==========
mount.cifs
==========

--------------------------------------------------
mount using the Common Internet File System (CIFS)
--------------------------------------------------
:Manual section: 8

********
SYNOPSIS
********

mount.cifs {service} {mount-point} [-o options]

This tool is part of the cifs-utils suite.

``mount.cifs`` mounts a Linux CIFS filesystem. It is usually invoked
indirectly by the mount(8) command when using the "-t cifs"
option. This command only works in Linux, and the kernel must support
the cifs filesystem. The CIFS protocol is the successor to the SMB
protocol and is supported by most Windows servers and many other
commercial servers and Network Attached Storage appliances as well as
by the popular Open Source server Samba.

The mount.cifs utility attaches the UNC name (exported network
resource) specified as service (using ``//server/share`` syntax, where
"server" is the server name or IP address and "share" is the name of
the share) to the local directory mount-point.

Options to mount.cifs are specified as a comma-separated list of
``key=value`` pairs. It is possible to send options other than those
listed here, assuming that the cifs filesystem kernel module
(``cifs.ko``) supports them. Unrecognized cifs mount options passed to
the cifs vfs kernel code will be logged to the kernel log.

``mount.cifs`` causes the cifs vfs to launch a thread named
cifsd. After mounting it keeps running until the mounted resource is
unmounted (usually via the ``umount`` utility).

The ``mount.cifs -V`` command displays the version of the cifs mount helper.

The ``modinfo cifs`` command displays the version of the cifs module.

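The comma-separated option string described above, and several of the warnings in the OPTIONS section below, can be checked mechanically before an entry reaches mount(8). The following is an added example, not part of cifs-utils or of the original page: it splits an option string at commas as this page describes and flags inline passwords, a password cut short by a comma, the deprecated username forms, the ``user=`` abbreviation, missing ``seal`` or forced signing, ``noperm``, and a credentials file that group or others can access. The finding names, the ``audit_*`` helpers and the sample fstab entries are constructed for illustration.

```python
import os
import stat

# Valueless options documented on this page. A bare token that is not one of
# these and directly follows password= is probably the tail of a password
# that was split at a comma.
FLAG_OPTIONS = {
    "guest", "ro", "rw", "forceuid", "forcegid", "setuids", "nosetuids",
    "perm", "noperm", "dynperm", "handlecache", "nohandlecache", "directio",
    "strictcache", "rwpidforward", "mapchars", "nomapchars", "intr", "nointr",
    "hard", "soft", "noacl", "cifsacl", "nocase", "ignorecase", "seal",
    "nobrl", "sfu", "mfsymlinks", "rdma", "serverino", "noserverino",
    "nounix", "nouser_xattr", "fsc", "multiuser",
}
# sec= values that this page says force packet signing.
SIGNING_SEC = {"krb5i", "ntlmi", "ntlmv2i", "ntlmsspi"}


def split_options(optstr):
    """Split an -o string on commas; value is None for a bare flag."""
    pairs = []
    for token in filter(None, optstr.split(",")):
        key, sep, value = token.partition("=")
        pairs.append((key, value if sep else None))
    return pairs


def check_credentials_file(path):
    """Findings for a credentials= file, judged by its permission bits."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return ["credentials-file-inaccessible"]
    # Any group/other bit lets accounts besides the owner reach the password.
    return ["credentials-file-group-or-other-access"] if mode & 0o077 else []


def audit_options(optstr):
    """Return sorted finding ids (names chosen for this example)."""
    findings, opts, prev = set(), {}, None
    for key, value in split_options(optstr):
        if value is None and key not in FLAG_OPTIONS and prev in ("password", "pass"):
            # "password=a,b" arrives as password=a followed by a stray token b.
            findings.add("password-split-at-comma")
        opts[key] = value
        prev = key
    if "password" in opts or "pass" in opts:
        findings.add("inline-password")      # plaintext, e.g. in /etc/fstab
    if "user" in opts:
        findings.add("user-abbreviation")    # can look like a non-superuser mount
    name = opts.get("username") or opts.get("user") or ""
    if "%" in name or "/" in name:
        findings.add("deprecated-username-format")
    sec = opts.get("sec")
    if "guest" in opts or sec == "none":
        findings.add("anonymous-session")
    if "seal" not in opts:
        findings.add("no-smb-encryption")
        # Example's choice: AES-128-CCM (seal) is authenticated encryption,
        # so forced signing is only checked when seal is absent.
        if sec not in SIGNING_SEC:
            findings.add("signing-not-forced")
    if "noperm" in opts:
        findings.add("client-permission-checks-off")
    cred = opts.get("credentials") or opts.get("cred")
    if cred:
        findings.update(check_credentials_file(cred))
    return sorted(findings)


def audit_fstab(text):
    """Map each cifs mount point in fstab-format text to its findings."""
    report = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "cifs" and not line.lstrip().startswith("#"):
            report[fields[1]] = audit_options(fields[3])
    return report


# Constructed sample entries (hosts, accounts and paths are made up).
SAMPLE_FSTAB = """\
//fs01.example.test/projects /mnt/projects cifs username=svc_build,password=Spring,2024,sec=ntlmssp,noperm 0 0
//fs01.example.test/archive /mnt/archive cifs credentials=/nonexistent/archive.cred,sec=krb5i,seal,ro 0 0
//fs01.example.test/legacy /mnt/legacy cifs user=CORP/olduser%pw,guest 0 0
"""

if __name__ == "__main__":
    for mount_point, findings in audit_fstab(SAMPLE_FSTAB).items():
        print(mount_point, findings)
```

The first sample entry shows the comma problem: the password value ends at ``Spring`` and ``2024`` is passed on as a separate, unrecognized option.
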

*******
OPTIONS
*******

username=arg|user=arg
  specifies the username to connect as. If this is not
  given, then the environment variable USER is used.

  Earlier versions of mount.cifs also allowed one to specify the
  username in ``user%password``, ``workgroup/user`` or
  ``workgroup/user%password`` form to allow the password and workgroup to
  be specified as part of the username. Support for those alternate
  username formats is now deprecated and should no longer be
  used. Users should use the discrete ``password=`` and ``domain=`` options to
  specify those values. While some versions of the cifs kernel module
  accept ``user=`` as an abbreviation for this option, its use can
  confuse the standard mount program into thinking that this is a
  non-superuser mount. It is therefore recommended to use the full
  ``username=`` option name.

password=arg|pass=arg
  specifies the CIFS password. If this option is not given then the
  environment variable PASSWD is used. If the password is not specified
  directly or indirectly via an argument to mount, mount.cifs will
  prompt for a password, unless the guest option is specified.

  Note that a password which contains the delimiter character (i.e. a
  comma ',') will fail to be parsed correctly on the command
  line. However, the same password defined in the PASSWD environment
  variable or via a credentials file (see below) or entered at the
  password prompt will be read correctly.

credentials=filename|cred=filename
  specifies a file that contains a username and/or password and
  optionally the name of the workgroup. The format of the file is::

    username=value
    password=value
    domain=value

  This is preferred over having passwords in plaintext in a shared file,
  such as */etc/fstab*. Be sure to protect any credentials file
  properly.

uid=arg
  sets the uid that will own all files or directories on the mounted
  filesystem when the server does not provide ownership information. It
  may be specified as either a username or a numeric uid. When not
  specified, the default is uid 0. The mount.cifs helper must be at
  version 1.10 or higher to support specifying the uid in non-numeric
  form. See the section on `FILE AND DIRECTORY OWNERSHIP AND PERMISSIONS`_
  below for more information.

forceuid
  instructs the client to ignore any uid provided by the server for
  files and directories and to always assign the owner to be the value
  of the uid= option. See the section on
  `FILE AND DIRECTORY OWNERSHIP AND PERMISSIONS`_ below for more information.

cruid=arg
  sets the uid of the owner of the credentials cache. This is primarily
  useful with ``sec=krb5``. The default is the real uid of the process
  performing the mount. Setting this parameter directs the upcall to
  look for a credentials cache owned by that user.

gid=arg
  sets the gid that will own all files or directories on the mounted
  filesystem when the server does not provide ownership information. It
  may be specified as either a groupname or a numeric gid. When not
  specified, the default is gid 0. The mount.cifs helper must be at
  version 1.10 or higher to support specifying the gid in non-numeric
  form. See the section on `FILE AND DIRECTORY OWNERSHIP AND PERMISSIONS`_
  below for more information.

forcegid
  instructs the client to ignore any gid provided by the server for
  files and directories and to always assign the owner to be the value
  of the gid= option. See the section on `FILE AND DIRECTORY OWNERSHIP
  AND PERMISSIONS`_ below for more information.

port=arg
  sets the port number on which the client will attempt to contact the
  CIFS server. If this value is specified, look for an existing
  connection with this port, and use that if one exists. If one doesn't
  exist, try to create a new connection on that port. If that connection
  fails, return an error. If this value isn't specified, look for an
  existing connection on port 445 or 139. If no such connection exists,
  try to connect on port 445 first and then port 139 if that
  fails. Return an error if both fail.

servernetbiosname=arg
  Specify the server netbios name (RFC1001 name) to use when attempting
  to set up a session to the server. Although rarely needed for mounting
  to newer servers, this option is needed for mounting to some older
  servers (such as OS/2 or Windows 98 and Windows ME) since when
  connecting over port 139 they, unlike most newer servers, do not
  support a default server name. A server name can be up to 15
  characters long and is usually uppercased.

servern=arg
  Synonym for ``servernetbiosname``.

netbiosname=arg
  When mounting to servers via port 139, specifies the RFC1001 source
  name to use to represent the client netbios machine name when doing
  the RFC1001 netbios session initialize.

file_mode=arg
  If the server does not support the CIFS Unix extensions this overrides
  the default file mode.

dir_mode=arg
  If the server does not support the CIFS Unix extensions this overrides
  the default mode for directories.

ip=arg|addr=arg
  sets the destination IP address. This option is set automatically if
  the server name portion of the requested UNC name can be resolved so
  rarely needs to be specified by the user.

domain=arg|dom=arg|workgroup=arg
  sets the domain (workgroup) of the user.

guest
  don't prompt for a password.

iocharset
  Charset used to convert local path names to and from Unicode. Unicode
  is used by default for network path names if the server supports
  it. If ``iocharset`` is not specified then the ``nls_default`` specified
  during the local client kernel build will be used. If the server does not
  support Unicode, this parameter is unused.

ro
  mount read-only.

rw
  mount read-write.

setuids
  If the CIFS Unix extensions are negotiated with the server the client
  will attempt to set the effective uid and gid of the local process on
  newly created files, directories, and devices (create, mkdir,
  mknod). If the CIFS Unix Extensions are not negotiated, for newly
  created files and directories instead of using the default uid and gid
  specified on the mount, cache the new file's uid and gid locally
  which means that the uid for the file can change when the inode is
  reloaded (or the user remounts the share).

nosetuids
  The client will not attempt to set the uid and gid on newly created
  files, directories, and devices (create, mkdir, mknod) which will
  result in the server setting the uid and gid to the default (usually
  the server uid of the user who mounted the share). Letting the server
  (rather than the client) set the uid and gid is the default. If the
  CIFS Unix Extensions are not negotiated then the uid and gid for new
  files will appear to be the uid (gid) of the mounter or the uid (gid)
  parameter specified on the mount.

perm
  Client does permission checks (vfs_permission check of uid and gid of
  the file against the mode and desired operation). Note that this is in
  addition to the normal ACL check on the target machine done by the
  server software. Client permission checking is enabled by default.

noperm
  Client does not do permission checks. This can expose files on this
  mount to access by other users on the local client system. It is
  typically only needed when the server supports the CIFS Unix
  Extensions but the UIDs/GIDs on the client and server system do not
  match closely enough to allow access by the user doing the mount. Note
  that this does not affect the normal ACL check on the target machine
  done by the server software (of the server ACL against the user name
  provided at mount time).

dynperm
  Instructs the server to maintain ownership and permissions in memory
  that can't be stored on the server. This information can disappear
  at any time (whenever the inode is flushed from the cache), so while
  this may help make some applications work, its behavior is somewhat
  unreliable. See the section below on `FILE AND DIRECTORY OWNERSHIP
  AND PERMISSIONS`_ for more information.

cache=arg
  Cache mode. See the section below on `CACHE COHERENCY`_ for
  details. Allowed values are:

  - ``none`` - do not cache file data at all
  - ``strict`` - follow the CIFS/SMB2 protocol strictly
  - ``loose`` - allow loose caching semantics

  The default in kernels prior to 3.7 was ``loose``. As of kernel 3.7 the
  default is ``strict``.

handlecache
  (default) In SMB2 and above, the client often has to open the root
  of the share (empty path) in various places during mount, path
  revalidation and the statfs(2) system call. This option cuts
  redundant round trip traffic (opens and closes) by simply keeping
  the directory handle for the root around once opened.

nohandlecache
  Disable caching of the share root directory handle.

directio
  Do not do inode data caching on files opened on this mount. This
  precludes mmaping files on this mount. In some cases with fast
  networks and little or no caching benefits on the client (e.g. when
  the application is doing large sequential reads bigger than page size
  without rereading the same data) this can provide better performance
  than the default behavior which caches reads (readahead) and writes
  (writebehind) through the local Linux client pagecache if oplock
  (caching token) is granted and held. Note that direct allows write
  operations larger than page size to be sent to the server. On some
  kernels this requires the cifs.ko module to be built with the
  ``CIFS_EXPERIMENTAL`` configure option.

  This option will be deprecated in 3.7. Users should use
  ``cache=none`` instead on more recent kernels.

strictcache
  Use for switching on strict cache mode. In this mode the client reads
  from the cache as long as it holds an *Oplock Level II*; otherwise it
  reads from the server. For writes, the client stores data in the
  cache in the *Exclusive Oplock* case; otherwise it writes directly to the
  server.

  This option will be deprecated in 3.7. Users should use
  ``cache=strict`` instead on more recent kernels.

rwpidforward
  Forward the pid of the process that opened a file to any read or write
  operation on that file. This prevents applications like wine(1) from
  failing on read and write if we use mandatory brlock style.

mapchars
  Translate six of the seven reserved characters (not backslash, but
  including the colon, question mark, pipe, asterisk, greater than and
  less than characters) to the remap range (above 0xF000), which also
  allows the CIFS client to recognize files created with such characters
  by Windows's POSIX emulation. This can also be useful when mounting to
  most versions of Samba (which also forbids creating and opening files
  whose names contain any of these seven characters). This has no effect
  if the server does not support Unicode on the wire. Please note that
  the files created with ``mapchars`` mount option may not be accessible
  if the share is mounted without that option.

nomapchars
  (default) Do not translate any of these seven characters.

intr
  currently unimplemented.

nointr
  (default) currently unimplemented.

hard
  The program accessing a file on the cifs mounted file system will hang
  when the server crashes.

soft
  (default) The program accessing a file on the cifs mounted file system
  will not hang when the server crashes and will return errors to the
  user application.

noacl
  Do not allow POSIX ACL operations even if the server would support them.

  The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba
  servers version 3.0.10 and later. Setting POSIX ACLs requires enabling
  both ``CIFS_XATTR`` and then ``CIFS_POSIX`` support in the CIFS
  configuration options when building the cifs module. POSIX ACL support
  can be disabled on a per mount basis by specifying ``noacl`` on mount.

cifsacl
  This option is used to map CIFS/NTFS ACLs to/from Linux permission
  bits, map SIDs to/from UIDs and GIDs, and get and set Security
  Descriptors.

  See section on `CIFS/NTFS ACL, SID/UID/GID MAPPING, SECURITY DESCRIPTORS`_
  for more information.

backupuid=arg
  File access by this user shall be done with the backup intent flag
  set. Either a name or an id must be provided as an argument; there are
  no default values.

  See section `ACCESSING FILES WITH BACKUP INTENT`_ for more details.

backupgid=arg
  File access by users who are members of this group shall be done with
  the backup intent flag set. Either a name or an id must be provided as
  an argument; there are no default values.

  See section `ACCESSING FILES WITH BACKUP INTENT`_ for more details.

nocase
  Request case insensitive path name matching (case sensitive is the default if the
  server supports it).

ignorecase
  Synonym for ``nocase``.

sec=arg
  Security mode. Allowed values are:

  - ``none`` - attempt to connect as a null user (no name)
  - ``krb5`` - Use Kerberos version 5 authentication
  - ``krb5i`` - Use Kerberos authentication and forcibly enable packet signing
  - ``ntlm`` - Use NTLM password hashing
  - ``ntlmi`` - Use NTLM password hashing and force packet signing
  - ``ntlmv2`` - Use NTLMv2 password hashing
  - ``ntlmv2i`` - Use NTLMv2 password hashing and force packet signing
  - ``ntlmssp`` - Use NTLMv2 password hashing encapsulated in Raw NTLMSSP message
  - ``ntlmsspi`` - Use NTLMv2 password hashing encapsulated in Raw NTLMSSP message, and force packet signing

  The default in mainline kernel versions prior to v3.8 was
  ``sec=ntlm``. In v3.8, the default was changed to ``sec=ntlmssp``.

  If the server requires signing during protocol negotiation, then it
  may be enabled automatically. Packet signing may also be enabled
  automatically if it's enabled in */proc/fs/cifs/SecurityFlags*.

seal
  Request encryption at the SMB layer. Encryption is only supported in
  SMBv3 and above. The encryption algorithm used is AES-128-CCM.

nobrl
  Do not send byte range lock requests to the server. This is necessary
  for certain applications that break with cifs style mandatory byte
  range locks (and most cifs servers do not yet support requesting
  advisory byte range locks).

sfu
  When the CIFS Unix Extensions are not negotiated, attempt to create
  device files and fifos in a format compatible with Services for Unix
  (SFU). In addition retrieve bits 10-12 of the mode via the
  ``SETFILEBITS`` extended attribute (as SFU does). In the future the
  bottom 9 bits of the mode also will be emulated using queries of
  the security descriptor (ACL). [NB: requires version 1.39 or later of
  the CIFS VFS. To recognize symlinks and be able to create symlinks in
  an SFU interoperable form requires version 1.40 or later of the CIFS
  VFS kernel module.]

mfsymlinks
  Enable support for Minshall+French symlinks (see
  `http://wiki.samba.org/index.php/UNIX_Extensions#Minshall.2BFrench_symlinks <http://wiki.samba.org/index.php/UNIX_Extensions#Minshall.2BFrench_symlinks>`_). This
  option is ignored when specified together with the ``sfu``
  option. Minshall+French symlinks are used even if the server supports
  the CIFS Unix Extensions.

echo_interval=n
  sets the interval at which echo requests are sent to the server on an
  idling connection. This setting also affects the time required for a
  connection to an unresponsive server to time out. Here n is the echo
  interval in seconds. The reconnection happens at twice the value of the
  echo_interval set for an unresponsive server.
  If this option is not given then the default value of 60 seconds is used.
  The minimum tunable value is 1 second and maximum can go up to 600 seconds.

rdma
  Use to connect to SMB Direct, only applicable when specified with
  vers=3 or vers=3.x.
  Here 3.x can be 3.0, 3.02 or 3.1.1.

serverino
  Use inode numbers (unique persistent file identifiers) returned by the
  server instead of automatically generating temporary inode numbers on
  the client. Although server inode numbers make it easier to spot
  hardlinked files (as they will have the same inode numbers) and inode
  numbers may be persistent (which is useful for some software), the
  server does not guarantee that the inode numbers are unique if
  multiple server side mounts are exported under a single share (since
  inode numbers on the servers might not be unique if multiple
  filesystems are mounted under the same shared higher level
  directory). Note that not all servers support returning server inode
  numbers, although those that support the CIFS Unix Extensions, and
  Windows 2000 and later servers typically do support this (although not
  necessarily on every local server filesystem). Parameter has no effect
  if the server lacks support for returning inode numbers or
  equivalent. This behavior is enabled by default.

noserverino
  Client generates inode numbers itself rather than using the actual
  ones from the server.

  See section `INODE NUMBERS`_ for more information.

nounix
  Disable the CIFS Unix Extensions for this mount. This can be useful in
  order to turn off multiple settings at once. This includes POSIX acls,
  POSIX locks, POSIX paths, symlink support and retrieving
  uids/gids/mode from the server. This can also be useful to work around
  a bug in a server that supports Unix Extensions.

  See section `INODE NUMBERS`_ for more information.

nouser_xattr
  Do not allow getfattr/setfattr to get/set xattrs, even if server would
  support it otherwise. The default is for xattr support to be enabled.

rsize=bytes
  Maximum amount of data that the kernel will request in a read request
  in bytes. Prior to kernel 3.2.0, the default was 16k, and the maximum
  size was limited by the ``CIFSMaxBufSize`` module parameter. As of
  kernel 3.2.0, the behavior varies according to whether POSIX
  extensions are enabled on the mount and the server supports large
  POSIX reads. If they are, then the default is 1M, and the maximum is
  16M. If they are not supported by the server, then the default is 60k
  and the maximum is around 127k. The reason for the 60k is because it's
  the maximum size read that Windows servers can fill. Note that this
  value is a maximum, and the client may settle on a smaller size to
  accommodate what the server supports. In kernels prior to 3.2.0, no
  negotiation is performed.

wsize=bytes
  Maximum amount of data that the kernel will send in a write request in
  bytes. Prior to kernel 3.0.0, the default and maximum was 57344 (14 \*
  4096 pages). As of 3.0.0, the default depends on whether the client
  and server negotiate large writes via POSIX extensions. If they do,
  then the default is 1M, and the maximum allowed is 16M. If they do
  not, then the default is 65536 and the maximum allowed is 131007. Note
  that this value is just a starting point for negotiation in 3.0.0 and
  up. The client and server may negotiate this size downward according
  to the server's capabilities. In kernels prior to 3.0.0, no
  negotiation is performed. It can end up with an existing superblock if
  this value isn't specified or it's greater than or equal to the existing
  one.

|
Packit |
5f9837 |
fsc
|
|
Packit |
5f9837 |
Enable local disk caching using FS-Cache for CIFS. This option could
|
|
Packit |
5f9837 |
be useful to improve performance on a slow link, heavily loaded server
|
|
Packit |
5f9837 |
and/or network where reading from the disk is faster than reading from
|
|
Packit |
5f9837 |
the server (over the network). This could also impact the scalability
|
|
Packit |
5f9837 |
positively as the number of calls to the server are reduced. But, be
|
|
Packit |
5f9837 |
warned that local caching is not suitable for all workloads, for e.g.,
|
|
Packit |
5f9837 |
read-once type workloads. So, you need to consider carefully the
|
|
Packit |
5f9837 |
situation/workload before using this option. Currently, local disk
|
|
Packit |
5f9837 |
caching is enabled for CIFS files opened as read-only.
|
|
Packit |
5f9837 |
|
|
Packit |
5f9837 |
**NOTE**: This feature is available only in the recent kernels that
|
|
Packit |
5f9837 |
have been built with the kernel config option
|
|
Packit |
5f9837 |
``CONFIG_CIFS_FSCACHE``. You also need to have ``cachefilesd``
|
|
Packit |
5f9837 |
daemon installed and running to make the cache operational.

multiuser
  Map user accesses to individual credentials when accessing the
  server. By default, CIFS mounts only use a single set of user
  credentials (the mount credentials) when accessing a share. With this
  option, the client instead creates a new session with the server using
  the user's credentials whenever a new user accesses the mount.
  Further accesses by that user will also use those credentials. Because
  the kernel cannot prompt for passwords, multiuser mounts are limited
  to mounts using ``sec=`` options that don't require passwords.

  With this change, it's feasible for the server to handle permissions
  enforcement, so this option also implies ``noperm``. Furthermore, when
  unix extensions aren't in use and the administrator has not overridden
  ownership using the ``uid=`` or ``gid=`` options, ownership of files is
  presented as the current user accessing the share.

actimeo=arg
  The time (in seconds) that the CIFS client caches attributes of a file or
  directory before it requests attribute information from a server. During this
  period the changes that occur on the server remain undetected until the client
  checks the server again.

  By default, the attribute cache timeout is set to 1 second. This means
  more frequent on-the-wire calls to the server to check whether
  attributes have changed, which could impact performance. With this
  option users can make a tradeoff between performance and cache
  metadata correctness, depending on workload needs. Shorter timeouts
  mean better cache coherency, but an increased number of calls to
  the server. Longer timeouts mean a reduced number of calls to the
  server but looser cache coherency. The ``actimeo`` value is a positive
  integer that can hold values between 0 and a maximum value of 2^30 \*
  HZ (frequency of timer interrupt) setting.

noposixpaths
  If unix extensions are enabled on a share, then the client will
  typically allow filenames to include any character besides '/' in a
  pathname component, and will use forward slashes as a pathname
  delimiter. This option prevents the client from attempting to
  negotiate the use of posix-style pathnames to the server.

posixpaths
  Inverse of ``noposixpaths``.

prefixpath=arg
  It's possible to mount a subdirectory of a share. The preferred way to
  do this is to append the path to the UNC when mounting. However, it's
  also possible to do the same by setting this option and providing the
  path there.

vers=arg
  SMB protocol version. Allowed values are:

  - 1.0 - The classic CIFS/SMBv1 protocol.
  - 2.0 - The SMBv2.002 protocol. This was initially introduced in
    Windows Vista Service Pack 1, and Windows Server 2008. Note that
    the initial release version of Windows Vista spoke a slightly
    different dialect (2.000) that is not supported.
  - 2.1 - The SMBv2.1 protocol that was introduced in Microsoft Windows 7 and Windows Server 2008R2.
  - 3.0 - The SMBv3.0 protocol that was introduced in Microsoft Windows 8 and Windows Server 2012.
  - 3.1.1 or 3.11 - The SMBv3.1.1 protocol that was introduced in Microsoft Windows Server 2016.

  Note too that while this option governs the protocol version used, not
  all features of each version are available.

  The default since v4.13.5 is for the client and server to negotiate
  the highest possible version greater than or equal to ``2.1``. In
  kernels prior to v4.13, the default was ``1.0``. For kernels
  between v4.13 and v4.13.5 the default is ``3.0``.
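
The defaults described for ``vers=`` can be applied to a list of mounts to see which ones end up on SMBv1. This is an added example, not part of cifs-utils: the function names and the fstab entries are constructed, and a repeated ``vers=`` is assumed to resolve to the last occurrence.

```python
import re

NEGOTIATE = "negotiate >= 2.1"

# Constructed sample entries, not taken from a real host.
SAMPLE_FSTAB = """\
# <service>      <mount-point>  <type>  <options>                              <dump> <pass>
//fs01/projects  /mnt/projects  cifs    credentials=/etc/cifs-a.cred,vers=3.0  0 0
//nas/legacy     /mnt/legacy    cifs    credentials=/etc/cifs-b.cred,vers=1.0  0 0
//fs02/home      /mnt/home      cifs    sec=krb5,multiuser                     0 0
UUID=0000-0000   /boot          vfat    defaults                               0 2
"""


def parse_kernel(release):
    """'4.13.3-generic' -> (4, 13, 3); missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", release.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def default_vers(kernel):
    """Default dialect for a kernel version tuple, per the vers= text above."""
    if kernel < (4, 13, 0):
        return "1.0"
    if kernel < (4, 13, 5):
        return "3.0"
    return NEGOTIATE


def requested_vers(options):
    """vers= value from a comma-separated option string, or None if absent."""
    value = None
    for opt in options.split(","):
        key, _, val = opt.strip().partition("=")
        if key == "vers":
            # 3.11 and 3.1.1 name the same dialect. If vers= is repeated,
            # this example keeps the last one (an assumption).
            value = "3.1.1" if val == "3.11" else val
    return value


def audit_fstab(text, kernel_release):
    """Yield (service, mountpoint, dialect, explicit) for each cifs entry."""
    kernel = parse_kernel(kernel_release)
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cifs":
            continue
        asked = requested_vers(fields[3])
        yield fields[0], fields[1], asked or default_vers(kernel), asked is not None


def smbv1_mounts(text, kernel_release):
    """Mount points that end up on the classic CIFS/SMBv1 dialect."""
    return [mnt for _svc, mnt, vers, _explicit in audit_fstab(text, kernel_release)
            if vers == "1.0"]


if __name__ == "__main__":
    for release in ("4.9.0", "4.13.2", "5.10.0-8-amd64"):
        print(release, "SMBv1 mounts:", smbv1_mounts(SAMPLE_FSTAB, release))
```

An entry without ``vers=`` changes dialect with the kernel it runs on, so the same fstab line is reported for a pre-4.13 kernel and not for a later one.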

--verbose
  Print additional debugging information for the mount. Note that this
  parameter must be specified before the ``-o``. For example::

    mount -t cifs //server/share /mnt --verbose -o user=username

*********************************
SERVICE FORMATTING AND DELIMITERS
*********************************

It's generally preferred to use forward slashes (/) as a delimiter in
service names. They are considered to be the "universal delimiter"
since they are generally not allowed to be embedded within path
components on Windows machines and the client can convert them to
backslashes (\\) unconditionally. Conversely, backslash characters are
allowed by POSIX to be part of a path component, and can't be
automatically converted in the same way.

``mount.cifs`` will attempt to convert backslashes to forward slashes
where it's able to do so, but it cannot do so in any path component
following the sharename.

*************
INODE NUMBERS
*************

When Unix Extensions are enabled, we use the actual inode number
provided by the server in response to the POSIX calls as an inode
number.

When Unix Extensions are disabled and the ``serverino`` mount option is
enabled, there is no way to get the server inode number. The client
typically maps the server-assigned ``UniqueID`` onto an inode number.

Note that the ``UniqueID`` is a different value from the server inode
number. The ``UniqueID`` value is unique over the scope of the entire
server and is often greater than 2^32. This value often makes
programs that are not compiled with LFS (Large File Support)
trigger a glibc ``EOVERFLOW`` error, as it won't fit in the target
structure field. It is strongly recommended to compile your programs
with LFS support (i.e. with ``-D_FILE_OFFSET_BITS=64``) to prevent this
problem. You can also use the ``noserverino`` mount option to generate
inode numbers smaller than 2^32 on the client. But you may not
be able to detect hardlinks properly.

***************
CACHE COHERENCY
***************

With a network filesystem such as CIFS or NFS, the client must contend
with the fact that activity on other clients or the server could
change the contents or attributes of a file without the client being
aware of it. One way to deal with such a problem is to mandate that
all file accesses go to the server directly. This is prohibitive for
performance, however, so most protocols have some mechanism to allow
the client to cache data locally.

The CIFS protocol mandates (in effect) that the client should not
cache file data unless it holds an opportunistic lock (aka oplock) or
a lease. Both of these entities allow the client to guarantee certain
types of exclusive access to a file so that it can access its contents
without needing to continually interact with the server. The server
will call back the client when it needs to revoke either of them and
allow the client a certain amount of time to flush any cached data.

The cifs client uses the kernel's pagecache to cache file data. Any
I/O that's done through the pagecache is generally page-aligned. This
can be problematic when combined with byte-range locks as Windows'
locking is mandatory and can block reads and writes from occurring.

``cache=none`` means that the client never utilizes the cache for
normal reads and writes. It always accesses the server directly to
satisfy a read or write request.

``cache=strict`` means that the client will attempt to follow the
CIFS/SMB2 protocol strictly. That is, the cache is only trusted when
the client holds an oplock. When the client does not hold an oplock,
then the client bypasses the cache and accesses the server directly to
satisfy a read or write request. By doing this, the client avoids
problems with byte range locks. Additionally, byte range locks are
cached on the client when it holds an oplock and are "pushed" to the
server when that oplock is recalled.

``cache=loose`` allows the client to use looser protocol semantics
which can sometimes provide better performance at the expense of cache
coherency. File access always involves the pagecache. When an oplock
or lease is not held, then the client will attempt to flush the cache
soon after a write to a file. Note that that flush does not
necessarily occur before a write system call returns.

In the case of a read without holding an oplock, the client will
attempt to periodically check the attributes of the file in order to
ascertain whether it has changed and the cache might no longer be
valid. This mechanism is much like the one that NFSv2/3 use for cache
coherency, but it is particularly problematic with CIFS. Windows is
quite "lazy" with respect to updating the ``LastWriteTime`` field that
the client uses to verify this. The effect is that ``cache=loose`` can
cause data corruption when multiple readers and writers are working on
the same files.

Because of this, when multiple clients are accessing the same set of
files, then ``cache=strict`` is recommended. That helps eliminate
problems with cache coherency by following the CIFS/SMB2 protocols
more strictly.

Note too that no matter what caching model is used, the client will
always use the pagecache to handle mmap'ed files. Writes to mmap'ed
files are only guaranteed to be flushed to the server when msync() is
called, or on close().

The default in kernels prior to 3.7 was ``loose``. As of 3.7, the
default is ``strict``.

********************************************************
CIFS/NTFS ACL, SID/UID/GID MAPPING, SECURITY DESCRIPTORS
********************************************************

This option is used to work with file objects which possess Security
Descriptors and CIFS/NTFS ACL instead of UID, GID, file permission
bits, and POSIX ACL as the user authentication model. This is the most
common authentication model for CIFS servers and is the one used by
Windows.

Support for this requires both CIFS_XATTR and CIFS_ACL support in the
CIFS configuration options when building the cifs module.

A CIFS/NTFS ACL is mapped to file permission bits using an algorithm
specified in the following Microsoft TechNet document:

`http://technet.microsoft.com/en-us/library/bb463216.aspx <http://technet.microsoft.com/en-us/library/bb463216.aspx>`_

In order to map SIDs to/from UIDs and GIDs, the following is required:

- a kernel upcall to the ``cifs.idmap`` utility set up via request-key.conf(5)
- winbind support configured via nsswitch.conf(5) and smb.conf(5)

Please refer to the respective manpages of cifs.idmap(8) and
winbindd(8) for more information.

Security descriptors for a file object can be retrieved and set
directly using the extended attribute named ``system.cifs_acl``. The
security descriptors presented via this interface are "raw" blobs of
data and need a userspace utility to either parse and format or to
assemble them, such as getcifsacl(1) and setcifsacl(1)
respectively.
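
What parsing such a raw blob involves, as an added example (not code from cifs-utils): it assumes the blob is a self-relative security descriptor laid out as in MS-DTYP, decodes only basic allow/deny ACEs, and runs on a constructed sample with a made-up domain SID. All function names are hypothetical.

```python
import struct

SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACE_TYPES = {0x00: "ALLOWED", 0x01: "DENIED"}
FULL_CONTROL = 0x001F01FF  # rendered as FULL by render() below

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into S-R-A-s1-s2... form."""
    if off + 8 > len(buf):
        raise ValueError("truncated SID header")
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    if off + 8 + 4 * count > len(buf):
        raise ValueError("truncated SID sub-authorities")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def parse_dacl(buf, off):
    """Return [(sid, type, flags, mask)] for the ACL starting at buf[off:]."""
    if off + 8 > len(buf):
        raise ValueError("truncated ACL header")
    _rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    end = off + size
    if size < 8 or end > len(buf):
        raise ValueError("ACL size field is inconsistent with the blob")
    aces, pos = [], off + 8
    for _ in range(count):
        if pos + 8 > end:
            raise ValueError("truncated ACE header")
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("ACE size field is inconsistent with the ACL")
        # Only the basic allow/deny layout (mask followed by SID) is decoded.
        sid = parse_sid(buf[:pos + ace_size], pos + 8) if ace_type in ACE_TYPES else None
        aces.append((sid, ACE_TYPES.get(ace_type, hex(ace_type)), flags, mask))
        pos += ace_size
    return aces

def parse_security_descriptor(blob):
    """Parse a self-relative security descriptor into a dict."""
    if len(blob) < 20:
        raise ValueError("shorter than the 20-byte descriptor header")
    revision, _sbz1, control, owner_off, group_off, _sacl_off, dacl_off = \
        struct.unpack_from("<BBHIIII", blob, 0)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("descriptor is not self-relative; offsets are unusable")
    return {
        "revision": revision,
        "control": control,
        "owner": parse_sid(blob, owner_off) if owner_off else None,
        "group": parse_sid(blob, group_off) if group_off else None,
        "dacl": parse_dacl(blob, dacl_off)
                if control & SE_DACL_PRESENT and dacl_off else None,
    }

def render(sd):
    """Format like the listings on this page, but with unresolved SIDs."""
    lines = ["REVISION:0x%x" % sd["revision"], "CONTROL:0x%x" % sd["control"],
             "OWNER:%s" % sd["owner"], "GROUP:%s" % sd["group"]]
    for sid, kind, flags, mask in sd["dacl"] or []:
        rights = "FULL" if mask == FULL_CONTROL else "0x%x" % mask
        lines.append("ACL:%s:%s/0x%x/%s" % (sid, kind, flags, rights))
    return lines

def build_sid(*subs, authority=5):
    """Encode a SID; used only to construct the sample blob."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def build_sample():
    """Constructed descriptor: owner RID 500, group RID 513, one allow ACE."""
    domain = (21, 1111111111, 2222222222, 3333333333)  # made-up domain
    owner, group = build_sid(*domain, 500), build_sid(*domain, 513)
    ace = struct.pack("<BBHI", 0, 0, 8 + len(owner), FULL_CONTROL) + owner
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace
    header = struct.pack("<BBHIIII", 1, 0, 0x9404, 20, 20 + len(owner), 0,
                         20 + len(owner) + len(group))
    return header + owner + group + dacl

if __name__ == "__main__":
    print("\n".join(render(parse_security_descriptor(build_sample()))))
```

On a mounted share, the blob to pass in is what ``os.getxattr(path, "system.cifs_acl")`` returns; turning the SIDs into names still needs the ID mapping described above.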

Some of the things to consider while using this mount option:

- There may be an increased latency when handling metadata due to
  additional requests to get and set security descriptors.
- The mapping between a CIFS/NTFS ACL and POSIX file permission bits
  is imperfect and some ACL information may be lost in the
  translation.
- If either the upcall to cifs.idmap is not set up correctly or winbind is
  not configured and running, ID mapping will fail. In that case uid
  and gid will default either to those values of the share or to
  the values of the uid and/or gid mount options if specified.

**********************************
ACCESSING FILES WITH BACKUP INTENT
**********************************

For a user on the server, desired access to a file is determined by
the permissions and rights associated with that file. This is
typically accomplished using ownership and ACL. For a user who does
not have access rights to a file, it is still possible to access that
file for a specific or a targeted purpose by granting special rights.
One of the specific purposes is to access a file with the intent to
either back up or restore, i.e. backup intent. The right to access a
file with the backup intent can typically be granted by making that
user a part of the built-in group *Backup Operators*. Thus, when
this user attempts to open a file with the backup intent, the open request
is sent by setting the bit ``FILE_OPEN_FOR_BACKUP_INTENT`` as one of
the ``CreateOptions``.

As an example, on a Windows server, a user named *testuser* cannot open
this file with such a security descriptor::

    REVISION:0x1
    CONTROL:0x9404
    OWNER:Administrator
    GROUP:Domain Users
    ACL:Administrator:ALLOWED/0x0/FULL

But the user *testuser*, if it becomes part of the *Backup Operators*
group, can open the file with the backup intent.

Any user on the client side who can authenticate as such a user on the
server can access the files with the backup intent. But it is
desirable and preferable, for security reasons among others, to
restrict this special right.

The mount option ``backupuid`` is used to restrict this special right
to a user which is specified by either a name or an id. The mount
option ``backupgid`` is used to restrict this special right to the
users in a group which is specified by either a name or an id. Only
users matching either backupuid or backupgid shall attempt to access
files with backup intent. These two mount options can be used
together.

********************************************
FILE AND DIRECTORY OWNERSHIP AND PERMISSIONS
********************************************

The core CIFS protocol does not provide unix ownership information or
mode for files and directories. Because of this, files and directories
will generally appear to be owned by whatever values the ``uid=`` or
``gid=`` options are set to, and will have permissions set to the default
``file_mode`` and ``dir_mode`` for the mount. Attempting to change these
values via chmod/chown will return success but have no effect.

When the client and server negotiate unix extensions, files and
directories will be assigned the uid, gid, and mode provided by the
server. Because CIFS mounts are generally single-user, and the same
credentials are used no matter what user accesses the mount, newly
created files and directories will generally be given ownership
corresponding to whatever credentials were used to mount the share.

If the uids and gids being used do not match on the client and
server, the ``forceuid`` and ``forcegid`` options may be helpful. Note
however, that there is no corresponding option to override the
mode. Permissions assigned to a file when ``forceuid`` or ``forcegid``
are in effect may not reflect the real permissions.

When unix extensions are not negotiated, it's also possible to emulate
them locally on the server using the ``dynperm`` mount option. When
this mount option is in effect, newly created files and directories
will receive what appear to be proper permissions. These permissions
are not stored on the server however and can disappear at any time in
the future (subject to the whims of the kernel flushing out the inode
cache). In general, this mount option is discouraged.

It's also possible to override permission checking on the client
altogether via the ``noperm`` option. Server-side permission checks
cannot be overridden. The permission checks done by the server will
always correspond to the credentials used to mount the share, and not
necessarily to the user who is accessing the share.

*********************
ENVIRONMENT VARIABLES
*********************

The variable ``USER`` may contain the username of the person to be used
to authenticate to the server. The variable can be used to set both
username and password by using the format ``username%password``.

The variable ``PASSWD`` may contain the password of the person using
the client.

The variable ``PASSWD_FILE`` may contain the pathname of a file to read
the password from. A single line of input is read and used as the
password.

*****
NOTES
*****

This command may be used only by root, unless installed setuid, in
which case the noexec and nosuid mount flags are enabled. When
installed as a setuid program, the program follows the conventions set
forth by the mount program for user mounts, with the added restriction
that users must be able to chdir() into the mountpoint prior to the
mount in order to be able to mount onto it.

Some samba client tools like smbclient(8) honour client-side
configuration parameters present in *smb.conf*. Unlike those client
tools, ``mount.cifs`` ignores *smb.conf* completely.

*************
CONFIGURATION
*************

The primary mechanism for making configuration changes and for reading
debug information for the cifs vfs is via the Linux /proc
filesystem. In the directory */proc/fs/cifs* are various
configuration files and pseudo files which can display debug
information. There are additional startup options such as maximum
buffer size and number of buffers which may only be set when the
kernel cifs vfs (cifs.ko module) is loaded. These can be seen by
running the ``modinfo`` utility against the file cifs.ko which will
list the options that may be passed to cifs during module installation
(device driver load). For more information see the kernel file
*fs/cifs/README*.

****
BUGS
****

Mounting using the CIFS URL specification is currently not supported.

The credentials file does not handle usernames or passwords with
a leading space.

Note that the typical response to a bug report is a suggestion to try
the latest version first. So please try doing that first, and always
include which versions you use of relevant software when reporting
bugs (minimum: mount.cifs (try ``mount.cifs -V``), kernel (see
*/proc/version*) and server type you are trying to contact).

*******
VERSION
*******

This man page is correct for version 1.74 of the cifs vfs filesystem
(roughly Linux kernel 3.0).

********
SEE ALSO
********

cifs.upcall(8), getcifsacl(1), setcifsacl(1)

*Documentation/filesystems/cifs.txt* and *fs/cifs/README* in the
Linux kernel source tree may contain additional options and
information.

******
AUTHOR
******

Steve French

The maintainer of the Linux cifs vfs and the userspace tool mount.cifs
is Steve French. The Linux CIFS Mailing list is the preferred place to
ask questions regarding these programs.