• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1config CIFS
2	tristate "SMB3 and CIFS support (advanced network filesystem)"
3	depends on INET
4	select NLS
5	select CRYPTO
6	select CRYPTO_MD4
7	select CRYPTO_MD5
8	select CRYPTO_SHA256
9	select CRYPTO_CMAC
10	select CRYPTO_HMAC
11	select CRYPTO_ARC4
12	select CRYPTO_AEAD2
13	select CRYPTO_CCM
14	select CRYPTO_ECB
15	select CRYPTO_AES
16	select CRYPTO_DES
17	help
18	  This is the client VFS module for the SMB3 family of NAS protocols,
19	  as well as for earlier dialects such as SMB2.1, SMB2 and the
20	  Common Internet File System (CIFS) protocol.  CIFS was the successor
21	  to the original dialect, the Server Message Block (SMB) protocol, the
22	  native file sharing mechanism for most early PC operating systems.
23
24	  The SMB3 protocol is supported by most modern operating systems and
25	  NAS appliances (e.g. Samba, Windows 8, Windows 2012, MacOS).
26	  The older CIFS protocol was included in Windows NT4, 2000 and XP (and
27	  later) as well by Samba (which provides excellent CIFS and SMB3
28	  server support for Linux and many other operating systems). Limited
29	  support for OS/2 and Windows ME and similar very old servers is
30	  provided as well.
31
32	  The cifs module provides an advanced network file system client
33	  for mounting to SMB3 (and CIFS) compliant servers.  It includes
34	  support for DFS (hierarchical name space), secure per-user
35	  session establishment via Kerberos or NTLM or NTLMv2,
36	  safe distributed caching (oplock), optional packet
37	  signing, Unicode and other internationalization improvements.
38
39	  In general, the default dialects, SMB3 and later, enable better
40	  performance, security and features, than would be possible with CIFS.
41	  Note that when mounting to Samba, due to the CIFS POSIX extensions,
42	  CIFS mounts can provide slightly better POSIX compatibility
43	  than SMB3 mounts. SMB2/SMB3 mount options are also
44	  slightly simpler (compared to CIFS) due to protocol improvements.
45
46	  If you need to mount to Samba, Macs or Windows from this machine, say Y.
47
48config CIFS_STATS
49        bool "CIFS statistics"
50        depends on CIFS
51        help
52          Enabling this option will cause statistics for each server share
53	  mounted by the cifs client to be displayed in /proc/fs/cifs/Stats
54
55config CIFS_STATS2
56	bool "Extended statistics"
57	depends on CIFS_STATS
58	help
59	  Enabling this option will allow more detailed statistics on SMB
60	  request timing to be displayed in /proc/fs/cifs/DebugData and also
61	  allow optional logging of slow responses to dmesg (depending on the
62	  value of /proc/fs/cifs/cifsFYI, see fs/cifs/README for more details).
63	  These additional statistics may have a minor effect on performance
64	  and memory utilization.
65
66	  Unless you are a developer or are doing network performance analysis
67	  or tuning, say N.
68
69config CIFS_ALLOW_INSECURE_LEGACY
70	bool "Support legacy servers which use less secure dialects"
71	depends on CIFS
72	default y
73	help
74	  Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
75	  additional security features, including protection against
76	  man-in-the-middle attacks and stronger crypto hashes, so the use
77	  of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.
78
79	  Disabling this option prevents users from using vers=1.0 or vers=2.0
80	  on mounts with cifs.ko
81
82	  If unsure, say Y.
83
84config CIFS_WEAK_PW_HASH
85	bool "Support legacy servers which use weaker LANMAN security"
86	depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY
87	help
88	  Modern CIFS servers including Samba and most Windows versions
89	  (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
90	  security mechanisms. These hash the password more securely
91	  than the mechanisms used in the older LANMAN version of the
92	  SMB protocol but LANMAN based authentication is needed to
93	  establish sessions with some old SMB servers.
94
95	  Enabling this option allows the cifs module to mount to older
96	  LANMAN based servers such as OS/2 and Windows 95, but such
97	  mounts may be less secure than mounts using NTLM or more recent
98	  security mechanisms if you are on a public network.  Unless you
99	  have a need to access old SMB servers (and are on a private
100	  network) you probably want to say N.  Even if this support
101	  is enabled in the kernel build, LANMAN authentication will not be
102	  used automatically. At runtime LANMAN mounts are disabled but
103	  can be set to required (or optional) either in
104	  /proc/fs/cifs (see fs/cifs/README for more detail) or via an
105	  option on the mount command. This support is disabled by
106	  default in order to reduce the possibility of a downgrade
107	  attack.
108
109	  If unsure, say N.
110
111config CIFS_UPCALL
112	bool "Kerberos/SPNEGO advanced session setup"
113	depends on CIFS && KEYS
114	select DNS_RESOLVER
115	help
116	  Enables an upcall mechanism for CIFS which accesses userspace helper
117	  utilities to provide SPNEGO packaged (RFC 4178) Kerberos tickets
118	  which are needed to mount to certain secure servers (for which more
119	  secure Kerberos authentication is required). If unsure, say Y.
120
121config CIFS_XATTR
122        bool "CIFS extended attributes"
123        depends on CIFS
124        help
125          Extended attributes are name:value pairs associated with inodes by
126          the kernel or by users (see the attr(5) manual page, or visit
127          <http://acl.bestbits.at/> for details).  CIFS maps the name of
128          extended attributes beginning with the user namespace prefix
129          to SMB/CIFS EAs. EAs are stored on Windows servers without the
130          user namespace prefix, but their names are seen by Linux cifs clients
131          prefaced by the user namespace prefix. The system namespace
132          (used by some filesystems to store ACLs) is not supported at
133          this time.
134
135          If unsure, say Y.
136
137config CIFS_POSIX
138        bool "CIFS POSIX Extensions"
139        depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY && CIFS_XATTR
140        help
141          Enabling this option will cause the cifs client to attempt to
142	  negotiate a newer dialect with servers, such as Samba 3.0.5
143	  or later, that optionally can handle more POSIX like (rather
144	  than Windows like) file behavior.  It also enables
145	  support for POSIX ACLs (getfacl and setfacl) to servers
146	  (such as Samba 3.10 and later) which can negotiate
147	  CIFS POSIX ACL support.  If unsure, say N.
148
149config CIFS_ACL
150	  bool "Provide CIFS ACL support"
151	  depends on CIFS_XATTR && KEYS
152	  help
153	    Allows fetching CIFS/NTFS ACL from the server.  The DACL blob
154	    is handed over to the application/caller.  See the man
155	    page for getcifsacl for more information.  If unsure, say Y.
156
157config CIFS_DEBUG
158	bool "Enable CIFS debugging routines"
159	default y
160	depends on CIFS
161	help
162	   Enabling this option adds helpful debugging messages to
163	   the cifs code which increases the size of the cifs module.
164	   If unsure, say Y.
165config CIFS_DEBUG2
166	bool "Enable additional CIFS debugging routines"
167	depends on CIFS_DEBUG
168	help
169	   Enabling this option adds a few more debugging routines
170	   to the cifs code which slightly increases the size of
171	   the cifs module and can cause additional logging of debug
172	   messages in some error paths, slowing performance. This
173	   option can be turned off unless you are debugging
174	   cifs problems.  If unsure, say N.
175
176config CIFS_DEBUG_DUMP_KEYS
177	bool "Dump encryption keys for offline decryption (Unsafe)"
178	depends on CIFS_DEBUG
179	help
180	   Enabling this will dump the encryption and decryption keys
181	   used to communicate on an encrypted share connection on the
182	   console. This allows Wireshark to decrypt and dissect
183	   encrypted network captures. Enable this carefully.
184	   If unsure, say N.
185
186config CIFS_DFS_UPCALL
187	  bool "DFS feature support"
188	  depends on CIFS && KEYS
189	  select DNS_RESOLVER
190	  help
191	    Distributed File System (DFS) support is used to access shares
192	    transparently in an enterprise name space, even if the share
193	    moves to a different server.  This feature also enables
194	    an upcall mechanism for CIFS which contacts userspace helper
195	    utilities to provide server name resolution (host names to
196	    IP addresses) which is needed for implicit mounts of DFS junction
197	    points. If unsure, say Y.
198
199config CIFS_NFSD_EXPORT
200	  bool "Allow nfsd to export CIFS file system"
201	  depends on CIFS && BROKEN
202	  help
203	   Allows NFS server to export a CIFS mounted share (nfsd over cifs)
204
205config CIFS_SMB311
206	bool "SMB3.1.1 network file system support (Experimental)"
207	depends on CIFS
208	select CRYPTO_SHA512
209
210	help
211	  This enables experimental support for the newest, SMB3.1.1, dialect.
212	  This dialect includes improved security negotiation features.
213	  If unsure, say N
214
215config CIFS_FSCACHE
216	  bool "Provide CIFS client caching support"
217	  depends on CIFS=m && FSCACHE || CIFS=y && FSCACHE=y
218	  help
219	    Makes CIFS FS-Cache capable. Say Y here if you want your CIFS data
220	    to be cached locally on disk through the general filesystem cache
221	    manager. If unsure, say N.
222
223