[linux-2.6-block.git] / fs / cifs / Kconfig

# SPDX-License-Identifier: GPL-2.0-only
config CIFS
	tristate "SMB3 and CIFS support (advanced network filesystem)"
	depends on INET
	select NLS
	select CRYPTO
	select CRYPTO_MD4
	select CRYPTO_MD5
	select CRYPTO_SHA256
	select CRYPTO_SHA512
	select CRYPTO_CMAC
	select CRYPTO_HMAC
	select CRYPTO_ARC4
	select CRYPTO_AEAD2
	select CRYPTO_CCM
	select CRYPTO_ECB
	select CRYPTO_AES
	select CRYPTO_DES
	help
	  This is the client VFS module for the SMB3 family of NAS protocols,
	  (including support for the most recent, most secure dialect SMB3.1.1)
	  as well as for earlier dialects such as SMB2.1, SMB2 and the older
	  Common Internet File System (CIFS) protocol.  CIFS was the successor
	  to the original dialect, the Server Message Block (SMB) protocol, the
	  native file sharing mechanism for most early PC operating systems.

	  The SMB3 protocol is supported by most modern operating systems
	  and NAS appliances (e.g. Samba, Windows 10, Windows Server 2016,
	  MacOS) and even in the cloud (e.g. Microsoft Azure).
	  The older CIFS protocol was included in Windows NT4, 2000 and XP (and
	  later) as well by Samba (which provides excellent CIFS and SMB3
	  server support for Linux and many other operating systems). Use of
	  dialects older than SMB2.1 is often discouraged on public networks.
	  This module also provides limited support for OS/2 and Windows ME
	  and similar very old servers.

	  This module provides an advanced network file system client
	  for mounting to SMB3 (and CIFS) compliant servers.  It includes
	  support for DFS (hierarchical name space), secure per-user
	  session establishment via Kerberos or NTLM or NTLMv2, RDMA
	  (smbdirect), advanced security features, per-share encryption,
	  directory leases, safe distributed caching (oplock), optional packet
	  signing, Unicode and other internationalization improvements.

	  In general, the default dialects, SMB3 and later, enable better
	  performance, security and features, than would be possible with CIFS.
	  Note that when mounting to Samba, due to the CIFS POSIX extensions,
	  CIFS mounts can provide slightly better POSIX compatibility
	  than SMB3 mounts. SMB2/SMB3 mount options are also
	  slightly simpler (compared to CIFS) due to protocol improvements.

	  If you need to mount to Samba, Azure, Macs or Windows from this machine, say Y.

config CIFS_STATS2
	bool "Extended statistics"
	depends on CIFS
	help
	  Enabling this option will allow more detailed statistics on SMB
	  request timing to be displayed in /proc/fs/cifs/DebugData and also
	  allow optional logging of slow responses to dmesg (depending on the
	  value of /proc/fs/cifs/cifsFYI, see fs/cifs/README for more details).
	  These additional statistics may have a minor effect on performance
	  and memory utilization.

	  Unless you are a developer or are doing network performance analysis
	  or tuning, say N.

config CIFS_ALLOW_INSECURE_LEGACY
	bool "Support legacy servers which use less secure dialects"
	depends on CIFS
	default y
	help
	  Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
	  additional security features, including protection against
	  man-in-the-middle attacks and stronger crypto hashes, so the use
	  of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.

	  Disabling this option prevents users from using vers=1.0 or vers=2.0
	  on mounts with cifs.ko

	  If unsure, say Y.

config CIFS_WEAK_PW_HASH
	bool "Support legacy servers which use weaker LANMAN security"
	depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY
	help
	  Modern CIFS servers including Samba and most Windows versions
	  (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
	  security mechanisms. These hash the password more securely
	  than the mechanisms used in the older LANMAN version of the
	  SMB protocol but LANMAN based authentication is needed to
	  establish sessions with some old SMB servers.

	  Enabling this option allows the cifs module to mount to older
	  LANMAN based servers such as OS/2 and Windows 95, but such
	  mounts may be less secure than mounts using NTLM or more recent
	  security mechanisms if you are on a public network.  Unless you
	  have a need to access old SMB servers (and are on a private
	  network) you probably want to say N.  Even if this support
	  is enabled in the kernel build, LANMAN authentication will not be
	  used automatically. At runtime LANMAN mounts are disabled but
	  can be set to required (or optional) either in
	  /proc/fs/cifs (see fs/cifs/README for more detail) or via an
	  option on the mount command. This support is disabled by
	  default in order to reduce the possibility of a downgrade
	  attack.

	  If unsure, say N.

config CIFS_UPCALL
	bool "Kerberos/SPNEGO advanced session setup"
	depends on CIFS && KEYS
	select DNS_RESOLVER
	help
	  Enables an upcall mechanism for CIFS which accesses userspace helper
	  utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets
	  which are needed to mount to certain secure servers (for which more
	  secure Kerberos authentication is required). If unsure, say Y.

config CIFS_XATTR
	bool "CIFS extended attributes"
	depends on CIFS
	help
	  Extended attributes are name:value pairs associated with inodes by
	  the kernel or by users (see the attr(5) manual page for details).
	  CIFS maps the name of extended attributes beginning with the user
	  namespace prefix to SMB/CIFS EAs.  EAs are stored on Windows
	  servers without the user namespace prefix, but their names are
	  seen by Linux cifs clients prefaced by the user namespace prefix.
	  The system namespace (used by some filesystems to store ACLs) is
	  not supported at this time.

	  If unsure, say Y.

config CIFS_POSIX
	bool "CIFS POSIX Extensions"
	depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR
	help
	  Enabling this option will cause the cifs client to attempt to
	  negotiate a newer dialect with servers, such as Samba 3.0.5
	  or later, that optionally can handle more POSIX like (rather
	  than Windows like) file behavior.  It also enables
	  support for POSIX ACLs (getfacl and setfacl) to servers
	  (such as Samba 3.10 and later) which can negotiate
	  CIFS POSIX ACL support.  If unsure, say N.

config CIFS_ACL
	bool "Provide CIFS ACL support"
	depends on CIFS_XATTR && KEYS
	help
	  Allows fetching CIFS/NTFS ACL from the server.  The DACL blob
	  is handed over to the application/caller.  See the man
	  page for getcifsacl for more information.  If unsure, say Y.

config CIFS_DEBUG
	bool "Enable CIFS debugging routines"
	default y
	depends on CIFS
	help
	  Enabling this option adds helpful debugging messages to
	  the cifs code which increases the size of the cifs module.
	  If unsure, say Y.

config CIFS_DEBUG2
	bool "Enable additional CIFS debugging routines"
	depends on CIFS_DEBUG
	help
	  Enabling this option adds a few more debugging routines
	  to the cifs code which slightly increases the size of
	  the cifs module and can cause additional logging of debug
	  messages in some error paths, slowing performance. This
	  option can be turned off unless you are debugging
	  cifs problems.  If unsure, say N.

config CIFS_DEBUG_DUMP_KEYS
	bool "Dump encryption keys for offline decryption (Unsafe)"
	depends on CIFS_DEBUG
	help
	  Enabling this will dump the encryption and decryption keys
	  used to communicate on an encrypted share connection on the
	  console. This allows Wireshark to decrypt and dissect
	  encrypted network captures. Enable this carefully.
	  If unsure, say N.

config CIFS_DFS_UPCALL
	bool "DFS feature support"
	depends on CIFS && KEYS
	select DNS_RESOLVER
	help
	  Distributed File System (DFS) support is used to access shares
	  transparently in an enterprise name space, even if the share
	  moves to a different server.  This feature also enables
	  an upcall mechanism for CIFS which contacts userspace helper
	  utilities to provide server name resolution (host names to
	  IP addresses) which is needed in order to reconnect to
	  servers if their addresses change or for implicit mounts of
	  DFS junction points. If unsure, say Y.

config CIFS_NFSD_EXPORT
	bool "Allow nfsd to export CIFS file system"
	depends on CIFS && BROKEN
	help
	  Allows NFS server to export a CIFS mounted share (nfsd over cifs)

config CIFS_SMB_DIRECT
	bool "SMB Direct support (Experimental)"
	depends on CIFS=m && INFINIBAND && INFINIBAND_ADDR_TRANS || CIFS=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y
	help
	  Enables SMB Direct experimental support for SMB 3.0, 3.02 and 3.1.1.
	  SMB Direct allows transferring SMB packets over RDMA. If unsure,
	  say N.

config CIFS_FSCACHE
	bool "Provide CIFS client caching support"
	depends on CIFS=m && FSCACHE || CIFS=y && FSCACHE=y
	help
	  Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data
	  to be cached locally on disk through the general filesystem cache
	  manager. If unsure, say N.
Commit	Line	Data
ec8f24b7	1	# SPDX-License-Identifier: GPL-2.0-only
bb26b963	2	config CIFS
2a38e120	3	tristate "SMB3 and CIFS support (advanced network filesystem)"
bb26b963 AD	4	depends on INET
bb26b963 AD	5	select NLS
d2b91521	6	select CRYPTO
f855f6cb	7	select CRYPTO_MD4
d2b91521	8	select CRYPTO_MD5
5b454a64	9	select CRYPTO_SHA256
5890184d	10	select CRYPTO_SHA512
5b454a64	11	select CRYPTO_CMAC
362d3129	12	select CRYPTO_HMAC
d2b91521	13	select CRYPTO_ARC4
5b454a64 BG	14	select CRYPTO_AEAD2
5b454a64 BG	15	select CRYPTO_CCM
5f0b23ee	16	select CRYPTO_ECB
5b454a64	17	select CRYPTO_AES
43988d76	18	select CRYPTO_DES
bb26b963	19	help
2a38e120	20	This is the client VFS module for the SMB3 family of NAS protocols,
0fdfef9a SF	21	(including support for the most recent, most secure dialect SMB3.1.1)
0fdfef9a SF	22	as well as for earlier dialects such as SMB2.1, SMB2 and the older
2a38e120 SF	23	Common Internet File System (CIFS) protocol. CIFS was the successor
	24	to the original dialect, the Server Message Block (SMB) protocol, the
	25	native file sharing mechanism for most early PC operating systems.
	26
0fdfef9a SF	27	The SMB3 protocol is supported by most modern operating systems
	28	and NAS appliances (e.g. Samba, Windows 10, Windows Server 2016,
	29	MacOS) and even in the cloud (e.g. Microsoft Azure).
2a38e120 SF	30	The older CIFS protocol was included in Windows NT4, 2000 and XP (and
2a38e120 SF	31	later) as well by Samba (which provides excellent CIFS and SMB3
0fdfef9a SF	32	server support for Linux and many other operating systems). Use of
	33	dialects older than SMB2.1 is often discouraged on public networks.
	34	This module also provides limited support for OS/2 and Windows ME
	35	and similar very old servers.
bb26b963	36
0fdfef9a	37	This module provides an advanced network file system client
2a38e120	38	for mounting to SMB3 (and CIFS) compliant servers. It includes
bb26b963	39	support for DFS (hierarchical name space), secure per-user
0fdfef9a SF	40	session establishment via Kerberos or NTLM or NTLMv2, RDMA
	41	(smbdirect), advanced security features, per-share encryption,
	42	directory leases, safe distributed caching (oplock), optional packet
bb26b963	43	signing, Unicode and other internationalization improvements.
2a38e120 SF	44
	45	In general, the default dialects, SMB3 and later, enable better
	46	performance, security and features, than would be possible with CIFS.
	47	Note that when mounting to Samba, due to the CIFS POSIX extensions,
	48	CIFS mounts can provide slightly better POSIX compatibility
	49	than SMB3 mounts. SMB2/SMB3 mount options are also
	50	slightly simpler (compared to CIFS) due to protocol improvements.
	51
0fdfef9a	52	If you need to mount to Samba, Azure, Macs or Windows from this machine, say Y.
bb26b963	53
bb26b963 AD	54	config CIFS_STATS2
bb26b963 AD	55	bool "Extended statistics"
fcabb892	56	depends on CIFS
bb26b963 AD	57	help
	58	Enabling this option will allow more detailed statistics on SMB
	59	request timing to be displayed in /proc/fs/cifs/DebugData and also
	60	allow optional logging of slow responses to dmesg (depending on the
	61	value of /proc/fs/cifs/cifsFYI, see fs/cifs/README for more details).
	62	These additional statistics may have a minor effect on performance
	63	and memory utilization.
	64
	65	Unless you are a developer or are doing network performance analysis
	66	or tuning, say N.
	67
7420451f SF	68	config CIFS_ALLOW_INSECURE_LEGACY
	69	bool "Support legacy servers which use less secure dialects"
	70	depends on CIFS
	71	default y
	72	help
	73	Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
	74	additional security features, including protection against
	75	man-in-the-middle attacks and stronger crypto hashes, so the use
	76	of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.
	77
	78	Disabling this option prevents users from using vers=1.0 or vers=2.0
	79	on mounts with cifs.ko
	80
	81	If unsure, say Y.
	82
bb26b963 AD	83	config CIFS_WEAK_PW_HASH
bb26b963 AD	84	bool "Support legacy servers which use weaker LANMAN security"
7420451f	85	depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY
bb26b963 AD	86	help
	87	Modern CIFS servers including Samba and most Windows versions
	88	(since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
	89	security mechanisms. These hash the password more securely
	90	than the mechanisms used in the older LANMAN version of the
	91	SMB protocol but LANMAN based authentication is needed to
	92	establish sessions with some old SMB servers.
	93
	94	Enabling this option allows the cifs module to mount to older
	95	LANMAN based servers such as OS/2 and Windows 95, but such
	96	mounts may be less secure than mounts using NTLM or more recent
	97	security mechanisms if you are on a public network. Unless you
	98	have a need to access old SMB servers (and are on a private
	99	network) you probably want to say N. Even if this support
	100	is enabled in the kernel build, LANMAN authentication will not be
	101	used automatically. At runtime LANMAN mounts are disabled but
	102	can be set to required (or optional) either in
	103	/proc/fs/cifs (see fs/cifs/README for more detail) or via an
	104	option on the mount command. This support is disabled by
	105	default in order to reduce the possibility of a downgrade
	106	attack.
	107
	108	If unsure, say N.
	109
	110	config CIFS_UPCALL
1a4240f4 WL	111	bool "Kerberos/SPNEGO advanced session setup"
	112	depends on CIFS && KEYS
	113	select DNS_RESOLVER
	114	help
	115	Enables an upcall mechanism for CIFS which accesses userspace helper
	116	utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets
	117	which are needed to mount to certain secure servers (for which more
2a38e120	118	secure Kerberos authentication is required). If unsure, say Y.
bb26b963 AD	119
bb26b963 AD	120	config CIFS_XATTR
50cfad78 EWI	121	bool "CIFS extended attributes"
	122	depends on CIFS
	123	help
	124	Extended attributes are name:value pairs associated with inodes by
	125	the kernel or by users (see the attr(5) manual page for details).
	126	CIFS maps the name of extended attributes beginning with the user
	127	namespace prefix to SMB/CIFS EAs. EAs are stored on Windows
	128	servers without the user namespace prefix, but their names are
	129	seen by Linux cifs clients prefaced by the user namespace prefix.
	130	The system namespace (used by some filesystems to store ACLs) is
	131	not supported at this time.
	132
	133	If unsure, say Y.
bb26b963 AD	134
bb26b963 AD	135	config CIFS_POSIX
50cfad78 EWI	136	bool "CIFS POSIX Extensions"
	137	depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR
	138	help
	139	Enabling this option will cause the cifs client to attempt to
bb26b963 AD	140	negotiate a newer dialect with servers, such as Samba 3.0.5
	141	or later, that optionally can handle more POSIX like (rather
	142	than Windows like) file behavior. It also enables
	143	support for POSIX ACLs (getfacl and setfacl) to servers
	144	(such as Samba 3.10 and later) which can negotiate
	145	CIFS POSIX ACL support. If unsure, say N.
	146
1d4ab907	147	config CIFS_ACL
50cfad78 EWI	148	bool "Provide CIFS ACL support"
	149	depends on CIFS_XATTR && KEYS
	150	help
	151	Allows fetching CIFS/NTFS ACL from the server. The DACL blob
	152	is handed over to the application/caller. See the man
	153	page for getcifsacl for more information. If unsure, say Y.
1d4ab907	154
471b1f98 JP	155	config CIFS_DEBUG
	156	bool "Enable CIFS debugging routines"
	157	default y
	158	depends on CIFS
	159	help
50cfad78 EWI	160	Enabling this option adds helpful debugging messages to
	161	the cifs code which increases the size of the cifs module.
	162	If unsure, say Y.
	163
bb26b963 AD	164	config CIFS_DEBUG2
bb26b963 AD	165	bool "Enable additional CIFS debugging routines"
471b1f98	166	depends on CIFS_DEBUG
bb26b963	167	help
50cfad78 EWI	168	Enabling this option adds a few more debugging routines
	169	to the cifs code which slightly increases the size of
	170	the cifs module and can cause additional logging of debug
	171	messages in some error paths, slowing performance. This
	172	option can be turned off unless you are debugging
	173	cifs problems. If unsure, say N.
bb26b963	174
d38de3c6 AA	175	config CIFS_DEBUG_DUMP_KEYS
d38de3c6 AA	176	bool "Dump encryption keys for offline decryption (Unsafe)"
2a38e120	177	depends on CIFS_DEBUG
d38de3c6	178	help
50cfad78 EWI	179	Enabling this will dump the encryption and decryption keys
	180	used to communicate on an encrypted share connection on the
	181	console. This allows Wireshark to decrypt and dissect
	182	encrypted network captures. Enable this carefully.
	183	If unsure, say N.
d38de3c6	184
10e70afa	185	config CIFS_DFS_UPCALL
50cfad78 EWI	186	bool "DFS feature support"
	187	depends on CIFS && KEYS
	188	select DNS_RESOLVER
	189	help
	190	Distributed File System (DFS) support is used to access shares
	191	transparently in an enterprise name space, even if the share
	192	moves to a different server. This feature also enables
	193	an upcall mechanism for CIFS which contacts userspace helper
	194	utilities to provide server name resolution (host names to
	195	IP addresses) which is needed in order to reconnect to
	196	servers if their addresses change or for implicit mounts of
	197	DFS junction points. If unsure, say Y.
10e70afa	198
25720873	199	config CIFS_NFSD_EXPORT
50cfad78 EWI	200	bool "Allow nfsd to export CIFS file system"
	201	depends on CIFS && BROKEN
	202	help
	203	Allows NFS server to export a CIFS mounted share (nfsd over cifs)
675f36fb	204
2b6ed880 LL	205	config CIFS_SMB_DIRECT
2b6ed880 LL	206	bool "SMB Direct support (Experimental)"
533d1dae	207	depends on CIFS=m && INFINIBAND && INFINIBAND_ADDR_TRANS \|\| CIFS=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y
2b6ed880 LL	208	help
	209	Enables SMB Direct experimental support for SMB 3.0, 3.02 and 3.1.1.
	210	SMB Direct allows transferring SMB packets over RDMA. If unsure,
	211	say N.
	212
1d4ab907	213	config CIFS_FSCACHE
50cfad78 EWI	214	bool "Provide CIFS client caching support"
	215	depends on CIFS=m && FSCACHE \|\| CIFS=y && FSCACHE=y
	216	help
	217	Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data
	218	to be cached locally on disk through the general filesystem cache
	219	manager. If unsure, say N.