Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
bb26b963 | 2 | config CIFS |
2a38e120 | 3 | tristate "SMB3 and CIFS support (advanced network filesystem)" |
bb26b963 AD |
4 | depends on INET |
5 | select NLS | |
d2b91521 | 6 | select CRYPTO |
f855f6cb | 7 | select CRYPTO_MD4 |
d2b91521 | 8 | select CRYPTO_MD5 |
5b454a64 | 9 | select CRYPTO_SHA256 |
5890184d | 10 | select CRYPTO_SHA512 |
5b454a64 | 11 | select CRYPTO_CMAC |
362d3129 | 12 | select CRYPTO_HMAC |
d2b91521 | 13 | select CRYPTO_ARC4 |
5b454a64 BG |
14 | select CRYPTO_AEAD2 |
15 | select CRYPTO_CCM | |
5f0b23ee | 16 | select CRYPTO_ECB |
5b454a64 | 17 | select CRYPTO_AES |
43988d76 | 18 | select CRYPTO_DES |
bb26b963 | 19 | help |
2a38e120 | 20 | This is the client VFS module for the SMB3 family of NAS protocols, |
0fdfef9a SF |
21 | (including support for the most recent, most secure dialect SMB3.1.1) |
22 | as well as for earlier dialects such as SMB2.1, SMB2 and the older | |
2a38e120 SF |
23 | Common Internet File System (CIFS) protocol. CIFS was the successor |
24 | to the original dialect, the Server Message Block (SMB) protocol, the | |
25 | native file sharing mechanism for most early PC operating systems. | |
26 | ||
0fdfef9a SF |
27 | The SMB3 protocol is supported by most modern operating systems |
28 | and NAS appliances (e.g. Samba, Windows 10, Windows Server 2016, | |
29 | MacOS) and even in the cloud (e.g. Microsoft Azure). | |
2a38e120 SF |
30 | The older CIFS protocol was included in Windows NT4, 2000 and XP (and |
31 | later) as well by Samba (which provides excellent CIFS and SMB3 | |
0fdfef9a SF |
32 | server support for Linux and many other operating systems). Use of |
33 | dialects older than SMB2.1 is often discouraged on public networks. | |
34 | This module also provides limited support for OS/2 and Windows ME | |
35 | and similar very old servers. | |
bb26b963 | 36 | |
0fdfef9a | 37 | This module provides an advanced network file system client |
2a38e120 | 38 | for mounting to SMB3 (and CIFS) compliant servers. It includes |
bb26b963 | 39 | support for DFS (hierarchical name space), secure per-user |
0fdfef9a SF |
40 | session establishment via Kerberos or NTLM or NTLMv2, RDMA |
41 | (smbdirect), advanced security features, per-share encryption, | |
42 | directory leases, safe distributed caching (oplock), optional packet | |
bb26b963 | 43 | signing, Unicode and other internationalization improvements. |
2a38e120 SF |
44 | |
45 | In general, the default dialects, SMB3 and later, enable better | |
46 | performance, security and features, than would be possible with CIFS. | |
47 | Note that when mounting to Samba, due to the CIFS POSIX extensions, | |
48 | CIFS mounts can provide slightly better POSIX compatibility | |
49 | than SMB3 mounts. SMB2/SMB3 mount options are also | |
50 | slightly simpler (compared to CIFS) due to protocol improvements. | |
51 | ||
0fdfef9a | 52 | If you need to mount to Samba, Azure, Macs or Windows from this machine, say Y. |
bb26b963 | 53 | |
bb26b963 AD |
54 | config CIFS_STATS2 |
55 | bool "Extended statistics" | |
fcabb892 | 56 | depends on CIFS |
bb26b963 AD |
57 | help |
58 | Enabling this option will allow more detailed statistics on SMB | |
59 | request timing to be displayed in /proc/fs/cifs/DebugData and also | |
60 | allow optional logging of slow responses to dmesg (depending on the | |
61 | value of /proc/fs/cifs/cifsFYI, see fs/cifs/README for more details). | |
62 | These additional statistics may have a minor effect on performance | |
63 | and memory utilization. | |
64 | ||
65 | Unless you are a developer or are doing network performance analysis | |
66 | or tuning, say N. | |
67 | ||
7420451f SF |
68 | config CIFS_ALLOW_INSECURE_LEGACY |
69 | bool "Support legacy servers which use less secure dialects" | |
70 | depends on CIFS | |
71 | default y | |
72 | help | |
73 | Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have | |
74 | additional security features, including protection against | |
75 | man-in-the-middle attacks and stronger crypto hashes, so the use | |
76 | of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged. | |
77 | ||
78 | Disabling this option prevents users from using vers=1.0 or vers=2.0 | |
79 | on mounts with cifs.ko | |
80 | ||
81 | If unsure, say Y. | |
82 | ||
bb26b963 AD |
83 | config CIFS_WEAK_PW_HASH |
84 | bool "Support legacy servers which use weaker LANMAN security" | |
7420451f | 85 | depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY |
bb26b963 AD |
86 | help |
87 | Modern CIFS servers including Samba and most Windows versions | |
88 | (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos) | |
89 | security mechanisms. These hash the password more securely | |
90 | than the mechanisms used in the older LANMAN version of the | |
91 | SMB protocol but LANMAN based authentication is needed to | |
92 | establish sessions with some old SMB servers. | |
93 | ||
94 | Enabling this option allows the cifs module to mount to older | |
95 | LANMAN based servers such as OS/2 and Windows 95, but such | |
96 | mounts may be less secure than mounts using NTLM or more recent | |
97 | security mechanisms if you are on a public network. Unless you | |
98 | have a need to access old SMB servers (and are on a private | |
99 | network) you probably want to say N. Even if this support | |
100 | is enabled in the kernel build, LANMAN authentication will not be | |
101 | used automatically. At runtime LANMAN mounts are disabled but | |
102 | can be set to required (or optional) either in | |
103 | /proc/fs/cifs (see fs/cifs/README for more detail) or via an | |
104 | option on the mount command. This support is disabled by | |
105 | default in order to reduce the possibility of a downgrade | |
106 | attack. | |
107 | ||
108 | If unsure, say N. | |
109 | ||
110 | config CIFS_UPCALL | |
1a4240f4 WL |
111 | bool "Kerberos/SPNEGO advanced session setup" |
112 | depends on CIFS && KEYS | |
113 | select DNS_RESOLVER | |
114 | help | |
115 | Enables an upcall mechanism for CIFS which accesses userspace helper | |
116 | utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets | |
117 | which are needed to mount to certain secure servers (for which more | |
2a38e120 | 118 | secure Kerberos authentication is required). If unsure, say Y. |
bb26b963 AD |
119 | |
120 | config CIFS_XATTR | |
50cfad78 EWI |
121 | bool "CIFS extended attributes" |
122 | depends on CIFS | |
123 | help | |
124 | Extended attributes are name:value pairs associated with inodes by | |
125 | the kernel or by users (see the attr(5) manual page for details). | |
126 | CIFS maps the name of extended attributes beginning with the user | |
127 | namespace prefix to SMB/CIFS EAs. EAs are stored on Windows | |
128 | servers without the user namespace prefix, but their names are | |
129 | seen by Linux cifs clients prefaced by the user namespace prefix. | |
130 | The system namespace (used by some filesystems to store ACLs) is | |
131 | not supported at this time. | |
132 | ||
133 | If unsure, say Y. | |
bb26b963 AD |
134 | |
135 | config CIFS_POSIX | |
50cfad78 EWI |
136 | bool "CIFS POSIX Extensions" |
137 | depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR | |
138 | help | |
139 | Enabling this option will cause the cifs client to attempt to | |
bb26b963 AD |
140 | negotiate a newer dialect with servers, such as Samba 3.0.5 |
141 | or later, that optionally can handle more POSIX like (rather | |
142 | than Windows like) file behavior. It also enables | |
143 | support for POSIX ACLs (getfacl and setfacl) to servers | |
144 | (such as Samba 3.10 and later) which can negotiate | |
145 | CIFS POSIX ACL support. If unsure, say N. | |
146 | ||
1d4ab907 | 147 | config CIFS_ACL |
50cfad78 EWI |
148 | bool "Provide CIFS ACL support" |
149 | depends on CIFS_XATTR && KEYS | |
150 | help | |
151 | Allows fetching CIFS/NTFS ACL from the server. The DACL blob | |
152 | is handed over to the application/caller. See the man | |
153 | page for getcifsacl for more information. If unsure, say Y. | |
1d4ab907 | 154 | |
471b1f98 JP |
155 | config CIFS_DEBUG |
156 | bool "Enable CIFS debugging routines" | |
157 | default y | |
158 | depends on CIFS | |
159 | help | |
50cfad78 EWI |
160 | Enabling this option adds helpful debugging messages to |
161 | the cifs code which increases the size of the cifs module. | |
162 | If unsure, say Y. | |
163 | ||
bb26b963 AD |
164 | config CIFS_DEBUG2 |
165 | bool "Enable additional CIFS debugging routines" | |
471b1f98 | 166 | depends on CIFS_DEBUG |
bb26b963 | 167 | help |
50cfad78 EWI |
168 | Enabling this option adds a few more debugging routines |
169 | to the cifs code which slightly increases the size of | |
170 | the cifs module and can cause additional logging of debug | |
171 | messages in some error paths, slowing performance. This | |
172 | option can be turned off unless you are debugging | |
173 | cifs problems. If unsure, say N. | |
bb26b963 | 174 | |
d38de3c6 AA |
175 | config CIFS_DEBUG_DUMP_KEYS |
176 | bool "Dump encryption keys for offline decryption (Unsafe)" | |
2a38e120 | 177 | depends on CIFS_DEBUG |
d38de3c6 | 178 | help |
50cfad78 EWI |
179 | Enabling this will dump the encryption and decryption keys |
180 | used to communicate on an encrypted share connection on the | |
181 | console. This allows Wireshark to decrypt and dissect | |
182 | encrypted network captures. Enable this carefully. | |
183 | If unsure, say N. | |
d38de3c6 | 184 | |
10e70afa | 185 | config CIFS_DFS_UPCALL |
50cfad78 EWI |
186 | bool "DFS feature support" |
187 | depends on CIFS && KEYS | |
188 | select DNS_RESOLVER | |
189 | help | |
190 | Distributed File System (DFS) support is used to access shares | |
191 | transparently in an enterprise name space, even if the share | |
192 | moves to a different server. This feature also enables | |
193 | an upcall mechanism for CIFS which contacts userspace helper | |
194 | utilities to provide server name resolution (host names to | |
195 | IP addresses) which is needed in order to reconnect to | |
196 | servers if their addresses change or for implicit mounts of | |
197 | DFS junction points. If unsure, say Y. | |
10e70afa | 198 | |
25720873 | 199 | config CIFS_NFSD_EXPORT |
50cfad78 EWI |
200 | bool "Allow nfsd to export CIFS file system" |
201 | depends on CIFS && BROKEN | |
202 | help | |
203 | Allows NFS server to export a CIFS mounted share (nfsd over cifs) | |
675f36fb | 204 | |
2b6ed880 LL |
205 | config CIFS_SMB_DIRECT |
206 | bool "SMB Direct support (Experimental)" | |
533d1dae | 207 | depends on CIFS=m && INFINIBAND && INFINIBAND_ADDR_TRANS || CIFS=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y |
2b6ed880 LL |
208 | help |
209 | Enables SMB Direct experimental support for SMB 3.0, 3.02 and 3.1.1. | |
210 | SMB Direct allows transferring SMB packets over RDMA. If unsure, | |
211 | say N. | |
212 | ||
1d4ab907 | 213 | config CIFS_FSCACHE |
50cfad78 EWI |
214 | bool "Provide CIFS client caching support" |
215 | depends on CIFS=m && FSCACHE || CIFS=y && FSCACHE=y | |
216 | help | |
217 | Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data | |
218 | to be cached locally on disk through the general filesystem cache | |
219 | manager. If unsure, say N. |