diff --git a/SOURCES/0001-docs-cleanup-rst-formating.patch b/SOURCES/0001-docs-cleanup-rst-formating.patch new file mode 100644 index 0000000..c0ed217 --- /dev/null +++ b/SOURCES/0001-docs-cleanup-rst-formating.patch @@ -0,0 +1,1122 @@ +From 2f36d879c3522fe423ffd14fb7e568cdc9df0b48 Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Tue, 15 May 2018 10:12:32 +0200 +Subject: [PATCH 01/36] docs: cleanup rst formating + +Signed-off-by: Aurelien Aptel +Reviewed-by: Steve French +Reviewed-by: Pavel Shilovsky +(cherry picked from commit 81dcfb24f54a5757f7c9fe08285bf527b8333506) +Signed-off-by: Sachin Prabhu +--- + cifs.idmap.rst.in | 71 ++++++------------- + cifs.upcall.rst.in | 200 ++++++++++++++++++++--------------------------------- + cifscreds.rst | 92 ++++++++---------------- + getcifsacl.rst.in | 40 +++-------- + idmapwb.rst.in | 19 +++-- + mount.cifs.rst | 9 ++- + pam_cifscreds.rst | 61 +++++----------- + setcifsacl.rst.in | 143 ++++++++++---------------------------- + 8 files changed, 201 insertions(+), 434 deletions(-) + +diff --git a/cifs.idmap.rst.in b/cifs.idmap.rst.in +index 91b585e..60d7f0a 100644 +--- a/cifs.idmap.rst.in ++++ b/cifs.idmap.rst.in +@@ -11,124 +11,93 @@ Userspace helper for mapping ids for Common Internet File System (CIFS) + SYNOPSIS + ******** + +- +-cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid} +- ++ cifs.idmap [--help|-h] [--timeout|-t] [--version|-v] {keyid} + + *********** + DESCRIPTION + *********** + +- + This tool is part of the cifs-utils suite. + +-\ **cifs.idmap**\ is a userspace helper program for the linux CIFS client ++``cifs.idmap`` is a userspace helper program for the linux CIFS client + filesystem. There are a number of activities that the kernel cannot + easily do itself. This program is a callout program that does these + things for the kernel and then returns the result. + +-\ **cifs.idmap**\ is generally intended to be run when the kernel calls ++``cifs.idmap`` is generally intended to be run when the kernel calls + request-key(8) for a particular key type. While it can be run + directly from the command-line, it is not generally intended to be run + that way. + +-This program is only called if a share is mounted with the \ **cifsacl**\ ++This program is only called if a share is mounted with the ``cifsacl`` + mount option. The kernel will only upcall to do this conversion if + that mount option is specified. + +-\ **cifs.idmap**\ relies on a plugin to handle the ID mapping. If it can't ++``cifs.idmap`` relies on a plugin to handle the ID mapping. If it can't + find the plugin then it will not work properly. The plugin (or a + symlink to it) must be at @pluginpath@. + +-In the case where \ **cifs.idmap**\ or the plugin are unavailable, file ++In the case where ``cifs.idmap`` or the plugin are unavailable, file + objects in a mounted share are assigned uid and gid of the credentials + of the process that mounted the share. It is strongly recomemended to + use mount options of uid and gid to specify a default uid and gid to + map owner SIDs and group SIDs in this situation. + +- + ******* + OPTIONS + ******* + ++--help|-h ++ Print the usage message and exit. + ++--timeout|-t ++ Set the expiration timer, in seconds on the key. The default is 600 ++ seconds (10 minutes). Setting this to 0 will cause the key to never ++ expire. + +-\ **--help|-h**\ +- +- Print the usage message and exit. +- +- +- +-\ **--timeout|-t**\ +- +- Set the expiration timer, in seconds on the key. The default is 600 +- seconds (10 minutes). Setting this to 0 will cause the key to never +- expire. +- +- +- +-\ **--version|-v**\ +- +- Print version number and exit. +- +- +- ++--version|-v ++ Print version number and exit. + + ************************ + CONFIGURATION FOR KEYCTL + ************************ + +- +-\ **cifs.idmap**\ is designed to be called from the kernel via the ++``cifs.idmap`` is designed to be called from the kernel via the + request-key callout program. This requires that request-key be told +-where and how to call this program. Currently \ **cifs.idmap**\ handles a +-key type of: ++where and how to call this program. Currently ``cifs.idmap`` handles a ++key type of:: + ++ cifs.idmap + +-\ **cifs.idmap**\ +- +- This keytype is for mapping a SID to either an uid or a gid +- +- ++This keytype is for mapping a SID to either an uid or a gid. + + To make this program useful for CIFS, you will need to set up entry for it in +-request-key.conf(5). Here is an example of an entry for this key type: +- +- +-.. code-block:: perl ++request-key.conf(5). Here is an example of an entry for this key type:: + + #OPERATION TYPE D C PROGRAM ARG1 ARG2... + #========= ============= = = ================================ + create cifs.idmap * * @sbindir@/cifs.idmap %k + +- + See request-key.conf(5) for more info on each field. + +- + ***** + NOTES + ***** + +- + Support for upcalls to cifs.idmap was initially introduced in the 3.0 + kernel. + +- + ******** + SEE ALSO + ******** + +- + request-key.conf(5), mount.cifs(8) + +- + ****** + AUTHOR + ****** + +- + Shirish Pargaonkar wrote the cifs.idmap program. + + The Linux CIFS Mailing list is the preferred place to ask questions + regarding these programs. +- +diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in +index 8f4ee62..1b8df3f 100644 +--- a/cifs.upcall.rst.in ++++ b/cifs.upcall.rst.in +@@ -7,178 +7,131 @@ Userspace upcall helper for Common Internet File System (CIFS) + -------------------------------------------------------------- + :Manual section: 8 + +- + ******** + SYNOPSIS + ******** + +-.. code-block:: perl +- +- cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] +- [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] +- [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} +- +- ++ cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] ++ [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] ++ [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} + + *********** + DESCRIPTION + *********** + +- + This tool is part of the cifs-utils suite. + +-\ **cifs.upcall**\ is a userspace helper program for the linux CIFS client ++``cifs.upcall`` is a userspace helper program for the linux CIFS client + filesystem. There are a number of activities that the kernel cannot + easily do itself. This program is a callout program that does these + things for the kernel and then returns the result. + +-\ **cifs.upcall**\ is generally intended to be run when the kernel calls ++``cifs.upcall`` is generally intended to be run when the kernel calls + request-key(8) for a particular key type. While it can be run + directly from the command-line, it's not generally intended to be run + that way. + +- + ******* + OPTIONS + ******* + +- +- +-\ **-c**\ +- +- This option is deprecated and is currently ignored. +- +- +- +-\ **--no-env-probe|-E**\ +- +- Normally, \ **cifs.upcall**\ will probe the environment variable space of +- the process that initiated the upcall in order to fetch the value of +- \ ``$KRB5CCNAME``\ . This can assist the program with finding credential +- caches in non-default locations. If this option is set, then the +- program won't do this and will rely on finding credcaches in the +- default locations specified in \ *krb5.conf*\ . Note that this is never +- performed when the uid is 0. The default credcache location is always +- used when the uid is 0, regardless of the environment variable setting +- in the process. +- +- +- +-\ **--krb5conf|-k=/path/to/krb5.conf**\ +- +- This option allows administrators to set an alternate location for the +- \ *krb5.conf*\ file that \ **cifs.upcall**\ will use. +- +- +- +-\ **--keytab=|-K=/path/to/keytab**\ +- +- This option allows administrators to specify a keytab file to be +- used. When a user has no credential cache already established, +- \ **cifs.upcall**\ will attempt to use this keytab to acquire them. The +- default is the system-wide keytab \ */etc/krb5.keytab*\ . +- +- +- +-\ **--trust-dns|-t**\ +- +- With krb5 upcalls, the name used as the host portion of the service +- principal defaults to the hostname portion of the UNC. This option +- allows the upcall program to reverse resolve the network address of +- the server in order to get the hostname. +- +- This is less secure than not trusting DNS. When using this option, +- it's possible that an attacker could get control of DNS and trick the +- client into mounting a different server altogether. It's preferable to +- instead add server principals to the KDC for every possible hostname, +- but this option exists for cases where that isn't possible. The +- default is to not trust reverse hostname lookups in this fashion. +- +- +- +-\ **--legacy-uid|-l**\ +- +- Traditionally, the kernel has sent only a single uid= parameter to the +- upcall for the SPNEGO upcall that's used to determine what user's +- credential cache to use. This parameter is affected by the \ **uid=**\ +- mount option, which also governs the ownership of files on the mount. +- +- Newer kernels send a creduid= option as well, which contains what uid +- it thinks actually owns the credentials that it's looking for. At +- mount time, this is generally set to the real uid of the user doing +- the mount. For multisession mounts, it's set to the fsuid of the mount +- user. Set this option if you want cifs.upcall to use the older \ **uid=**\ +- parameter instead of the creduid= parameter. +- +- +- +-\ **--version|-v**\ +- +- Print version number and exit. +- +- +- ++-c ++ This option is deprecated and is currently ignored. ++ ++--no-env-probe|-E ++ Normally, ``cifs.upcall`` will probe the environment variable space of ++ the process that initiated the upcall in order to fetch the value of ++ ``$KRB5CCNAME``. This can assist the program with finding credential ++ caches in non-default locations. If this option is set, then the ++ program won't do this and will rely on finding credcaches in the ++ default locations specified in *krb5.conf*. Note that this is never ++ performed when the uid is 0. The default credcache location is always ++ used when the uid is 0, regardless of the environment variable setting ++ in the process. ++ ++--krb5conf|-k=/path/to/krb5.conf ++ This option allows administrators to set an alternate location for the ++ *krb5.conf* file that ``cifs.upcall`` will use. ++ ++--keytab=|-K=/path/to/keytab ++ This option allows administrators to specify a keytab file to be ++ used. When a user has no credential cache already established, ++ ``cifs.upcall`` will attempt to use this keytab to acquire them. The ++ default is the system-wide keytab */etc/krb5.keytab*. ++ ++--trust-dns|-t ++ With krb5 upcalls, the name used as the host portion of the service ++ principal defaults to the hostname portion of the UNC. This option ++ allows the upcall program to reverse resolve the network address of ++ the server in order to get the hostname. ++ ++ This is less secure than not trusting DNS. When using this option, ++ it's possible that an attacker could get control of DNS and trick the ++ client into mounting a different server altogether. It's preferable to ++ instead add server principals to the KDC for every possible hostname, ++ but this option exists for cases where that isn't possible. The ++ default is to not trust reverse hostname lookups in this fashion. ++ ++--legacy-uid|-l ++ Traditionally, the kernel has sent only a single uid= parameter to the ++ upcall for the SPNEGO upcall that's used to determine what user's ++ credential cache to use. This parameter is affected by the uid= ++ mount option, which also governs the ownership of files on the mount. ++ ++ Newer kernels send a creduid= option as well, which contains what uid ++ it thinks actually owns the credentials that it's looking for. At ++ mount time, this is generally set to the real uid of the user doing ++ the mount. For multisession mounts, it's set to the fsuid of the mount ++ user. Set this option if you want cifs.upcall to use the older uid= ++ parameter instead of the creduid= parameter. ++ ++--version|-v ++ Print version number and exit. + + ************************ + CONFIGURATION FOR KEYCTL + ************************ + +- +-\ **cifs.upcall**\ is designed to be called from the kernel via the ++``cifs.upcall`` is designed to be called from the kernel via the + request-key callout program. This requires that request-key be told +-where and how to call this program. The current \ **cifs.upcall**\ ++where and how to call this program. The current ``cifs.upcall`` + program handles two different key types: + ++cifs.spnego ++ This keytype is for retrieving kerberos session keys ++ ++dns_resolver ++ This key type is for resolving hostnames into IP addresses. Support ++ for this key type may eventually be deprecated (see below). ++ ++ To make this program useful for CIFS, you'll need to set up entries ++ for them in request-key.conf(5). Here's an example of an entry for ++ each key type:: + +-\ **cifs.spnego**\ +- +- This keytype is for retrieving kerberos session keys +- +- +- +-\ **dns_resolver**\ +- +- This key type is for resolving hostnames into IP addresses. Support +- for this key type may eventually be deprecated (see below). +- +- To make this program useful for CIFS, you'll need to set up entries +- for them in request-key.conf(5). Here's an example of an entry for +- each key type: +- +- +- .. code-block:: perl +- + #OPERATION TYPE D C PROGRAM ARG1 ARG2... + #========= ============= = = ================================ + create cifs.spnego * * @sbindir@/cifs.upcall %k + create dns_resolver * * @sbindir@/cifs.upcall %k +- +- +- See request-key.conf(5) for more info on each field. +- +- The keyutils package has also started including a dns_resolver +- handling program as well that is preferred over the one in +- \ **cifs.upcall.**\ If you are using a keyutils version equal to or +- greater than 1.5, you should use \ ``key.dns_resolver``\ to handle the +- \ ``dns_resolver``\ keytype instead of \ **cifs.upcall**\ . See +- key.dns_resolver(8) for more info. +- + ++ See request-key.conf(5) for more info on each field. + ++ The keyutils package has also started including a dns_resolver ++ handling program as well that is preferred over the one in ++ ``cifs.upcall``. If you are using a keyutils version equal to or ++ greater than 1.5, you should use ``key.dns_resolver`` to handle the ++ ``dns_resolver`` keytype instead of ``cifs.upcall``. See ++ key.dns_resolver(8) for more info. + + ******** + SEE ALSO + ******** + +- + request-key.conf(5), mount.cifs(8), key.dns_resolver(8) + +- + ****** + AUTHOR + ****** + +- + Igor Mammedov wrote the cifs.upcall program. + + Jeff Layton authored this manpage. +@@ -187,4 +140,3 @@ The maintainer of the Linux CIFS VFS is Steve French. + + The Linux CIFS Mailing list is the preferred place to ask questions + regarding these programs. +- +diff --git a/cifscreds.rst b/cifscreds.rst +index 5c2a195..a6676cb 100644 +--- a/cifscreds.rst ++++ b/cifscreds.rst +@@ -5,125 +5,91 @@ cifscreds + ----------------------------------------- + manage NTLM credentials in kernel keyring + ----------------------------------------- +- + :Manual section: 1 + + ******** + SYNOPSIS + ******** + +- +-cifscreds add|clear|clearall|update [-u username] [-d] host|domain +- ++ cifscreds add|clear|clearall|update [-u username] [-d] host|domain + + *********** + DESCRIPTION + *********** + +- +-The \ **cifscreds**\ program is a tool for managing credentials (username ++The ``cifscreds`` program is a tool for managing credentials (username + and password) for the purpose of establishing sessions in multiuser + mounts. + + When a cifs filesystem is mounted with the "multiuser" option, and does + not use krb5 authentication, it needs to be able to get the credentials +-for each user from somewhere. The \ **cifscreds**\ program is the tool used ++for each user from somewhere. The ``cifscreds`` program is the tool used + to provide these credentials to the kernel. + + The first non-option argument to cifscreds is a command (see the +-\ **COMMANDS**\ section below). The second non-option argument is a hostname ++`COMMANDS`_ section below). The second non-option argument is a hostname + or address, or an NT domain name. + +- + ******** + COMMANDS + ******** + ++add ++ Add credentials to the kernel to be used for connecting to the given ++ server, or servers in the given domain. + ++clear ++ Clear credentials for a particular host or domain from the kernel. + +-\ **add**\ +- +- Add credentials to the kernel to be used for connecting to the given server, or servers in the given domain. +- +- +- +-\ **clear**\ +- +- Clear credentials for a particular host or domain from the kernel. +- +- +- +-\ **clearall**\ +- +- Clear all cifs credentials from the kernel. +- +- +- +-\ **update**\ +- +- Update stored credentials in the kernel with a new username and +- password. +- +- ++clearall ++ Clear all cifs credentials from the kernel. + ++update ++ Update stored credentials in the kernel with a new username and ++ password. + + ******* + OPTIONS + ******* + ++-d, --domain ++ The provided host/domain argument is a NT domainname. + ++ Ordinarily the second argument provided to cifscreds is treated as a ++ hostname or IP address. This option causes the cifscreds program to ++ treat that argument as an NT domainname instead. + +-\ **-d**\ , \ **--domain**\ +- +- The provided host/domain argument is a NT domainname. +- +- Ordinarily the second argument provided to cifscreds is treated as a +- hostname or IP address. This option causes the cifscreds program to +- treat that argument as an NT domainname instead. +- +- If there are not host specific credentials for the mounted server, then +- the kernel will next look for a set of domain credentials equivalent to +- the domain= option provided at mount time. +- +- +- +-\ **-u**\ , \ **--username**\ +- +- Ordinarily, the username is derived from the unix username of the user +- adding the credentials. This option allows the user to substitute a +- different username. +- +- ++ If there are not host specific credentials for the mounted server, then ++ the kernel will next look for a set of domain credentials equivalent to ++ the domain= option provided at mount time. + ++-u, --username ++ Ordinarily, the username is derived from the unix username of the user ++ adding the credentials. This option allows the user to substitute a ++ different username. + + ***** + NOTES + ***** + +- + The cifscreds utility requires a kernel built with support for the +-\ **login**\ key type. That key type was added in v3.3 in mainline Linux ++``login`` key type. That key type was added in v3.3 in mainline Linux + kernels. + +-Since \ **cifscreds**\ adds keys to the session keyring, it is highly +-recommended that one use \ **pam_keyinit**\ to ensure that a session keyring ++Since ``cifscreds`` adds keys to the session keyring, it is highly ++recommended that one use ``pam_keyinit`` to ensure that a session keyring + is established at login time. + +- + ******** + SEE ALSO + ******** + +- + pam_keyinit(8) + +- + ******* + AUTHORS + ******* + +- + The cifscreds program was originally developed by Igor Druzhinin + . This manpage and a redesign of the code was done + by Jeff Layton . +- +diff --git a/getcifsacl.rst.in b/getcifsacl.rst.in +index 42af258..21a10cd 100644 +--- a/getcifsacl.rst.in ++++ b/getcifsacl.rst.in +@@ -7,80 +7,60 @@ Userspace helper to display an ACL in a security descriptor for Common Internet + -------------------------------------------------------------------------------------------------- + :Manual section: 1 + +- + ******** + SYNOPSIS + ******** + +- +-getcifsacl [-v|-r] {file system object} +- ++ getcifsacl [-v|-r] {file system object} + + *********** + DESCRIPTION + *********** + +- + This tool is part of the cifs-utils suite. + +-getcifsacl is a userspace helper program for the Linux CIFS client ++``getcifsacl`` is a userspace helper program for the Linux CIFS client + file system. It is intended to display a security descriptor including + ACL for a file system object. + + This program uses a plugin to handle the mapping of SIDs to user and +-group names. \ *@pluginpath@*\ should be a symlink that points to the ++group names. *@pluginpath@* should be a symlink that points to the + correct plugin to use. + + Fields of an ACE such as SID, type, flags, and mask are displayed +-separated by /. Numeric values of type, flags, and mask are displayed ++separated by /. Numeric values of type, flags, and mask are displayed + in hexadecimal format. + +- + ******* + OPTIONS + ******* + ++-v ++ Print version number and exit. + +- +-\ **-v**\ +- +- Print version number and exit. +- +- +- +-\ **-r**\ +- +- Display a security descriptor in raw mode. Values such as type and +- flags are displayed in hexadecimal format, a SID is not mapped to a +- name. +- +- +- ++-r ++ Display a security descriptor in raw mode. Values such as type and ++ flags are displayed in hexadecimal format, a SID is not mapped to a ++ name. + + ***** + NOTES + ***** + +- + Kernel support for getcifsacl/setcifsacl utilities was initially + introduced in the 2.6.37 kernel. + +- + ******** + SEE ALSO + ******** + +- + mount.cifs(8), setcifsacl(1) + +- + ****** + AUTHOR + ****** + +- + Shirish Pargaonkar wrote the getcifsacl program. + + The Linux CIFS Mailing list is the preferred place to ask questions + regarding these programs. +- +diff --git a/idmapwb.rst.in b/idmapwb.rst.in +index 4d7fd62..c03e4ca 100644 +--- a/idmapwb.rst.in ++++ b/idmapwb.rst.in +@@ -7,31 +7,28 @@ winbind ID mapping plugin for cifs-utils + ---------------------------------------- + :Manual section: 8 + +- + *********** + DESCRIPTION + *********** + +- + This plugin allows the utilities in cifs-utils to work in conjuction with + the winbind facility of Samba suite. It handles several functions including + mapping UID and GID to SIDs and vice versa. + + Utilities are usually configured to use the correct plugin by creating a +-symlink at @pluginpath@ that points to the correct plugin that you wish ++symlink at *@pluginpath@* that points to the correct plugin that you wish + to use. + +-This plugin requires that \ **winbindd(8)**\ be properly configured and running. ++This plugin requires that winbindd(8) be properly configured and running. + +- +-******************************************************************************* ++******** + SEE ALSO +-******************************************************************************* +-getcifsacl(1), setcifsacl(1), cifs.idmap(8), samba(7), smb.conf(5), winbindd(8) +- ++******** + ++getcifsacl(1), setcifsacl(1), cifs.idmap(8), samba(7), smb.conf(5), winbindd(8) + +-***************************************************************** ++****** + AUTHOR +-***************************************************************** ++****** ++ + idmapwb.so was written by Jeff Layton +diff --git a/mount.cifs.rst b/mount.cifs.rst +index a81c6c4..c0f0bdb 100644 +--- a/mount.cifs.rst ++++ b/mount.cifs.rst +@@ -47,7 +47,6 @@ unmounted (usually via the ``umount`` utility). + OPTIONS + ******* + +- + username=arg|user=arg + specifies the username to connect as. If this is not + given, then the environment variable USER is used. +@@ -84,9 +83,9 @@ credentials=filename|cred=filename + password=value + domain=value + +- This is preferred over having passwords in plaintext in a shared file, +- such as ``/etc/fstab`` . Be sure to protect any credentials file +- properly. ++ This is preferred over having passwords in plaintext in a shared file, ++ such as */etc/fstab* . Be sure to protect any credentials file ++ properly. + + uid=arg + sets the uid that will own all files or directories on the mounted +@@ -558,7 +557,7 @@ It's generally preferred to use forward slashes (/) as a delimiter in + service names. They are considered to be the "universal delimiter" + since they are generally not allowed to be embedded within path + components on Windows machines and the client can convert them to +-backslashes (\) unconditionally. Conversely, backslash characters are ++backslashes (\\) unconditionally. Conversely, backslash characters are + allowed by POSIX to be part of a path component, and can't be + automatically converted in the same way. + +diff --git a/pam_cifscreds.rst b/pam_cifscreds.rst +index 8e8308c..4e89bfd 100644 +--- a/pam_cifscreds.rst ++++ b/pam_cifscreds.rst +@@ -7,110 +7,83 @@ PAM module to manage NTLM credentials in kernel keyring + ------------------------------------------------------- + :Manual section: 8 + +- + ******** + SYNOPSIS + ******** + +- + Edit the PAM configuration files for the systems that you want to +-automatically register NTLM credentials for, e.g. /etc/pam.d/login, +-and modify as follows: +- +- +-.. code-block:: perl ++automatically register NTLM credentials for, e.g. */etc/pam.d/login*, ++and modify as follows:: + + ... + auth substack system-auth + +++ auth optional pam_cifscreds.so + auth include postlogin + ... +- ++ + ... + session include system-auth + +++ session optional pam_cifscreds.so domain=DOMAIN + session include postlogin + ... + +- + Change DOMAIN to the name of you Windows domain, or use host= as + described below. + +- + *********** + DESCRIPTION + *********** + +- +-The \ **pam_cifscreds**\ PAM module is a tool for automatically adding ++The ``pam_cifscreds`` PAM module is a tool for automatically adding + credentials (username and password) for the purpose of establishing + sessions in multiuser mounts. + + When a cifs filesystem is mounted with the "multiuser" option, and does + not use krb5 authentication, it needs to be able to get the credentials +-for each user from somewhere. The \ **pam_cifscreds**\ module can be used ++for each user from somewhere. The ``pam_cifscreds`` module can be used + to provide these credentials to the kernel automatically at login. + + In the session section of the PAM configuration file, the module can + either an NT domain name or a list of hostname or addresses. + +- + ******* + OPTIONS + ******* + ++``pam_cifscreds`` supports a couple options which can be set in the PAM ++configuration files. You must have one (and only one) of ``domain=`` or ++``host=``. + +-\ **pam_cifscreds**\ supports a couple options which can be set in the PAM +-configuration files. You must have one (and only one) of domain= or +-host=. +- +- +-\ **debug**\ +- +- Turns on some extra debug logging. +- +- +- +-\ **domain**\ = +- +- Credentials will be added for the specified NT domain name. +- +- +- +-\ **host**\ =[,...] +- +- Credentials will be added for the specified hostnames or IP addresses. +- ++debug ++ Turns on some extra debug logging. + ++domain= ++ Credentials will be added for the specified NT domain name. + ++host=[,...] ++ Credentials will be added for the specified hostnames or IP addresses. + + ***** + NOTES + ***** + +- + The pam_cifscreds PAM module requires a kernel built with support for +-the \ **login**\ key type. That key type was added in v3.3 in mainline Linux ++the ``login`` key type. That key type was added in v3.3 in mainline Linux + kernels. + +-Since \ **pam_cifscreds**\ adds keys to the session keyring, it is highly +-recommended that one use \ **pam_keyinit**\ to ensure that a session keyring ++Since ``pam_cifscreds`` adds keys to the session keyring, it is highly ++recommended that one use ``pam_keyinit`` to ensure that a session keyring + is established at login time. + +- + ******** + SEE ALSO + ******** + +- + cifscreds(1), pam_keyinit(8) + +- + ****** + AUTHOR + ****** + +- + The pam_cifscreds PAM module was developed by Orion Poplawski + . +- +diff --git a/setcifsacl.rst.in b/setcifsacl.rst.in +index ea981e2..de9c758 100644 +--- a/setcifsacl.rst.in ++++ b/setcifsacl.rst.in +@@ -7,179 +7,110 @@ Userspace helper to alter an ACL in a security descriptor for Common Internet Fi + ------------------------------------------------------------------------------------------------ + :Manual section: 1 + +- + ******** + SYNOPSIS + ******** + +- +-setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object} +- ++ setcifsacl [-v|-a|-D|-M|-S] "{one or more ACEs}" {file system object} + + *********** + DESCRIPTION + *********** + +- + This tool is part of the cifs-utils suite. + +-\ **setcifsacl**\ is a userspace helper program for the Linux CIFS client +-file system. It is intended to alter an ACL of a security descriptor +-for a file system object. Whether a security descriptor to be set is ++``setcifsacl`` is a userspace helper program for the Linux CIFS client ++file system. It is intended to alter an ACL of a security descriptor ++for a file system object. Whether a security descriptor to be set is + applied or not is determined by the CIFS/SMB server. + + This program uses a plugin to handle the mapping of user and group +-names to SIDs. ``@pluginpath@`` should be a symlink that points to the ++names to SIDs. *@pluginpath@* should be a symlink that points to the + correct plugin to use. + +- + ******* + OPTIONS + ******* + ++-h ++ Print usage message and exit. + ++-v ++ Print version number and exit. + +-\ **-h**\ +- +- Print usage message and exit. +- +- +- +-\ **-v**\ +- +- Print version number and exit. +- ++-a ++ Add one or more ACEs to an ACL of a security descriptor. An ACE is ++ added even if the same ACE exists in the ACL. + ++-D ++ Delete one or more ACEs from an ACL of a security descriptor. Entire ++ ACE has to match in an existing ACL for the listed ACEs to be deleted. + +-\ **-a**\ +- +- Add one or more ACEs to an ACL of a security descriptor. An ACE is +- added even if the same ACE exists in the ACL. +- ++-M ++ Modify one or more ACEs from an ACL of a security descriptor. SID and ++ type are used to match for existing ACEs to be modified with the list ++ of ACEs specified. + ++-S ++ Set an ACL of security descriptor with the list of ACEs Existing ACL ++ is replaced entirely with the specified ACEs. + +-\ **-D**\ +- +- Delete one or more ACEs from an ACL of a security descriptor. Entire +- ACE has to match in an existing ACL for the listed ACEs to be deleted. +- +- +- +-\ **-M**\ +- +- Modify one or more ACEs from an ACL of a security descriptor. SID and +- type are used to match for existing ACEs to be modified with the list +- of ACEs specified. +- +- +- +-\ **-S**\ +- +- Set an ACL of security descriptor with the list of ACEs Existing ACL +- is replaced entirely with the specified ACEs. +- +- Every ACE entry starts with "ACL:" One or more ACEs are specified +- within double quotes. Multiple ACEs are separated by a comma. +- +- Following fields of an ACE can be modified with possible values: +- +- +- \ **SID**\ - Either a name or a raw SID value. +- +- +- +- \ **type**\ - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6) +- +- +- +- \ **flags**\ - OBJECT_INHERIT_FLAG (OI or 0x1), CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI or +- 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or 0x10) +- or a combination/OR of these values. +- +- +- +- \ **mask**\ - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value +- +- +- ++ Every ACE entry starts with "ACL:" One or more ACEs are specified ++ within double quotes. Multiple ACEs are separated by a comma. + ++ Following fields of an ACE can be modified with possible values: + ++ - ``SID`` - Either a name or a raw SID value. ++ - ``type`` - ALLOWED (0x0), DENIED (0x1), OBJECT_ALLOWED (0x5), OBJECT_DENIED (0x6) ++ - ``flags`` - OBJECT_INHERIT_FLAG (OI or 0x1), ++ CONTAINER_INHERIT_FLAG (CI or 0x2), NO_PROPAGATE_INHERIT_FLAG (NI ++ or 0x4), INHERIT_ONLY_FLAG (IO or 0x8), INHERITED_ACE_FLAG (IA or ++ 0x10) or a combination/OR of these values. ++ - ``mask`` - Either one of FULL, CHANGE, READ, a combination of R W X D P O, or a hex value. + + ******** + EXAMPLES + ******** + +- + Add an ACE + ========== + +- +- +-.. code-block:: perl +- +- setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" +- setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" +- +- ++ setcifsacl -a "ACL:CIFSTESTDOM\user2:DENIED/0x1/D" ++ setcifsacl -a "ACL:CIFSTESTDOM\user1:ALLOWED/OI|CI|NI/D" + + Delete an ACE + ============= + +- +- +-.. code-block:: perl +- +- setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" +- +- ++ setcifsacl -D "ACL:S-1-1-0:0x1/OI/0x1201ff" + + Modify an ACE + ============= + +- +- +-.. code-block:: perl +- +- setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" +- +- ++ setcifsacl -M "ACL:CIFSTESTDOM\user1:ALLOWED/0x1f/CHANGE" + + Set an ACL + ========== + +- +- +-.. code-block:: perl +- +- setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" +- +- +- ++ setcifsacl -S "ACL:CIFSTESTDOM\Administrator:0x0/0x0/FULL,ACL:CIFSTESTDOM\user2:0x0/0x0/FULL" + + ***** + NOTES + ***** + +- + Kernel support for getcifsacl/setcifsacl utilities was initially + introduced in the 2.6.37 kernel. + +- + ******** + SEE ALSO + ******** + +- + mount.cifs(8), getcifsacl(1) + +- + ****** + AUTHOR + ****** + +- + Shirish Pargaonkar wrote the setcifsacl program. + + The Linux CIFS Mailing list is the preferred place to ask questions + regarding these programs. +- +-- +1.8.3.1 + diff --git a/SOURCES/0002-mount.cifs.rst-document-new-no-handlecache-mount-opt.patch b/SOURCES/0002-mount.cifs.rst-document-new-no-handlecache-mount-opt.patch new file mode 100644 index 0000000..3ec0ede --- /dev/null +++ b/SOURCES/0002-mount.cifs.rst-document-new-no-handlecache-mount-opt.patch @@ -0,0 +1,39 @@ +From f701927118c7c0833751e610c3fd45504c47ef08 Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Tue, 15 May 2018 10:40:48 +0200 +Subject: [PATCH 02/36] mount.cifs.rst: document new (no)handlecache mount + option + +Signed-off-by: Aurelien Aptel +Reviewed-by: Steve French +Reviewed-by: Pavel Shilovsky +(cherry picked from commit bfcbfaa27a6bcfea3d463e793feff5a983f344a5) +Signed-off-by: Sachin Prabhu +--- + mount.cifs.rst | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/mount.cifs.rst b/mount.cifs.rst +index c0f0bdb..405c459 100644 +--- a/mount.cifs.rst ++++ b/mount.cifs.rst +@@ -237,6 +237,16 @@ cache=arg + The default in kernels prior to 3.7 was ``loose``. As of kernel 3.7 the + default is ``strict``. + ++handlecache ++ (default) In SMB2 and above, the client often has to open the root ++ of the share (empty path) in various places during mount, path ++ revalidation and the statfs(2) system call. This option cuts ++ redundant round trip traffic (opens and closes) by simply keeping ++ the directory handle for the root around once opened. ++ ++nohandlecache ++ Disable caching of the share root directory handle. ++ + directio + Do not do inode data caching on files opened on this mount. This + precludes mmaping files on this mount. In some cases with fast +-- +1.8.3.1 + diff --git a/SOURCES/0003-manpage-update-mount.cifs-manpage-with-info-about-rd.patch b/SOURCES/0003-manpage-update-mount.cifs-manpage-with-info-about-rd.patch new file mode 100644 index 0000000..1facb72 --- /dev/null +++ b/SOURCES/0003-manpage-update-mount.cifs-manpage-with-info-about-rd.patch @@ -0,0 +1,32 @@ +From 9caa0b96b49cb38b8ed7c4c05b3f517ae0313991 Mon Sep 17 00:00:00 2001 +From: Kenneth Dsouza +Date: Fri, 13 Jul 2018 23:49:59 +0530 +Subject: [PATCH 03/36] manpage: update mount.cifs manpage with info about rdma + option + +Signed-off-by: Kenneth Dsouza +(cherry picked from commit 03a3296c79f8195f94c43a3b4feb09df75d9b90e) +Signed-off-by: Sachin Prabhu +--- + mount.cifs.rst | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/mount.cifs.rst b/mount.cifs.rst +index 405c459..56c1bf9 100644 +--- a/mount.cifs.rst ++++ b/mount.cifs.rst +@@ -403,6 +403,11 @@ echo_interval=n + If this option is not given then the default value of 60 seconds is used. + The minimum tunable value is 1 second and maximum can go up to 600 seconds. + ++rdma ++ Use to connect to SMB Direct, only applicable when specified with ++ vers=3 or vers=3.x. ++ Here 3.x can be 3.0, 3.02 or 3.1.1. ++ + serverino + Use inode numbers (unique persistent file identifiers) returned by the + server instead of automatically generating temporary inode numbers on +-- +1.8.3.1 + diff --git a/SOURCES/0004-checkopts-add-python-script-to-cross-check-mount-opt.patch b/SOURCES/0004-checkopts-add-python-script-to-cross-check-mount-opt.patch new file mode 100644 index 0000000..cacafe4 --- /dev/null +++ b/SOURCES/0004-checkopts-add-python-script-to-cross-check-mount-opt.patch @@ -0,0 +1,263 @@ +From 0c846b0201e7d74186a10facfed222596a0d1d50 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Aur=C3=A9lien=20Aptel?= +Date: Tue, 10 Jul 2018 17:50:42 +0200 +Subject: [PATCH 04/36] checkopts: add python script to cross check mount + options + +Signed-off-by: Aurelien Aptel +(cherry picked from commit 97209a56d13b8736579a58cccf00d2da4e4a0e5a) +Signed-off-by: Sachin Prabhu +--- + checkopts | 240 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 240 insertions(+) + create mode 100755 checkopts + +diff --git a/checkopts b/checkopts +new file mode 100755 +index 0000000..26ca271 +--- /dev/null ++++ b/checkopts +@@ -0,0 +1,240 @@ ++#!/usr/bin/env python3 ++# ++# Script to check for inconsistencies between documented mount options ++# and implemented kernel options. ++# Copyright (C) 2018 Aurelien Aptel (aaptel@suse.com) ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++ ++import os ++import sys ++import re ++import subprocess ++import argparse ++from pprint import pprint as P ++ ++def extract_canonical_opts(s): ++ """ ++ Return list of option names present in s. ++ e.g "opt1=a|opt2=d" => ["opt1", "opt2"]) ++ """ ++ opts = s.split("|") ++ res = [] ++ for o in opts: ++ x = o.split("=") ++ res.append(x[0]) ++ return res ++ ++def extract_kernel_opts(fn): ++ STATE_BASE = 0 ++ STATE_DEF = 1 ++ STATE_USE = 2 ++ STATE_EXIT = 3 ++ ++ state = STATE_BASE ++ fmt2enum = {} ++ enum2code = {} ++ code = '' ++ current_opt = '' ++ rx = RX() ++ ++ def code_add(s): ++ if current_opt != '': ++ if current_opt not in enum2code: ++ enum2code[current_opt] = '' ++ enum2code[current_opt] += s ++ ++ with open(fn) as f: ++ for s in f.readlines(): ++ if state == STATE_EXIT: ++ break ++ ++ elif state == STATE_BASE: ++ if rx.search(r'cifs_mount_option_tokens.*\{', s): ++ state = STATE_DEF ++ elif rx.search(r'^cifs_parse_mount_options', s): ++ state = STATE_USE ++ ++ elif state == STATE_DEF: ++ if rx.search(r'(Opt_[a-zA-Z0-9_]+)\s*,\s*"([^"]+)"', s): ++ fmt = rx.group(2) ++ opts = extract_canonical_opts(fmt) ++ assert(len(opts) == 1) ++ name = opts[0] ++ fmt2enum[name] = {'enum':rx.group(1), 'fmt':fmt} ++ elif rx.search(r'^};', s): ++ state = STATE_BASE ++ ++ elif state == STATE_USE: ++ if rx.search(r'^\s*case (Opt_[a-zA-Z0-9_]+)', s): ++ current_opt = rx.group(1) ++ elif current_opt != '' and rx.search(r'^\s*default:', s): ++ state = STATE_EXIT ++ else: ++ code_add(s) ++ return fmt2enum, enum2code ++ ++def chomp(s): ++ if s[-1] == '\n': ++ return s[:-1] ++ return s ++ ++def extract_man_opts(fn): ++ STATE_EXIT = 0 ++ STATE_BASE = 1 ++ STATE_OPT = 2 ++ ++ state = STATE_BASE ++ rx = RX() ++ opts = {} ++ ++ with open(fn) as f: ++ for s in f.readlines(): ++ if state == STATE_EXIT: ++ break ++ ++ elif state == STATE_BASE: ++ if rx.search(r'^OPTION', s): ++ state = STATE_OPT ++ ++ elif state == STATE_OPT: ++ if rx.search('^[a-z]', s) and len(s) < 50: ++ s = chomp(s) ++ names = extract_canonical_opts(s) ++ for name in names: ++ opts[name] = s ++ elif rx.search(r'^[A-Z]+', s): ++ state = STATE_EXIT ++ return opts ++ ++def format_code(s): ++ # remove common indent in the block ++ min_indent = None ++ for ln in s.split("\n"): ++ indent = 0 ++ for c in ln: ++ if c == '\t': indent += 1 ++ else: break ++ if min_indent is None: ++ min_indent = indent ++ elif indent > 0: ++ min_indent = min(indent, min_indent) ++ out = '' ++ lines = s.split("\n") ++ if lines[-1].strip() == '': ++ lines.pop() ++ for ln in lines: ++ out += "| %s\n" % ln[min_indent:] ++ return out ++ ++def sortedset(s): ++ return sorted(list(s), key=lambda x: re.sub('^no', '', x)) ++ ++def opt_neg(opt): ++ if opt.startswith("no"): ++ return opt[2:] ++ else: ++ return "no"+opt ++ ++def main(): ++ ap = argparse.ArgumentParser(description="Cross-check mount options from cifs.ko/man page") ++ ap.add_argument("cfile", help="path to connect.c") ++ ap.add_argument("rstfile", help="path to mount.cifs.rst") ++ args = ap.parse_args() ++ ++ fmt2enum, enum2code = extract_kernel_opts(args.cfile) ++ manopts = extract_man_opts(args.rstfile) ++ ++ kernel_opts_set = set(fmt2enum.keys()) ++ man_opts_set = set(manopts.keys()) ++ ++ def opt_alias_is_doc(o): ++ enum = fmt2enum[o]['enum'] ++ aliases = [] ++ for k,v in fmt2enum.items(): ++ if k != o and v['enum'] == enum: ++ if opt_is_doc(k): ++ return k ++ return None ++ ++ def opt_exists(o): ++ return o in fmt2enum ++ ++ def opt_is_doc(o): ++ return o in manopts ++ ++ ++ print('UNDOCUMENTED OPTIONS') ++ print('====================') ++ ++ undoc_opts = kernel_opts_set - man_opts_set ++ # group opts and their negations together ++ for opt in sortedset(undoc_opts): ++ fmt = fmt2enum[opt]['fmt'] ++ enum = fmt2enum[opt]['enum'] ++ code = format_code(enum2code[enum]) ++ neg = opt_neg(opt) ++ ++ if enum == 'Opt_ignore': ++ print("# skipping %s (Opt_ignore)\n"%opt) ++ continue ++ ++ if opt_exists(neg) and opt_is_doc(neg): ++ print("# skipping %s (%s is documented)\n"%(opt, neg)) ++ continue ++ ++ alias = opt_alias_is_doc(opt) ++ if alias: ++ print("# skipping %s (alias %s is documented)\n"%(opt, alias)) ++ continue ++ ++ print('OPTION %s ("%s" -> %s):\n%s'%(opt, fmt, enum, code)) ++ ++ print('') ++ print('DOCUMENTED BUT NON-EXISTING OPTIONS') ++ print('===================================') ++ ++ unex_opts = man_opts_set - kernel_opts_set ++ # group opts and their negations together ++ for opt in sortedset(unex_opts): ++ fmt = manopts[opt] ++ print('OPTION %s ("%s")' % (opt, fmt)) ++ ++ ++ print('') ++ print('NEGATIVE OPTIONS WITHOUT POSITIVE') ++ print('=================================') ++ ++ for opt in sortedset(kernel_opts_set): ++ if not opt.startswith('no'): ++ continue ++ ++ neg = opt[2:] ++ if not opt_exists(neg): ++ print("OPTION %s exists but not %s"%(opt,neg)) ++ ++# little helper to test AND store result at the same time so you can ++# do if/elsif easily instead of nesting them when you need to do ++# captures ++class RX: ++ def __init__(self): ++ pass ++ def search(self, rx, s, flags=0): ++ self.r = re.search(rx, s, flags) ++ return self.r ++ def group(self, n): ++ return self.r.group(n) ++ ++if __name__ == '__main__': ++ main() +-- +1.8.3.1 + diff --git a/SOURCES/0005-mount.cifs.rst-document-missing-options-correct-wron.patch b/SOURCES/0005-mount.cifs.rst-document-missing-options-correct-wron.patch new file mode 100644 index 0000000..1ef5802 --- /dev/null +++ b/SOURCES/0005-mount.cifs.rst-document-missing-options-correct-wron.patch @@ -0,0 +1,221 @@ +From e1e36b41e779d241cc1ff0e2f6f90b630b1e3d14 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Aur=C3=A9lien=20Aptel?= +Date: Tue, 10 Jul 2018 17:50:43 +0200 +Subject: [PATCH 05/36] mount.cifs.rst: document missing options, correct wrong + ones + +Signed-off-by: Aurelien Aptel +(cherry picked from commit 7325a01abc529d68756bae90cf23233392626939) +Signed-off-by: Sachin Prabhu +--- + mount.cifs.rst | 111 ++++++++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 79 insertions(+), 32 deletions(-) + +diff --git a/mount.cifs.rst b/mount.cifs.rst +index 56c1bf9..13b3a1e 100644 +--- a/mount.cifs.rst ++++ b/mount.cifs.rst +@@ -123,6 +123,11 @@ forcegid + of the gid= option. See the section on `FILE AND DIRECTORY OWNERSHIP + AND PERMISSIONS`_ below for more information. + ++idsfromsid ++ Extract uid/gid from special SID instead of mapping it. See the ++ section on `FILE AND DIRECTORY OWNERSHIP AND PERMISSIONS`_ below for ++ more information. ++ + port=arg + sets the port number on which the client will attempt to contact the + CIFS server. If this value is specified, look for an existing +@@ -133,8 +138,9 @@ port=arg + try to connect on port 445 first and then port 139 if that + fails. Return an error if both fail. + +-servernetbiosname=arg +- Specify the server netbios name (RFC1001 name) to use when attempting ++ ++netbiosname=arg ++ Specify the client netbios name (RFC1001 name) to use when attempting + to setup a session to the server. Although rarely needed for mounting + to newer servers, this option is needed for mounting to some older + servers (such as OS/2 or Windows 98 and Windows ME) since when +@@ -143,7 +149,8 @@ servernetbiosname=arg + characters long and is usually uppercased. + + servern=arg +- Synonym for ``servernetbiosname`` ++ Similarl to ``netbiosname`` except it specifies the netbios name of ++ the server instead of the client. + + netbiosname=arg + When mounting to servers via port 139, specifies the RFC1001 source +@@ -166,6 +173,10 @@ ip=arg|addr=arg + domain=arg|dom=arg|workgroup=arg + sets the domain (workgroup) of the user. + ++domainauto ++ When using NTLMv2 authentification and not providing a domain via ++ ``domain``, guess the domain from the server NTLM challenge. ++ + guest + don't prompt for a password. + +@@ -237,6 +248,9 @@ cache=arg + The default in kernels prior to 3.7 was ``loose``. As of kernel 3.7 the + default is ``strict``. + ++nostrictsync ++ Do not flush to the server on fsync(). ++ + handlecache + (default) In SMB2 and above, the client often has to open the root + of the share (empty path) in various places during mount, path +@@ -247,32 +261,6 @@ handlecache + nohandlecache + Disable caching of the share root directory handle. + +-directio +- Do not do inode data caching on files opened on this mount. This +- precludes mmaping files on this mount. In some cases with fast +- networks and little or no caching benefits on the client (e.g. when +- the application is doing large sequential reads bigger than page size +- without rereading the same data) this can provide better performance +- than the default behavior which caches reads (readahead) and writes +- (writebehind) through the local Linux client pagecache if oplock +- (caching token) is granted and held. Note that direct allows write +- operations larger than page size to be sent to the server. On some +- kernels this requires the cifs.ko module to be built with the +- ``CIFS_EXPERIMENTAL`` configure option. +- +- This option is will be deprecated in 3.7. Users should use +- ``cache=none`` instead on more recent kernels. +- +-strictcache +- Use for switching on strict cache mode. In this mode the client reads +- from the cache all the time it has *Oplock Level II* , otherwise - +- read from the server. As for write - the client stores a data in the +- cache in *Exclusive Oplock* case, otherwise - write directly to the +- server. +- +- This option is will be deprecated in 3.7. Users should use +- ``cache=strict`` instead on more recent kernels. +- + rwpidforward + Forward pid of a process who opened a file to any read or write + operation on that file. This prevent applications like wine(1) from +@@ -283,7 +271,7 @@ mapchars + including the colon, question mark, pipe, asterik, greater than and + less than characters) to the remap range (above 0xF000), which also + allows the CIFS client to recognize files created with such characters +- by Windows's POSIX emulation. This can also be useful when mounting to ++ by Windows's Services for Mac. This can also be useful when mounting to + most versions of Samba (which also forbids creating and opening files + whose names contain any of these seven characters). This has no effect + if the server does not support Unicode on the wire. Please note that +@@ -293,6 +281,10 @@ mapchars + nomapchars + (default) Do not translate any of these seven characters. + ++mapposix ++ Translate reserved characters similarly to ``mapchars`` but use the ++ mapping from Microsoft "Services For Unix". ++ + intr + currently unimplemented. + +@@ -370,12 +362,42 @@ seal + Request encryption at the SMB layer. Encryption is only supported in + SMBv3 and above. The encryption algorithm used is AES-128-CCM. + ++rdma ++ Connect directly to the server using SMB Direct via a RDMA adapter. ++ ++resilienthandles ++ Enable resilient handles. If the server supports it, keep opened ++ files across reconenctions. Requires SMB2.1. ++ ++noresilienthandles ++ (default) Disable resilient handles. ++ ++persistenthandles ++ Enable persistent handles. If the server supports it, keep opened ++ files across reconnections. Persistent handles are also valid across ++ servers in a cluser and have stronger guarantees than resilient ++ handles. Requires SMB3 or above. ++ ++nopersistenthandles ++ (default) Disable persistent handles. ++ ++snapshot=time ++ Mount a specific snapshot of the remote share. ``time`` must be a ++ positive integer identifying the snapshot requested. ++ + nobrl + Do not send byte range lock requests to the server. This is necessary + for certain applications that break with cifs style mandatory byte + range locks (and most cifs servers do not yet support requesting + advisory byte range locks). + ++forcemandatorylock ++ Do not use POSIX locks even when available via unix ++ extensions. Always use cifs style mandatory locks. ++ ++locallease ++ Check cache leases locally instead of querying the server. ++ + sfu + When the CIFS Unix Extensions are not negotiated, attempt to create + device files and fifos in a format compatible with Services for Unix +@@ -431,8 +453,12 @@ noserverino + + See section `INODE NUMBERS`_ for more information. + +-nounix +- Disable the CIFS Unix Extensions for this mount. This can be useful in ++unix|linux ++ (default) Enable Unix Extensions for this mount. Requires CIFS ++ (vers=1.0) or SMB3.1.1 (vers=3.1.1) and a server supporting them. ++ ++nounix|nolinux ++ Disable the Unix Extensions for this mount. This can be useful in + order to turn off multiple settings at once. This includes POSIX acls, + POSIX locks, POSIX paths, symlink support and retrieving + uids/gids/mode from the server. This can also be useful to work around +@@ -444,6 +470,23 @@ nouser_xattr + Do not allow getfattr/setfattr to get/set xattrs, even if server would + support it otherwise. The default is for xattr support to be enabled. + ++nodfs ++ Do not follow Distributed FileSystem referals. IO on a file not ++ stored on the server will fail instead of connecting to the target ++ server transparently. ++ ++noautotune ++ Use fixed size for kernel recv/send socket buffers. ++ ++nosharesock ++ Do not try to reuse sockets if the system is already connected to ++ the server via an existing mount point. This will make the client ++ always make a new connection to the server no matter what he is ++ already connected to. ++ ++noblocksend ++ Send data on the socket using non blocking operations (MSG_DONTWAIT flag). ++ + rsize=bytes + Maximum amount of data that the kernel will request in a read request + in bytes. Prior to kernel 3.2.0, the default was 16k, and the maximum +@@ -472,6 +515,10 @@ wsize=bytes + this value isn't specified or it's greater or equal than the existing + one. + ++max_credits=n ++ Maximum credits the SMB2 client can have. Default is 32000. Must be ++ set to a number between 20 and 60000. ++ + fsc + Enable local disk caching using FS-Cache for CIFS. This option could + be useful to improve performance on a slow link, heavily loaded server +-- +1.8.3.1 + diff --git a/SOURCES/0006-checkopts-report-duplicated-options-in-man-page.patch b/SOURCES/0006-checkopts-report-duplicated-options-in-man-page.patch new file mode 100644 index 0000000..fc2af65 --- /dev/null +++ b/SOURCES/0006-checkopts-report-duplicated-options-in-man-page.patch @@ -0,0 +1,69 @@ +From 5cff08c4ac6bcb43ac2bc371db189a88c53c8326 Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Wed, 8 Aug 2018 11:38:15 +0200 +Subject: [PATCH 06/36] checkopts: report duplicated options in man page + +Signed-off-by: Aurelien Aptel +(cherry picked from commit 77b028c11fee787d1235a08fd06c8b60d20eb9c0) +Signed-off-by: Sachin Prabhu +--- + checkopts | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/checkopts b/checkopts +index 26ca271..88e70b1 100755 +--- a/checkopts ++++ b/checkopts +@@ -98,9 +98,12 @@ def extract_man_opts(fn): + state = STATE_BASE + rx = RX() + opts = {} ++ ln = 0 + + with open(fn) as f: + for s in f.readlines(): ++ ln += 1 ++ + if state == STATE_EXIT: + break + +@@ -113,7 +116,9 @@ def extract_man_opts(fn): + s = chomp(s) + names = extract_canonical_opts(s) + for name in names: +- opts[name] = s ++ if name not in opts: ++ opts[name] = [] ++ opts[name].append({'ln':ln, 'fmt':s}) + elif rx.search(r'^[A-Z]+', s): + state = STATE_EXIT + return opts +@@ -174,6 +179,14 @@ def main(): + def opt_is_doc(o): + return o in manopts + ++ print('DUPLICATED DOC OPTIONS') ++ print('======================') ++ ++ for opt in sortedset(man_opts_set): ++ if len(manopts[opt]) > 1: ++ lines = ", ".join([str(x['ln']) for x in manopts[opt]]) ++ print("OPTION %-20.20s (lines %s)"%(opt, lines)) ++ print() + + print('UNDOCUMENTED OPTIONS') + print('====================') +@@ -208,8 +221,8 @@ def main(): + unex_opts = man_opts_set - kernel_opts_set + # group opts and their negations together + for opt in sortedset(unex_opts): +- fmt = manopts[opt] +- print('OPTION %s ("%s")' % (opt, fmt)) ++ man = manopts[opt][0] ++ print('OPTION %s ("%s") line %d' % (opt, man['fmt'], man['ln'])) + + + print('') +-- +1.8.3.1 + diff --git a/SOURCES/0007-mount.cifs.rst-more-cleanups.patch b/SOURCES/0007-mount.cifs.rst-more-cleanups.patch new file mode 100644 index 0000000..1c9c302 --- /dev/null +++ b/SOURCES/0007-mount.cifs.rst-more-cleanups.patch @@ -0,0 +1,161 @@ +From 4641bf62ceab8ed86e55c422f0dc7819972f14b6 Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Wed, 8 Aug 2018 11:38:16 +0200 +Subject: [PATCH 07/36] mount.cifs.rst: more cleanups + +* remove duplicates (netbiosname, rdma) +* remove snapshot +* document nostrictsync, domain, domainauto better +* point to vers= when talking about version requirements +* typos + +Signed-off-by: Aurelien Aptel +(cherry picked from commit 06503ef4490a3dde4e8297cf1c5cb336ba43aafa) +Signed-off-by: Sachin Prabhu +--- + mount.cifs.rst | 61 ++++++++++++++++++++++++++++------------------------------ + 1 file changed, 29 insertions(+), 32 deletions(-) + +diff --git a/mount.cifs.rst b/mount.cifs.rst +index 13b3a1e..3504477 100644 +--- a/mount.cifs.rst ++++ b/mount.cifs.rst +@@ -138,25 +138,20 @@ port=arg + try to connect on port 445 first and then port 139 if that + fails. Return an error if both fail. + +- + netbiosname=arg +- Specify the client netbios name (RFC1001 name) to use when attempting +- to setup a session to the server. Although rarely needed for mounting ++ When mounting to servers via port 139, specifies the RFC1001 source ++ name to use to represent the client netbios machine during the netbios ++ session initialization. ++ ++servern=arg ++ Similar to ``netbiosname`` except it specifies the netbios name of ++ the server instead of the client. Although rarely needed for mounting + to newer servers, this option is needed for mounting to some older + servers (such as OS/2 or Windows 98 and Windows ME) since when + connecting over port 139 they, unlike most newer servers, do not + support a default server name. A server name can be up to 15 + characters long and is usually uppercased. + +-servern=arg +- Similarl to ``netbiosname`` except it specifies the netbios name of +- the server instead of the client. +- +-netbiosname=arg +- When mounting to servers via port 139, specifies the RFC1001 source +- name to use to represent the client netbios machine name when doing +- the RFC1001 netbios session initialize. +- + file_mode=arg + If the server does not support the CIFS Unix extensions this overrides + the default file mode. +@@ -171,11 +166,14 @@ ip=arg|addr=arg + rarely needs to be specified by the user. + + domain=arg|dom=arg|workgroup=arg +- sets the domain (workgroup) of the user. ++ Sets the domain (workgroup) of the user. If no domains are given, ++ the empty domain will be used. Use ``domainauto`` to automatically ++ guess the domain of the server you are connecting to. + + domainauto +- When using NTLMv2 authentification and not providing a domain via ++ When using NTLM authentication and not providing a domain via + ``domain``, guess the domain from the server NTLM challenge. ++ This behavior used to be the default on kernels older than 2.6.36. + + guest + don't prompt for a password. +@@ -249,7 +247,14 @@ cache=arg + default is ``strict``. + + nostrictsync +- Do not flush to the server on fsync(). ++ Do not ask the server to flush on fsync(). ++ Some servers perform non-buffered writes by default in which case ++ flushing is redundant. In workloads where a client is performing a ++ lot of small write + fsync combinations and where network latency is ++ much higher than the server latency, this brings a 2x performance ++ improvement. ++ This option is also a good candidate in scenarios where we want ++ performance over consistency. + + handlecache + (default) In SMB2 and above, the client often has to open the root +@@ -359,15 +364,16 @@ sec=arg + automatically if it's enabled in */proc/fs/cifs/SecurityFlags*. + + seal +- Request encryption at the SMB layer. Encryption is only supported in +- SMBv3 and above. The encryption algorithm used is AES-128-CCM. ++ Request encryption at the SMB layer. The encryption algorithm used ++ is AES-128-CCM. Requires SMB3 or above (see ``vers``). + + rdma +- Connect directly to the server using SMB Direct via a RDMA adapter. ++ Connect directly to the server using SMB Direct via a RDMA ++ adapter. Requires SMB3 or above (see ``vers``). + + resilienthandles + Enable resilient handles. If the server supports it, keep opened +- files across reconenctions. Requires SMB2.1. ++ files across reconnections. Requires SMB2.1 (see ``vers``). + + noresilienthandles + (default) Disable resilient handles. +@@ -375,16 +381,12 @@ noresilienthandles + persistenthandles + Enable persistent handles. If the server supports it, keep opened + files across reconnections. Persistent handles are also valid across +- servers in a cluser and have stronger guarantees than resilient +- handles. Requires SMB3 or above. ++ servers in a cluster and have stronger guarantees than resilient ++ handles. Requires SMB3 or above (see ``vers``). + + nopersistenthandles + (default) Disable persistent handles. + +-snapshot=time +- Mount a specific snapshot of the remote share. ``time`` must be a +- positive integer identifying the snapshot requested. +- + nobrl + Do not send byte range lock requests to the server. This is necessary + for certain applications that break with cifs style mandatory byte +@@ -396,7 +398,7 @@ forcemandatorylock + extensions. Always use cifs style mandatory locks. + + locallease +- Check cache leases locally instead of querying the server. ++ Check cached leases locally instead of querying the server. + + sfu + When the CIFS Unix Extensions are not negotiated, attempt to create +@@ -425,11 +427,6 @@ echo_interval=n + If this option is not given then the default value of 60 seconds is used. + The minimum tunable value is 1 second and maximum can go up to 600 seconds. + +-rdma +- Use to connect to SMB Direct, only applicable when specified with +- vers=3 or vers=3.x. +- Here 3.x can be 3.0, 3.02 or 3.1.1. +- + serverino + Use inode numbers (unique persistent file identifiers) returned by the + server instead of automatically generating temporary inode numbers on +@@ -471,7 +468,7 @@ nouser_xattr + support it otherwise. The default is for xattr support to be enabled. + + nodfs +- Do not follow Distributed FileSystem referals. IO on a file not ++ Do not follow Distributed FileSystem referrals. IO on a file not + stored on the server will fail instead of connecting to the target + server transparently. + +-- +1.8.3.1 + diff --git a/SOURCES/0008-mount.cifs.rst-document-vers-3-mount-option.patch b/SOURCES/0008-mount.cifs.rst-document-vers-3-mount-option.patch new file mode 100644 index 0000000..6621492 --- /dev/null +++ b/SOURCES/0008-mount.cifs.rst-document-vers-3-mount-option.patch @@ -0,0 +1,27 @@ +From 3d47c844a7b69a1c9f96289e44d92343653d05f4 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Fri, 17 Aug 2018 11:08:58 -0700 +Subject: [PATCH 08/36] mount.cifs.rst: document vers=3 mount option + +Signed-off-by: Pavel Shilovsky +(cherry picked from commit 439cd76f72a2dd3c65fd7d30ece460cde6b9675d) +Signed-off-by: Sachin Prabhu +--- + mount.cifs.rst | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/mount.cifs.rst b/mount.cifs.rst +index 3504477..6587e16 100644 +--- a/mount.cifs.rst ++++ b/mount.cifs.rst +@@ -592,6 +592,7 @@ vers=arg + - 2.1 - The SMBv2.1 protocol that was introduced in Microsoft Windows 7 and Windows Server 2008R2. + - 3.0 - The SMBv3.0 protocol that was introduced in Microsoft Windows 8 and Windows Server 2012. + - 3.1.1 or 3.11 - The SMBv3.1.1 protocol that was introduced in Microsoft Windows Server 2016. ++ - 3 - The SMBv3.0 protocol version and above. + + Note too that while this option governs the protocol version used, not + all features of each version are available. +-- +1.8.3.1 + diff --git a/SOURCES/0009-mount.cifs.rst-document-vers-3.02-mount-option.patch b/SOURCES/0009-mount.cifs.rst-document-vers-3.02-mount-option.patch new file mode 100644 index 0000000..96a8077 --- /dev/null +++ b/SOURCES/0009-mount.cifs.rst-document-vers-3.02-mount-option.patch @@ -0,0 +1,27 @@ +From ac92f498e11b61def574fe858e6346bf8f2bad25 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Fri, 17 Aug 2018 11:13:45 -0700 +Subject: [PATCH 09/36] mount.cifs.rst: document vers=3.02 mount option + +Signed-off-by: Pavel Shilovsky +(cherry picked from commit 3c7e8c3663f50c2d2df6158cc4d22c4fccdc8ae8) +Signed-off-by: Sachin Prabhu +--- + mount.cifs.rst | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/mount.cifs.rst b/mount.cifs.rst +index 6587e16..a0faf7f 100644 +--- a/mount.cifs.rst ++++ b/mount.cifs.rst +@@ -591,6 +591,7 @@ vers=arg + different dialect (2.000) that is not supported. + - 2.1 - The SMBv2.1 protocol that was introduced in Microsoft Windows 7 and Windows Server 2008R2. + - 3.0 - The SMBv3.0 protocol that was introduced in Microsoft Windows 8 and Windows Server 2012. ++ - 3.02 - The SMBv3.0.2 protocol that was introduced in Microsoft Windows 8.1 and Windows Server 2012R2. + - 3.1.1 or 3.11 - The SMBv3.1.1 protocol that was introduced in Microsoft Windows Server 2016. + - 3 - The SMBv3.0 protocol version and above. + +-- +1.8.3.1 + diff --git a/SOURCES/0010-cifs-Allow-DNS-resolver-key-to-expire.patch b/SOURCES/0010-cifs-Allow-DNS-resolver-key-to-expire.patch new file mode 100644 index 0000000..f621411 --- /dev/null +++ b/SOURCES/0010-cifs-Allow-DNS-resolver-key-to-expire.patch @@ -0,0 +1,216 @@ +From bc41dbe55098629101fbf286755e123c9a2b6b77 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Wed, 13 Feb 2019 16:09:41 -0200 +Subject: [PATCH 10/36] cifs: Allow DNS resolver key to expire + +This patch introduces a new '--expire' option that allows the user to +set a timeout value for the dns resolver key -- which is typically +useful for hostnames that may get their ip addresses changed under +long running mounts. + +The default timeout value is set to 10 minutes. + +Signed-off-by: Paulo Alcantara +(cherry picked from commit b101af793c8415f298072d06841a278df0368bc3) +Signed-off-by: Sachin Prabhu +--- + cifs.upcall.c | 82 +++++++++++++++++++++++++++++++++++++++--------------- + cifs.upcall.rst.in | 5 +++- + 2 files changed, 64 insertions(+), 23 deletions(-) + +diff --git a/cifs.upcall.c b/cifs.upcall.c +index 89563fd..c92ee62 100644 +--- a/cifs.upcall.c ++++ b/cifs.upcall.c +@@ -63,6 +63,8 @@ + static krb5_context context; + static const char *prog = "cifs.upcall"; + ++#define DNS_RESOLVER_DEFAULT_TIMEOUT 600 /* 10 minutes */ ++ + typedef enum _sectype { + NONE = 0, + KRB5, +@@ -749,19 +751,48 @@ decode_key_description(const char *desc, struct decoded_args *arg) + return retval; + } + +-static int cifs_resolver(const key_serial_t key, const char *key_descr) ++static int setup_key(const key_serial_t key, const void *data, size_t datalen) ++{ ++ int rc; ++ ++ rc = keyctl_instantiate(key, data, datalen, 0); ++ if (rc) { ++ switch (errno) { ++ case ENOMEM: ++ case EDQUOT: ++ rc = keyctl_clear(key); ++ if (rc) { ++ syslog(LOG_ERR, "%s: keyctl_clear: %s", ++ __func__, strerror(errno)); ++ return rc; ++ } ++ rc = keyctl_instantiate(key, data, datalen, 0); ++ break; ++ default: ++ ; ++ } ++ } ++ if (rc) { ++ syslog(LOG_ERR, "%s: keyctl_instantiate: %s", ++ __func__, strerror(errno)); ++ } ++ return rc; ++} ++ ++static int cifs_resolver(const key_serial_t key, const char *key_descr, ++ const char *key_buf, unsigned expire_time) + { + int c; + struct addrinfo *addr; + char ip[INET6_ADDRSTRLEN]; + void *p; +- const char *keyend = key_descr; ++ const char *keyend = key_buf; + /* skip next 4 ';' delimiters to get to description */ + for (c = 1; c <= 4; c++) { + keyend = index(keyend + 1, ';'); + if (!keyend) { + syslog(LOG_ERR, "invalid key description: %s", +- key_descr); ++ key_buf); + return 1; + } + } +@@ -787,15 +818,21 @@ static int cifs_resolver(const key_serial_t key, const char *key_descr) + return 1; + } + +- /* setup key */ +- c = keyctl_instantiate(key, ip, strlen(ip) + 1, 0); +- if (c == -1) { +- syslog(LOG_ERR, "%s: keyctl_instantiate: %s", __func__, ++ /* needed for keyctl_set_timeout() */ ++ request_key("keyring", key_descr, NULL, KEY_SPEC_THREAD_KEYRING); ++ ++ c = setup_key(key, ip, strlen(ip) + 1); ++ if (c) { ++ freeaddrinfo(addr); ++ return 1; ++ } ++ c = keyctl_set_timeout(key, expire_time); ++ if (c) { ++ syslog(LOG_ERR, "%s: keyctl_set_timeout: %s", __func__, + strerror(errno)); + freeaddrinfo(addr); + return 1; + } +- + freeaddrinfo(addr); + return 0; + } +@@ -864,7 +901,7 @@ lowercase_string(char *c) + + static void usage(void) + { +- fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] key_serial\n", prog); ++ fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] [-e nsecs] key_serial\n", prog); + } + + static const struct option long_options[] = { +@@ -874,6 +911,7 @@ static const struct option long_options[] = { + {"trust-dns", 0, NULL, 't'}, + {"keytab", 1, NULL, 'K'}, + {"version", 0, NULL, 'v'}, ++ {"expire", 1, NULL, 'e'}, + {NULL, 0, NULL, 0} + }; + +@@ -897,13 +935,15 @@ int main(const int argc, char *const argv[]) + char *env_cachename = NULL; + krb5_ccache ccache = NULL; + struct passwd *pw; ++ unsigned expire_time = DNS_RESOLVER_DEFAULT_TIMEOUT; ++ const char *key_descr = NULL; + + hostbuf[0] = '\0'; + memset(&arg, 0, sizeof(arg)); + + openlog(prog, 0, LOG_DAEMON); + +- while ((c = getopt_long(argc, argv, "cEk:K:ltv", long_options, NULL)) != -1) { ++ while ((c = getopt_long(argc, argv, "cEk:K:ltve:", long_options, NULL)) != -1) { + switch (c) { + case 'c': + /* legacy option -- skip it */ +@@ -931,6 +971,9 @@ int main(const int argc, char *const argv[]) + rc = 0; + printf("version: %s\n", VERSION); + goto out; ++ case 'e': ++ expire_time = strtoul(optarg, NULL, 10); ++ break; + default: + syslog(LOG_ERR, "unknown option: %c", c); + goto out; +@@ -965,9 +1008,12 @@ int main(const int argc, char *const argv[]) + + syslog(LOG_DEBUG, "key description: %s", buf); + +- if ((strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0) || +- (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0)) { +- rc = cifs_resolver(key, buf); ++ if (strncmp(buf, "cifs.resolver", sizeof("cifs.resolver") - 1) == 0) ++ key_descr = ".cifs.resolver"; ++ else if (strncmp(buf, "dns_resolver", sizeof("dns_resolver") - 1) == 0) ++ key_descr = ".dns_resolver"; ++ if (key_descr) { ++ rc = cifs_resolver(key, key_descr, buf, expire_time); + goto out; + } + +@@ -1193,16 +1239,8 @@ retry_new_hostname: + memcpy(&(keydata->data) + keydata->sesskey_len, + secblob.data, secblob.length); + +- /* setup key */ +- rc = keyctl_instantiate(key, keydata, datalen, 0); +- if (rc == -1) { +- syslog(LOG_ERR, "keyctl_instantiate: %s", strerror(errno)); +- goto out; +- } ++ rc = setup_key(key, keydata, datalen); + +- /* BB: maybe we need use timeout for key: for example no more then +- * ticket lifietime? */ +- /* keyctl_set_timeout( key, 60); */ + out: + /* + * on error, negatively instantiate the key ourselves so that we can +diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in +index 1b8df3f..08ce324 100644 +--- a/cifs.upcall.rst.in ++++ b/cifs.upcall.rst.in +@@ -13,7 +13,7 @@ SYNOPSIS + + cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] + [--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf] +- [--keytab=/path/to/keytab|-K /path/to/keytab] {keyid} ++ [--keytab=/path/to/keytab|-K /path/to/keytab] [--expire|-e nsecs] {keyid} + + *********** + DESCRIPTION +@@ -85,6 +85,9 @@ OPTIONS + user. Set this option if you want cifs.upcall to use the older uid= + parameter instead of the creduid= parameter. + ++--expire|-e ++ Override default timeout value (600 seconds) for ``dns_resolver`` key. ++ + --version|-v + Print version number and exit. + +-- +1.8.3.1 + diff --git a/SOURCES/0011-mount.cifs-be-more-verbose-and-helpful-regarding-mou.patch b/SOURCES/0011-mount.cifs-be-more-verbose-and-helpful-regarding-mou.patch new file mode 100644 index 0000000..803e431 --- /dev/null +++ b/SOURCES/0011-mount.cifs-be-more-verbose-and-helpful-regarding-mou.patch @@ -0,0 +1,53 @@ +From 368b0d656eaa0c529743d582a36a46d994b260dd Mon Sep 17 00:00:00 2001 +From: Aurelien Aptel +Date: Thu, 14 Feb 2019 12:15:44 +0100 +Subject: [PATCH 11/36] mount.cifs: be more verbose and helpful regarding mount + errors + +Signed-off-by: Aurelien Aptel +(cherry picked from commit 3a00449ea2560c1f160ca5e69a48a5078bfa1194) +Signed-off-by: Sachin Prabhu +--- + mount.cifs.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/mount.cifs.c b/mount.cifs.c +index ae7a899..9370f2e 100644 +--- a/mount.cifs.c ++++ b/mount.cifs.c +@@ -2099,6 +2099,10 @@ mount_retry: + switch (errno) { + case ECONNREFUSED: + case EHOSTUNREACH: ++ if (currentaddress) { ++ fprintf(stderr, "mount error(%d): could not connect to %s", ++ errno, currentaddress); ++ } + currentaddress = nextaddress; + if (currentaddress) { + nextaddress = strchr(currentaddress, ','); +@@ -2110,6 +2114,12 @@ mount_retry: + fprintf(stderr, + "mount error: %s filesystem not supported by the system\n", cifs_fstype); + break; ++ case EHOSTDOWN: ++ fprintf(stderr, ++ "mount error: Server abruptly closed the connection.\n" ++ "This can happen if the server does not support the SMB version you are trying to use.\n" ++ "The default SMB version recently changed from SMB1 to SMB2.1 and above. Try mounting with vers=1.0.\n"); ++ break; + case ENXIO: + if (!already_uppercased && + uppercase_string(parsed_info->host) && +@@ -2126,7 +2136,7 @@ mount_retry: + strerror(errno)); + fprintf(stderr, + "Refer to the %s(8) manual page (e.g. man " +- "%s)\n", thisprogram, thisprogram); ++ "%s) and kernel log messages (dmesg)\n", thisprogram, thisprogram); + rc = EX_FAIL; + goto mount_exit; + } +-- +1.8.3.1 + diff --git a/SOURCES/0012-Update-mount.cifs-with-vers-default-mount-option-and.patch b/SOURCES/0012-Update-mount.cifs-with-vers-default-mount-option-and.patch new file mode 100644 index 0000000..f5f222a --- /dev/null +++ b/SOURCES/0012-Update-mount.cifs-with-vers-default-mount-option-and.patch @@ -0,0 +1,39 @@ +From 478e60f01a37928a5cece9407bf66a1b731d2363 Mon Sep 17 00:00:00 2001 +From: Kenneth D'souza +Date: Fri, 15 Feb 2019 07:52:48 +0530 +Subject: [PATCH 12/36] Update mount.cifs with vers=default mount option and + SMBv3.0.2 + +Add vers=3.0.2 as a valid option for SMBv3.0.2 and explain behavior +of vers=default. + +Signed-off-by: Kenneth D'souza +(cherry picked from commit d93cabc638195b5a4274c2650477456f81651e75) + +Signed-off-by: Sachin Prabhu +--- + mount.cifs.rst | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/mount.cifs.rst b/mount.cifs.rst +index a0faf7f..2ad7f59 100644 +--- a/mount.cifs.rst ++++ b/mount.cifs.rst +@@ -591,9 +591,13 @@ vers=arg + different dialect (2.000) that is not supported. + - 2.1 - The SMBv2.1 protocol that was introduced in Microsoft Windows 7 and Windows Server 2008R2. + - 3.0 - The SMBv3.0 protocol that was introduced in Microsoft Windows 8 and Windows Server 2012. +- - 3.02 - The SMBv3.0.2 protocol that was introduced in Microsoft Windows 8.1 and Windows Server 2012R2. ++ - 3.02 or 3.0.2 - The SMBv3.0.2 protocol that was introduced in Microsoft Windows 8.1 and Windows Server 2012R2. + - 3.1.1 or 3.11 - The SMBv3.1.1 protocol that was introduced in Microsoft Windows Server 2016. + - 3 - The SMBv3.0 protocol version and above. ++ - default - Tries to negotiate the highest SMB2+ version supported by both the client and server. ++ ++ If no dialect is specified on mount vers=default is used. ++ To check ``Dialect`` refer to /proc/fs/cifs/DebugData + + Note too that while this option governs the protocol version used, not + all features of each version are available. +-- +1.8.3.1 + diff --git a/SOURCES/0013-mount.cifs.rst-update-vers-3.1.1-option-description.patch b/SOURCES/0013-mount.cifs.rst-update-vers-3.1.1-option-description.patch new file mode 100644 index 0000000..8dd160f --- /dev/null +++ b/SOURCES/0013-mount.cifs.rst-update-vers-3.1.1-option-description.patch @@ -0,0 +1,29 @@ +From 87d529be482436e809dd6280d6d1cc977fd2d453 Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Fri, 15 Feb 2019 12:03:44 -0800 +Subject: [PATCH 13/36] mount.cifs.rst: update vers=3.1.1 option description + +Signed-off-by: Pavel Shilovsky +(cherry picked from commit b3f78f6dc200f61418d3d6c256ec116c3137ffee) + +Signed-off-by: Sachin Prabhu +--- + mount.cifs.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/mount.cifs.rst b/mount.cifs.rst +index 2ad7f59..f64d1f1 100644 +--- a/mount.cifs.rst ++++ b/mount.cifs.rst +@@ -592,7 +592,7 @@ vers=arg + - 2.1 - The SMBv2.1 protocol that was introduced in Microsoft Windows 7 and Windows Server 2008R2. + - 3.0 - The SMBv3.0 protocol that was introduced in Microsoft Windows 8 and Windows Server 2012. + - 3.02 or 3.0.2 - The SMBv3.0.2 protocol that was introduced in Microsoft Windows 8.1 and Windows Server 2012R2. +- - 3.1.1 or 3.11 - The SMBv3.1.1 protocol that was introduced in Microsoft Windows Server 2016. ++ - 3.1.1 or 3.11 - The SMBv3.1.1 protocol that was introduced in Microsoft Windows 10 and Windows Server 2016. + - 3 - The SMBv3.0 protocol version and above. + - default - Tries to negotiate the highest SMB2+ version supported by both the client and server. + +-- +1.8.3.1 + diff --git a/SOURCES/0014-getcifsacl-Do-not-go-to-parse_sec_desc-if-getxattr-f.patch b/SOURCES/0014-getcifsacl-Do-not-go-to-parse_sec_desc-if-getxattr-f.patch new file mode 100644 index 0000000..e37c2b4 --- /dev/null +++ b/SOURCES/0014-getcifsacl-Do-not-go-to-parse_sec_desc-if-getxattr-f.patch @@ -0,0 +1,38 @@ +From cb086a53b73901cf0dfc957915ff454a30f333b3 Mon Sep 17 00:00:00 2001 +From: Kenneth D'souza +Date: Tue, 19 Feb 2019 07:13:43 +0530 +Subject: [PATCH 14/36] getcifsacl: Do not go to parse_sec_desc if getxattr + fails. + +Add more to the error message by printing the filename and error. + +Signed-off-by: Kenneth D'souza +Reviewed-by: Steve French +(cherry picked from commit 670f416d2c0d07a4d9ff469eb797e5bef624d863) +Signed-off-by: Sachin Prabhu +--- + getcifsacl.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/getcifsacl.c b/getcifsacl.c +index f08cdea..aaf15fa 100644 +--- a/getcifsacl.c ++++ b/getcifsacl.c +@@ -398,8 +398,12 @@ cifsacl: + free(attrval); + bufsize += BUFSIZE; + goto cifsacl; +- } else +- printf("getxattr error: %d\n", errno); ++ } else { ++ fprintf(stderr, "getxattr failed on %s: %s\n", filename, strerror(errno) ); ++ free(attrval); ++ ret = -1; ++ goto out; ++ } + } + + parse_sec_desc((struct cifs_ntsd *)attrval, attrlen, raw); +-- +1.8.3.1 + diff --git a/SOURCES/0015-getcifsacl-Improve-help-usage-and-add-h-option.patch b/SOURCES/0015-getcifsacl-Improve-help-usage-and-add-h-option.patch new file mode 100644 index 0000000..9305693 --- /dev/null +++ b/SOURCES/0015-getcifsacl-Improve-help-usage-and-add-h-option.patch @@ -0,0 +1,82 @@ +From efff67c46ffeb0de69259e6c5cb9c4f6b82a860a Mon Sep 17 00:00:00 2001 +From: Kenneth D'souza +Date: Thu, 21 Feb 2019 10:39:25 +0530 +Subject: [PATCH 15/36] getcifsacl: Improve help usage and add -h option. + +Call getcifsacl_usage only for -h and default case. +For others error out with appropriate message. + +Signed-off-by: Kenneth D'souza +(cherry picked from commit ea9b99cf17a949edbe368301881a353d27018847) +Signed-off-by: Sachin Prabhu +--- + getcifsacl.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/getcifsacl.c b/getcifsacl.c +index aaf15fa..fc78881 100644 +--- a/getcifsacl.c ++++ b/getcifsacl.c +@@ -40,6 +40,7 @@ + + static void *plugin_handle; + static bool plugin_loaded; ++static char *execname; + + static void + print_each_ace_mask(uint32_t mask) +@@ -331,6 +332,8 @@ getcifsacl_usage(const char *prog) + prog); + fprintf(stderr, "Usage: %s [option] \n", prog); + fprintf(stderr, "Valid options:\n"); ++ fprintf(stderr, "\t-h Display this help text\n"); ++ fprintf(stderr, "\n"); + fprintf(stderr, "\t-v Version of the program\n"); + fprintf(stderr, "\n"); + fprintf(stderr, "\t-r Display raw values of the ACE fields\n"); +@@ -345,8 +348,15 @@ main(const int argc, char *const argv[]) + ssize_t attrlen; + size_t bufsize = BUFSIZE; + char *filename, *attrval; ++ execname = basename(argv[0]); ++ ++ if (argc < 2) { ++ fprintf(stderr, "%s: you must specify a filename.\n", execname); ++ printf("Try `getcifsacl -h' for more information.\n"); ++ goto out; ++ } + +- while ((c = getopt_long(argc, argv, "r:v", NULL, NULL)) != -1) { ++ while ((c = getopt_long(argc, argv, "rhv", NULL, NULL)) != -1) { + switch (c) { + case 'v': + printf("Version: %s\n", VERSION); +@@ -355,18 +365,17 @@ main(const int argc, char *const argv[]) + raw = true; + break; + default: +- break; ++ getcifsacl_usage(execname); ++ goto out; + } + } + +- if (raw && argc == 3) +- filename = argv[2]; +- else if (argc == 2) +- filename = argv[1]; +- else { +- getcifsacl_usage(basename(argv[0])); ++ if (optind >= argc) { ++ printf("you must specify a filename after options.\n"); ++ printf("Usage: getcifsacl [option] \n"); + goto out; +- } ++ } else ++ filename = argv[optind]; + + if (!raw && !plugin_loaded) { + ret = init_plugin(&plugin_handle); +-- +1.8.3.1 + diff --git a/SOURCES/0016-setcifsacl-fix-adding-ACE-when-owner-sid-in-unexpect.patch b/SOURCES/0016-setcifsacl-fix-adding-ACE-when-owner-sid-in-unexpect.patch new file mode 100644 index 0000000..b613ddb --- /dev/null +++ b/SOURCES/0016-setcifsacl-fix-adding-ACE-when-owner-sid-in-unexpect.patch @@ -0,0 +1,63 @@ +From 5053ec60ea609bbb5499e8359681fe998c3d4d68 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Fri, 1 Mar 2019 23:11:25 -0600 +Subject: [PATCH 16/36] setcifsacl: fix adding ACE when owner sid in unexpected + location + +If owner information is after the ACEs instead of before (e.g. Azure servers) in the ACL query +then we would get "invalid argument" returned on setcifsacl -a (adding an ACE). + +This fixes that. + +Signed-off-by: Steve French +(cherry picked from commit 0feb1a80f3777f4c244b46958aa9f730de9e18b6) +Signed-off-by: Sachin Prabhu +--- + setcifsacl.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/setcifsacl.c b/setcifsacl.c +index ba34403..1b98c37 100644 +--- a/setcifsacl.c ++++ b/setcifsacl.c +@@ -106,13 +106,32 @@ copy_sec_desc(const struct cifs_ntsd *pntsd, struct cifs_ntsd *pnntsd, + + /* copy owner sid */ + owner_sid_ptr = (struct cifs_sid *)((char *)pntsd + osidsoffset); +- nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + osidsoffset); +- size = copy_cifs_sid(nowner_sid_ptr, owner_sid_ptr); +- bufsize += size; ++ group_sid_ptr = (struct cifs_sid *)((char *)pntsd + gsidsoffset); ++ /* ++ * some servers like Azure return the owner and group SIDs at end rather ++ * than at the beginning of the ACL so don't want to overwrite the last ACEs ++ */ ++ if (dacloffset <= osidsoffset) { ++ /* owners placed at end of ACL */ ++ nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + dacloffset + size); ++ pnntsd->osidoffset = dacloffset + size; ++ size = copy_cifs_sid(nowner_sid_ptr, owner_sid_ptr); ++ bufsize += size; ++ /* put group SID after owner SID */ ++ ngroup_sid_ptr = (struct cifs_sid *)((char *)nowner_sid_ptr + size); ++ pnntsd->gsidoffset = pnntsd->osidoffset + size; ++ } else { ++ /* ++ * Most servers put the owner information at the beginning, ++ * before the ACL ++ */ ++ nowner_sid_ptr = (struct cifs_sid *)((char *)pnntsd + osidsoffset); ++ size = copy_cifs_sid(nowner_sid_ptr, owner_sid_ptr); ++ bufsize += size; ++ ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + gsidsoffset); ++ } + + /* copy group sid */ +- group_sid_ptr = (struct cifs_sid *)((char *)pntsd + gsidsoffset); +- ngroup_sid_ptr = (struct cifs_sid *)((char *)pnntsd + gsidsoffset); + size = copy_cifs_sid(ngroup_sid_ptr, group_sid_ptr); + bufsize += size; + +-- +1.8.3.1 + diff --git a/SOURCES/0017-cifs.upcall-fix-a-compiler-warning.patch b/SOURCES/0017-cifs.upcall-fix-a-compiler-warning.patch new file mode 100644 index 0000000..ed78516 --- /dev/null +++ b/SOURCES/0017-cifs.upcall-fix-a-compiler-warning.patch @@ -0,0 +1,27 @@ +From e762faa6943c90e6b593c13b3962af16cdf20d2c Mon Sep 17 00:00:00 2001 +From: Pavel Shilovsky +Date: Sat, 16 Mar 2019 12:34:13 -0700 +Subject: [PATCH 17/36] cifs.upcall: fix a compiler warning + +Signed-off-by: Pavel Shilovsky +(cherry picked from commit 2244e109ae30aeb0a21deaa591f6e11fa2039e7d) +Signed-off-by: Sachin Prabhu +--- + cifs.upcall.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cifs.upcall.c b/cifs.upcall.c +index c92ee62..1559434 100644 +--- a/cifs.upcall.c ++++ b/cifs.upcall.c +@@ -126,6 +126,7 @@ drop_all_capabilities(void) + static int + trim_capabilities(bool unused) + { ++ (void)unused; + return 0; + } + +-- +1.8.3.1 + diff --git a/SOURCES/0018-mount.cifs-Add-various-missing-parms-from-the-help-t.patch b/SOURCES/0018-mount.cifs-Add-various-missing-parms-from-the-help-t.patch new file mode 100644 index 0000000..3787770 --- /dev/null +++ b/SOURCES/0018-mount.cifs-Add-various-missing-parms-from-the-help-t.patch @@ -0,0 +1,55 @@ +From 3c6a5d30cb3eb3f2f12415c1797b8f7802652b17 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Tue, 2 Apr 2019 21:18:27 -0500 +Subject: [PATCH 18/36] mount.cifs Add various missing parms from the help text + +When you type mount.cifs --help there were more than 40 mount parms +missing. Add 12 of the more common ones to what is displayed by help. + +Signed-off-by: Steve French +Reviewed-by: Paulo Alcantara +(cherry picked from commit 83c6472020afc3db0c63b65e7b67d65a61f3a12e) +Signed-off-by: Sachin Prabhu +--- + mount.cifs.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/mount.cifs.c b/mount.cifs.c +index 9370f2e..d921fed 100644 +--- a/mount.cifs.c ++++ b/mount.cifs.c +@@ -269,20 +269,28 @@ static int mount_usage(FILE * stream) + fprintf(stream, + "\n\tmapchars,nomapchars,nolock,servernetbiosname="); + fprintf(stream, +- "\n\tdirectio,nounix,cifsacl,sec=,sign,seal,fsc"); ++ "\n\tdirectio,nounix,cifsacl,sec=,sign,seal,fsc,"); ++ fprintf(stream, ++ "\n\tsnapshot=