Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
bb26b963 | 2 | config CIFS |
2a38e120 | 3 | tristate "SMB3 and CIFS support (advanced network filesystem)" |
bb26b963 | 4 | depends on INET |
bb26b963 | 5 | select NLS |
d2b91521 | 6 | select CRYPTO |
f855f6cb | 7 | select CRYPTO_MD4 |
d2b91521 | 8 | select CRYPTO_MD5 |
5b454a64 | 9 | select CRYPTO_SHA256 |
5890184d | 10 | select CRYPTO_SHA512 |
5b454a64 | 11 | select CRYPTO_CMAC |
362d3129 | 12 | select CRYPTO_HMAC |
97a5fee2 | 13 | select CRYPTO_LIB_ARC4 |
5b454a64 | 14 | select CRYPTO_AEAD2 |
5b454a64 | 15 | select CRYPTO_CCM |
5fc3681f | 16 | select CRYPTO_GCM |
5f0b23ee | 17 | select CRYPTO_ECB |
5b454a64 | 18 | select CRYPTO_AES |
43988d76 | 19 | select CRYPTO_DES |
e7a1a2df | 20 | select KEYS |
bb26b963 | 21 | help |
2a38e120 | 22 | This is the client VFS module for the SMB3 family of NAS protocols, |
0fdfef9a | 23 | (including support for the most recent, most secure dialect SMB3.1.1) |
0fdfef9a | 24 | as well as for earlier dialects such as SMB2.1, SMB2 and the older |
2a38e120 | 25 | Common Internet File System (CIFS) protocol. CIFS was the successor |
2a38e120 | 26 | to the original dialect, the Server Message Block (SMB) protocol, the |
2a38e120 | 27 | native file sharing mechanism for most early PC operating systems. |
2a38e120 | 28 | |
0fdfef9a | 29 | The SMB3 protocol is supported by most modern operating systems |
0fdfef9a | 30 | and NAS appliances (e.g. Samba, Windows 10, Windows Server 2016, |
0fdfef9a | 31 | MacOS) and even in the cloud (e.g. Microsoft Azure). |
2a38e120 | 32 | The older CIFS protocol was included in Windows NT4, 2000 and XP (and |
2a38e120 | 33 | later) as well by Samba (which provides excellent CIFS and SMB3 |
0fdfef9a | 34 | server support for Linux and many other operating systems). Use of |
0fdfef9a | 35 | dialects older than SMB2.1 is often discouraged on public networks. |
0fdfef9a | 36 | This module also provides limited support for OS/2 and Windows ME |
0fdfef9a | 37 | and similar very old servers. |
bb26b963 | 38 | |
0fdfef9a | 39 | This module provides an advanced network file system client |
2a38e120 | 40 | for mounting to SMB3 (and CIFS) compliant servers. It includes |
bb26b963 | 41 | support for DFS (hierarchical name space), secure per-user |
0fdfef9a | 42 | session establishment via Kerberos or NTLM or NTLMv2, RDMA |
0fdfef9a | 43 | (smbdirect), advanced security features, per-share encryption, |
0fdfef9a | 44 | directory leases, safe distributed caching (oplock), optional packet |
bb26b963 | 45 | signing, Unicode and other internationalization improvements. |
2a38e120 | 46 | |
2a38e120 | 47 | In general, the default dialects, SMB3 and later, enable better |
2a38e120 | 48 | performance, security and features, than would be possible with CIFS. |
2a38e120 | 49 | Note that when mounting to Samba, due to the CIFS POSIX extensions, |
2a38e120 | 50 | CIFS mounts can provide slightly better POSIX compatibility |
2a38e120 | 51 | than SMB3 mounts. SMB2/SMB3 mount options are also |
2a38e120 | 52 | slightly simpler (compared to CIFS) due to protocol improvements. |
2a38e120 | 53 | |
0fdfef9a | 54 | If you need to mount to Samba, Azure, Macs or Windows from this machine, say Y. |
bb26b963 | 55 | |
bb26b963 | 56 | config CIFS_STATS2 |
bb26b963 | 57 | bool "Extended statistics" |
fcabb892 | 58 | depends on CIFS |
bb26b963 | 59 | help |
bb26b963 | 60 | Enabling this option will allow more detailed statistics on SMB |
bb26b963 | 61 | request timing to be displayed in /proc/fs/cifs/DebugData and also |
bb26b963 | 62 | allow optional logging of slow responses to dmesg (depending on the |
bb26b963 | 63 | value of /proc/fs/cifs/cifsFYI, see fs/cifs/README for more details). |
bb26b963 | 64 | These additional statistics may have a minor effect on performance |
bb26b963 | 65 | and memory utilization. |
bb26b963 | 66 | |
bb26b963 | 67 | Unless you are a developer or are doing network performance analysis |
bb26b963 | 68 | or tuning, say N. |
bb26b963 | 69 | |
7420451f | 70 | config CIFS_ALLOW_INSECURE_LEGACY |
7420451f | 71 | bool "Support legacy servers which use less secure dialects" |
7420451f | 72 | depends on CIFS |
7420451f | 73 | default y |
7420451f | 74 | help |
7420451f | 75 | Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have |
7420451f | 76 | additional security features, including protection against |
7420451f | 77 | man-in-the-middle attacks and stronger crypto hashes, so the use |
7420451f | 78 | of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged. |
7420451f | 79 | |
7420451f | 80 | Disabling this option prevents users from using vers=1.0 or vers=2.0 |
7420451f | 81 | on mounts with cifs.ko |
7420451f | 82 | |
7420451f | 83 | If unsure, say Y. |
7420451f | 84 | |
bb26b963 | 85 | config CIFS_WEAK_PW_HASH |
bb26b963 | 86 | bool "Support legacy servers which use weaker LANMAN security" |
7420451f | 87 | depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY |
bb26b963 | 88 | help |
bb26b963 | 89 | Modern CIFS servers including Samba and most Windows versions |
bb26b963 | 90 | (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos) |
bb26b963 | 91 | security mechanisms. These hash the password more securely |
bb26b963 | 92 | than the mechanisms used in the older LANMAN version of the |
bb26b963 | 93 | SMB protocol but LANMAN based authentication is needed to |
bb26b963 | 94 | establish sessions with some old SMB servers. |
bb26b963 | 95 | |
bb26b963 | 96 | Enabling this option allows the cifs module to mount to older |
bb26b963 | 97 | LANMAN based servers such as OS/2 and Windows 95, but such |
bb26b963 | 98 | mounts may be less secure than mounts using NTLM or more recent |
bb26b963 | 99 | security mechanisms if you are on a public network. Unless you |
bb26b963 | 100 | have a need to access old SMB servers (and are on a private |
bb26b963 | 101 | network) you probably want to say N. Even if this support |
bb26b963 | 102 | is enabled in the kernel build, LANMAN authentication will not be |
bb26b963 | 103 | used automatically. At runtime LANMAN mounts are disabled but |
bb26b963 | 104 | can be set to required (or optional) either in |
bb26b963 | 105 | /proc/fs/cifs (see fs/cifs/README for more detail) or via an |
bb26b963 | 106 | option on the mount command. This support is disabled by |
bb26b963 | 107 | default in order to reduce the possibility of a downgrade |
bb26b963 | 108 | attack. |
bb26b963 | 109 | |
bb26b963 | 110 | If unsure, say N. |
bb26b963 | 111 | |
bb26b963 | 112 | config CIFS_UPCALL |
1a4240f4 | 113 | bool "Kerberos/SPNEGO advanced session setup" |
e7a1a2df | 114 | depends on CIFS |
1a4240f4 | 115 | select DNS_RESOLVER |
1a4240f4 | 116 | help |
1a4240f4 | 117 | Enables an upcall mechanism for CIFS which accesses userspace helper |
1a4240f4 | 118 | utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets |
1a4240f4 | 119 | which are needed to mount to certain secure servers (for which more |
2a38e120 | 120 | secure Kerberos authentication is required). If unsure, say Y. |
bb26b963 | 121 | |
bb26b963 | 122 | config CIFS_XATTR |
50cfad78 | 123 | bool "CIFS extended attributes" |
50cfad78 | 124 | depends on CIFS |
50cfad78 | 125 | help |
50cfad78 | 126 | Extended attributes are name:value pairs associated with inodes by |
50cfad78 | 127 | the kernel or by users (see the attr(5) manual page for details). |
50cfad78 | 128 | CIFS maps the name of extended attributes beginning with the user |
50cfad78 | 129 | namespace prefix to SMB/CIFS EAs. EAs are stored on Windows |
50cfad78 | 130 | servers without the user namespace prefix, but their names are |
50cfad78 | 131 | seen by Linux cifs clients prefaced by the user namespace prefix. |
50cfad78 | 132 | The system namespace (used by some filesystems to store ACLs) is |
50cfad78 | 133 | not supported at this time. |
50cfad78 | 134 | |
50cfad78 | 135 | If unsure, say Y. |
bb26b963 | 136 | |
bb26b963 | 137 | config CIFS_POSIX |
50cfad78 | 138 | bool "CIFS POSIX Extensions" |
50cfad78 | 139 | depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR |
50cfad78 | 140 | help |
50cfad78 | 141 | Enabling this option will cause the cifs client to attempt to |
bb26b963 | 142 | negotiate a newer dialect with servers, such as Samba 3.0.5 |
bb26b963 | 143 | or later, that optionally can handle more POSIX like (rather |
bb26b963 | 144 | than Windows like) file behavior. It also enables |
bb26b963 | 145 | support for POSIX ACLs (getfacl and setfacl) to servers |
bb26b963 | 146 | (such as Samba 3.10 and later) which can negotiate |
bb26b963 | 147 | CIFS POSIX ACL support. If unsure, say N. |
bb26b963 | 148 | |
471b1f98 | 149 | config CIFS_DEBUG |
471b1f98 | 150 | bool "Enable CIFS debugging routines" |
471b1f98 | 151 | default y |
471b1f98 | 152 | depends on CIFS |
471b1f98 | 153 | help |
50cfad78 | 154 | Enabling this option adds helpful debugging messages to |
50cfad78 | 155 | the cifs code which increases the size of the cifs module. |
50cfad78 | 156 | If unsure, say Y. |
50cfad78 | 157 | |
bb26b963 | 158 | config CIFS_DEBUG2 |
bb26b963 | 159 | bool "Enable additional CIFS debugging routines" |
471b1f98 | 160 | depends on CIFS_DEBUG |
bb26b963 | 161 | help |
50cfad78 | 162 | Enabling this option adds a few more debugging routines |
50cfad78 | 163 | to the cifs code which slightly increases the size of |
50cfad78 | 164 | the cifs module and can cause additional logging of debug |
50cfad78 | 165 | messages in some error paths, slowing performance. This |
50cfad78 | 166 | option can be turned off unless you are debugging |
50cfad78 | 167 | cifs problems. If unsure, say N. |
bb26b963 | 168 | |
d38de3c6 | 169 | config CIFS_DEBUG_DUMP_KEYS |
d38de3c6 | 170 | bool "Dump encryption keys for offline decryption (Unsafe)" |
2a38e120 | 171 | depends on CIFS_DEBUG |
d38de3c6 | 172 | help |
50cfad78 | 173 | Enabling this will dump the encryption and decryption keys |
50cfad78 | 174 | used to communicate on an encrypted share connection on the |
50cfad78 | 175 | console. This allows Wireshark to decrypt and dissect |
50cfad78 | 176 | encrypted network captures. Enable this carefully. |
50cfad78 | 177 | If unsure, say N. |
d38de3c6 | 178 | |
10e70afa | 179 | config CIFS_DFS_UPCALL |
50cfad78 | 180 | bool "DFS feature support" |
e7a1a2df | 181 | depends on CIFS |
50cfad78 | 182 | select DNS_RESOLVER |
50cfad78 | 183 | help |
50cfad78 | 184 | Distributed File System (DFS) support is used to access shares |
50cfad78 | 185 | transparently in an enterprise name space, even if the share |
50cfad78 | 186 | moves to a different server. This feature also enables |
50cfad78 | 187 | an upcall mechanism for CIFS which contacts userspace helper |
50cfad78 | 188 | utilities to provide server name resolution (host names to |
50cfad78 | 189 | IP addresses) which is needed in order to reconnect to |
50cfad78 | 190 | servers if their addresses change or for implicit mounts of |
50cfad78 | 191 | DFS junction points. If unsure, say Y. |
10e70afa | 192 | |
25720873 | 193 | config CIFS_NFSD_EXPORT |
50cfad78 | 194 | bool "Allow nfsd to export CIFS file system" |
50cfad78 | 195 | depends on CIFS && BROKEN |
50cfad78 | 196 | help |
50cfad78 | 197 | Allows NFS server to export a CIFS mounted share (nfsd over cifs) |
675f36fb | 198 | |
2b6ed880 | 199 | config CIFS_SMB_DIRECT |
e9630660 | 200 | bool "SMB Direct support" |
533d1dae | 201 | depends on CIFS=m && INFINIBAND && INFINIBAND_ADDR_TRANS || CIFS=y && INFINIBAND=y && INFINIBAND_ADDR_TRANS=y |
2b6ed880 | 202 | help |
e9630660 | 203 | Enables SMB Direct support for SMB 3.0, 3.02 and 3.1.1. |
2b6ed880 | 204 | SMB Direct allows transferring SMB packets over RDMA. If unsure, |
2b6ed880 | 205 | say N. |
2b6ed880 | 206 | |
1d4ab907 | 207 | config CIFS_FSCACHE |
50cfad78 | 208 | bool "Provide CIFS client caching support" |
50cfad78 | 209 | depends on CIFS=m && FSCACHE || CIFS=y && FSCACHE=y |
50cfad78 | 210 | help |
50cfad78 | 211 | Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data |
50cfad78 | 212 | to be cached locally on disk through the general filesystem cache |
50cfad78 | 213 | manager. If unsure, say N. |
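
An added example, not part of the kernel tree or of this page's source: a Python check that applies the `depends on` and `default y` lines listed above to a kernel config fragment and reports which of the three security-weakening CIFS options end up enabled. The function names and the sample fragment are constructed for illustration; the fragment is assumed to be merged on top of Kconfig defaults, so an option it never mentions keeps its default.

```python
import re

# Options the help text above flags as weakening security, with the stated effect.
RISKY = {
    "CIFS_ALLOW_INSECURE_LEGACY": "vers=1.0 and vers=2.0 mounts are permitted",
    "CIFS_WEAK_PW_HASH": "LANMAN authentication can be enabled at runtime",
    "CIFS_DEBUG_DUMP_KEYS": "encryption/decryption keys are dumped to the console",
}
# "depends on" and "default y" facts copied from the Kconfig entries above.
DEPENDS = {
    "CIFS_ALLOW_INSECURE_LEGACY": ["CIFS"],
    "CIFS_WEAK_PW_HASH": ["CIFS", "CIFS_ALLOW_INSECURE_LEGACY"],
    "CIFS_DEBUG": ["CIFS"],
    "CIFS_DEBUG_DUMP_KEYS": ["CIFS_DEBUG"],
}
DEFAULT_Y = {"CIFS_ALLOW_INSECURE_LEGACY", "CIFS_DEBUG"}
LINE = re.compile(r"^(?:CONFIG_(\w+)=(\S+)|# CONFIG_(\w+) is not set)$")

def parse_config(text):
    """Map option name -> value; '# CONFIG_X is not set' is recorded as 'n'."""
    opts = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(1):
            opts[m.group(1)] = m.group(2)
        elif m:
            opts[m.group(3)] = "n"
    return opts

def enabled(name, opts):
    """Explicit value, else the Kconfig default, gated by every dependency."""
    value = opts.get(name, "y" if name in DEFAULT_Y else "n")
    return value in ("y", "m") and all(enabled(d, opts) for d in DEPENDS.get(name, []))

def audit_cifs(text):
    """Return [(option, effect)] for risky CIFS options that end up enabled."""
    opts = parse_config(text)
    return [(name, why) for name, why in RISKY.items() if enabled(name, opts)]

# Constructed sample: the legacy-dialect option is omitted, so "default y" applies.
SAMPLE_FRAGMENT = """\
CONFIG_CIFS=m
# CONFIG_CIFS_WEAK_PW_HASH is not set
CONFIG_CIFS_DEBUG=y
CONFIG_CIFS_DEBUG_DUMP_KEYS=y
"""

if __name__ == "__main__":
    for name, why in audit_cifs(SAMPLE_FRAGMENT):
        print(f"CONFIG_{name}: {why}")
```

A full `.config` written by the kernel build lists every visible option explicitly, so the default handling only matters for fragments and defconfigs.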