===========
cifs.upcall
===========

--------------------------------------------------------------
Userspace upcall helper for Common Internet File System (CIFS)
--------------------------------------------------------------
:Manual section: 8

********
SYNOPSIS
********

  cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
              [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
              [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid}

***********
DESCRIPTION
***********

This tool is part of the cifs-utils suite.

``cifs.upcall`` is a userspace helper program for the Linux CIFS client
filesystem. There are a number of activities that the kernel cannot
easily do itself. This program is a callout program that does these
things for the kernel and then returns the result.

``cifs.upcall`` is generally intended to be run when the kernel calls
request-key(8) for a particular key type. While it can be run
directly from the command-line, it's not generally intended to be run
that way.

*******
OPTIONS
*******

-c
  This option is deprecated and is currently ignored.

--no-env-probe|-E
  Normally, ``cifs.upcall`` will probe the environment variable space of
  the process that initiated the upcall in order to fetch the value of
  ``$KRB5CCNAME``. This can assist the program with finding credential
  caches in non-default locations. If this option is set, then the
  program won't do this and will rely on finding credcaches in the
  default locations specified in *krb5.conf*. Note that this is never
  performed when the uid is 0. The default credcache location is always
  used when the uid is 0, regardless of the environment variable setting
  in the process.

--krb5conf|-k=/path/to/krb5.conf
  This option allows administrators to set an alternate location for the
  *krb5.conf* file that ``cifs.upcall`` will use.

--keytab=|-K=/path/to/keytab
  This option allows administrators to specify a keytab file to be
  used. When a user has no credential cache already established,
  ``cifs.upcall`` will attempt to use this keytab to acquire them. The
  default is the system-wide keytab */etc/krb5.keytab*.

--trust-dns|-t
  With krb5 upcalls, the name used as the host portion of the service
  principal defaults to the hostname portion of the UNC. This option
  allows the upcall program to reverse resolve the network address of
  the server in order to get the hostname.

  This is less secure than not trusting DNS. When using this option,
  it's possible that an attacker could get control of DNS and trick the
  client into mounting a different server altogether. It's preferable to
  instead add server principals to the KDC for every possible hostname,
  but this option exists for cases where that isn't possible. The
  default is to not trust reverse hostname lookups in this fashion.

--legacy-uid|-l
  Traditionally, the kernel has sent only a single uid= parameter to the
  upcall for the SPNEGO upcall that's used to determine what user's
  credential cache to use. This parameter is affected by the uid=
  mount option, which also governs the ownership of files on the mount.

  Newer kernels send a creduid= option as well, which contains what uid
  it thinks actually owns the credentials that it's looking for. At
  mount time, this is generally set to the real uid of the user doing
  the mount. For multisession mounts, it's set to the fsuid of the mount
  user. Set this option if you want cifs.upcall to use the older uid=
  parameter instead of the creduid= parameter.

--version|-v
  Print version number and exit.

************************
CONFIGURATION FOR KEYCTL
************************

``cifs.upcall`` is designed to be called from the kernel via the
request-key callout program. This requires that request-key be told
where and how to call this program. The current ``cifs.upcall``
program handles two different key types:

cifs.spnego
  This key type is for retrieving Kerberos session keys.

dns_resolver
  This key type is for resolving hostnames into IP addresses. Support
  for this key type may eventually be deprecated (see below).

To make this program useful for CIFS, you'll need to set up entries
for them in request-key.conf(5). Here's an example of an entry for
each key type::

    #OPERATION  TYPE           D C PROGRAM ARG1 ARG2...
    #=========  =============  = = ================================
    create      cifs.spnego    * * @sbindir@/cifs.upcall %k
    create      dns_resolver   * * @sbindir@/cifs.upcall %k

See request-key.conf(5) for more info on each field.

The keyutils package now includes its own ``dns_resolver`` handling
program, which is preferred over the one in
``cifs.upcall``. If you are using a keyutils version equal to or
greater than 1.5, you should use ``key.dns_resolver`` to handle the
``dns_resolver`` keytype instead of ``cifs.upcall``. See
key.dns_resolver(8) for more info.
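
The two recommendations in this page (leave ``--trust-dns`` off, and hand ``dns_resolver`` to ``key.dns_resolver``) can be checked against a host's request-key.conf(5) entries. The following is an added example, not part of cifs-utils: the sample lines, the ``/usr/sbin`` and ``/sbin`` paths and the function names are assumptions for illustration, and option parsing assumes conventional getopt-style handling.

```python
import os

# Constructed sample in request-key.conf(5) layout; /usr/sbin stands in for @sbindir@.
SAMPLE_CONF = """\
#OPERATION TYPE         D C PROGRAM ARG1 ARG2...
create     cifs.spnego  * * /usr/sbin/cifs.upcall -t %k
create     cifs.spnego  * * /usr/sbin/cifs.upcall -k /etc/krb5-test.conf %k
create     dns_resolver * * /usr/sbin/cifs.upcall %k
create     dns_resolver * * /sbin/key.dns_resolver %k
"""

def trusts_dns(args):
    """True if the argument list enables --trust-dns / -t."""
    skip = False
    for arg in args:
        if skip:                      # value belonging to a preceding -k / -K
            skip = False
        elif arg.startswith("--"):
            name = arg.split("=", 1)[0]
            # Assumption: abbreviated long options are accepted, so flag them too.
            if len(name) > 2 and "--trust-dns".startswith(name):
                return True
        elif arg.startswith("-"):
            for i, ch in enumerate(arg[1:], 1):
                if ch == "t":
                    return True
                if ch in "kK":        # takes a value: rest of this arg or the next arg
                    skip = i == len(arg) - 1
                    break
    return False

def audit(conf_text):
    """Return (line_number, key_type, finding) for cifs.upcall entries worth review."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split()
        if len(fields) < 5 or fields[0].startswith("#"):
            continue                  # blank, comment, or incomplete entry
        key_type, program, args = fields[1], fields[4], fields[5:]
        if os.path.basename(program) != "cifs.upcall":
            continue
        if trusts_dns(args):
            findings.append((n, key_type, "trust-dns enabled"))
        if key_type == "dns_resolver":
            findings.append((n, key_type, "prefer key.dns_resolver (keyutils >= 1.5)"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```
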

********
SEE ALSO
********

request-key.conf(5), mount.cifs(8), key.dns_resolver(8)

******
AUTHOR
******

Igor Mammedov wrote the cifs.upcall program.

Jeff Layton authored this manpage.

The maintainer of the Linux CIFS VFS is Steve French.

The Linux CIFS Mailing list is the preferred place to ask questions
regarding these programs.