @@ struct smb_vol {
|
|||||||
unsigned remap:1; /* set to remap seven reserved chars in filenames */
|
unsigned remap:1; /* set to remap seven reserved chars in filenames */
|
||||||
unsigned posix_paths:1; /* unset to not ask for posix pathnames. */
|
unsigned posix_paths:1; /* unset to not ask for posix pathnames. */
|
||||||
unsigned sfu_emul:1;
|
unsigned sfu_emul:1;
|
||||||
|
unsigned krb5:1;
|
||||||
|
unsigned ntlm:1;
|
||||||
|
unsigned ntlmv2:1;
|
||||||
|
unsigned nullauth:1; /* attempt to authenticate with null user */
|
||||||
|
unsigned sign:1;
|
||||||
|
unsigned seal:1; /* encrypt */
|
||||||
unsigned nocase; /* request case insensitive filenames */
|
unsigned nocase; /* request case insensitive filenames */
|
||||||
unsigned nobrl; /* disable sending byte range locks to srv */
|
unsigned nobrl; /* disable sending byte range locks to srv */
|
||||||
unsigned int rsize;
|
unsigned int rsize;
|
||||||
@ -777,7 +783,7 @@ cifs_parse_mount_options(char *options, const char *devname,struct smb_vol *vol)
|
|||||||
|
|
||||||
/* vol->retry default is 0 (i.e. "soft" limited retry not hard retry) */
|
/* vol->retry default is 0 (i.e. "soft" limited retry not hard retry) */
|
||||||
vol->rw = TRUE;
|
vol->rw = TRUE;
|
||||||
|
vol->ntlm = TRUE;
|
||||||
/* default is always to request posix paths. */
|
/* default is always to request posix paths. */
|
||||||
vol->posix_paths = 1;
|
vol->posix_paths = 1;
|
||||||
|
|
||||||
@ -903,6 +909,39 @@ cifs_parse_mount_options(char *options, const char *devname,struct smb_vol *vol)
|
|||||||
printk(KERN_WARNING "CIFS: ip address too long\n");
|
printk(KERN_WARNING "CIFS: ip address too long\n");
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
} else if (strnicmp(data, "sec", 3) == 0) {
|
||||||
|
if (!value || !*value) {
|
||||||
|
cERROR(1,("no security value specified"));
|
||||||
|
continue;
|
||||||
|
} else if (strnicmp(value, "krb5i", 5) == 0) {
|
||||||
|
vol->sign = 1;
|
||||||
|
vol->krb5 = 1;
|
||||||
|
} else if (strnicmp(value, "krb5p", 5) == 0) {
|
||||||
|
/* vol->seal = 1;
|
||||||
|
vol->krb5 = 1; */
|
||||||
|
cERROR(1,("Krb5 cifs privacy not supported"));
|
||||||
|
return 1;
|
||||||
|
} else if (strnicmp(value, "krb5", 4) == 0) {
|
||||||
|
vol->krb5 = 1;
|
||||||
|
} else if (strnicmp(value, "ntlmv2i", 7) == 0) {
|
||||||
|
vol->ntlmv2 = 1;
|
||||||
|
vol->sign = 1;
|
||||||
|
} else if (strnicmp(value, "ntlmv2", 6) == 0) {
|
||||||
|
vol->ntlmv2 = 1;
|
||||||
|
} else if (strnicmp(value, "ntlmi", 5) == 0) {
|
||||||
|
vol->ntlm = 1;
|
||||||
|
vol->sign = 1;
|
||||||
|
} else if (strnicmp(value, "ntlm", 4) == 0) {
|
||||||
|
/* ntlm is default so can be turned off too */
|
||||||
|
vol->ntlm = 1;
|
||||||
|
} else if (strnicmp(value, "nontlm", 6) == 0) {
|
||||||
|
vol->ntlm = 0;
|
||||||
|
} else if (strnicmp(value, "none", 4) == 0) {
|
||||||
|
vol->nullauth = 1;
|
||||||
|
} else {
|
||||||
|
cERROR(1,("bad security option: %s", value));
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
} else if ((strnicmp(data, "unc", 3) == 0)
|
} else if ((strnicmp(data, "unc", 3) == 0)
|
||||||
|| (strnicmp(data, "target", 6) == 0)
|
|| (strnicmp(data, "target", 6) == 0)
|
||||||
|| (strnicmp(data, "path", 4) == 0)) {
|
|| (strnicmp(data, "path", 4) == 0)) {
|
||||||
@ -1546,7 +1585,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
|
|||||||
cFYI(1, ("Username: %s ", volume_info.username));
|
cFYI(1, ("Username: %s ", volume_info.username));
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
cifserror("No username specified ");
|
cifserror("No username specified");
|
||||||
/* In userspace mount helper we can get user name from alternate
|
/* In userspace mount helper we can get user name from alternate
|
||||||
locations such as env variables and files on disk */
|
locations such as env variables and files on disk */
|
||||||
kfree(volume_info.UNC);
|
kfree(volume_info.UNC);
|
||||||
@ -1587,7 +1626,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
|
|||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
} else /* which servers DFS root would we conect to */ {
|
} else /* which servers DFS root would we conect to */ {
|
||||||
cERROR(1,
|
cERROR(1,
|
||||||
("CIFS mount error: No UNC path (e.g. -o unc=//192.168.1.100/public) specified "));
|
("CIFS mount error: No UNC path (e.g. -o unc=//192.168.1.100/public) specified"));
|
||||||
kfree(volume_info.UNC);
|
kfree(volume_info.UNC);
|
||||||
kfree(volume_info.password);
|
kfree(volume_info.password);
|
||||||
FreeXid(xid);
|
FreeXid(xid);
|
||||||
@ -1626,7 +1665,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
|
|||||||
|
|
||||||
|
|
||||||
if (srvTcp) {
|
if (srvTcp) {
|
||||||
cFYI(1, ("Existing tcp session with server found "));
|
cFYI(1, ("Existing tcp session with server found"));
|
||||||
} else { /* create socket */
|
} else { /* create socket */
|
||||||
if(volume_info.port)
|
if(volume_info.port)
|
||||||
sin_server.sin_port = htons(volume_info.port);
|
sin_server.sin_port = htons(volume_info.port);
|
||||||
@ -1689,11 +1728,11 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
|
|||||||
|
|
||||||
if (existingCifsSes) {
|
if (existingCifsSes) {
|
||||||
pSesInfo = existingCifsSes;
|
pSesInfo = existingCifsSes;
|
||||||
cFYI(1, ("Existing smb sess found "));
|
cFYI(1, ("Existing smb sess found"));
|
||||||
kfree(volume_info.password);
|
kfree(volume_info.password);
|
||||||
/* volume_info.UNC freed at end of function */
|
/* volume_info.UNC freed at end of function */
|
||||||
} else if (!rc) {
|
} else if (!rc) {
|
||||||
cFYI(1, ("Existing smb sess not found "));
|
cFYI(1, ("Existing smb sess not found"));
|
||||||
pSesInfo = sesInfoAlloc();
|
pSesInfo = sesInfoAlloc();
|
||||||
if (pSesInfo == NULL)
|
if (pSesInfo == NULL)
|
||||||
rc = -ENOMEM;
|
rc = -ENOMEM;
|
||||||
@ -1777,7 +1816,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
|
|||||||
find_unc(sin_server.sin_addr.s_addr, volume_info.UNC,
|
find_unc(sin_server.sin_addr.s_addr, volume_info.UNC,
|
||||||
volume_info.username);
|
volume_info.username);
|
||||||
if (tcon) {
|
if (tcon) {
|
||||||
cFYI(1, ("Found match on UNC path "));
|
cFYI(1, ("Found match on UNC path"));
|
||||||
/* we can have only one retry value for a connection
|
/* we can have only one retry value for a connection
|
||||||
to a share so for resources mounted more than once
|
to a share so for resources mounted more than once
|
||||||
to the same server share the last value passed in
|
to the same server share the last value passed in
|
||||||
|
Loading…
Reference in New Issue
Block a user