-
Notifications
You must be signed in to change notification settings - Fork 10
/
cifs.upcall.rst.in
154 lines (119 loc) · 5.53 KB
/
cifs.upcall.rst.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
===========
cifs.upcall
===========
--------------------------------------------------------------
Userspace upcall helper for Common Internet File System (CIFS)
--------------------------------------------------------------
:Manual section: 8
********
SYNOPSIS
********
cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
[--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
[--keytab=/path/to/keytab|-K /path/to/keytab] [--expire|-e nsecs] {keyid}
***********
DESCRIPTION
***********
This tool is part of the cifs-utils suite.
``cifs.upcall`` is a userspace helper program for the linux CIFS client
filesystem. There are a number of activities that the kernel cannot
easily do itself. This program is a callout program that does these
things for the kernel and then returns the result.
``cifs.upcall`` is generally intended to be run when the kernel calls
request-key(8) for a particular key type. While it can be run
directly from the command-line, it's not generally intended to be run
that way.
*******
OPTIONS
*******
-c
This option is deprecated and is currently ignored.
--no-env-probe|-E
Normally, ``cifs.upcall`` will probe the environment variable space of
the process that initiated the upcall in order to fetch the value of
``$KRB5CCNAME``. This can assist the program with finding credential
caches in non-default locations. If this option is set, then the
program won't do this and will rely on finding credcaches in the
default locations specified in *krb5.conf*. Note that this is never
performed when the uid is 0. The default credcache location is always
used when the uid is 0, regardless of the environment variable setting
in the process.
--krb5conf|-k=/path/to/krb5.conf
This option allows administrators to set an alternate location for the
*krb5.conf* file that ``cifs.upcall`` will use.
--keytab=|-K=/path/to/keytab
This option allows administrators to specify a keytab file to be
used. When a user has no credential cache already established,
``cifs.upcall`` will attempt to use this keytab to acquire them. The
default is the system-wide keytab */etc/krb5.keytab*.
--trust-dns|-t
With krb5 upcalls, the name used as the host portion of the service
principal defaults to the hostname portion of the UNC. This option
allows the upcall program to reverse resolve the network address of
the server in order to get the hostname.
This is less secure than not trusting DNS. When using this option,
it's possible that an attacker could get control of DNS and trick the
client into mounting a different server altogether. It's preferable to
instead add server principals to the KDC for every possible hostname,
but this option exists for cases where that isn't possible. The
default is to not trust reverse hostname lookups in this fashion.
--legacy-uid|-l
Traditionally, the kernel has sent only a single uid= parameter to the
upcall for the SPNEGO upcall that's used to determine what user's
credential cache to use. This parameter is affected by the uid=
mount option, which also governs the ownership of files on the mount.
Newer kernels send a creduid= option as well, which contains what uid
it thinks actually owns the credentials that it's looking for. At
mount time, this is generally set to the real uid of the user doing
the mount. For multisession mounts, it's set to the fsuid of the mount
user. Set this option if you want cifs.upcall to use the older uid=
parameter instead of the creduid= parameter.
--expire|-e
Override default timeout value (600 seconds) for ``dns_resolver`` key.
--version|-v
Print version number and exit.
*********************
ENVIRONMENT VARIABLES
*********************
GSS_USE_PROXY="yes"
Enable usage of gssproxy for credential retrieval. This includes keytab
based client initiation as well as (Resource Based) Constrained Delegation.
See gssproxy-mech(8).
************************
CONFIGURATION FOR KEYCTL
************************
``cifs.upcall`` is designed to be called from the kernel via the
request-key callout program. This requires that request-key be told
where and how to call this program. The current ``cifs.upcall``
program handles two different key types:
cifs.spnego
This keytype is for retrieving kerberos session keys
dns_resolver
This key type is for resolving hostnames into IP addresses. Support
for this key type may eventually be deprecated (see below).
To make this program useful for CIFS, you'll need to set up entries
for them in request-key.conf(5). Here's an example of an entry for
each key type::
#OPERATION TYPE D C PROGRAM ARG1 ARG2...
#========= ============= = = ================================
create cifs.spnego * * @sbindir@/cifs.upcall %k
create dns_resolver * * @sbindir@/cifs.upcall %k
See request-key.conf(5) for more info on each field.
The keyutils package has also started including a dns_resolver
handling program as well that is preferred over the one in
``cifs.upcall``. If you are using a keyutils version equal to or
greater than 1.5, you should use ``key.dns_resolver`` to handle the
``dns_resolver`` keytype instead of ``cifs.upcall``. See
key.dns_resolver(8) for more info.
********
SEE ALSO
********
request-key.conf(5), mount.cifs(8), key.dns_resolver(8)
******
AUTHOR
******
Igor Mammedov wrote the cifs.upcall program.
Jeff Layton authored this manpage.
The maintainer of the Linux CIFS VFS is Steve French.
The Linux CIFS Mailing list is the preferred place to ask questions
regarding these programs.